Citrix has released fixes for six vulnerabilities in NetScaler ADC and NetScaler Gateway, including a high-severity memory-disclosure flaw that researchers place in the same class as the 2023 CitrixBleed bug. That flaw (CVE-2026-8451, rated 8.8) leaks small amounts of memory through malformed SAML requests and shares a root cause with an earlier NetScaler bug that was exploited within days of disclosure. The bulletin also covers an unauthenticated arbitrary file read and several denial-of-service issues, with CVSS scores from 6.9 to 8.8. No exploitation has been reported yet, but NetScaler appliances have drawn more than 20 entries on CISA's exploited-vulnerabilities list in three years, several used in ransomware.
F5 has issued out-of-band patches for two critical flaws in NGINX, the web server and reverse proxy that runs a large share of the internet. CVE-2026-42530 (a use-after-free in the HTTP/3 module) and CVE-2026-42055 (a heap overflow in the HTTP/2 proxy and gRPC modules), both rated 9.2, let a remote, unauthenticated attacker corrupt memory in an NGINX worker, crashing it for a denial of service and, where address-space randomization is disabled or bypassed, potentially running code. They affect non-default configurations across NGINX Open Source, Plus, Gateway Fabric, and Instance Manager. F5 has not seen exploitation yet, but its products are frequent attacker targets.
Researchers at Cyera have disclosed six vulnerabilities, collectively named Proto6, in protobuf.js, a JavaScript and TypeScript library for Google's Protocol Buffers data format that sees more than 50 million downloads a week. The flaws stem from the library trusting schema and metadata by default, so a single malicious schema or crafted payload can crash a service, inject code, or lead to remote code execution. Cyera demonstrated real attacks including poisoning CI/CD pipelines to leak build secrets and crashing WhatsApp automation bots. Because protobuf.js is embedded across cloud services, AI platforms, and build systems, the reach is broad. Fixed versions are 7.5.6 and 8.0.2.
CISA has warned that attackers are actively exploiting CVE-2026-28318, a high-severity SolarWinds Serv-U denial-of-service flaw, and added it to the Known Exploited Vulnerabilities catalog. Serv-U is SolarWinds' Windows and Linux managed-file-transfer and FTP software. The flaw is an uncontrolled-resource-consumption weakness: specially crafted POST requests using Content-Encoding: deflate crash the Serv-U service without authentication, in low-complexity attacks needing no user interaction. SolarWinds shipped Serv-U 15.5.4 Hotfix 1 and advised admins who cannot patch to restrict access and block POST requests containing content-encoding. Shodan tracks over 12,000 exposed Serv-U servers (Shadowserver around 3,100). FCEB agencies must patch by June 19 under BOD 22-01.
Offensive-security firm Calif, with discovery work performed by OpenAI's Codex software agent, has disclosed HTTP/2 Bomb, a denial-of-service attack that crashes web servers from a single machine in seconds. It works against default HTTP/2 configurations of NGINX, Apache, Microsoft IIS, Envoy, and Cloudflare Pingora. The technique combines HPACK header-compression amplification (one attacker byte triggering thousands of bytes of server allocation, up to 5,700:1 on Envoy) with Slowloris-style flow-control stalling via zero-byte windows that prevents the memory from ever being freed. A home computer on a 100 Mbps link can force Apache or Envoy to hold 32 GB of RAM in roughly 20 seconds, bypassing existing header-size defenses.
Recorded Future News has connected last summer's three-hour POST Luxembourg outage - which took down landline, 4G, and 5G networks across the country and left residents unable to dial emergency services - to a zero-day in Huawei enterprise routers running VRP. Specially crafted network traffic merely passing through caused the routers to enter a continuous restart loop. Luxembourg's prosecutor concluded no one had targeted Luxembourg specifically; the data was just transit traffic. Huawei has not assigned a CVE for the bug and routes its enterprise advisories through a restricted customer portal rather than publicly, leaving operators with little ability to track exposure.
Cisco patched a high-severity denial-of-service flaw in Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) that lets unauthenticated remote attackers exhaust connection resources and force the system into an unresponsive state. CVE-2026-20188. Recovery requires manual reboot. Cisco's PSIRT has not seen exploitation in the wild yet, but Cisco previously patched similar DoS bugs (CVE-2025-20362, CVE-2025-20333) that ended up being weaponized to force ASA and FTD firewalls into reboot loops, which CISA addressed with an emergency directive in November 2025.
Apache patched a double-free vulnerability in mod_http2 yesterday. CVE-2026-23918 (CVSS 8.8) lets a remote attacker crash the server immediately, with a path to remote code execution under specific memory-layout conditions. The bug is in the stream cleanup code in h2_mplx.c and is triggered by a crafted sequence of HTTP/2 frames including an early stream reset. mod_http2 ships in default Apache builds and HTTP/2 is widely enabled in production. The MPM prefork worker is not affected. Researchers warn practical RCE requires an info leak and probabilistic heap spray, but in lab conditions execution lands in minutes.