Friday 26 June 2026 10:34:50 GMT+02:00

Netcrook


June 2026

22 June 2026


QNAP’s 14-Fix Sweep Exposes a Familiar Weak Point: the Management Plane

Published: 22 June 2026 19:35 | Category: Vulnerabilities & Patch Management | Geo: Asia / Taiwan | Author: NEONPALADIN

A single maintenance release across NAS, cloud NAS, and surveillance appliances shows how quickly web-facing admin features can turn into a broad attack surface.

Flowise Flaw Puts AI Workflow Builders on the Same Playing Field as Server Exploits

Published: 22 June 2026 19:31 | Category: Vulnerabilities & Patch Management | Author: SECURESPECTER

A critical Flowise vulnerability is a reminder that no-code AI tools can turn ordinary integrations into high-value targets for remote code execution.

Four Product Lines, One Patch Alarm: QNAP Closes 14 Important-Severity Flaws

Published: 22 June 2026 19:21 | Category: Vulnerabilities & Patch Management | Geo: Asia / Taiwan | Author: DEEPAUDIT

A single advisory spans NAS, cloud NAS, and surveillance appliances, showing how shared management code can turn one update cycle into a fleet-wide security event.

Squidbleed Turns a Legacy Proxy Path Into a Confidentiality Problem

Published: 22 June 2026 19:00 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: NEONPALADIN

A decades-old Squid flaw shows how one compatibility feature, if it reads past its bounds, can turn routine proxy traffic into a data exposure risk.

Craft CMS Advisory Points to a Familiar Trap: Authenticated Requests Turning Dangerous

Published: 22 June 2026 18:43 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: DEEPAUDIT

An ACN CSIRT Italia notice on two Craft CMS vulnerabilities, including one high-severity flaw, highlights how a crafted request from a logged-in user can sometimes become a route to remote code execution.

Squidbleed Turns a Shared Proxy Into a Secret Whisper Channel

Published: 22 June 2026 18:37 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: NEONPALADIN

A 29-year-old read-past-end bug in Squid shows how legacy protocol glue can still leak sensitive request data between users who share the same proxy boundary.

When Patch Backlogs Become Attack Surface

Published: 22 June 2026 18:24 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: NEONPALADIN

The real challenge in modern vulnerability management is not the number of fixes available, but how fast teams can decide what matters, roll it out safely, and avoid breaking the business while doing it.

A High-Severity Patch Lands on PaperCut’s Windows Print Agent

Published: 22 June 2026 18:14 | Category: Vulnerabilities & Patch Management | Geo: Oceania / Australia | Author: DEEPAUDIT

A security update for PaperCut Print Deploy Client on Windows turns a routine print-management fix into a reminder that endpoint agents can sit on the edge of enterprise trust.

Mitel’s Patch Wave Lands Hard on MiCollab and MiVB SVI

Published: 22 June 2026 18:12 | Category: Vulnerabilities & Patch Management | Geo: North America / Canada | Author: DEEPAUDIT

Security updates address 12 vulnerabilities across two Mitel products, with 11 rated critical and one rated high.

SQL Injection Still Survives Where Code and Data Get Mixed

Published: 22 June 2026 15:34 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: SECURESPECTER

A long-recognized web flaw keeps returning for one simple reason: too many applications still build SQL with untrusted input instead of separating values from logic.

When Windows Enters KEV, Patch Slack Disappears

Published: 22 June 2026 15:16 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: SECURESPECTER

A Windows flaw flagged by CISA turns patching into a time-bound security decision, with federal compliance and enterprise risk now moving closer together.

Unpatchable at the Root: Why a USB Boot Bypass Matters More Than Another iPhone Bug

Published: 22 June 2026 15:14 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: SECURESPECTER

A reported exploit called Usbliter8 points at Apple’s earliest trust layer, where software updates may not be enough and hardware lineage starts to matter.

Apache NiFi’s Permission Model Comes Under Pressure After Four Fresh Flaws

Published: 22 June 2026 14:30 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: SECURESPECTER

A new security notice around Apache NiFi puts the spotlight on control-plane weaknesses, where a single authorization lapse can matter as much as a code bug in the data path.

Public PoC Turns a Trusted Antivirus Into a Local Escalation Question

Published: 22 June 2026 14:18 | Category: Vulnerabilities & Patch Management | Geo: Europe / Czech Republic | Author: NEONPALADIN

A proof of concept for CVE-2025-71326 puts Avast Antivirus under scrutiny and shows why privileged security software can become a high-value target when local boundaries are weak.

When a Mail Plugin Starts Whispering Secrets

Published: 22 June 2026 14:09 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: NEONPALADIN

A flaw in Gravity SMTP has put WordPress operators on notice: sensitive data tied to email routing, system details, and stored secrets can leak through an exposed plugin path.

When Earbuds Become a Listening Post: A Bluetooth Bug With a Short but Serious Reach

Published: 22 June 2026 12:56 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: NEONPALADIN

A disclosed flaw in Beats Studio Buds, tracked as CVE-2025-20701, shows how a nearby attacker can turn wireless convenience into a microphone privacy risk.

Node.js Fixes Land After a Hidden Split Between Uptime and Access

Published: 22 June 2026 12:12 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: DEEPAUDIT

A security update for Node.js closed 12 flaws, including two high-severity issues that could affect service availability and authentication paths if left unpatched.

pgAdmin 4 Patch Wave Exposes the Fault Lines Hidden in Database Admin Tools

Published: 22 June 2026 10:33 | Category: Vulnerabilities & Patch Management | Author: SECURESPECTER

Version 9.16 closes seven CVEs across SQL handling, browser rendering, authentication, and the AI Assistant, showing how quickly admin consoles can turn fragile at the seams.

pgAdmin’s Latest Patch Pack Shows How Small Web Bugs Can Reach the Database Core

Published: 22 June 2026 10:25 | Category: Vulnerabilities & Patch Management | Author: DEEPAUDIT

Version 9.16 closes seven security holes in a tool many administrators use as a bridge to PostgreSQL, where a browser bug can quickly become a privileged problem.

Why a Pairing Bug in Beats Studio Buds Became a Privacy Story

Published: 22 June 2026 10:06 | Category: Vulnerabilities & Patch Management | Geo: North America / USA | Author: NEONPALADIN

A firmware fix for CVE-2025-20701 shows how a weakness at the Bluetooth trust boundary can matter long before a user thinks a headset is "connected."
