13 Feb 2026
Week in review
Greetings,
A critical security vulnerability has been uncovered in the WPvivid Backup & Migration plugin for WordPress, a tool installed on more than 900,000 websites to help with backups and migrations. The flaw, tracked as CVE-2026-1357 and rated with a CVSS score of 9.8, could allow attackers to execute arbitrary code on affected sites without needing to log in, simply by uploading specially crafted files.
According to WordPress security researchers, the bug stems from improper error handling during RSA decryption and inadequate sanitisation of uploaded filenames. When certain operations failed, the plugin passed flawed data to encryption routines, resulting in predictable keys that could be exploited. The lack of directory path validation further made it possible for malicious files to be written outside their intended locations, potentially giving attackers full control of a site’s code.
Fortunately, the vulnerability only poses a critical risk when a specific “receive backup from another site” setting is enabled, which isn’t a default feature but is commonly used during migrations and other maintenance tasks.
The plugin’s developers were alerted in January 2026 and released a fix in version 0.9.124 later that month. This update adds proper decryption checks, filename sanitisation, and restricts uploads to known safe backup types, such as ZIP and SQL files. Website owners using WPvivid Backup & Migration are strongly urged to update immediately to protect their installations from potential compromise.
BeyondTrust warns of critical RCE flaw in remote support software
Date: 2026-02-09
Author: Bleeping Computer
[AUSCERT has informed the affected members via Critical MSINs]
BeyondTrust warned customers to patch a critical security flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow unauthenticated attackers to execute arbitrary code remotely.
Tracked as CVE-2026-1731, this pre-authentication remote code execution vulnerability stems from an OS command injection weakness discovered by Harsh Jaiswal and the Hacktron AI team, and it affects BeyondTrust Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier.
Critical Gogs Vulnerability Enables Remote Command Execution and 2FA Bypass
Date: 2026-02-10
Author: Cyber Press
[AUSCERT has contacted affected members where applicable]
A severe flaw in Gogs, a lightweight self-hosted Git service, allows attackers to run commands remotely and skip two-factor authentication.
This critical issue affects many organizations using Gogs for private code hosting.
Gogs versions up to 0.13.3 suffer from CVE-2025-64111, an OS command injection bug with a CVSS score of 9.3.
Apple fixes zero-day flaw used in 'extremely sophisticated' attacks
Date: 2026-02-11
Author: Bleeping Computer
[AUSCERT has published security bulletins for these Apple updates]
Apple has released security updates to fix a zero-day vulnerability that was exploited in an "extremely sophisticated attack" targeting specific individuals.
Tracked as CVE-2026-20700, the flaw is an arbitrary code execution vulnerability in dyld, the Dynamic Link Editor used by Apple operating systems, including iOS, iPadOS, macOS, tvOS, watchOS, and visionOS.
Apple's security bulletin warns that an attacker with memory write capability may be able to execute arbitrary code on affected devices.
Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws
Date: 2026-02-10
Author: Bleeping Computer
[AUSCERT has released security bulletins covering these patches]
Today is Microsoft's February 2026 Patch Tuesday with security updates for 58 flaws, including 6 actively exploited and three publicly disclosed zero-day vulnerabilities.
This Patch Tuesday also addresses five "Critical" vulnerabilities, 3 of which are elevation of privileges flaws and 2 information disclosure flaws.
Over 60 Software Vendors Issue Security Fixes Across OS, Cloud, and Network Platforms
Date: 2026-02-11
Author: The Hacker News
It's Patch Tuesday, which means a number of software vendors have released patches for various security vulnerabilities impacting their products and services.
Microsoft issued fixes for 59 flaws, including six actively exploited zero-days in various Windows components that could be abused to bypass security features, escalate privileges, and trigger a denial-of-service (DoS) condition.
ESB-2026.1203 – GitLab AI Gateway: CVSS (Max): 9.9
GitLab has released versions 18.6.2, 18.7.1, and 18.8.1 to address a critical insecure template expansion vulnerability affecting self-hosted GitLab Duo AI Gateway installations.
ESB-2026.1204 – FortiClientEMS: CVSS (Max): 9.8
Fortinet has addressed a critical SQL injection vulnerability in FortiClientEMS that could allow an unauthenticated attacker to execute malicious SQL commands over the network.
Users are advised to upgrade to FortiClientEMS 7.4.5 or later to mitigate the risk.
ESB-2026.1382 – Atlassian Products: CVSS (Max): 9.8
Atlassian has released fixes for 30 high-severity and 2 critical-severity vulnerabilities affecting multiple Data Center and Server products, including Bamboo, Bitbucket, Confluence, Crowd, Jira, and Jira Service Management.
ESB-2026.1413 – Prisma Access Browser: CVSS (Max): 9.8
Palo Alto Networks has released patched Prisma Browser versions to address numerous CVEs, including memory safety and implementation issues.
ESB-2026.1416 – Apple macOS Tahoe: CVSS (Max): 8.8*
Apple has addressed vulnerabilities in macOS Tahoe that could allow apps to access sensitive data, gain elevated privileges, or perform denial-of-service attacks.
Users should update to macOS Tahoe 26.3 or later to mitigate these issues and enhance overall system security.
Stay safe, stay patched and have a good weekend!
The AUSCERT team