Top stories.
- Patch Tuesday notes: Microsoft fixes a record 200 flaws.
- Nightmare Eclipse leaks another Windows zero-day.
- Researchers disclose two critical flaws in AI Chrome extensions.
- Business news: Cyera closes a $600 million Series G round.
Patch Tuesday notes: Microsoft fixes a record 200 flaws.
Microsoft yesterday issued patches for a record 200 Windows vulnerabilities, including three publicly disclosed zero-days, KrebsOnSecurity reports. Two of the zero-days (CVE-2026-45586 and CVE-2026-50507) were exposed by disgruntled researcher Nightmare Eclipse. The third zero-day (CVE-2026-49160) is a denial-of-service flaw in HTTP.sys that was discovered by Codex earlier this month. Krebs cites Tenable researcher Satnam Narang as noting that Microsoft has been using AI tools to uncover vulnerabilities, and this high volume of patches may become the norm.
Adobe has fixed 123 flaws, nearly half of which affected the company's Experience Manager product, SecurityWeek reports. Two arbitrary code execution flaws affecting Adobe Campaign Classic were assigned a maximum CVSS score of 10.
SAP has addressed fifteen vulnerabilities, including four critical flaws affecting NetWeaver, ABAP Platform, Commerce Cloud, and Data Hub, Cyber Security News says. The most serious (CVE-2026-44748) is an XML Signature Wrapping flaw that "may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage."
Nightmare Eclipse leaks another Windows zero-day.
Nightmare Eclipse, the disgruntled researcher mentioned above, released another zero-day exploit for Windows yesterday, just after Microsoft's Patch Tuesday updates, SecurityWeek reports. The exploit achieves local privilege escalation through a race condition in Microsoft Defender, enabling an attacker to spawn a command shell with SYSTEM-level privileges. According to Help Net Security, several researchers have independently verified that the exploit works.
Researchers disclose two critical flaws in AI Chrome extensions.
Researchers at Rebora Security discovered two critical vulnerabilities in the SiderAI and MaxAI agentic side panel Chrome extensions, which together are installed on more than 10,000,000 devices. Rebora decided to disclose the flaws after failing to get a response from either vendor.
The researchers explain, "Abusing these vulnerabilities allows attackers to compromise all browser sessions across any website, leading to the leakage of sensitive information, the invocation of arbitrary commands, and even account takeover. Furthermore, there was a potential risk of stealing files from the underlying operating system."
Business news: Cyera closes a $600 million Series G round.
Israeli data storage security firm Cyera has raised $600 million in a Series G round led by Evolution Equity Partners, with participation from Cyberstarts, Temasek, and all existing investors including Accel, AT&T Ventures, Blackstone, Coatue, Spark Capital, and others. The company landed $400 million in a Series F round just five months ago at a valuation of $9 billion, and the new funding raises its valuation to $12 billion. The company stated, "Cyera is now positioned as one of the most valuable privately held security companies in the world with total funding over $2 billion."
TechCrunch cites sources as saying Cyera is still "far from profitable," and the new deal values the company far above its annual recurring revenue (ARR). A Cyera spokesperson told the publication that "the numbers cited are factually and significantly inaccurate."