Network Performance Insight has vulnerabilities in included third-party software. CVSSv3 scores of 9.8
More info. And here. And here.

IBM Cloud Pak for Integration is affected by multiple Node.js vulnerabilities.  Highest CVSSv3 score of 9.8
More info.

A vulnerability was found in Red Hat CloudForms which allows malicious attacker to impersonate any user. An attacker can even create non-existent user with any entitlement in the appliance and performing an API request.  CVSSv3 score of 9.9
More info.

SUSE has updated xen, firefox, the kernel, and others.  More info.
OpenSUSE has updated opera, firefox, and others.  More info.
RedHat has updated python, dbus, postgresql, and others.  More info.
Ubuntu has updated tomcat, libssh, and others. More info.
Scientific Linux has updated postgresql.  More info.

Qualcomm's monthly bulletin is out, with 10 Critical vulnerability patches and 31 rated High.  Twelve have an access vector of Remote.
More info.

Google has published the Android monthly bulletin.  There are 23 CVEs addressed, all rated High, plus the Qualcomm vulnerabilities.
More info.

Google Pixel montly bulletin is out, with one CVE rated High, in addition to the Qualcomm and Android vulnerabilities.
More info.

Samsung's monthly bulletin is out, with Google's Android patches and 39 additional vulnerabilities, with four issues rated High.
More info.

A vulnerability in OpenSSH may affect IBM Spectrum Protect Plus. CVSSv3 score of 9.8
More info.

Rsyslog is vulnerable to heap-based buffer overflows which may affect IBM Spectrum Protect Plus. CVSSv3 score of 9.8
More info.

Node.js is vulnerable to buffer overflows, bypass of security restrictions, and denial of service which may affect IBM Spectrum Protect Plus. Highest CVSSv3 score of 9.8
More info.

Multiple vulnerabilities affect IBM Jazz Team Server and IBM Jazz Team Server based Applications.  Highest CVSSv3 score of 9.8
More info.

SUSE has updated the kernel.  More info.
RedHat has updated python, dbus, postgresql, and others.  More info.
Oracle Linux has updated postgresql.  More info.
Ubuntu has updated sqlite, squid, and others. More info.
Scientific Linux has updated libvncserver and firefox.  More info.

NETGEAR has released a fix for a pre-authentication command injection security vulnerability in the R8300 Wireless NightHawk Routers. CVSSv3 score of 9.6, attack vector of Adjacent.
More info.

ABB has published a security advisory (as opposed to the previously published security notification) outlining products vulnerable to Ripple20.  No patches, just a list of vulnerable products.
More info.

SUSE has updated the kernel, firefox, and others.  More info.
Arch Linux has updated libjcat, mbedtls, and one other.  More info.
RedHat has updated libvncserver, bind, grub2 (to fix the broken parts) and others.  More info.
Gentoo Linux has updated thunderbird, python, and others.  More info.
Debian has updated thunderbird.  More info.
Mageia has updated freerdp, thunderbird, java, and others.  More info.

Inductive Automation has published an update for Ignition 8 that corrects a Missing Authorization vulnerability. An HTTP request to the unprotected API could be used to determine whether an arbitrary file path exists on the filesystem. No authentication is required to perform this exploit. CVSSv3 score of 7.5
More info.

Vulnerabilities have been found in CAMS for HIS of CENTUM. These vulnerabilities may allow a remote unauthenticated attacker to create or overwrite any file, run any commands. CVSSv3 score of 8.1
More info.

A vulnerability exists in FactoryTalk Services Platform that prevents user passwords from being hashed properly. A successful exploit could allow a remote, unauthenticated attacker to create new users in the FactoryTalk Services Platform administration console, allowing the attacker to modify or delete configuration and application data in other FactoryTalk software connected to FactoryTalk Services Platform. CVSSv3 score of 10
More info.

Microsoft has updated chromium-based Edge for the latest chromium updates.
More info.

Apple has published an update for iTunes for Windows that includes several security fixes.
More info.

NetApp has published eight new bulletins identifying vulnerabilities in third-party software included in NetApp products.
More info.

Several Linux flavors have pushed out patches to "Boothole", that breaks boot.  Take a look, delay updates.
More info.

Oracle Linux has updated the firefox.  More info.
Ubuntu has updated the kernel.  More info.
Scientific Linux has updated the kernel, grub2, and firefox.  More info.

Cisco has published ten new security bulletins, and three updated bulletins.  Two new bulletins and two updated bulletins are rated Critical, five new bulletins are rated High, the rest are Medium or Informational.
More info.

A vulnerability in Cisco SD-WAN Solution Software could allow an unauthenticated, remote attacker to cause a buffer overflow on an affected device. A successful exploit could allow the attacker to gain access to information that they are not authorized to access, make changes to the system that they are not authorized to make, and execute commands on an affected system with privileges of the root user. CVSSv3 score of 9.8
More info.

A vulnerability in the REST API of Cisco Data Center Network Manager (DCNM) due to installations sharing a static encryption key that could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges. CVSSv3 score of 9.8
More info.

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization, enabling them to access sensitive information, modify the system configuration, or impact the availability of the affected system. CVSSv3 score of 9.9 even though it requires Local privileges.
More info.

Mitsubishi Electric has published three new bulletins, outlining multiple FA product vulnerabilities that a malicious attacker could use to execute arbitrary code, obtain information, tamper the information, cause a DoS.
More info.

Multiple components within Dell EMC VxRail Appliance require a security update to address various vulnerabilities.  Dell rates this Critical.
More info.

Multiple components within Dell EMC SRS Virtual Edition require a security update to address various vulnerabilities.  Dell rates this Critical.
More info.

Grandstream ATA HT800 Series contains multiple vulnerabilities, including remote DoS and an SSH backdoor to root.  No fixes. Highest CVSSv3 score of 10.
More info.

All Linux (and Microsoft) flavors are vulnerable to "Boothole", a problem with the GRUB2 boot loader, even with Secure Boot.  Linux flavors are coming out with updates.
More info.

SUSE has updated grub2. More info.
OpenSUSE has updated tomcat and knot.  More info.
Arch Linux has updated libjcat and mbedtls.  More info.
RedHat has updated firefox, the kernel, and grub2. More info.
CentOS has updated the kernel, grub2, and others.  More info.
Oracle Linux has updated the kernel, grub2, and postgresql.  More info.
Debian has updated firefox-esr, grub2, and xrdp.  More info.
Ubuntu has updated firefox and grub2.  More info.
Gentoo Linux has updated chromium and firefox.  More info.
Amazon Linux has updated tomcat, mysql, python, openvpn, and others.  More info.

Secomea has published a new version of GateManager, a VPN server, to correct several security vulnerabilities, including Improper Neutralization of Null Byte or NUL Character, Off-by-one Error, Use of Hard-coded Credentials, Use of Password Hash with Insufficient Computational Effort. Successful exploitation of these vulnerabilities could allow a remote attacker to gain remote code execution on the device. Highest CVSSv3 score of 10.
More info. And here. CISA advisory here.  And an article about the risks to the oil and gas industry.

Softing Industrial Automation has provided an update for OPC that corrects two vulnerabilities, including a Heap-based Buffer Overflow and Uncontrolled Resource Consumption. Successful exploitation of these vulnerabilities could crash the device being accessed. A buffer-overflow condition may also allow remote code execution. Highest CVSSv3 score of 9.8
More info.

SICK has released a new version of the SICK Package Analytics software to correct multiple security vulnerabilities. Successful exploitation of these vulnerabilities could allow an unauthorized remote attacker to read and write the configuration of the software, read data directly from the file system and view passwords in plain text. Highest CVSSv3 score of 9.1
More info.

Mozilla has published updates for Firefox, Firefox ESR, Firefox for iOS, and Thunderbird that fixes several security vulnerabilities.
More info.

Adobe has released updates for Magento Commerce 2 and Magento Open Source 2. These updates resolve vulnerabilities rated Important and Critical. Successful exploitation could lead to arbitrary code execution and signature verification bypass.
More info.

NETGEAR has published updates for pre-authentication stack overflow, buffer overflow, and command injection in R6700v3 routers.  Highest CVSSv3 score of 8.8
More info. And here. And here.

SUSE has updated freerdp, samba, and others. More info.
RedHat has updated postgresql and others.  More info.
Ubuntu has updated the mysql and sympa.  More info.

Google has published a new version of Chrome for the Desktop with eight security fixes, 6 rated High.  The most severe of these could allow for arbitrary code execution.
More info.

Dell EMC OpenManage Server Administrator (OMSA) contains multiple path traversal vulnerabilities. An unauthenticated remote attacker could potentially exploit these vulnerabilities by sending a crafted Web API request containing directory traversal character sequences to gain file system access on the compromised management station.
More info.

SUSE has updated python bits. More info.
OpenSUSE has updated tomcat, cacti, go, and others.  More info.
Debian has updated openjdk and qemu.  More info.
Ubuntu has updated the kernel, clamav, sqlite, and others.  More info.

Cosminexus has updates for Java and XML vulnerabilities.
More info.

SUSE has updated tomcat, mailman, and others. More info.
OpenSUSE has updated cacti, the kernel, go, and others.  More info.
Oracle Linux has updated the kernel and others.  More info.
Ubuntu has updated the kernel.  More info.
Gentoo Linux has updated 57 packages, something for everyone.  More info.

Cisco has updated their bulletin to identify active exploitation of a vulnerability in the web services interface of Cisco ASA Software and Cisco FTD Software reported yesterday.
More info.

NetApp has published seven new security bulletins outlining vulnerabilities in third-party software included in NetApp products.  No patches yet.
More info.

The server management software module of ZTE products has an authentication issue vulnerability, which allows users to skip the authentication of the server and execute some commands for high-level users. CVSSv3 score of 8.5
More info.

SUSE has updated the kernel, freerdp, and others. More info.
OpenSUSE has updated tomcat and others.  More info.

A vulnerability in the web services interface of Cisco ASA Software and Cisco FTD Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.
More info.

Specifically crafted requests sent to the CODESYS Control runtime system can allocate arbitrary amounts of memory, causing the system to run out of memory and possibly crash. CVSSv3 score of 8.6
More info.

Artica Proxy Community Edition allows SQL Injection via the input fields Netmask,Hostname and Alias field.
More info.

SUSE has updated java and qemu. More info.
OpenSUSE has updated firefox and others.  More info.
RedHat has updated thorntail and samba.  More info.
Oracle Linux has updated thunderbird and others.  More info.
Debian has updated squid. More info.
Ubuntu has updated python, the kernel, and others.  More info.

Adobe has published updates to resolve an Important vulnerability in Adobe Bridge, and Critical vulnerabilities in Adobe Photoshop, Adobe Prelude and Adobe Reader Mobile. Exploitation of these vulnerabilities could result in information disclosure and arbitrary code execution.
More info.

OpenSUSE has updated libvncserver and openconnect.  More info.
RedHat has updated java, nodejs, and others.  More info.
Ubuntu has updated the kernel.  More info.
Scientific Linux has updated java.  More info.

The latest version of NetIQ Self Service Password Reset resolves a potential XSS vulnerability.
More info. And here.

WML CE component Tensorflow has been updated to correct vulnerabilities in SQLite. Highest CVSSv3 score of 9.8
More info. And here.

IBM Sterling B2B Integrator has addressed multiple security vulnerabilities in jackson-databind. Highest CVSSv3 score of 9.8
More info.

Multiple components within Dell EMC CloudBoost Virtual Appliance require a security update to address various vulnerabilities.  Dell rates this Critical.
More info.

SUSE has updated tomcat, firefox, and others. More info.
OpenSUSE has updated firefox, chromium, samba, and others.  More info.

Moodle has released four vulnerability fixes, three of which are rated Serious, one Minor.  Vulnerabilities patched include XSS and DoS.
More info.

IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Rails that could allow a remote attacker to execute arbitrary code on the system. CVSSv3 score of 9.8
More info.

OpenSUSE has updated ntp, pdns-recursor, samba, and others.  More info.
Arch Linux has updated ffmpeg, nasm, wireshark, and others.  More info.
Debian has updated nss, tomcat, and others.  More info.
Amazon Linux has updated the kernel and others.  More info.

Microsoft has updated the chrome-based Edge to include the latest updates.  Highest Severity is Critical.
More info.

ClamAV has been updated to fix three security vulnerabilities that could lead to DoS, one of them could remove critical system files.
More info.

ABB has identified a few more products vulnerable to Ripple20, including more Protection Relays and an Ethernet Adapter.
More info.

Dojo could allow a remote attacker to inject arbitrary code on the system which affects IBM Spectrum Protect for Virtual Environments. CVSSv3 score of 7.5
More info.

Apache Camel is a dependency component shipped with the IBM Netcool/OMNIbus Probe DSL Factory Framework. Apache Camel contains RCE vulnerabilities, CVSSv3  of 9.8
More info.

Mozilla has published an update for thunderbird that fixes several vulnerabilities rated High, as well as more rated Medium and Low.
More info.

NetApp has published five bulletins for vulnerabilities in third-party software included in NetApp products.  No patches yet.
More info.

SUSE has updated squid and others.  More info.
RedHat has updated java, thunderbird, and others.  More info.
Oracle Linux has updated java, the kernel, and thunderbird.  More info.
Scientific Linux has updated java.  More info.

Cisco has 29 new bulletins and one updated bulletin.  Nine are rated Critical, 11 High, and the rest Medium.
More info.

A vulnerabilities in the Telnet service of Cisco Small Business RV110W Wireless-N VPN Firewall Routers could allow an unauthenticated, remote attacker to take full control of the device with a high-privileged account. CVSSv3 score of 9.8
More info.

A vulnerability in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to bypass authentication to execute arbitrary administrative commands, execute arbitrary code on an affected device. CVSSv3 score of 9.8
More info. And here.

A vulnerability in the web-based management interface of Cisco RV110W Wireless-N VPN Firewall and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. CVSSv3 score of 9.8
More info.

A vulnerability in the SSL VPN feature of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device or cause the device to reload, resulting in a DoS condition. CVSSv3 score of 9.8 (although rated Medium).
More info.

Apple has published security updates for Safari, iOS and iPadOS, tvOS, watchOS, and macOS.  Several RCE and DoS vulnerabilities in each product.
More info.

Dell has updated EMC VxRail Appliance, EMC Data Protection Central, and EMC PowerProtect Cyber Recovery to correct vulnerabilities in third-party software included in these products. Dell rates these as Critical.
More info. And here. And here.

Multiple vulnerabilities allow remote attackers to conduct man-in-the-middle attacks via a susceptible version of Synology DiskStation Manager (DSM). Patches for DSM, patches for SkyNAS are pending.
More info.

Google has update Chrome for Desktop to correct several security vulnerabilties, including one rated Critical and seven High.
More info.

RedHat has updated java, thunderbird, and others.  More info.
Scientific Linux has updated the kernel.  More info.

Oracle Quarterly Critical Patch Update is out, and contains 443 new security patches across the product families.  286 of these vulnerabilities may be remotely exploitable without authentication. Two have a CVSSv3 score of 10, 66 are scored 9.8.
More info.

Schneider Electric Monthly Patches are out.  There are two new bulletins and three updated bulletins.  New bulletins cover SESU and Floating License Manager.  There are updates for the Ripple20,  ZombieLoad, and BlueKeep bulletins.
More info.

Advantech iView contains multiple vulnerabilities that could allow an attacker to read/modify information, execute arbitrary code, limit system availability, and/or crash the application. CVSSv3 score of 9.8
More info.

HMS has patched a vulnerability in eCatcher. This vulnerability could be remotely exploited to gain remote code execution. CVSSv3 score of 9.8
More info.

Apache has updated Kylin to fix SQL Injection vulnerabilities.
More info. And here.

Tomcat has been updated to fix two DoS vulnerabilities.
More info.

SUSE has updates for java, bind, and several others. More info.
OpenSUSE has updates for thunderbird and xen.  More info.
Arch Linux has updated webkit2gtk.  More info.
Oracle Linux has updated the kernel, nodejs, thunderbird, and others.  More info.
RedHat has updated .NET core and others.  More info.
Ubuntu has updated firefox and webkitgtk+.  More info.
Scientific Linux has updated thunderbird and dbus.  More info.

Adobe has released Monthly Patch updates for Download Manager, ColdFusion, Genuine Service, Media Encoder, and Creative Cloud Desktop.
More info.

The Adobe Download Manager for Windows update resolves a critical vulnerability that could lead to arbitrary code execution. 
More info.

The Adobe Media Encoder update resolves two critical out-of-bounds write vulnerabilities and an important out-of-bound read vulnerability that could lead to arbitrary code execution and information disclosure.
More info.

A Creative Cloud Desktop Application for Windows update addresses critical and important vulnerabilities.  Successful exploitation could lead to arbitrary file system write and privilege escalation.
More info.

Microsoft Monthly Patches are out, with fixes for 123 vulnerabilities. Of these, 17 are critical and 2 were previously disclosed.  Patches are provided for Windows, Edge, ChakraCore, IE, Office and Office Services and Web Apps, Defender, Skype for Business, Visual Studio, OneDrive, Open Source Software, .NET Framework, and Azure DevOps. Highest CVSSv3 score of 10.
More info.

There is a critical RCE vulnerability affecting Windows DNS Server on multiple Windows Server versions, including 2008, 2012, 2016 and 2019. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account.  CVSSv3 score of 10 and wormable.
More info. And here.

SAP Security Patch Day saw the release of 8 Security Notes. There are 2 updates to previously released Security Notes.  One new bulletin is rated Hot News, with a CVSSv3 score 10, one rated High, the rest Medium or Low.
More info.

The Hot News bulletin highlights a critical vulnerability affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. An unauthenticated attacker can exploit this vulnerability through HTTP to take control of trusted SAP applications.  CVSSv3 score of 10.
More info.

Siemens Monthly Patches are out, with seven new bulletins and 12 updated bulletins.  Highest CVSSv3 score of 9.8
More info.

SICAM MMU, SICAM T and the discontinued SICAM SGU devices are affected by multiple security vulnerabilities which could allow an attacker to perform a variety of attacks. This may include unauthenticated firmware installation, remote code execution and leakage of confidential data like passwords. Siemens recommends additional mitigations in addition to patching. CVSSv3 score of 9.8
More info.

The latest update for LOGO! 8 BM devices fixes a buffer overflow vulnerability that could allow remote code execution in the web server functionality. CVSSv3 score of 9.8
More info.

The latest update for SIMATIC S7-200 SMART fixes a vulnerability that could allow an attacker to cause a permanent Denial-of-Service of an affected device by sending a large number of crafted packets. CVSSv3 score of 7.5
More info.

SPPA-T3000 solutions are affected by Ripple20 for the TCP/IP stack used in APC UPS systems, and by Intel for the Server Platform Services(SPS) used in SPPA-T3000 Application Server and Terminal Server hardware. CVSSv3 score of 10
More info.

Big-IQ and Traffix SDC contains several vulnerabilities in Netty which allows an HTTP header that lacks a colon. This vulnerability may result in HTTP request smuggling. When malformed or abnormal HTTP requests are interpreted, the system may interpret them inconsistently, allowing the attacker to 'smuggle' a request to one device while the other device is unaware of it. Highest CVSSv3 score of 9.1
More info. And here.

SUSE has updated firefox and thunderbird.  More info.
OpenSUSE has updated openldap, libvncserver, and others.  More info.
RedHat has updated thunderbird and others.  More info.
Debian has updated xen.  More info.

Smiths Medical CADD-Solis Pump Wireless Communication Modules are impacted by the Treck TCP/IP vulnerabilities known as Ripple20. They are working on a patch, and have listed mitigation steps.
More info.

HPE has produced updated firmware for Integrated Lights-Out 5 (iLO 5) for HPE/ProLiant Gen10 Servers, to remediate for Ripple20.
More info.

NetApp has published four bulletins covering vulnerabilities in third-party software included in NetApp products.  No patches yet.
More info.

SUSE has updated xen.  More info.
RedHat has updated bind, nodejs, and others.  More info.
Oracle Linux has updated the kernel.  More info.