Oracle Quarterly Patches are out, with 419 security patches addressing multiple vulnerabilities in Oracle products, the worst of which could allow for remote code execution. 229 of these vulnerabilities may be remotely exploitable without authentication.
More info.

AUVESY Versiondog contains multiple vulnerabilities that could allow a remote attacker to achieve remote code execution, and acquire complete remote control over the machine. Highest CVSSv3 score of 9.8
More info.

Google has published an update for Chrome for Desktop that includes 19 security fixes.
More info.

Dell EMC PowerFlex rack updates are available for a Cisco switch (Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches) security vulnerability. Dell rates this Critical.
More info.

Tenable.sc has been updated to correct Apache vulnerabilities.  Highest CVSSv3 score of 9.0
More info.

The vRealize Operations Tenant App for VMware Cloud Director contains an information disclosure vulnerability. A malicious actor with network access to port 443 on the vRealize Operations Tenant App may access any set system environment variables, leading to information disclosure. CVSSv3 score of 5.3.
More info.

Traffix SDC is vulnerable to a DoS in apache httpd. CVSSv3 score of 7.5
More info.

SUSE has updates for util-linux and others. More info.
OpenSUSE has updates for util-linux, xstream, and others. More info.
Red Hat has updated advanced cluster management and others. More info.
Ubuntu has updated the kernel. More info.

A potential security vulnerability has been identified in HPE Superdome Flex Servers. The vulnerability could be remotely exploited to allow Cross Site Scripting (XSS) because the Session Cookie is missing an HttpOnly Attribute. CVSSv3 score of 4.2
More info.

OpenSUSE has updated the kernel, systemd, glibc, and others. More info.
Red Hat has updated the kernel and systemd. More info.

The Weidmueller Remote I/O fieldbus couplers are affected by several vulnerabilities of the third-party TCP/IP Niche stack. An attacker may use crafted IP packets to cause a denial of service or breach of integrity of the affected products. CVSSv3 score of 7.5
More info.

Multiple security vulnerabilities in third-party software have been fixed in  IBM Security Access Manager. Highest CVSSv3 score of 9.1
More info.

An integer overflow bug in the in-memory certificate cache may lead to a denial-of-service attack.
More info.

Vulnerabilities in node.js affect BIG-IP and BIG-IQ products. An attacker may be able to exploit the vulnerabilities to perform domain hijacking or injection attacks. CVSSv3 score of 5.0
More info.

Vulnerabilities in Eclipse Jetty affect Traffix SDC. Affected systems may experience resource exhaustion when receiving an invalid large TLS frame. CVSSv3 score of 7.5
More info.

Multiple vulnerabilities in WebSphere Application Server and Apache Tomcat affect HCL Commerce. Highest CVSSv3 score of 8.8
More info. And here.

There are multiple Ruby vulnerabilities that affect IBM Cloud Foundry Migration Runtime that could allow a remote attacker to cause a DoS, HTTP response splitting, bypass security restrictions, or obtain sensitive information. Highest CVSSv3 score of 9.1
More info.

Security vulnerabilities have been addressed in IBM Cognos Analytics with Watson. Highest CVSSv3 score of 9.8
More info.

Cloud Pak for Security uses third-party software that contain multiple vulnerabilities. Highest CVSSv3 score of 9.8
More info.

A Host Header Redirection vulnerability in SonicOS potentially allows a remote attacker to redirect firewall management users to arbitrary web domains.
More info.

HCL Digital Experience is susceptible to Server Side Request Forgery. CVSSv3 score of 9.3
More info.

VMware vRealize Orchestrator contains an open redirect vulnerability due to improper path handling. CVSSv3 score of 6.5
More info.

SUSE has updated the kernel and rpm. More info.
OpenSUSE has updated the kernel. More info.
Oracle Linux has updated the kernel. More info.

Palo Alto Networks Monthly Patches are out, with only 2 bulletins, 1 rated High and 1 rated Low. 
More info.

A stack-based buffer overflow vulnerability exists in the Palo Alto Networks GlobalProtect app that enables a man-in-the-middle attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges. CVSSv3 score of 8.1
More info.

Juniper has released their Quarterly Patches with 44 bulletins for JunOS, 2 rated Critical.
More info.

Multiple vulnerabilities have been resolved in Juniper Networks Contrail Service Orchestration (CSO), by updating dnsmasq software. CVSSv3 score of 8.2
More info.

The usage of an internal HTTP header created an authentication bypass vulnerability, allowing an attacker to view internal files, change settings, manipulate services and execute arbitrary code. CVSSv3 score of 9.8
More info.

Multiple vulnerabilities in OpenSSL have been resolved in Juniper Networks Juniper Secure Connect Application. Highest CVSSv3 score of 8.1
More info.

Multiple vulnerabilities have been resolved in Contrail Insights  by updating third party software. CVSSv3 score of 9.8
More info.

TIBCO EBX products contain a vulnerability that under certain specific conditions allows an attacker to enter a password other than the legitimate password and it will be accepted as valid. CVSSv3 score of 9.8
More info.

BigIP, F5 OS, and Traffix SDC are affected by a NULL pointer dereference in httpd, which allows an unauthenticated remote attacker to cause httpd to terminate by providing malformed HTTP requests. The highest threat from this vulnerability is to system availability. CVSSv3 score of 7.5
More info.

Clustered Data ONTAP is missing an X-Frame-Options header which could allow a clickjacking attack. CVSSv3 score of 6.5
More info.

NetApp has published 5 new bulletins identifying vulnerabilities in third-party software included in their products.  No patches yet.
More info.

A DoS vulnerability has been fixed in Tomcat.
More info.

Microsoft Monthly Patches are out, with 81 vulnerabilities. Of these, 3 are critical, 3 were previously disclosed and 1 is being exploited according to Microsoft. The exploited vulnerability is an elevation of privilege affecting Win32k. The critical vulnerabilities include two Windows Hyper-V Remote Code Execution vulnerabilities and a Microsoft Word RCE vulnerability. Highest CVSS V3 of 9.0
More info. And here. And here.

Adobe has released their Monthly Patches with updates for Acrobat and Reader, Connect, Reader Mobile, ops-cli, Commerce, and Campaign Standard.
More info.

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address  multiple critical and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user. Highest CVSSv3 score of 7.8
More info.

Adobe has released a security update for Adobe Connect. This update resolves critical and  important vulnerabilities. Successful exploitation could lead to arbitrary code execution. Highest CVSSv3 score of 9.8
More info.

Adobe has released an update for Adobe ops-cli. This update resolves a critical vulnerability.  Successful exploitation could lead to arbitrary code execution in the context of the current user. Highest CVSSv3 score of 9.8
More info.

Adobe has released security updates for Adobe Campaign Standard. These updates address a critical cross-site scripting vulnerability that could result in arbitrary code execution.
More info.

Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities, including Exploitation of Encryption Endpoint and Information Disclosure leading to remote authentication bypass. Highest CVSSv3 score of 9.8
More info.  Bulletin from HPE here.

Advantech WebAccess has been updated to correct Heap-based Buffer Overflow and Stack-based Buffer Overflow vulnerabilities. Successful exploitation of these vulnerabilities could allow an attacker to gain remote code execution. Highest CVSSv3 score of 9.8
More info.

Multiple vulnerabilities in Draytek VigorConnect allow unauthenticated attacker to download or upload arbitrary files from the underlying operating system with root privileges. Highest CVSSv3 score of 9.8
More info.

SUSE has updated the kernel and systemd. More info.
OpenSUSE has updated the kernel and systemd. More info.
Scientific Linux has updated the kernel and others. More info.

Apple has published updates for iOS and iPadOS to fix an actively exploited security vulnerability that would allow an application to execute arbitrary code with kernel privileges.
More info.

Siemens Monthly Patches are out, with 5 new bulletins and 16 updated bulletins. Of the new bulletins, 2 have a CVSSv3 score of 9.8, 1 is 8.8, and 2 are 7.5
More info.

The latest update for RUGGEDCOM ROX devices fixes a vulnerability that could allow an unauthenticated attacker to cause a permanent Denial-of-Service condition under certain conditions. CVSSv3 score of 7.5
More info.

A Denial-of-Service vulnerability found in SINUMERIK Controllers could allow an unauthenticated attacker with network access to the affected devices to cause system failure with total loss of availability. CVSSv3 score of 7.5
More info.

The Scalance W1750D device contains multiple vulnerabilities that could allow an attacker to inject commands or trigger buffer overflows. CVSSv3 score of 9.8
More info.

The latest update for SIMATIC Process Historian (PH) fixes an authentication vulnerability in the configuration interface of redundant PH instances that could enable the execution of admin operations on the database. CVSSv3 score of 9.8
More info.

Schneider Electric Monthly Patches contain 6 bulletins, covering *LYnk, CNM, IGSS, Modicon, and Conext products.
More info.

The Modicon TM5 modules are affected by two “AMNESIA:33” embedded TCP/IP stacks vulnerabilities. Highest CVSSv3 score of 9.8
More info.

Schneider Electric is aware of a vulnerability in its spaceLYnk, Wiser For KNX, and fellerLYnk products, that could allow data exfiltration and unauthorized access when accessing a malicious website. CVSSv3 score of 8.2
More info.

Multiple vulnerabilities exist in Data Collector module for IGSS product. Highest CVSSv3 score of 9.8
More info.

Modicon M218 Logic Controller contains a vulnerability that could cause a DoS when a crafted packet is sent to the controller over network port 1105/TCP. CVSSv3 score of 7.5
More info.

Multiple Microsoft Windows vulnerabilities exist in Schneider Conext Advisor 2 & Conext Control V2 products. Highest CVSSv3 score of 9.8
More info.

Microsoft has updated chromium-based Edge to include the latest security fixes from chromium.
More info.

SAP Security Patch Day includes 13 Security Notes. There was 1 update to previously released Security Note. Of the new notes, 2 are rated Hot News, 1 rated High, and the rest Medium.  Highest CVSSv3 score of 9.8
More info.

Red Hat has updated the kernel. More info.

IBM App Connect Enterprise Certified Container may be vulnerable to arbitrary code execution. CVSSv3 score of 9.8
More info.

IBM Sterling B2B Integrator has integrated multiple security vulnerability fixes from TIBCO JasperReports, Jackson Databind, Apache Log4j, and Bouncy Castle. Highest CVSSv3 score of 9.9
More info. And here. And here. And here.

Dell EMC Enterprise Hybrid Cloud updates are available for multiple VMware security vulnerabilities. Dell rates this Critical.
More info.

Multiple vulnerabilities have been found in JP1/IT Desktop Management 2, JP1/NETM/DM, JP1/Remote Control and Hitachi IT Operations Director, including Local Privilege Escalation and Remote Code Execution.
More info.

NetApp Cloud Manager is susceptible to a vulnerability which could allow a remote unauthenticated attacker to retrieve sensitive data via the web proxy. CVSSv3 score of 7.5
More info.

NetApp has published 6 bulletins identifying vulnerabilities in third-party software that affects their products. No patches yet.
More info.

Oracle Linux has updated the kernel. More info.

Mobile Industrial Robots (MiR) has reported several vulnerabilities in MiR100, MiR200, MiR250, MiR500, MiR1000, and MiR Fleet products. Successful exploitation of these vulnerabilities could lead to privilege escalation, data exfiltration, control of the robot, and a denial-of-service condition. Highest CVSSv3 score of 9.8
Patches were provided in May.
More info. And here.

InHand Networks IR615 Router contains multiple vulnerabilities. Successful exploitation of these vulnerabilities may allow an attacker to have full control over the product, remotely perform actions on the product, intercept communication and steal sensitive information, session hijacking, and successful brute-force against user passwords. Additional successful exploitation may allow for the uploading of malicious files, deletion of system files, execution of remote code, and enumeration of user accounts and passwords. Highest CVSSv3 score of 9.8
Vendor is not responding to CISA.
More info.

FATEK Automation Communication Server contains a Stack-based Buffer Overflow. Successful exploitation of this vulnerability may allow remote code execution. CVSSv3 score of 9.8
Fatek is not responding to CISA.
More info.

Apache has released Apache HTTP Server version 2.4.51 to address Path Traversal and Remote Code Execution vulnerabilities incompletely fixed in 2.4.50. These vulnerabilities have been exploited in the wild.
More info.

Google has updated Chrome to fix 4 security vulnerabilities, all rated High.
More info.

Cisco has published 16 new bulletins, 6 rated High, the rest Medium.
More info.

A vulnerability in the proxy service of Cisco AsyncOS for Cisco Web Security Appliance could allow an unauthenticated, remote attacker to exhaust system memory and cause a DoS condition on an affected device. CVSSv3 score of 8.6
More info.

A vulnerability in the REST API of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to perform a command injection attack and elevate privileges to root. CVSSv3 score of 7.5
More info.

Multiple vulnerabilities in the Cisco ATA 190 Series Analog Telephone Adapter Software could allow an attacker to perform a command injection attack resulting in remote code execution or cause a  DoS condition on an affected device. CVSSv3 score of 8.8
More info.

A DoS vulnerability exists in MELSEC iQ-R series C Controller Module due to uncontrolled resource consumption. A remote attacker could prevent the module from starting up  by sending a large number of packets to the module starting up in a short time. CVSSv3 score of 6.8
Only Mitigations, no patches.
More info.

Johnson Controls has confirmed a vulnerability impacting Exacq Technologies exacqVision. An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause DoS. 
More info.

Johnson Controls has confirmed a vulnerability impacting Exacq Technologies exacqVision Web Service. Under certain configurations an unauthenticated remote user could be given access to credentials stored in the exacqVision Server.
More info.

Honeywell Experion PKS and ACE Controllers contain multiple vulnerabilities. A CCL may be modified by a bad actor and loaded to a controller such that malicious code is executed by the controller, allowing remote code execution or DoS. Highest CVSSv3 score of 10
Note this original bulletin is dated February.
More info. And here.

Updates are available Dell EMC Integrated Data Protection Appliance that corrects multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system. Dell rates this Critical.
More info.

Mozilla has published three new bulletins Firefox and Firefox ESR, all rated High.
More info.

Fortinet has published 7 new bulletins, one of which is remotely exploitable.
More info.

An insufficient session expiration vulnerability in FortiClientEMS may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID. CVSSv3 score of 7.9
More info.

A potential security vulnerability has been identified in HPE 3PAR StoreServ, HPE Primera Storage and HPE Alletra 9000 Storage array firmware. An unauthenticated user could remotely execute code as administrator. CVSSv3 score of 10
More info.

The IBM TS7700 Management Interface is vulnerable to unauthenticated access. By accessing a specially-crafted URL, an attacker may gain administrative access to the Management Interface without authentication. CVSSv3 score of 9.1
More info.

In response to a security issue with BMC's IPMI LAN+ interface, a new Power System firmware update is being released. CVSSv3 score of 10
More info.

Aruba has released patches for Aruba Instant that address multiple security vulnerabilities. Highest CVSSv3 score of 9.8
More info. HPE bulletin here.

A vulnerability affecting the F-Secure antivirus engine was discovered when the engine tries to unpack a zip archive (LZW decompression method), and this can crash the scanning engine. The vulnerability can be exploited remotely by an attacker. A successful attack will result in denial-of-service of the antivirus engine.
More info.

Qualcomm Monthly Patches are out, with 33 patched vulnerabiltiies.  Twenty are in Qualcomm software, all rated High, while 11 are in third-party software.  Highest CVSSv3 score of 8.6.
More info.

Google's Monthly Patches for Android are out.  There are 17 vulnerabilties addressed, plus the Qualcomm patches. One vulnerability is rated Critical, the rest High.
More info.

Pixel Monthly Patches are out as well, with two additional vulnerabilities, one rated High and one Moderate.
More info.

Samsung Monthly Patches are out, with 32 Samsung vulnerabilities plus Google's Android updates. Three are rated Critical.
More info.

Xerox has updated FreeFlow Print Server to include Oracle, Java, and Firefox security updates.
More info.

NetApp has published five new bulletins identifying vulnerabilities in third-party software included in their products.  No patches yet.
More info.

Apache has been updated to correct a null pointer dereference and a path traversal vulnerabilities, allowing a remote attacker to DoS the server or access files outside the document root. The path traversal is known to be exploited in the wild.
More info.

Red Hat has updated the kernel. More info.
Mageia has updated the kernel. More info.
Amazon Linux has updated the kernel. More info.

Microsoft has updated Edge with the chromium security fixes for two vulnerabilities which have exploits in the wild.
More info.

Promass 83 devices utilizing 499ES EtherNet/IP Stack by Real Time Automation are vulnerable to a stack-based buffer overflow. CVSSv3 score of 9.8
More info.

Several Lenze products contain a CODESYS Control runtime system and are affected by the vulnerability described in CODESYS Advisory 2021-06. Highest CVSSv3 score of 9.8
Products are either EOL or scheduled for update Q2 2022.
More info.

The control systems series Rexroth IndraMotion MLC and IndraLogic XLC are affected by multiple vulnerabilities in the web server, which – in combination – ultimately enable an attacker to log in to the system. Highest CVSSv3 score of 10
More info.

NETGEAR has released a firmware update for RAX200 to refine code and update third party software packages to reduce potential security vulnerabilities.  No further details available.
More info.

When validating an origin server or peer certificate, Squid may incorrectly classify certain certificates as trusted. This problem allows a remote server to obtain security trust when the trust is not valid. This indication of trust may be passed along to clients allowing access to unsafe or hijacked services. This problem is guaranteed to occur when multiple CA have signed the TLS server certificate. It may also occur in cases of broken server certificate chains. CVSSv3 score of 8.4
More info.

A remote attacker can exploit a vulnerability in OpenSSL by triggering an application to create an ASN1_STRING and process it with an affected OpenSSL function to access restricted information or cause a denial-of-service (DoS). This impacts all F5 products using OpenSSL. Highest CVSSv3 score of 6.5
More info.

Oracle Linux has updated the kernel. More info.