██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

OpenProject SQL Injection Flaw Earns Critical 9.1 Rating

Today's cybersecurity digest — CVEs, headline news, and something nerdy. March 19, 2026

cybr.cx Daily Digest – March 19, 2026

Critical Vulnerabilities

CVE-2026-32698 – OpenProject (CVSS 9.1 CRITICAL)
SQL injection in OpenProject's custom field handling allows attackers to inject arbitrary SQL commands when custom fields are used in Cost Reports. If you're running OpenProject for project management, an attacker with the ability to create or modify custom fields can fully compromise your database. Patch immediately to versions 16.6.9, 17.0.6, 17.1.3, or 17.2.1.

CVE-2025-71260 – BMC FootPrints ITSM (CVSS 8.8 HIGH)
Deserialization vulnerability in the ASP.NET VIEWSTATE handling gives authenticated attackers a straight path to remote code execution. If you're running BMC FootPrints versions 20.20.02 through 20.24.01.001, any authenticated user can craft a malicious serialized payload and fully compromise the application. Apply the vendor hotfixes immediately.

CVE-2026-32728 – Parse Server (CVSS 7.6 HIGH)
Attackers can bypass Parse Server's file extension blocklist by appending MIME parameters to the Content-Type header, enabling upload of active content like HTML or SVG files. This affects anyone allowing file uploads through Parse Server. Upgrade to 9.6.0-alpha.15 or 8.6.41. Note: Three additional Parse Server DoS/prototype pollution CVEs (CVE-2026-32878, CVE-2026-32886, CVE-2026-32944) dropped this week—bundle your patching.

CVE-2026-28461 – OpenClaw (CVSS 7.5 HIGH)
Unbounded memory growth in the Zalo webhook endpoint allows unauthenticated attackers to exhaust server memory via varied query strings. Classic resource exhaustion DoS. Upgrade to 2026.3.1.

Headline News

CISA Warns Organizations After Stryker Breach Exposes Microsoft Intune Risks
CISA has issued guidance urging U.S. organizations to review and harden their Microsoft Intune configurations following a significant breach at medical device manufacturer Stryker. The incident, which generated substantial discussion on r/cybersecurity (494 upvotes), reportedly stemmed from misconfigured Intune policies that gave attackers a foothold into enterprise device management. For practitioners, this is a wake-up call: Intune's power as an MDM platform makes it a high-value target, and default configurations often aren't sufficient. Review conditional access policies, enrollment restrictions, and compliance policies—particularly around device trust and certificate handling.

GlassWorm Malware Spreads Across 400+ Code Repositories Using Invisible Characters
The GlassWorm campaign has metastasized, now infecting over 413 repositories across npm, VSCode Marketplace, OpenVSX, and GitHub. The malware uses invisible Unicode characters to hide malicious payloads in seemingly clean code—a technique that evades casual review and many automated scanners. Originally Windows-only, GlassWorm pivoted to macOS targeting in January. If your CI/CD pulls from public repositories, this is your reminder to pin dependencies, verify checksums, and consider tooling that detects obfuscated or anomalous character usage in source files.
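
The kind of check the last sentence recommends, as an added example that is not part of the digest or any GlassWorm analysis: a small scanner that flags invisible and bidirectional-control code points in source text and reports where they sit. The set of ranges it checks and the sample input are my own assumptions, not details taken from the digest.

```python
# Added example, not from the cybr.cx digest. The ranges below are an
# assumption of mine about which code points are worth flagging.
import unicodedata
from typing import List, Tuple

# Code points that render as nothing (or as ordinary whitespace) yet survive
# copy/paste and code review; each entry is (first, last), inclusive.
SUSPICIOUS_RANGES = [
    (0x200B, 0x200F),    # zero-width space/non-joiner/joiner, LRM, RLM
    (0x202A, 0x202E),    # bidi embedding/override controls (Trojan Source)
    (0x2060, 0x2064),    # word joiner and the invisible math operators
    (0x2066, 0x2069),    # bidi isolate controls
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # zero-width no-break space (a BOM mid-file)
    (0xE0000, 0xE007F),  # Unicode "tag" characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
]

def is_suspicious(cp: int) -> bool:
    return any(lo <= cp <= hi for lo, hi in SUSPICIOUS_RANGES)

def scan_source(text: str) -> List[Tuple[int, int, str, str]]:
    """Return (line, column, U+XXXX, name) for every flagged code point.
    Lines and columns are 1-based; columns count code points, not bytes."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if is_suspicious(cp):
                name = unicodedata.name(ch, "<unassigned or unnamed>")
                findings.append((lineno, col, f"U+{cp:04X}", name))
    return findings

# Constructed sample: reads as ordinary JavaScript, but line 2 carries a
# zero-width space inside an identifier (two look-alike variables) and
# line 4 hides three tag characters after a comment. Nothing here is real.
SAMPLE = (
    "const config = loadConfig();\n"
    "const conf\u200Big = {};\n"
    "module.exports = config;\n"
    "// done\U000E0041\U000E0042\U000E0043\n"
)

if __name__ == "__main__":
    for lineno, col, cp, name in scan_source(SAMPLE):
        print(f"line {lineno} col {col}: {cp} {name}")
```

Run it over a checkout before merging or publishing; a clean tree returns an empty list, and any hit is worth a look even when the file otherwise passes lint.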

Crime Stoppers Breach Exposes Millions of "Anonymous" Tips
Hacktivists have leaked a database containing millions of tips submitted to Crime Stoppers, a service explicitly marketed as anonymous. The breach, confirmed by Cybernews, potentially exposes informants who reported on criminal activity under the assumption of confidentiality. This is a worst-case scenario for whistleblower infrastructure—the chilling effect on future reporting could be significant. For security teams managing similar sensitive tip lines or anonymous reporting systems: audit your data retention policies, encryption at rest, and access controls. Anonymity promises require anonymity architecture.

Nerdy Corner

Astral, the team behind the beloved Python tooling suite including Ruff (the "fast enough to run on save" linter), is joining OpenAI. The announcement hit 1,041 points on Hacker News, sparking the predictable mix of congratulations and mild existential dread about what happens when your favorite open-source project gets acqui-hired. On the bright side, maybe GPT-5 will finally stop suggesting import * in code completions. We can dream.