Supporting‑stack vulnerabilities rise

Multiple infrastructure fixes landed over the last 48 hours: CISA added a second critical, exploited Ivanti EPMM flaw to its catalog, Slackware pushed a libpng update for a medium‑severity use‑after‑free, and Debian released PostgreSQL patches for several memory‑disclosure and code‑execution issues. Those patches highlight that attackers are often targeting build, telemetry and device‑management tooling rather than app source code. (yahoo.com) (linuxcompatible.org 1) (linuxcompatible.org 2)

The weak spots getting patched this week were not flashy consumer apps. They were the plumbing: mobile device management, image libraries, and database engines that sit underneath thousands of other systems. (cisa.gov) (debian.org) (linuxcompatible.org)

One of those plumbing tools is Ivanti Endpoint Manager Mobile, a product companies use to enroll phones, push settings, and wipe lost devices. On April 8, 2026, the Cybersecurity and Infrastructure Security Agency added Ivanti flaw CVE-2026-1340 to its Known Exploited Vulnerabilities catalog, which is the federal government’s list of bugs already being used in real attacks. (cisa.gov 1) (cisa.gov 2) Ivanti said CVE-2026-1340 and CVE-2026-1281 are both critical code-injection bugs, both can lead to unauthenticated remote code execution, and both were exploited against a “very limited number” of customers at disclosure. In plain English, that means an attacker may not need a password to make the server run their commands. (ivanti.com) That kind of software is a high-value target because it already has keys to the building. A mobile device management server can talk to employee phones, enforce policy, and often connects to identity and corporate network systems, so one compromised admin box can become a bridge into everything around it. (ivanti.com) (cisa.gov)

A second patch came from Slackware, one of the oldest Linux distributions still maintained. On April 9, 2026, Slackware shipped libpng 1.6.57 packages for version 15.0 and the current branch to fix a medium-severity use-after-free issue. (linuxsecurity.com) (linuxcompatible.org) Libpng is the code many programs rely on to read and write Portable Network Graphics image files. A use-after-free bug is like a program throwing away a note, then later trusting the same scrap of paper as if nothing changed, which can expose heap data or corrupt processing. (linuxcompatible.org) (cvefeed.io)

Debian’s PostgreSQL update is the same pattern in a different layer. Debian’s long-term support notice for postgresql-13 says CVE-2026-2006 lets a database user send crafted queries that trigger a buffer overrun and execute arbitrary code as the operating-system user running the database. (lists.debian.org) Debian also summarized a cluster of PostgreSQL flaws as CVE-2026-2003 through CVE-2026-2006, with impacts ranging from memory disclosure to arbitrary code execution. For stable Debian 13 “trixie,” the fixed package version is 17.8-0+deb13u1, and for oldstable Debian 12 “bookworm,” Debian previously pointed users to 15.16-0+deb12u1. (debian.org) (linuxcompatible.org 1) (linuxcompatible.org 2)

Put those three updates together and the pattern is hard to miss. Attackers keep aiming at support-stack software that handles devices, parses files, or runs shared data stores, because one bug in those layers can ripple into every app that depends on them. (cisa.gov) (ivanti.com) (debian.org) That changes what “patch your systems” means in 2026. It no longer starts with the app your customers see; it starts with the quiet servers that manage phones, decode images, and answer database queries behind the scenes. (cisa.gov) (linuxcompatible.org) (lists.debian.org)
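As an added defender's check, not part of the original brief, the following Python implements Debian's package version ordering so an administrator can confirm that an installed postgresql package has reached the fixed versions quoted above. Only the suite-to-version table comes from the Debian notice; the function names and the comparison code are this example's own.

```python
# Debian version ordering per deb-version(7), used to check whether an installed
# postgresql package is at or past the fixed version quoted in the Debian notice.
FIXED_POSTGRESQL = {"trixie": "17.8-0+deb13u1", "bookworm": "15.16-0+deb12u1"}

def _weight(c):
    # '~' sorts before everything, even end of string (weight 0);
    # letters sort before non-letters.
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        wa = _weight(a[i]) if i < len(a) else 0
        wb = _weight(b[i]) if i < len(b) else 0
        if wa != wb:
            return wa - wb
    return 0

def _cmp_fragment(a, b):
    # Alternate: non-digit prefix compared lexically, digit prefix numerically.
    while a or b:
        i = next((k for k, c in enumerate(a) if c.isdigit()), len(a))
        j = next((k for k, c in enumerate(b) if c.isdigit()), len(b))
        r = _cmp_nondigit(a[:i], b[:j])
        if r:
            return r
        a, b = a[i:], b[j:]
        i = next((k for k, c in enumerate(a) if not c.isdigit()), len(a))
        j = next((k for k, c in enumerate(b) if not c.isdigit()), len(b))
        na, nb = int(a[:i] or "0"), int(b[:j] or "0")
        if na != nb:
            return na - nb
        a, b = a[i:], b[j:]
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; a missing epoch or revision behaves like "0".
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "0")

def compare_versions(a, b):
    # Negative if a < b, zero if equal, positive if a > b.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_patched(suite, installed):
    # True when the installed version is at or past the fixed one for that suite.
    return compare_versions(installed, FIXED_POSTGRESQL[suite]) >= 0
```

Feed it the version string reported by `dpkg-query -W postgresql-17` (or `postgresql-15` on bookworm); a pre-release such as `17.8~rc1-1` correctly ranks below the fix because of the tilde rule.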


Shared from Scout - Be the smartest in the room.