Critical Patches & Exploits

- Multiple high-severity infrastructure issues emerged this week, prompting urgent patches and active exploitation reports.
- A critical Nginx UI authentication-bypass flaw is being exploited, and Microsoft released .NET 10.0.7 to fix CVE-2026-40372.
- Teams are being forced to prioritise patch cadence, dependency hygiene, and token-validation fixes as attackers target UI and auth surfaces. (prsol.cc) (ntcompatible.com)

A bug in the software that protects sign-ins and secrets pushed Microsoft to ship .NET 10.0.7 on April 21, while a separate Nginx UI flaw is already being exploited. (devblogs.microsoft.com) In Microsoft’s case, the affected component is Microsoft.AspNetCore.DataProtection, a package many ASP.NET Core apps use to seal cookies, session data, and other sensitive payloads. Microsoft said versions 10.0.0 through 10.0.6 could let an attacker forge authentication cookies and decrypt some protected data. (github.com) Microsoft tied the bug to CVE-2026-40372 and gave it a CVSS severity score of 9.1. The company said administrators should move to version 10.0.7 “as soon as possible,” then rebuild and redeploy apps and updated container images. (github.com) (devblogs.microsoft.com)

The flaw is more than a bad login check. Microsoft said forged requests made during the vulnerable window could have triggered the app to mint valid tokens such as refreshed sessions, application programming interface keys, or password-reset links, and those tokens can remain valid after patching unless the Data Protection key ring is rotated. (github.com)

The Nginx UI issue sits on the same fault line: web interfaces that control infrastructure. Nginx UI is a browser-based control panel for Nginx servers, and National Vulnerability Database records show two critical 2026 bugs in that product expose backup and management functions to attackers. (nvd.nist.gov 1) (nvd.nist.gov 2) One of them, CVE-2026-27944, affects versions before 2.3.3. GitHub’s advisory says the `/api/backup` endpoint could be reached without authentication and leaked the decryption key in an HTTP header, letting an outsider pull a full backup with user credentials, session tokens, Secure Sockets Layer private keys, and Nginx configuration files. (github.com) The other, CVE-2026-33032, affects Nginx UI 2.3.5 and earlier. The National Vulnerability Database says the `/mcp_message` endpoint applied only Internet Protocol whitelisting, and the default whitelist behavior effectively allowed any network attacker to call management tools that can restart Nginx, edit config files, and reload services. (nvd.nist.gov)

That leaves defenders with two different jobs this week. On .NET, the work is package hygiene and token cleanup; on Nginx UI, the work is upgrading past 2.3.3 for the backup bug and locking down or isolating management endpoints exposed to the network, since the newer MCP issue has no fix listed in its National Vulnerability Database entry. (devblogs.microsoft.com) (nvd.nist.gov 1) (nvd.nist.gov 2)

The common thread is the same piece of plumbing: the code that decides who gets in and what they can touch. When those checks fail on admin panels or token systems, a routine April update turns into an incident response sprint. (github.com) (nvd.nist.gov)
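The key-ring rotation the briefing says is needed after patching, as an added C# example (not code from the briefing or from Microsoft's guidance): it mints a fresh Data Protection key and revokes every older one so cookies and tokens sealed before the update stop validating. It assumes the app persists its keys to a shared directory, and the directory path is a placeholder.

```csharp
// Added example: rotate the ASP.NET Core Data Protection key ring after
// moving to .NET 10.0.7. Every key in the ring except the new one is revoked,
// so anything protected with the old keys (auth cookies, session state,
// password-reset links) fails to unprotect from this point on.
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddDataProtection()
    // Placeholder path: must be the same repository every app instance uses,
    // otherwise the revocation never reaches the other instances.
    .PersistKeysToFileSystem(new DirectoryInfo("/path/to/shared/keyring"));
using var provider = services.BuildServiceProvider();

var keyManager = provider.GetRequiredService<IKeyManager>();

// 1. Create the replacement key first and make it active immediately, so
//    new protect calls never fall back to a key that is about to be revoked.
var now = DateTimeOffset.UtcNow;
var fresh = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));

// 2. Revoke every other key by id (rather than RevokeAllKeys with a cutoff
//    timestamp) so the fresh key cannot be caught by a same-instant cutoff.
var revoked = 0;
foreach (var key in keyManager.GetAllKeys())
{
    if (key.KeyId != fresh.KeyId && !key.IsRevoked)
    {
        keyManager.RevokeKey(key.KeyId, reason: "CVE-2026-40372 remediation");
        revoked++;
    }
}

Console.WriteLine($"Revoked {revoked} pre-patch key(s); new key {fresh.KeyId} is active.");
```

Because the old keys are revoked rather than merely expired, every signed-in user is logged out and any outstanding reset links stop working, which is the intended effect here; run it once per shared key repository, not once per instance.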
