Supply-Chain

🟠 High | Source: Microsoft Security Response Center CVE-2026-42506 is a vulnerability in the golang.org/x/net/html package where namespaced elements in foreign content (such as SVG or MathML within HTML) are handled incorrectly, potentially allowing malformed input to bypass parsing expectations. This could be exploited to conduct cross-site scripting (XSS) or HTML injection attacks in applications that rely on this Go library for HTML parsing or sanitisation. It is particularly relevant to Azure-hosted Go applications and services that process user-supplied HTML content. ...

🟠 High | Source: Microsoft Security Response Center CVE-2026-25681 is a vulnerability in the Go standard library package golang.org/x/net/html, where character references within DOCTYPE nodes are handled incorrectly. This can lead to unexpected parsing behaviour that may be exploited to bypass security controls or cause application-level issues in services built with Go. It is relevant to Azure and any cloud-hosted workload using this widely adopted Go HTML parsing library. Architect’s Take: Audit your Azure-hosted Go applications and container images for dependencies on golang.org/x/net/html and update to the patched version as soon as it is available. Pay particular attention to services that parse untrusted HTML input, as these carry the highest exploitation risk. ...

🟠 High | Source: Microsoft Security Response Center A memory leak vulnerability in the Go standard library’s SSH package (golang.org/x/crypto/ssh) can be triggered when SSH channels are rejected, potentially allowing an attacker to exhaust server memory and cause a Denial of Service. This affects any service or application built with the affected Go crypto library, including Azure-hosted workloads. Because SSH is a foundational protocol for remote access and automation, the blast radius across cloud infrastructure can be significant. ...

🟠 High | Source: Microsoft Security Response Center CVE-2026-39835 is a vulnerability in the Go standard cryptography library (golang.org/x/crypto/ssh) that allows a remote attacker to trigger a server panic — effectively crashing the SSH server — during the host key check or authentication phase. This is a denial-of-service risk affecting any service or application built with this Go SSH package, including components deployed on Azure. It matters because a crash during authentication can be exploited without valid credentials, making it trivially weaponisable. ...

🟠 High | Source: Microsoft Security Response Center CVE-2026-25680 is a denial-of-service vulnerability in the golang.org/x/net/html package, which is widely used by Go applications to parse HTML. An attacker can trigger the flaw by supplying specially crafted HTML input, causing the parser to consume excessive resources and crash or become unresponsive. Any Azure-hosted or Azure-integrated Go application that processes untrusted HTML content may be at risk. Architect’s Take: Audit your Go-based workloads and container images for dependencies on golang.org/x/net and update to the patched version immediately; pay particular attention to internet-facing services that accept user-supplied or third-party HTML input, as these are the most directly exposed. ...

🟠 High | Source: Microsoft Security Response Center CVE-2026-42502 is a vulnerability in the golang.org/x/net/html package affecting how HTML elements in foreign content (such as SVG or MathML) are handled. Incorrect parsing behaviour could potentially be exploited to bypass security controls or cause unintended application behaviour in Go-based services. This is relevant to Azure workloads and any cloud-hosted applications built with Go that rely on this HTML parsing library. Architect’s Take: Audit your Azure-hosted Go applications and container images for dependencies on golang.org/x/net/html and update to the patched version immediately. Pay particular attention to services that parse or render user-supplied HTML, as these carry the highest risk of exploitation. ...

🟠 High | Source: Microsoft Security Response Center CVE-2026-39828 is a vulnerability in the golang.org/x/crypto/ssh package that allows an attacker to bypass certificate-based restrictions in SSH connections. This could permit unauthorised access to systems that rely on SSH certificate validation as a security control. Services and applications built on Go that use this library for SSH communication — including Azure-hosted workloads — may be affected. Architect’s Take: Audit any Go-based services deployed in your Azure environment that use golang.org/x/crypto/ssh for SSH connectivity, and update to the patched version of the library as soon as it is available. Pay particular attention to internal tooling, CI/CD pipelines, and infrastructure automation that may authenticate via SSH certificates. ...

🟠 High | Source: Microsoft Security Response Center CVE-2026-41140 is a path traversal vulnerability in Poetry, a Python dependency management tool, affecting Python versions 3.10.0–3.10.12 and 3.11.0–3.11.4. The flaw occurs during tar archive extraction, potentially allowing a malicious package to write files outside the intended directory. This could lead to arbitrary file overwrite or code execution on systems that process untrusted Python packages. Architect’s Take: Audit any Azure-hosted pipelines or build environments using Poetry with the affected Python versions and upgrade to patched releases immediately. Pay particular attention to CI/CD systems that install dependencies from external or untrusted sources, as these represent the highest-risk attack surface. ...

🟢 Low | Source: Microsoft Security Response Center CVE-2025-1149 is a memory leak vulnerability in the GNU Binutils linker tool (ld), specifically within the xstrdup function in xmalloc.c. While memory leaks can cause service instability or denial of service, this issue has been flagged by Microsoft in the context of Azure, suggesting relevance to workloads or toolchains running on Azure infrastructure. The practical security impact is generally low unless an attacker can trigger repeated allocations to exhaust memory resources. ...

🟠 High | Source: The Hacker News A one-click attack targeting GitHub.dev, the browser-based VS Code environment, allows an attacker to steal a victim’s GitHub OAuth token simply by having them click a crafted link. The stolen token grants full read and write access to both public and private repositories. This is particularly dangerous because it requires no malware installation and exploits a legitimate GitHub feature. Architect’s Take: Audit OAuth token scopes granted to GitHub.dev within your organisation and consider enforcing fine-grained personal access tokens with minimal repository permissions instead of broad OAuth tokens. Ensure developer awareness training covers the risk of clicking unsolicited GitHub.dev links, and review whether your GitHub organisation policies can restrict OAuth app access. ...