Read more at:
Add these Microsoft updates to your standard developer update release schedule.
Adobe (and third-party updates)
I keep promising that this section should be retired (and it should), but Microsoft released a sizable third-party sweep through Azure Linux 3.0 and CBL Mariner 2.0 this month: 191 open-source CVEs spanning the Linux kernel, the Go runtime, Apache httpd, PHP, CoreDNS, valkey, Ruby, gnutls, Apache Thrift across its Node.js, Rust, and Java implementations, plus vim, postfix, expat, nmap, Prometheus, KEDA, and PgBouncer. This is a lot for anyone.
In addition to all this, Microsoft issued a patch (CVE-2026-41103) for its own SSO Plugin for Jira and Confluence. This vulnerability allows an attacker to forge a Microsoft Entra ID identity via a crafted SAML response; patching requires updating the plugin within Atlassian rather than on a Microsoft platform. In other words, the Microsoft attack surface now extends to other vendors’ application stacks, with patching responsibilities split across vendors.
