UIT /uit Mon, 11 May 2026 18:37:00 +0000 en-CA hourly 1 https://wordpress.org/?v=6.9.4
Microsoft 365 License Change for Offboarded Staff /uit/2026/05/microsoft-365-license-change-for-offboarded-staff-2/ Mon, 11 May 2026 17:44:17 +0000 /uit/?p=40008


Service Advisory

Important Notice: Microsoft 365 Licence Change for Staff No Longer Employed at 91亚色.

As part of 91亚色's ongoing commitment to responsible resource management, UIT will be downgrading the Microsoft 365 licensing for staff who are no longer employed at 91亚色.

Overview:

All offboarded and inactive Staff accounts with A3 licences will be converted to A1 licences starting May 11, 2026.

  • Accounts will be downgraded to the free A1 licence type.
  • No impact is expected, as the affected users are no longer active employees.
  • Managers who have been granted access to departed staff will retain their existing access, ensuring continued oversight and data management.

Learn More:

Detailed information about the differences between A1 and A3 licenses can be found on the UIT website: /uit/faculty-and-staff-services/microsoft-365-for-faculty-and-staff/#license

Thank you for your understanding as we optimize our Microsoft 365 environment.

Contact
IT Client Services at askIT@yorku.ca or 416 736 5800

PRIVACY POLICY | VISIT WWW.YORKU.CA
This email was sent by: 91亚色, 4700 Keele Street, Toronto, Ontario M3J 1P3

This email is viewed best in Microsoft Outlook for web

Apache HTTP Server Vulnerability (CVE-2026-23918) /uit/2026/05/apache-http-server-vulnerability-cve-2026-23918/ Fri, 08 May 2026 20:30:24 +0000 /uit/?p=39988

Information Security Advisory

Apache has released a security update to address a vulnerability (CVE-2026-23918) in Apache HTTP Server that may result in denial-of-service and potential remote code execution under specific configurations.

Severity level:
CVSS Score: 8.8/High.

Description:
CVE-2026-23918 is a double-free vulnerability in the mod_http2 module of Apache HTTP Server that occurs during HTTP/2 stream handling. A specially crafted sequence of HTTP/2 frames can cause improper memory deallocation, leading to worker process crashes. In certain deployments, particularly those using the Apache Portable Runtime (APR) with the mmap allocator, this flaw may be leveraged to achieve remote code execution in addition to denial-of-service.

Affected Versions:
Apache HTTP Server version 2.4.66 with mod_http2 enabled.

Impact:

Successful exploitation may crash httpd worker processes (denial of service) and, in the configurations described above, allow attackers to execute arbitrary code remotely on vulnerable systems.

Resolution:
Please upgrade to Apache HTTP Server 2.4.67 or later.
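The affected condition above is a conjunction: the exact version 2.4.66 and mod_http2 actually loaded. A host check therefore needs both facts. The script below is an added example, not code from UIT or the Apache project: it parses the output of `httpd -v` and `httpd -M` (or the `apachectl`/`apache2ctl` equivalents) and classifies the host against the advisory. The command outputs used in the usage section are constructed samples.

```python
import re
import shutil
import subprocess

# Per the advisory: 2.4.66 with mod_http2 enabled is affected; 2.4.67 carries the fix.
AFFECTED = (2, 4, 66)
FIXED = (2, 4, 67)


def parse_httpd_version(httpd_v_output: str):
    """Extract (major, minor, patch) from `httpd -v` output such as
    'Server version: Apache/2.4.66 (Unix)'. Returns None if no version is found."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    return tuple(int(x) for x in m.groups()) if m else None


def http2_module_loaded(httpd_M_output: str) -> bool:
    """`httpd -M` prints one loaded module per line, e.g. ' http2_module (shared)'.
    Only a loaded mod_http2 matters; a mod_http2.so sitting on disk does not."""
    return any(line.split()[:1] == ["http2_module"] for line in httpd_M_output.splitlines())


def assess(httpd_v_output: str, httpd_M_output: str) -> str:
    """Classify the host against the advisory's affected condition."""
    ver = parse_httpd_version(httpd_v_output)
    if ver is None:
        return "unknown: could not parse httpd version"
    if ver >= FIXED:
        return "fixed: 2.4.67 or later"
    if ver == AFFECTED and http2_module_loaded(httpd_M_output):
        return "affected: 2.4.66 with mod_http2 loaded, upgrade to 2.4.67"
    if ver == AFFECTED:
        return "affected version, but mod_http2 is not loaded"
    return "version not covered by this advisory"


def run_local() -> str:
    """Run the two commands on this host. The binary name differs by distribution
    (httpd on RHEL-family systems, apache2ctl on Debian/Ubuntu)."""
    for binary in ("httpd", "apachectl", "apache2ctl"):
        if shutil.which(binary):
            v = subprocess.run([binary, "-v"], capture_output=True, text=True).stdout
            mods = subprocess.run([binary, "-M"], capture_output=True, text=True).stdout
            return assess(v, mods)
    return "unknown: no httpd/apachectl binary on PATH"


if __name__ == "__main__":
    print(run_local())
```

Two caveats. The version string alone is a weak signal on distributions that backport fixes without changing `Apache/2.4.66`; check the package changelog for the CVE number there. And `-M` has to read the server configuration, so run it as a user that can. A host where `http2_module` is not loaded falls outside the affected condition as the advisory states it; conversely, where it is loaded and the upgrade cannot happen immediately, not loading mod_http2 until 2.4.67 is installed removes the affected code path, at the cost of HTTP/2 service.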

Reference:

Information Security
Linux Kernel Local Privilege Escalation (CVE-2026-31431) /uit/2026/05/linux-kernel-local-privilege-escalation-cve-2026-31431/ Fri, 08 May 2026 15:45:07 +0000 /uit/?p=39979

Information Security Advisory

A recently disclosed vulnerability (CVE-2026-31431), commonly referred to as "Copy Fail", affects the Linux kernel and may allow a local, unprivileged attacker to escalate privileges and gain full root access on affected systems.

Severity level:
CVSS Score: 7.8/High.

Description:
CVE-2026-31431 is a local privilege escalation vulnerability caused by a logic flaw in the Linux kernel's cryptographic subsystem, specifically the algif_aead module within the AF_ALG interface. Due to improper handling of in-place cryptographic operations, an unprivileged local user can perform a controlled write to the kernel's page cache of readable files. The attack vector is local (AV:L) and requires low privileges with no user interaction.

Affected Versions:
Linux Kernel: all kernel versions released from August 2017 up to the availability of vendor patches.

Impacted Linux Distributions:
  • Ubuntu (all supported releases prior to patched kernels)
  • Debian
  • Red Hat Enterprise Linux (RHEL)
  • Amazon Linux
  • SUSE Linux Enterprise
  • Fedora, Arch Linux, AlmaLinux, Rocky Linux, Oracle Linux

Impact:
Successful exploitation may allow attackers to escalate from an unprivileged local user to full root access.

Resolution:
Please update the Linux kernel to the fixed version released by the distribution vendor.

Mitigations:
Where immediate patching is not possible:
  • Disable or restrict access to the AF_ALG interface.
  • Prevent loading of the vulnerable algif_aead module where supported.
  • Limit local shell access and enforce least-privilege controls.
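The first two mitigations can be checked and applied from user space. The script below is an added example, not UIT's or a distribution's tooling: it reads /proc/modules and modules.builtin to decide whether algif_aead is loaded, absent, or compiled into the kernel (in which case modprobe rules cannot block it), emits the modprobe.d rules that stop it from being auto-loaded, and probes whether an unprivileged process can still bind an AF_ALG aead socket. The /proc/modules and modules.builtin excerpts in the test are constructed, and the modprobe.d file name is an assumption of the example.

```python
import errno
import os
import re
import socket

MODULE = "algif_aead"
# modules.builtin lists compiled-in modules as paths like kernel/crypto/algif_aead.ko
BUILTIN_RE = re.compile(rf"(^|/){MODULE}\.ko(\.\w+)?$")


def algif_aead_loaded(proc_modules_text: str) -> bool:
    """True if algif_aead appears in /proc/modules ('name size refcount ...' per line)."""
    return any(line.split()[:1] == [MODULE] for line in proc_modules_text.splitlines())


def algif_aead_builtin(modules_builtin_text: str) -> bool:
    """True if algif_aead is compiled into the kernel. A built-in module cannot be
    blocked with modprobe rules; only a kernel update removes the code path."""
    return any(BUILTIN_RE.search(line.strip()) for line in modules_builtin_text.splitlines())


def modprobe_block_rules() -> str:
    """Contents for /etc/modprobe.d/disable-algif-aead.conf (file name assumed).
    'install ... /bin/false' makes auto-loading fail, which matters because an
    unprivileged AF_ALG bind can trigger it; 'blacklist' alone only stops
    alias-based loading, so both lines are used."""
    return f"install {MODULE} /bin/false\nblacklist {MODULE}\n"


def af_alg_aead_reachable() -> str:
    """Probe whether this (unprivileged) process can reach the aead AF_ALG type.
    Creating and binding the socket performs no cryptographic operation."""
    af_alg = getattr(socket, "AF_ALG", None)
    if af_alg is None:
        return "af_alg-unavailable"          # not Linux, or Python built without AF_ALG
    try:
        s = socket.socket(af_alg, socket.SOCK_SEQPACKET, 0)
    except OSError as e:
        return "af_alg-unavailable" if e.errno == errno.EAFNOSUPPORT else "restricted"
    try:
        s.bind(("aead", "gcm(aes)"))         # triggers module auto-load unless blocked
    except OSError as e:
        return "aead-blocked" if e.errno == errno.ENOENT else "restricted"
    finally:
        s.close()
    return "reachable"


def triage(proc_modules_text: str, modules_builtin_text: str) -> str:
    """Decide which of the advisory's mitigations applies on this host."""
    if algif_aead_builtin(modules_builtin_text):
        return "built-in: modprobe rules will not help; update the kernel"
    if algif_aead_loaded(proc_modules_text):
        return "loaded: rmmod algif_aead, then install the modprobe rules"
    return "not loaded: install the modprobe rules to keep it that way"


if __name__ == "__main__":
    with open("/proc/modules") as f:
        proc_modules = f.read()
    builtin_path = f"/lib/modules/{os.uname().release}/modules.builtin"
    try:
        with open(builtin_path) as f:
            modules_builtin = f.read()
    except FileNotFoundError:
        modules_builtin = ""
    print(triage(proc_modules, modules_builtin))
    print("AF_ALG aead probe:", af_alg_aead_reachable())
    print("modprobe.d rules:\n" + modprobe_block_rules(), end="")
```

Run the rmmod step as root; rmmod fails while the module is in use (refcount above zero in /proc/modules). Check first whether anything on the host legitimately uses AF_ALG aead (libkcapi-based tooling does), since blocking the module breaks it. None of this replaces the kernel update; it narrows exposure until the update lands.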

Reference:

Information Security
cPanel Authentication Bypass Vulnerability (CVE-2026-41940) /uit/2026/05/cpanel-authentication-bypass-vulnerability-cve-2026-41940/ Fri, 01 May 2026 16:55:47 +0000 /uit/?p=39963

Information Security Advisory


A critical security vulnerability (CVE-2026-41940) has been identified in cPanel, Web Host Manager (WHM) and WP Squared. It may allow unauthenticated attackers to completely compromise affected systems through an authentication bypass in the login process.

Severity level:
CVSS Score: 9.8/Critical.

Description:
CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel, WHM, and WP Squared caused by improper session handling during the login process. Unsanitized user-controlled input can be injected into pre-authentication session files, allowing an unauthenticated attacker to escalate privileges. Successful exploitation results in full administrative or root-level access to the affected server.

Affected Versions:
cPanel & WHM: all versions after 11.40.
WP Squared: all versions prior to 11.136.1.7.

Impact:
Successful exploitation may allow attackers to bypass authentication without valid credentials and gain full admin access to cPanel/WHM.

Resolution:
Administrators must upgrade immediately to the patched version for the release branch in use, or later:

cPanel & WHM patched versions:
11.86.0.41
11.110.0.97
11.118.0.63
11.126.0.54
11.130.0.19
11.132.0.29
11.134.0.20
11.136.0.5

WP Squared patched version:
11.136.1.7

Reference:

Information Security
GitHub RCE Vulnerability (CVE-2026-3854) /uit/2026/04/github-rce-vulnerability-cve-2026-3854/ Wed, 29 Apr 2026 20:39:29 +0000 /uit/?p=39933

Information Security Advisory


A recently disclosed vulnerability (CVE-2026-3854) affects GitHub.com and GitHub Enterprise Server and may allow an authenticated attacker with push access to a repository to achieve remote code execution (RCE) on GitHub infrastructure.

Severity level:
CVSS Score: 8.8/High

Description:
CVE-2026-3854 is a severe vulnerability caused by improper sanitization of user-supplied git push options within GitHub's internal Git processing pipeline. During a git push operation, certain user-controlled push option values were incorporated into internal service metadata headers without sufficient validation. As a result, specially crafted push options could break the expected metadata format and introduce attacker-controlled fields that were trusted by downstream services.

An authenticated attacker with push access to a repository could exploit this flaw by submitting a single malicious git push request. By chaining injected values, the attacker could bypass sandboxing mechanisms used to constrain server-side Git hook execution and ultimately execute arbitrary commands on backend systems.

Affected Versions:
GitHub.com

GitHub Enterprise Server (GHES) versions prior to:
3.14.25
3.15.20
3.16.16
3.17.13
3.18.8
3.19.4
3.20.0

Impact:
Successful exploitation may allow an attacker to execute arbitrary commands on GitHub backend systems.

Resolution:
GitHub Enterprise Server administrators must upgrade immediately to the patched release for the branch in use, or later:
3.14.25
3.15.20
3.16.16
3.17.13
3.18.8
3.19.4
3.20.0

After upgrading:

  • Rebuild and redeploy affected GitHub Enterprise Server instances.
  • Rotate internal secrets and credentials stored on GHES.
  • Review audit logs for suspicious git push activity prior to patching.
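Both the cPanel/WHM advisory (CVE-2026-41940) above and this GHES advisory ship the fix per release branch, so "one of the following versions or later" has to be read within a branch: cPanel 11.118.0.63 is patched, 11.118.0.60 is not, and an 11.110.x host needs 11.110.0.97, not 11.118.0.63. The script below is an added example, not cPanel's or GitHub's code, that encodes that comparison for both products and the single WP Squared threshold. Two decisions are assumptions of the example rather than statements from the advisories: a version newer than the newest listed fix is treated as patched, and a branch with no listed fix is treated as vulnerable. Where the version string is read from (`/usr/local/cpanel/version` on a cPanel host, the Management Console on a GHES appliance) is likewise an assumption.

```python
from typing import Sequence

# Patched builds from the cPanel/WHM advisory (CVE-2026-41940), one per release branch.
CPANEL_WHM_PATCHED = ["11.86.0.41", "11.110.0.97", "11.118.0.63", "11.126.0.54",
                      "11.130.0.19", "11.132.0.29", "11.134.0.20", "11.136.0.5"]
WP_SQUARED_PATCHED = "11.136.1.7"
# Patched releases from the GitHub Enterprise Server advisory (CVE-2026-3854).
GHES_PATCHED = ["3.14.25", "3.15.20", "3.16.16", "3.17.13", "3.18.8", "3.19.4", "3.20.0"]


def parse_version(v: str) -> tuple:
    """'11.110.0.97' -> (11, 110, 0, 97). Surrounding whitespace and a trailing dot are tolerated."""
    return tuple(int(p) for p in v.strip().strip(".").split("."))


def fmt(ver: tuple) -> str:
    return ".".join(str(p) for p in ver)


def status_by_branch(version: str, patched: Sequence[str], branch_len: int) -> tuple:
    """Return (is_patched, reason). A branch is the first `branch_len` components
    (11.110 for cPanel, 3.17 for GHES) and each branch has its own fixed build.
    Assumption of this example: newer than the newest listed fix counts as patched;
    a branch with no listed fix is unsupported and counts as vulnerable."""
    ver = parse_version(version)
    fixes = {parse_version(p)[:branch_len]: parse_version(p) for p in patched}
    fix = fixes.get(ver[:branch_len])
    if fix is None:
        newest = max(fixes.values())
        if ver > newest:
            return True, f"newer than newest listed fix {fmt(newest)}"
        return False, "branch has no patched build listed; unsupported, treat as vulnerable"
    if ver >= fix:
        return True, f"at or above fixed build {fmt(fix)}"
    return False, f"below fixed build {fmt(fix)}"


def cpanel_whm_status(version: str) -> tuple:
    return status_by_branch(version, CPANEL_WHM_PATCHED, branch_len=2)


def ghes_status(version: str) -> tuple:
    return status_by_branch(version, GHES_PATCHED, branch_len=2)


def wp_squared_status(version: str) -> tuple:
    """WP Squared has a single fixed build; the advisory says all earlier versions are affected."""
    ok = parse_version(version) >= parse_version(WP_SQUARED_PATCHED)
    return ok, f"{'at or above' if ok else 'below'} fixed build {WP_SQUARED_PATCHED}"


if __name__ == "__main__":
    # Sample versions only; on a real host read /usr/local/cpanel/version (assumed
    # location) or the GHES version from the Management Console and pass it in.
    for label, check, v in [("cPanel/WHM", cpanel_whm_status, "11.110.0.96"),
                            ("GHES", ghes_status, "3.17.12"),
                            ("WP Squared", wp_squared_status, "11.136.1.7")]:
        ok, why = check(v)
        print(f"{label} {v}: {'patched' if ok else 'VULNERABLE'} ({why})")
```

A version check only answers the upgrade question. Both advisories also call for work after the upgrade (for GHES, the list above: rotate secrets, review audit logs for suspicious git push activity), because a vulnerable build may already have been exploited before it was patched.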


Reference:

Information Security
ASP.NET Core Privilege Escalation Vulnerability (CVE-2026-40372) /uit/2026/04/asp-net-core-privilege-escalation-vulnerability-cve-2026-40372/ Thu, 23 Apr 2026 16:44:11 +0000 /uit/?p=39901

Information Security Advisory


A recently disclosed vulnerability (CVE-2026-40372) affects Windows-based applications that use the Microsoft.AspNetCore.DataProtection package and may allow unauthenticated remote attackers to escalate privileges.

Severity level:
CVSS Score: 9.1/Critical.

Description:
CVE-2026-40372 is a critical vulnerability that arises from improper control of file names or file paths in the Microsoft.AspNetCore.DataProtection package as used by Windows-based applications. The affected component processes user-supplied file path inputs without adequately validating or restricting them. Because of this insufficient validation, an unauthenticated remote attacker can supply specially crafted path inputs to manipulate underlying file system operations. This may allow file access or modification outside the intended directory scope, ultimately enabling the attacker to perform actions with elevated privileges.

Affected Versions:
Microsoft.AspNetCore.DataProtection package versions 10.0.0 through 10.0.6.

Impact:
Successful exploitation may allow an attacker to escalate privileges on the affected system.

Resolution:

  • Upgrade the affected package to Microsoft.AspNetCore.DataProtection version 10.0.7.
  • Rebuild and redeploy affected applications.
  • Rotate Data Protection keys and invalidate existing sessions/tokens to remove forged credentials.

Mitigations:

  • Restrict external/network access to affected applications.
  • Identify applications with direct or transitive dependencies on vulnerable Data Protection packages.
  • Monitor application and authentication logs for anomalous behaviour.
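The second mitigation, identifying applications with direct or transitive dependencies on the affected package, can be done from build output when the source is not at hand. The script below is an added example, not Microsoft's or UIT's tooling: it reads the `libraries` section of a `.deps.json` or `project.assets.json` file (both list every resolved package, direct and transitive, keyed `Name/Version`) and reports entries for Microsoft.AspNetCore.DataProtection in the 10.0.0 to 10.0.6 range. The JSON document in the test is constructed.

```python
import json
from pathlib import Path
from typing import Iterator

PACKAGE = "Microsoft.AspNetCore.DataProtection"
AFFECTED_MIN, AFFECTED_MAX = (10, 0, 0), (10, 0, 6)   # fixed in 10.0.7


def parse_version(v: str) -> tuple:
    """NuGet versions may carry prerelease or build metadata (10.0.6-rc.1+abc);
    only the numeric core is compared."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def affected_entries(deps_json_text: str) -> list:
    """Return [(name, version)] for every affected package entry in a .deps.json or
    project.assets.json document. 'type' is 'package' for NuGet packages and
    'project' for project references, which are not what the advisory is about."""
    doc = json.loads(deps_json_text)
    hits = []
    for key, meta in doc.get("libraries", {}).items():
        name, _, version = key.partition("/")
        if name.lower() != PACKAGE.lower() or meta.get("type") != "package":
            continue
        if AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX:
            hits.append((name, version))
    return hits


def scan_tree(root: str) -> Iterator[tuple]:
    """Walk publish/bin/obj directories and yield (file, name, version) for each hit."""
    for path in Path(root).rglob("*"):
        if path.name.endswith(".deps.json") or path.name == "project.assets.json":
            try:
                for name, version in affected_entries(path.read_text(encoding="utf-8")):
                    yield (str(path), name, version)
            except (OSError, ValueError):
                continue   # unreadable, not JSON, or odd version string: skip, do not abort


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for file, name, version in scan_tree(root):
        print(f"{file}: {name} {version} is affected; upgrade to 10.0.7 and rotate keys")
```

Where the source and SDK are available, `dotnet list package --vulnerable --include-transitive` is the first thing to run; this scan is for deployed output and build artifacts where only the manifests remain. An application that gets Data Protection from the Microsoft.AspNetCore.App shared framework rather than a package reference shows no entry here, and for those the installed runtime version is what needs checking. Finding the package is only the first step of the Resolution above: key rotation and session invalidation still have to follow the upgrade.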


Reference:

Information Security
Adobe Acrobat Security Vulnerability (CVE-2026-34621) /uit/2026/04/adobe-acrobat-security-vulnerability-cve-2026-34621/ Wed, 15 Apr 2026 21:42:42 +0000 /uit/?p=39860

Information Security Advisory


A recently disclosed high-severity vulnerability in Adobe Acrobat and Acrobat Reader (CVE-2026-34621) allows attackers to execute arbitrary code on affected systems by tricking users into opening a specially crafted PDF file.

Severity level:

CVSS Score: 8.6/High

Description:
Adobe Acrobat and Acrobat Reader contain an improperly controlled modification of object prototype attributes (Prototype Pollution) vulnerability. The flaw exists in the handling of JavaScript objects within PDF documents. In vulnerable versions, opening a maliciously crafted PDF allows an attacker to manipulate JavaScript object prototypes and invoke privileged APIs. This can result in arbitrary code execution in the context of the current user.

Affected Versions:
Acrobat DC: 26.001.21367 and earlier.
Acrobat Reader DC: 26.001.21367 and earlier.
Acrobat 2024: 24.001.30356 and earlier.
Platforms: Windows and macOS.

Impact:
Successful exploitation may result in arbitrary code execution on the affected system.

Resolution:
Adobe strongly recommends immediately upgrading to the latest patched versions:

Acrobat DC / Acrobat Reader DC: 26.001.21411 or later.
Acrobat 2024: Windows: 24.001.30362 or later and macOS: 24.001.30360 or later.

Reference:

Information Security
Ninja Forms WordPress Plugin Vulnerability (CVE-2026-0740) /uit/2026/04/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740-2/ Wed, 08 Apr 2026 16:07:06 +0000 /uit/?p=39846

Information Security Advisory


A recently disclosed critical vulnerability in the Ninja Forms - File Uploads plugin for WordPress (CVE-2026-0740) allows unauthenticated remote attackers to upload arbitrary files, potentially leading to remote code execution and full site compromise.

Severity level:
CVSS Score: 9.8/Critical

Description:
The Ninja Forms - File Uploads plugin for WordPress fails to properly validate uploaded file types in the NF_FU_AJAX_Controllers_Uploads::handle_upload function. In vulnerable versions, this flaw allows unauthenticated attackers to upload arbitrary files, including malicious PHP scripts. Due to insufficient filename sanitization, attackers may also leverage path traversal techniques to place files in sensitive directories, such as the web root. Successful exploitation can result in remote code execution, web shell deployment, and complete takeover of the affected WordPress site.

Affected Versions:

All versions up to and including 3.3.26.

Impact:
Successful exploitation may result in remote code execution on the server.

Resolution:
Upgrade immediately to Ninja Forms - File Uploads plugin version 3.3.27 or later.
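Two checks follow from the description above: whether an affected version of the add-on is installed, and whether the upload directory has already been used to drop executable files. The script below is an added example, not Ninja Forms' or UIT's code: it reads the WordPress plugin header (`Plugin Name:` / `Version:`) from each plugin's main file and flags the File Uploads add-on at 3.3.26 or earlier, and it lists files under wp-content/uploads with extensions a web server would execute. Matching is on the header name rather than a folder name because the advisory does not give the plugin's directory slug; the header text and file paths in the test are constructed.

```python
import re
from pathlib import Path
from typing import Iterable

FIXED = (3, 3, 27)   # first fixed release per the advisory
HEADER_FIELD = re.compile(r"^[\s*#]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)
EXECUTABLE_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}


def parse_plugin_header(php_text: str) -> dict:
    """Read 'Plugin Name:' and 'Version:' from a WordPress plugin's main file.
    WordPress itself only reads the first 8 KiB for header fields, so do the same."""
    return {k: v for k, v in HEADER_FIELD.findall(php_text[:8192])}


def parse_version(v: str) -> tuple:
    """'3.3.26' -> (3, 3, 26); a missing or unparsable version becomes (0,), i.e. affected."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3]) or (0,)


def is_affected_ninja_uploads(header: dict) -> bool:
    """True for the Ninja Forms - File Uploads add-on at 3.3.26 or earlier."""
    name = header.get("Plugin Name", "").lower()
    if "ninja forms" not in name or "upload" not in name:
        return False
    return parse_version(header.get("Version", "0")) < FIXED


def scan_plugins(plugins_dir: str) -> list:
    """Check the top-level PHP files of every plugin folder under wp-content/plugins."""
    hits = []
    for php in Path(plugins_dir).glob("*/*.php"):
        try:
            header = parse_plugin_header(php.read_text(encoding="utf-8", errors="replace"))
        except OSError:
            continue
        if is_affected_ninja_uploads(header):
            hits.append((str(php), header.get("Version", "?")))
    return hits


def suspicious_upload_files(paths: Iterable[str]) -> list:
    """Files under wp-content/uploads that a web server would execute. Legitimate
    uploads never need these, so any hit is a web-shell indicator to examine."""
    return sorted(p for p in paths if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES)


if __name__ == "__main__":
    import sys
    wp_root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, version in scan_plugins(str(wp_root / "wp-content" / "plugins")):
        print(f"AFFECTED: {path} version {version}; upgrade to 3.3.27 or later")
    uploads = wp_root / "wp-content" / "uploads"
    if uploads.is_dir():
        for p in suspicious_upload_files(str(q) for q in uploads.rglob("*") if q.is_file()):
            print(f"REVIEW: executable file under uploads: {p}")
```

A clean uploads directory is not proof of a clean site: the description says filename handling allows traversal out of the upload directory, so also compare the web root, wp-content/plugins and wp-content/themes against a known-good file list or package checksums, and look for an added .htaccess in uploads that re-enables PHP execution there. Any hit is incident response, not just a patching task.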

Reference:

Information Security