(TLP CLEAR) Weekly Vulnerabilities to Prioritize – March 26, 2026
Created: Thursday, March 26, 2026 - 14:48
Categories: Cybersecurity, Security Preparedness
The vulnerabilities below have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation. WaterISAC draws additional awareness in alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to regularly review these vulnerabilities, many of which are often included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
Citrix NetScaler Insufficient Input Validation Leading to Memory Overread
CVSS v4.0: 9.3
CVE: CVE-2026-3055
Description: Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread.
Source: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300
Citrix NetScaler Race Condition Leading to User Session Mixup
CVSS v4.0: 7.7
CVE: CVE-2026-4368
Description: Race condition in NetScaler ADC and NetScaler Gateway when the appliance is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, leading to user session mixup.
Source: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300
Aqua Security Trivy Embedded Malicious Code Vulnerability
CVSS v4.0: 9.4
CVE: CVE-2026-33634
Description: This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a still-valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. CISA has added this vulnerability to its KEV catalog.
Source: https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23
Langflow Code Injection Vulnerability
CVSS v4.0: 9.3
CVE: CVE-2026-33017
Description: Langflow versions prior to 1.9.0 contain an unauthenticated endpoint that allows attackers to submit malicious flow data containing arbitrary Python code, which is executed without sandboxing. This results in unauthenticated remote code execution and has been patched in version 1.9.0. CISA has added this vulnerability to its KEV catalog.
Source: https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
Multiple Apple Product Vulnerabilities, including Buffer Overflow
CVSS: N/A
CVEs: CVE-2025-31277, CVE-2025-43510, CVE-2025-43520
Description: Multiple Apple vulnerabilities, now patched, involved memory corruption issues that could be triggered by malicious web content or applications. These flaws may allow unexpected memory changes, system crashes, or kernel memory access. Apple addressed the issues through improved memory handling and lock state validation across affected operating systems. CISA has added these vulnerabilities to its KEV catalog.
Original Source: https://support.apple.com/en-us/100100
