1. CVE-2026-32285: Denial of service in github.com/buger/jsonparser
- CVSSv3.1: 7.5 (High)
- Deep Security/SWP: Based on the analysis of the vulnerability by the TrendAI development team, it has been confirmed that SWP/Deep Security Agent is not affected or impacted by this vulnerability as it does not use the Delete function in jsonparser.
- As part of a regular component updates, the jsonparser component in the product will be upgraded as part of the Deep Security 20.0.3-14910 (June 2026) scheduled release.
2. CVE-2026-32287: Go: Infinite loop in github.com/antchfx/xpath
- CVSSv3.1: 7.5 (High)
- Deep Security/SWP: Based on the analysis of the vulnerability by the TrendAI development team, it has been confirmed that SWP/Deep Security Agent is not affected or impacted by this vulnerability.
- Endpoint Sensor: one of the components used by the sensor (wmdtool.exe) is affected by this vulnerability and will be updated with its associated repo in July 2026.
3. CVE-2026-40021: Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbidden characters
- CVSSv3.1: 5.3 (Medium)
- Endpoint Basecamp: Based on the analysis of the vulnerability by the TrendAI development team, it has been confirmed that Endpoint Basecamp is not affected or impacted by this vulnerability due to an attack not being able to reach the code path needed to exploit the vulnerability.
4. CVE-2026-3805: curl use after free in SMB connection reuse
- CVSSv3.1: 7.5 (High)
- Deep Security/SWP: Based on the analysis of the vulnerability by the TrendAI development team, it has been confirmed that SWP/Deep Security Agent is not affected or impacted by this vulnerability due to not using the curl SMB protocol.
5. CVE-2026-39825: Go library: ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
- CVSSv3.1: 5.3 (Medium)
- Endpoint Basecamp: Based on the analysis of the vulnerability by the TrendAI development team, it has been confirmed that Endpoint Basecamp (tmxbc) was affected by this vulnerability, but has been resolved in the June 2026 updated tmxbc (version 1.2.0.1865).
6. CVE-2026-33811: Go Project: Crash when handling long CNAME response in net
- CVSSv3.1: 7.5 (High)
- Endpoint Basecamp: Based on the analysis of the vulnerability by the TrendAI development team, it has been confirmed that Endpoint Basecamp (tmxbc) is not affected by this vulnerability, but the version of the Go Library has been updated in the June 2026 updated tmxbc (version 1.2.0.1865).
7. CVE-2026-33814: Go Project: Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/
- CVSSv3.1: 7.5 (High)
- Endpoint Basecamp: Based on the analysis of the vulnerability by the TrendAI development team, it has been confirmed that Endpoint Basecamp (tmxbc) is not affected by this vulnerability, but the version of the Go Library has been updated in the June 2026 updated tmxbc (version 1.2.0.1865).
8. CVE-2026-39820: Go Project: Quadratic string concatentation in consumeComment in net/mail
- CVSSv3.1: 7.5 (High)
- Endpoint Basecamp: Based on the analysis of the vulnerability by the TrendAI development team, it has been confirmed that Endpoint Basecamp (tmxbc) is not affected by this vulnerability, but the version of the Go Library has been updated in the June 2026 updated tmxbc (version 1.2.0.1865).
9. CVE-2026-39836: Go Project: Panic in Dial and LookupPort when handling NUL byte on Windows in net
- CVSSv3.1: 7.5 (High)
- Endpoint Basecamp: Based on the analysis of the vulnerability by the TrendAI development team, it has been confirmed that Endpoint Basecamp (tmxbc) is not affected by this vulnerability, but the version of the Go Library has been updated in the June 2026 updated tmxbc (version 1.2.0.1865).
10. CVE-2026-42499: Go Project: Quadratic string concatenation in consumePhrase in net/mail
- CVSSv3.1: 7.5 (High)
- Endpoint Basecamp: Based on the analysis of the vulnerability by the TrendAI development team, it has been confirmed that Endpoint Basecamp (tmxbc) is not affected by this vulnerability, but the version of the Go Library has been updated in the June 2026 updated tmxbc (version 1.2.0.1865).
11. CVE-2026-5545: curl: wrong reuse of HTTP Negotiate connection
- CVSSv3.1: 6.5 (Medium)
- Deep Security/SWP: Based on the analysis of the vulnerability by the TrendAI development team, it has been confirmed that SWP/Deep Security Agent is not affected or impacted by this vulnerability as it does not use HTTP Negotiate in the application.
