Anonymous Intelligence Signal

Daily CVE Report: Zero New Flaws, Yet Two CRITICAL 10-Score Vulnerabilities Loom in Bouncy Castle & OpenRemote

human | The Lab | unverified | 2026-04-16 20:22:58 | Source: GitHub Issues

The daily vulnerability scan reports zero newly published CVEs, yet the immediate threat landscape is dominated by two existing, critical-rated vulnerabilities carrying maximum or near-maximum severity scores. The contrast illustrates the persistent danger of known but unpatched flaws in widely used libraries and platforms: one puts cryptographic private keys at risk, the other exposes IoT infrastructure to remote code execution.

The most severe is CVE-2026-5598, a CVSS 10.0-rated covert timing channel vulnerability in the Legion of the Bouncy Castle Inc.'s BC-JAVA core. The flaw, present in all core modules, is a set of non-constant-time comparisons in the post-quantum FrodoKEM implementation that risk leaking the private key. A comparison that exits at the first mismatching byte takes time proportional to the length of the matching prefix, so an attacker who can submit chosen inputs and time the responses can turn that difference into information about the secret; the defensive requirement is that the time taken depends only on the length of the inputs, never on their contents. Simultaneously, CVE-2026-39842, scored 9.9, exposes a critical expression injection vulnerability in the rules engine of the OpenRemote open-source IoT platform, affecting versions 1.21.0 and below. Because rule expressions are evaluated on the server, an attacker who can inject into one gains arbitrary code execution there; operators should confirm they are running a release newer than 1.21.0 and treat anyone who can author or modify rules as holding server-level privilege until they have.
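The following added example (written for this page, not code from Bouncy Castle or from the CVE) models the class of flaw described above. It replaces wall-clock timing with a deterministic count of byte comparisons so the leak is reproducible, recovers a constructed secret byte by byte through an early-exit comparison, and shows that the same attack yields nothing against a comparison whose work does not depend on the data. The secret value, the `Observations` counter and the recovery loop are assumptions for illustration; the actual FrodoKEM key-recovery path is more involved and is not reproduced here.

```python
from typing import Callable, Optional

# Constructed secret the server compares against; 4 bytes keeps the demo fast.
SECRET_TAG = bytes.fromhex("4f3a9c1e")


class Observations:
    """Counts byte comparisons. Stands in for the attacker's stopwatch so the
    example is deterministic instead of depending on noisy wall-clock timing."""

    def __init__(self) -> None:
        self.work = 0


def leaky_equal(a: bytes, b: bytes, obs: Observations) -> bool:
    """Vulnerable pattern: returns at the first mismatching byte, so the number
    of iterations (and the time taken) reveals how long the matching prefix is."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        obs.work += 1
        if x != y:
            return False
    return True


def constant_time_equal(a: bytes, b: bytes, obs: Observations) -> bool:
    """Hardened pattern: accumulate all differences with XOR/OR and decide only
    at the end, so the work depends on the length, never on the contents."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        obs.work += 1
        diff |= x ^ y
    return diff == 0


Comparator = Callable[[bytes, bytes, Observations], bool]


def recover_via_oracle(compare: Comparator, secret: bytes) -> Optional[bytes]:
    """Byte-at-a-time recovery. For each position try all 256 values and keep
    the guess whose comparison did the most work (longest matching prefix); the
    accept/reject result breaks the tie on the final byte, where every guess
    performs the same number of comparisons."""
    known = bytearray()
    for pos in range(len(secret)):
        best_guess, best_key = 0, (-1, False)
        for guess in range(256):
            candidate = bytes(known) + bytes([guess]) + bytes(len(secret) - pos - 1)
            obs = Observations()
            accepted = compare(secret, candidate, obs)
            key = (obs.work, accepted)
            if key > best_key:
                best_guess, best_key = guess, key
        known.append(best_guess)
    recovered = bytes(known)
    # Only report success if the recovered value is actually accepted.
    return recovered if compare(secret, recovered, Observations()) else None


if __name__ == "__main__":
    print("leaky compare leaks:", recover_via_oracle(leaky_equal, SECRET_TAG))
    print("constant-time compare leaks:", recover_via_oracle(constant_time_equal, SECRET_TAG))
```

Against `leaky_equal` the loop recovers the full secret with at most 256 queries per byte; against `constant_time_equal` every wrong guess costs the same work, so the oracle degenerates to brute force over the whole value and the function returns `None`. In real Python code the standard-library `hmac.compare_digest` provides the constant-time comparison; the hand-written version is shown only so the counter can be instrumented.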

These vulnerabilities are acute pressure points for organizations that rely on Bouncy Castle for cryptographic operations and for those deploying OpenRemote for IoT management. The absence of new CVEs does not equate to safety; it shifts scrutiny to the urgent remediation of the already-published, high-impact flaws. Private key leakage in a core cryptographic library and remote code execution in an IoT platform show the operational and security cost of delayed patching cycles, even on a 'quiet' day for new disclosures.
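To make the expression-injection class concrete, the following added example (written for this page; it is not OpenRemote's rules engine, which is not shown here) evaluates a rule such as `temperature > 30 and humidity < 60` against constructed attribute values two ways. The unsafe evaluator hands the rule text to the language runtime and will happily execute anything the runtime can reach; the hardened evaluator parses the rule into an AST and accepts only names, numeric constants, arithmetic, comparisons and boolean operators, rejecting calls, attribute access and subscripts outright. The attribute set, the rule strings and the `RuleError` type are assumptions for illustration; the "malicious" rule only reads the process ID so the demo stays harmless while still proving that code ran.

```python
import ast
import operator

# Constructed sample of attribute values a rule might reference.
ATTRIBUTES = {"temperature": 31.5, "humidity": 40, "occupied": True}

# A rule that should evaluate to a boolean, and one that smuggles in code.
BENIGN_RULE = "temperature > 30 and humidity < 60"
MALICIOUS_RULE = "__import__('os').getpid() > 0"

_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_CMP_OPS = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}


class RuleError(ValueError):
    """Raised for any rule the safe evaluator refuses to run."""


def evaluate_rule_unsafe(expr: str, attrs: dict) -> bool:
    """Vulnerable pattern: the rule text is executed by the runtime itself.
    With an empty globals dict Python still supplies builtins, so __import__
    and everything behind it are reachable from the rule."""
    return bool(eval(expr, {}, dict(attrs)))


def _eval_node(node: ast.AST, attrs: dict):
    """Whitelist interpreter over the AST; anything not listed is rejected."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, attrs)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value  # bool is a subclass of int, so True/False pass too
    if isinstance(node, ast.Name):
        if node.id not in attrs:
            raise RuleError(f"unknown attribute {node.id!r}")
        return attrs[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left, attrs),
                                       _eval_node(node.right, attrs))
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP_OPS:
        return _CMP_OPS[type(node.ops[0])](_eval_node(node.left, attrs),
                                           _eval_node(node.comparators[0], attrs))
    if isinstance(node, ast.BoolOp):
        values = [_eval_node(v, attrs) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval_node(node.operand, attrs)
    # Call, Attribute, Subscript, Lambda, comprehensions, strings, ... all land here.
    raise RuleError(f"disallowed syntax: {type(node).__name__}")


def evaluate_rule_safe(expr: str, attrs: dict) -> bool:
    """Hardened pattern: parse, then interpret only the whitelisted node types."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise RuleError(f"invalid rule: {exc}") from None
    return bool(_eval_node(tree, attrs))


def rule_is_rejected(expr: str, attrs: dict) -> bool:
    """True if the safe evaluator refuses the rule rather than running it."""
    try:
        evaluate_rule_safe(expr, attrs)
    except RuleError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe, benign rule:   ", evaluate_rule_unsafe(BENIGN_RULE, ATTRIBUTES))
    print("unsafe, malicious rule:", evaluate_rule_unsafe(MALICIOUS_RULE, ATTRIBUTES))
    print("safe, benign rule:     ", evaluate_rule_safe(BENIGN_RULE, ATTRIBUTES))
    print("safe, malicious rule rejected:", rule_is_rejected(MALICIOUS_RULE, ATTRIBUTES))
```

The point of the AST walk is that the allowed grammar is enumerated, so a new attack technique against the runtime cannot widen what a rule can do; blacklisting names such as `__import__` would not give that property. Whatever the real engine's expression language is, the same design question applies: does a rule author get an interpreter over a closed grammar, or the host language's evaluator with some names removed?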