Vulnerabilities Patched in CrowdStrike, Tenable Products

Summary

CrowdStrike disclosed CVE-2026-40050, a critical unauthenticated path traversal vulnerability in LogScale that allows remote attackers to read arbitrary files, with no evidence of active exploitation. Tenable published advisories for CVE-2026-33694, a high-severity vulnerability in Nessus on Windows that could enable arbitrary file deletion and code execution via junctions with System privileges.

Full text

CrowdStrike and Tenable informed customers this week about potentially serious vulnerabilities found and patched in their products. CrowdStrike published an advisory for CVE-2026-40050, a critical unauthenticated path traversal vulnerability affecting its LogScale product. The flaw can allow a remote attacker to read arbitrary files from the server filesystem. The cybersecurity giant pointed out that Next-Gen SIEM customers are not affected and the vulnerability has been mitigated for LogScale SaaS customers. LogScale Self-hosted customers have been advised to update to a patched version. CrowdStrike said the vulnerability was discovered internally and there is no evidence of exploitation in the wild based on a review of log data. Tenable published two new advisories on Thursday. They describe the same high-severity vulnerability found in the company’s Nessus vulnerability scanner, specifically on Windows.Advertisement. Scroll to continue reading. The vulnerability is tracked as CVE-2026-33694 and an attacker could exploit it via junctions to delete arbitrary files with System privileges. Exploitation could also lead to arbitrary code execution with elevated privileges. Tenable published separate advisories for Nessus and Nessus Agent. Related: Claude’s New AI Vulnerability Scanner Sends Cybersecurity Shares Plunging Related: CISA: Hackers Exploiting Vulnerability in Product of Taiwan Security Firm TeamT5 Related: Trend Micro Patches Critical Apex One Vulnerabilities Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs After Bluesky, Mastodon Targeted in DDoS AttackClaude Mythos Finds 271 Firefox VulnerabilitiesGoogle Antigravity in Crosshairs of Security Researchers, CybercriminalsThird US Security Expert Admits Helping Ransomware GangUnsecured Perforce Servers Expose Sensitive Data From Major OrgsData Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to HackingBluesky Disrupted by Sophisticated DDoS Attack Latest News Bitwarden NPM Package Hit in Supply Chain AttackCopperhelm Raises $7 Million for Agentic Cloud Security PlatformCloudsmith Raises $72 Million in Series C FundingChinese Cybersecurity Firm’s AI Hacking Claims Draw Comparisons to Claude MythosRilian Raises $17.5 Million for AI-Native Security OrchestrationThe Behavioral Shift: Why Trusted Relationships Are the Newest Attack SurfaceLuxury Cosmetics Giant Rituals Discloses Data BreachAI Can Autonomously Hack Cloud Systems With Minimal Oversight: Researchers Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveAnti-ransomware platform Halcyon has named Kirstjen Nielsen and Chris Inglis as Strategic Advisors.ThreatModeler has appointed Kevin Gallagher as Chief Executive Officer.Thomas Bain has been appointed Chief Marketing Officer at Silent Push.More People On The MoveExpert Insights Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-40050
• cve — CVE-2026-33694

Entities