Add these Microsoft updates to your standard developer update release schedule.
Adobe (and third-party updates)
I keep promising that this section needs to be retired (and it should), but Microsoft released a large third-party sweep through Azure Linux 3.0 and CBL Mariner 2.0 this month: 191 open-source CVEs spanning the Linux kernel, the Go runtime, Apache httpd, PHP, CoreDNS, valkey, Ruby, gnutls, Apache Thrift across its Node.js, Rust, and Java implementations, plus vim, postfix, expat, nmap, Prometheus, KEDA, and PgBouncer. That is lots for anyone.
Along with all this, Microsoft issued a patch (CVE-2026-41103) for its own SSO Plugin for Jira and Confluence. This vulnerability allows an attacker to forge a Microsoft Entra ID identity via a crafted SAML response; patching requires updating the plugin inside Atlassian quite than on a Microsoft platform. In other words, the Microsoft attack surface now extends to other vendors’ application stacks, with patching responsibilities split across vendors.