Patch Tuesday: March 2026 (Expel’s version)

This Patch Tuesday briefing covers 79 new CVEs (three critical), calls out three high-priority fixes — an SQL Server elevation-of-privilege (CVE-2026-21262), a .NET denial-of-service (CVE-2026-26127), and a zero-click Excel information disclosure that can cause Microsoft Copilot to leak data (CVE-2026-26144) — and documents active exploitation of the abandoned Kaswara WPBakery Page Builder plugin (CVE-2021-24284) being used to deploy XMRig cryptomining software; recommended actions include applying updates, removing unsupported plugins, and auditing upload directories for malicious PHP files.