DAILY BRIEF · APRIL 27, 2026

Five CVEs today. All scored 9.8. None exploited in the wild yet, but public exploits already exist for the Totolink router bugs, and the two Apache MINA deserialization bypasses are the kind of thing that gets weaponized fast. If you run MINA with IoBuffer.getObject() in your stack, that's your priority.

TOP THREAT TODAY

An attacker can inject OS commands remotely through the UPnP configuration handler on Totolink A8000RU routers running firmware 7.1cu.643_b20200521. No authentication is needed, and a public exploit already exists. CVSS 9.8, so this is full remote takeover of the device.
Who's affected: Anyone running a Totolink A8000RU with firmware 7.1cu.643_b20200521

Patch immediately.
Update the A8000RU firmware to the latest available version from Totolink. If no patch exists yet, pull the device off the public internet and block remote access to the CGI interface.

CVE-2026-7121
CVSS 9.8
CRITICAL

Same router, different function. The wizard configuration handler on the Totolink A8000RU also accepts unsanitized input, letting a remote attacker inject arbitrary OS commands. A public exploit is available. CVSS 9.8.
Affects: Anyone running a Totolink A8000RU with firmware 7.1cu.643_b20200521

Patch immediately.
Apply the latest Totolink firmware. If none is available, isolate the router from the internet and disable remote management until a fix ships.

CVE-2026-22337
CVSS 9.8
CRITICAL

The Directorist Social Login plugin for WordPress has a privilege escalation bug that lets an attacker promote themselves to a higher role, potentially full admin. No special access is required. CVSS 9.8.
Affects: WordPress site owners running the Directorist Social Login plugin before version 2.1.4

Patch immediately.
Update the Directorist Social Login plugin to version 2.1.4 or later through the WordPress dashboard right now.

CVE-2026-41409
CVSS 9.8
CRITICAL

The earlier fix for CVE-2024-52046 in Apache MINA was incomplete. The classname allowlist that's supposed to block dangerous deserialization kicks in too late: a malicious class's static initializer can run before the filter ever checks it. If your app calls IoBuffer.getObject(), a remote attacker can execute arbitrary code. CVSS 9.8.
Affects: Java developers and teams running applications that use Apache MINA 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, or 2.2.0 through 2.2.5, specifically if the app calls IoBuffer.getObject()

Patch immediately.
Upgrade Apache MINA to 2.0.28, 2.1.11, or 2.2.6 depending on your branch.

CVE-2026-41635
CVSS 9.8
CRITICAL

Another deserialization bypass in Apache MINA. The resolveClass() method has a code path for static classes and primitives that skips the allowlist entirely, letting an attacker sneak arbitrary classes past the filter and get remote code execution. This is a separate bypass from CVE-2026-41409, fixed in the same release. CVSS 9.8.
Affects: Java developers and teams running applications that use Apache MINA 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, or 2.2.0 through 2.2.5, specifically if the app calls IoBuffer.getObject()

Patch immediately.
Upgrade Apache MINA to 2.0.28, 2.1.11, or 2.2.6 depending on your branch. This single upgrade covers both CVE-2026-41409 and this bug.
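Both MINA bugs come down to how a resolveClass() override is written: the ordering problem in CVE-2026-41409 (class loaded, and its static initializer run, before the allowlist is consulted) and the skipped-check path for primitives in CVE-2026-41635. The following is an added illustration, not Apache MINA's code, and the class and allowlist names are hypothetical: the name read from the stream is checked first, Class.forName is only called afterwards with initialize=false, and primitive arrays are recognised inside that same check rather than through a path that bypasses it.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

// Hypothetical allowlisting stream added for illustration; NOT Apache MINA's code.
// ObjectInputStream calls resolveClass() before its own ObjectInputFilter runs, so
// the override itself must decide on the class NAME first and load only afterwards.
public final class CheckedObjectInputStream extends ObjectInputStream {

    // JVM type codes that appear inside array descriptors such as "[I" or "[[D".
    private static final Set<String> PRIMITIVE_CODES =
            Set.of("Z", "B", "C", "S", "I", "J", "F", "D");
    private final Set<String> allowed;   // fully qualified names, e.g. "com.example.Msg"

    public CheckedObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = Set.copyOf(allowed);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Strip array brackets so the allowlist is applied to the component type;
        // a primitive array ("[I") has no user class behind it and needs no entry.
        String component = name.replaceFirst("^\\[+", "");
        boolean primitiveArray = name.startsWith("[") && PRIMITIVE_CODES.contains(component);
        if (!primitiveArray) {
            if (component.startsWith("L") && component.endsWith(";")) {
                component = component.substring(1, component.length() - 1);
            }
            if (!allowed.contains(component)) {
                // Rejected before any class loading: a hostile static initializer never runs.
                throw new InvalidClassException(name, "not in deserialization allowlist");
            }
        }
        // initialize=false: resolving an allowed class does not run its <clinit> either.
        return Class.forName(name, false, getClass().getClassLoader());
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        // Dynamic proxies are a second way to name arbitrary interfaces; refuse them outright.
        throw new InvalidClassException("java.lang.reflect.Proxy", "proxies are not allowed");
    }
}
```

Wire it in wherever an application would otherwise deserialize untrusted bytes, and keep the allowlist to the handful of message classes the protocol actually needs.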

That's your patch day digest.

patchdayalert.com