PatchDayAlert: 2026-04-22
DAILY BRIEF · APRIL 22, 2026

Five critical bugs today, none exploited in the wild yet, but a CVSS 10 in AVideo's WebSocket plugin deserves your attention first. An unauthenticated attacker can hijack every connected browser session, including admins, with zero interaction required. Firefox also has a 9.8 DOM security bypass that could compromise browsers just by visiting a malicious page, so push that update to your fleet now.

TOP THREAT TODAY

CVE-2026-40911 CVSS 10.0 CRITICAL

An unauthenticated attacker can send a crafted WebSocket message to AVideo's YPTSocket plugin, and the server will relay it straight to every connected browser. Two eval() calls on the client side execute the attacker's JavaScript in the context of every viewer, including admins. That means instant session theft, account takeover, and full control of the platform with zero interaction required from victims.

Who's affected: Anyone self-hosting AVideo (WWBN) version 29.0 or earlier with the YPTSocket plugin enabled

Patch immediately. Apply commit c08694bf6264eb4decceb78c711baee2609b4efd or pull the latest main branch. If you can't patch right now, disable the YPTSocket plugin until you can.

CVE-2026-40933 CVSS 9.9 CRITICAL

Flowise's "Custom MCP" feature lets any authenticated user add a stdio-based MCP server with an arbitrary command. The input sanitization checks are easy to bypass: you can pass something like 'npx -c touch /tmp/pwn' through the allow-listed 'npx' command. That gives you OS-level command execution on the Flowise host. You need a valid login, but any user role can pull it off.

Affects: Anyone running Flowise versions before 3.1.0, especially instances exposed to the internet or shared with untrusted users

Patch immediately. Upgrade Flowise to 3.1.0 or later. Until you do, restrict who can access the MCP configuration UI and audit existing MCP stdio entries for suspicious commands.

CVE-2026-40906 CVSS 9.9 CRITICAL

The order_by parameter in ElectricSQL's /v1/shape API doesn't sanitize input, so any authenticated user can inject SQL through crafted ORDER BY expressions. This isn't read-only: an attacker can read, write, and delete everything in your PostgreSQL database. If your Electric instance is reachable by untrusted users, your entire database is exposed.

Affects: Anyone running ElectricSQL (Electric) versions 1.1.12 through 1.4.x with the /v1/shape API exposed

Patch immediately. Upgrade Electric to 1.5.0 or later. Review your PostgreSQL logs for unusual ORDER BY patterns that might indicate prior exploitation.
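The fix class for an unsanitized order_by parameter is to stop concatenating caller input into the query and instead rebuild the ORDER BY clause from parsed, allow-listed parts. The following is an added illustration, not Electric's own code (Electric is written in Elixir; this is a stand-alone Python sketch of the pattern), and the column allow-list is a constructed placeholder for what a real server would derive from the shape's table schema.

```python
import re

# Constructed allow-list for a hypothetical "users" shape; a real server
# would take this from the table's actual column names.
ALLOWED_COLUMNS = {"id", "created_at", "email"}

# One sort term: a bare identifier, an optional direction, an optional NULLS
# placement, and nothing else. Subqueries, operators, ';' and '--' all fail.
_TERM = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]*)"        # column identifier only
    r"(?:\s+(ASC|DESC))?"                  # optional direction keyword
    r"(?:\s+NULLS\s+(FIRST|LAST))?\s*$",   # optional NULLS FIRST/LAST
    re.IGNORECASE,
)


def build_order_by_unsafe(order_by: str) -> str:
    """The vulnerable shape of the bug: raw caller input goes straight into SQL."""
    return f"ORDER BY {order_by}"


def build_order_by(order_by: str, allowed=ALLOWED_COLUMNS) -> str:
    """Hardened builder: every term must parse, the column must be allow-listed,
    and the clause is re-emitted from the parsed pieces, never from the input."""
    parts = []
    for raw in order_by.split(","):
        m = _TERM.match(raw)
        if not m:
            raise ValueError(f"malformed order_by term: {raw!r}")
        col, direction, nulls = m.groups()
        if col not in allowed:
            raise ValueError(f"column not allowed: {col!r}")
        term = f'"{col}"'                      # quoted identifier, fixed form
        if direction:
            term += " " + direction.upper()
        if nulls:
            term += " NULLS " + nulls.upper()
        parts.append(term)
    return "ORDER BY " + ", ".join(parts)


def is_safe_order_by(order_by: str, allowed=ALLOWED_COLUMNS) -> bool:
    """True when the parameter would be accepted by the hardened builder."""
    try:
        build_order_by(order_by, allowed)
        return True
    except ValueError:
        return False
```

The same approach applies to any clause that must accept caller-chosen identifiers: parse into a closed grammar, look the names up in a schema-derived set, and generate the SQL yourself.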

CVE-2026-6235 CVSS 9.8 CRITICAL

The Sendmachine for WordPress plugin doesn't check whether the caller is actually authorized when handling admin requests. An unauthenticated attacker can overwrite your SMTP configuration, rerouting all outbound email through a server they control. That includes password reset emails, which means full site takeover is one "forgot password" click away.

Affects: WordPress site owners running the Sendmachine plugin version 1.0.20 or earlier

Patch immediately. Update the Sendmachine plugin past version 1.0.20. If no update is available yet, deactivate the plugin and switch to a different SMTP plugin. Check your current SMTP settings to confirm they haven't already been tampered with.

CVE-2026-6771 CVSS 9.8 CRITICAL

A bypass in Firefox's DOM Security component lets attackers get around protections that are supposed to prevent malicious page content from executing privileged actions. Mozilla's description is sparse, but a CVSS 9.8 on a DOM security mitigation bypass typically means a crafted webpage could compromise your browser without much user interaction beyond visiting the page.

Affects: Anyone running Firefox before 150, Firefox ESR before 140.10, Thunderbird before 150, or Thunderbird ESR before 140.10

Patch within 24 hours. Update Firefox to 150+, Firefox ESR to 140.10+, Thunderbird to 150+, or Thunderbird ESR to 140.10+ through your standard browser update channel or package manager.

That's your patch day digest.

patchdayalert.com