DAILY BRIEF · MAY 6, 2026

Five fresh CVEs today, none exploited in the wild yet, but the severity scores are loud. The headliner is CVE-2026-7411: a CVSS 10.0 unauthenticated RCE in Eclipse BaSyx Java Server SDK that lets anyone write files anywhere on your filesystem via path traversal. Right behind it, OpenCTI and MeiG Smart devices both have unauth bugs north of 9.0. Nothing on fire yet, but if any of these face the internet, don't wait.

TOP THREAT TODAY

An attacker can run arbitrary OS commands on MeiG Smart FORGE_SLT711 devices without any authentication by hitting the /action/SetRemoteAccessCfg endpoint on the built-in GoAhead web server. No credentials, no user interaction, just a crafted HTTP request gives full command execution. If these devices are reachable from the internet, you're already exposed.
Who's affected: Anyone running MeiG Smart FORGE_SLT711 devices with firmware MDM9607.LE.1.0-00110-STD.PROD-1.

Patch immediately.
Check with MeiG for a firmware update. If no patch is available yet, block all external access to the GoAhead web interface on these devices immediately.

Sources: NVD, Ref 1, Ref 2

CVE-2026-7598 · CVSS 7.3 · EPSS 0.05% · HIGH

An integer overflow in libssh2's password authentication code could let an attacker corrupt memory during SSH authentication. Exploitation isn't trivial, but a successful attack could lead to code execution or a crash in any application that uses libssh2 for SSH connections. This affects libssh2 packages on Azure Linux 3.0 and CBL Mariner 2.0, including nmap builds that bundle it.
Affects: Teams running Azure Linux 3.0 or CBL Mariner 2.0 systems with libssh2 or nmap installed

Patch this week.
Update libssh2 and nmap packages via your distro's package manager. On Azure Linux 3.0: update libssh2 past 1.11.1-1 and nmap past 7.95-3. On CBL Mariner 2.0: update libssh2 past 1.9.0-4 and nmap past 7.93-4.

Sources: NVD, MSRC, Ref 1

CVE-2026-36355 · CVSS 7.7 · HIGH

The Realtek rtl8192cd Wi-Fi kernel driver ships debug ioctl handlers (read_mem and write_mem) in production builds with zero access control. A local attacker can use these to read or write arbitrary kernel memory, which is a straight path to privilege escalation or full device compromise. This affects all known versions of the Realtek rtl819x Jungle SDK through v3.4.14B, which covers a huge number of consumer and embedded routers and access points.
Affects: Anyone managing routers, access points, or embedded devices built on the Realtek rtl819x Jungle SDK (v3.4.14B and earlier)

Patch this week.
Check with your device vendor for a firmware update that patches or removes the debug ioctl handlers. If no update is available, restrict local network access to affected devices and monitor for vendor advisories.

Sources: NVD, Ref 1, Ref 2

CVE-2026-7411 · CVSS 10.0 · CRITICAL

An unauthenticated attacker can upload files to any location on the filesystem by abusing a path traversal bug in the Eclipse BaSyx Java Server SDK's Submodel HTTP API. A crafted fileName parameter during file upload lets the attacker write outside the intended directory, which leads directly to remote code execution. This is a CVSS 10.0: no authentication, no user interaction, full system compromise.
Affects: Anyone running Eclipse BaSyx Java Server SDK prior to version 2.0.0-milestone-10

Patch immediately.
Upgrade Eclipse BaSyx Java Server SDK to 2.0.0-milestone-10 or later immediately.

Sources: NVD, Ref 1, Ref 2

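
The containment check this class of bug lacks, as an added example that is not BaSyx code: the UploadPathGuard class, its method names and the /srv/basyx/uploads root are assumptions. It puts the unchecked join of a client-supplied fileName beside a check that only accepts a bare file name and verifies, after normalization, that the target stays inside the upload directory.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (not BaSyx code); class and method names are assumptions.
public final class UploadPathGuard {
    private final Path uploadRoot;

    public UploadPathGuard(Path uploadRoot) {
        // Canonicalize once so every containment check compares like with like.
        this.uploadRoot = uploadRoot.toAbsolutePath().normalize();
    }

    // Vulnerable pattern: "../" segments in fileName walk out of uploadRoot.
    public Path resolveUnchecked(String fileName) {
        return uploadRoot.resolve(fileName);
    }

    // Hardened pattern: accept only a bare file name, then verify after
    // normalization that the target is still strictly below uploadRoot.
    public Path resolveChecked(String fileName) {
        if (fileName == null || fileName.isEmpty()) {
            throw new IllegalArgumentException("fileName is empty");
        }
        Path name = Paths.get(fileName);
        if (name.isAbsolute() || name.getNameCount() != 1) {
            throw new IllegalArgumentException("fileName must not contain path separators");
        }
        Path target = uploadRoot.resolve(name).normalize();
        // ".." alone passes the single-segment test but normalizes to the parent.
        if (!target.startsWith(uploadRoot) || target.equals(uploadRoot)) {
            throw new IllegalArgumentException("fileName escapes the upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the traversal shape the advisory describes.
        UploadPathGuard guard = new UploadPathGuard(Paths.get("/srv/basyx/uploads"));
        String[] samples = {"report.pdf", "../../tmp/outside.txt", "..", "/etc/passwd"};
        for (String s : samples) {
            System.out.println("unchecked: " + s + " -> " + guard.resolveUnchecked(s));
            try {
                System.out.println("checked:   " + s + " -> " + guard.resolveChecked(s));
            } catch (IllegalArgumentException e) {
                System.out.println("checked:   " + s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```
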
CVE-2026-27960 · CVSS 9.8 · CRITICAL

OpenCTI versions 6.6.0 through 6.9.12 have a privilege escalation bug that lets an unauthenticated attacker query the API as any existing user, including the default admin account. No credentials needed. If your OpenCTI instance is reachable, an attacker gets full admin access to your threat intelligence platform.
Affects: Anyone running OpenCTI 6.6.0 through 6.9.12

Patch immediately.
Upgrade OpenCTI to version 6.9.13 or later. As an immediate workaround, disable the default admin account by setting APP__ADMIN__EXTERNALLY_MANAGED in your configuration.

Sources: NVD, Ref 1

Community Signal Check

PAN-OS User-ID Portal buffer overflow (CVE-2026-0300): unauthenticated RCE, exploited in the wild
Unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls, hitting internet-facing User-ID Authentication Portals. Attackers are already exploiting this in limited, confirmed attacks. Restrict the portal to trusted internal networks right now, or disable it entirely. Patches roll out between May 13 and May 28.
Palo Alto Networks · active_exploitation

cPanel authentication bypass (CVE-2026-41940) under mass exploitation, ransomware and botnet payloads observed
Multiple attackers are mass-exploiting a critical auth bypass in cPanel/WHM across hosting, government, and military targets. Over 8,800 hosts show signs of automated exploitation. Payloads include ransomware (.sorry extension), Mirai variants, and full data exfil with backup wipes. If you run cPanel, patch or isolate it today.
Help Net Security · active_exploitation

Linux kernel privilege escalation (CVE-2026-31431) exploited in containers and Kubernetes clusters
A local privilege escalation bug in the Linux kernel's AF_ALG crypto API is being exploited in the wild with public PoC code. Unprivileged users can corrupt the page cache and escalate to root, even inside restricted containers. CISA added it to the KEV catalog. Patch your Ubuntu, RHEL, SUSE, and Amazon Linux hosts, especially any running shared or containerized workloads.
Microsoft Security Blog · active_exploitation

.NET 10.0.6 regression breaks ASP.NET Core auth cookies (CVE-2026-40372), emergency fix in 10.0.7
If you deployed .NET 10.0.6 after May Patch Tuesday, heads up: a regression in DataProtection HMAC validation breaks authentication cookie decryption and also lets attackers forge payloads that pass auth checks. Microsoft shipped an emergency out-of-band fix in .NET 10.0.7. Update immediately, because this one is both broken and exploitable.
BleepingComputer · regression

That's your patch day digest.

patchdayalert.com