DAILY BRIEF · APRIL 23, 2026

Five fresh CVEs today, and the top one deserves your full attention. CVE-2026-41679 is an unauthenticated RCE in Paperclip scoring a perfect CVSS 10.0. No creds, no user interaction, just 6 API calls. It's not exploited in the wild yet, but the attack is trivially automatable, so expect scanners to light up fast. Below that: a WordPress plugin RCE, a Froxlor path traversal to code execution, and two CVSS 9.8s in a product that's been dead since 2008.
TOP THREAT TODAY

CVE-2026-41679 · CVSS 10.0 · CRITICAL

An unauthenticated attacker can get full remote code execution on any network-reachable Paperclip instance running the default 'authenticated' mode config. No credentials, no user interaction: just 6 API calls and the target's address. CVSS 10.0, and the attack is trivially automatable, so expect scanners to pick this up fast.
Who's affected: Anyone running Paperclip (Node.js/React AI agent platform) versions prior to 2026.416.0, especially instances exposed to the internet
Patch immediately.
Upgrade Paperclip to version 2026.416.0 right now. If you can't upgrade immediately, pull the instance off the network until you can.
CVE-2026-39440 · CVSS 9.9 · CRITICAL

An attacker can inject and execute arbitrary code remotely through the FunnelFormsPro WordPress plugin. This is a code injection bug with a CVSS of 9.9. All versions through 3.8.1 are vulnerable.
Affects: WordPress site owners and hosts running FunnelFormsPro plugin version 3.8.1 or earlier
Patch immediately.
Update FunnelFormsPro to the latest patched version above 3.8.1 immediately. If no patch is available yet, deactivate and remove the plugin until one ships.
CVE-2026-41228 · CVSS 9.9 · CRITICAL

An authenticated Froxlor customer (not just admins) can set their language preference to a path traversal payload. Froxlor then blindly passes that value into a PHP 'require' call on the next request, which lets the attacker execute arbitrary PHP code as the web server user. This requires a valid customer account and the ability to upload a file to a known path, but the exploitation itself is straightforward once those conditions are met. CVSS 9.9.
Affects: Anyone running Froxlor server management panel versions prior to 2.3.6
Patch within 24 hours.
Upgrade Froxlor to version 2.3.6. Review your customer accounts for any suspicious 'def_language' values in the database as a sign of prior exploitation.
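To act on the "review def_language values" advice above, here is an added audit check (not Froxlor's own code) that flags language-preference values that do not look like language codes. The row shape (customerid, loginname, def_language), the language-code pattern and the sample rows are assumptions constructed for this example; only the column name 'def_language' comes from the advisory.

```python
import re

# Assumption: a legitimate Froxlor language preference looks like "English" or
# "de_DE". Froxlor's real list is not on the page, so this is a shape check
# for an allowlist, not the product's actual table of languages.
LANG_RE = re.compile(r"^[A-Za-z]{1,32}(?:[_-][A-Za-z]{1,8})?$")


def classify_def_language(value):
    """Return the reasons a def_language value looks like a traversal payload.

    An empty list means the value passes the allowlist shape check. Several
    indicators are reported separately so an analyst can see which ones fired.
    """
    reasons = []
    low = value.lower()
    if not LANG_RE.fullmatch(value):
        reasons.append("not a plain language code")
    if ".." in value:
        reasons.append("dot-dot traversal sequence")
    if "/" in value or "\\" in value:
        reasons.append("path separator")
    if "\x00" in value or "%00" in low:
        reasons.append("null byte (raw or URL-encoded)")
    if "%2e" in low or "%2f" in low or "%5c" in low:
        reasons.append("URL-encoded dot or slash")
    return reasons


def audit_customers(rows):
    """rows: iterable of (customerid, loginname, def_language) tuples, e.g. from
    a CSV export of the customers table. Returns the suspicious entries only."""
    hits = []
    for customerid, loginname, def_language in rows:
        reasons = classify_def_language(def_language or "")
        if reasons:
            hits.append({"customerid": customerid, "loginname": loginname,
                         "def_language": def_language, "reasons": reasons})
    return hits


# Constructed sample rows (hypothetical accounts, not real data).
SAMPLE_ROWS = [
    (1, "alice", "English"),
    (2, "bob", "de_DE"),
    (3, "mallory", "../../../../tmp/uploads/x"),
    (4, "eve", "English%00../../var/www/evil"),
]

if __name__ == "__main__":
    for hit in audit_customers(SAMPLE_ROWS):
        print(hit)
```

Any hit is worth treating as a prior-exploitation indicator: check the web server's access logs around the time that customer last changed the setting, not just the current value.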
CVE-2026-6887 · CVSS 9.8 · CRITICAL

Borg SPM 2007 has an unauthenticated SQL injection bug that lets a remote attacker read, modify, or delete anything in the database. No credentials needed. CVSS 9.8. This product's sales ended in 2008, so there will be no patch.
Affects: Anyone still running Borg SPM 2007 by BorG Technology Corporation
Patch immediately.
Take Borg SPM 2007 offline permanently. This product is end-of-life since 2008 and will not receive a fix. Migrate to a supported alternative.
CVE-2026-6886 · CVSS 9.8 · CRITICAL

Borg SPM 2007 has an authentication bypass that lets any remote attacker log in as any user without credentials. CVSS 9.8. Combined with CVE-2026-6887 (SQL injection in the same product), this thing is completely wide open. No patch is coming since the product has been end-of-life since 2008.
Affects: Anyone still running Borg SPM 2007 by BorG Technology Corporation
Patch immediately.
Decommission Borg SPM 2007 immediately. No fix will be released for this end-of-life product. If you absolutely cannot shut it down today, block all external access to it at the firewall level as a stopgap.
That's your patch day digest.

patchdayalert.com