DAILY BRIEF · APRIL 20, 2026

Two CVSS 9.8 SQL injection bugs in Digiwin EasyFlow .NET hit today, both unauthenticated, both requiring zero user interaction. Neither is exploited in the wild yet, but public-facing SQLi is about as easy to weaponize as it gets. If you run EasyFlow, stop reading this intro and go patch.

TOP THREAT TODAY
An unauthenticated attacker can inject SQL through crafted requests to Digiwin EasyFlow .NET and read, modify, or wipe your entire database. No login required, no user interaction needed. CVSS 9.8, so this is about as bad as SQL injection gets.
Who's affected: Anyone running Digiwin EasyFlow .NET

Patch immediately.
Apply the latest patch from Digiwin for EasyFlow .NET and audit your database for signs of unauthorized access or modification.

CVE-2026-5963 · CVSS 9.8 · CRITICAL
This is a second SQL injection bug in Digiwin EasyFlow .NET, separate from CVE-2026-5964 but equally dangerous. An unauthenticated remote attacker can read, modify, or delete database contents without any credentials. CVSS 9.8, no exploitation reported in the wild yet, but public-facing SQL injection is trivial to exploit.
Affects: Anyone running Digiwin EasyFlow .NET

Patch immediately.
Apply the latest Digiwin patch that covers both CVE-2026-5963 and CVE-2026-5964 in a single maintenance window.

CVE-2026-32956 · CVSS 9.8 · CRITICAL
A heap-based buffer overflow in silex SD-330AC devices and AMC Manager lets an attacker execute arbitrary code on the device by sending a crafted redirect URL. CVSS 9.8. These are typically network infrastructure devices, so a compromised one could give an attacker a foothold on your LAN.
Affects: Anyone running silex SD-330AC devices or silex AMC Manager

Patch within 24 hours.
Update firmware on all silex SD-330AC units and upgrade AMC Manager to the latest version from silex technology. If no patch is available yet, isolate these devices from untrusted networks.

CVE-2026-6632 · CVSS 8.8 · HIGH
A buffer overflow in the Tenda F451 router's httpd service lets a remote attacker crash or potentially take over the device by sending crafted input to the SafeClientFilter endpoint. CVSS 8.8. A public exploit already exists, which lowers the bar for attackers significantly.
Affects: Anyone running Tenda F451 routers on firmware 1.0.0.7_cn_svn7958

Patch within 24 hours.
Check Tenda's support site for a firmware update. If none is available, restrict management interface access to trusted IPs only and disable remote management.

CVE-2026-6631 · CVSS 8.8 · HIGH
Another buffer overflow in the same Tenda F451 firmware, this time in the webExcptypemanFilter function. A remote attacker can trigger it by manipulating the page parameter. CVSS 8.8, and the exploit is already public. Combined with CVE-2026-6632, this firmware version has multiple remotely exploitable bugs.
Affects: Anyone running Tenda F451 routers on firmware 1.0.0.7_cn_svn7958

Patch within 24 hours.
Update Tenda F451 firmware to cover both CVE-2026-6631 and CVE-2026-6632. If no update exists, lock down the management interface to a trusted VLAN and block external access to the router's web UI.

That's your patch day digest. Reply to this email with questions, war stories, or broken-patch reports. They may end up in tomorrow's edition.

Got a broken-patch report? Reply to this email.
patchdayalert.com