PatchDay Alert: 2026-05-01

DAILY BRIEF · MAY 1, 2026

One ugly WordPress plugin bug sits at the top of today's list. CVE-2026-7567 is a CVSS 9.8 authentication bypass in the Temporary Login plugin that lets an unauthenticated attacker log in as any temporary user with a single crafted GET request. Not exploited in the wild yet, but the bar to exploit it is basically on the floor. Four more CVEs round out the day, including RCE in Krayin CRM and CSRF in two consumer routers.

TOP THREAT TODAY

CVE-2026-36960 CVSS 8.8 HIGH

The U-SPEED N300 Router V1.0.0 has zero CSRF protection on its admin web interface. If an admin is logged in and visits a malicious page, an attacker can silently change router settings (Wi-Fi config, DNS, firewall rules, you name it) through the admin's browser session. The admin doesn't need to click anything special: just loading the attacker's page is enough.

Who's affected: Anyone running a U-SPEED N300 Router on firmware V1.0.0


Patch this week. Check the vendor's support page for a firmware update. If none exists, restrict management interface access to a dedicated VLAN or wired-only connection, and log out of the router admin panel when you're done.

CVE-2026-36956 CVSS 8.8 HIGH

Same story, different router. The Dbit N300 T1 Pro V1.0.0 ships with no CSRF tokens or origin validation on its admin API. An attacker can trick a logged-in admin into visiting a crafted page that silently fires requests to endpoints like /api/setWlan, changing wireless settings or anything else the admin can do. No user interaction beyond visiting the malicious page is required.

Affects: Anyone running a Dbit N300 T1 Pro wireless router on firmware V1.0.0


Patch this week. Check the Dbit vendor site for a firmware update. If none is available, restrict the management interface to a trusted wired connection and never browse the internet from the same session where you manage the router.

CVE-2026-36340 CVSS 8.1 HIGH

Krayin CRM v2.1.5 has a remote code execution bug in the compose email function. A remote attacker can run arbitrary code on your CRM server by exploiting this feature. The fix is in v2.1.6. Details are thin, but RCE in a CRM email function likely means a crafted email payload can break out of the application and hit the underlying OS.

Affects: Anyone running Krayin CRM v2.1.5 or earlier


Patch within 24 hours. Upgrade Krayin CRM to v2.1.6 or later immediately.

CVE-2026-7246 CVSS 7.2 HIGH

The Pallets Click library (versions 8.3.2 and below) has a command injection bug in the click.edit() function. An attacker with an unprivileged account on the system can pass OS commands through this function and get them executed. If any of your Python apps or internal tools use click.edit(), they're potentially a stepping stone to full system compromise.

Affects: Python developers and sysadmins running applications that depend on the Pallets Click library at version 8.3.2 or earlier


Patch this week. Upgrade the click package to a version above 8.3.2 using `pip install --upgrade click` and redeploy affected applications.
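Two questions decide whether a deployment is exposed: is the installed click at or below 8.3.2, and does any of your code actually call click.edit()? The helper below is an added example (not Pallets code and not from this brief) that answers both using only the standard library; the source it scans is a constructed sample.

```python
import ast
import re
from importlib import metadata
LAST_VULNERABLE = (8, 3, 2)  # advisory: click 8.3.2 and below are affected

def parse_version(version):
    """Reduce '8.3.2', '8.3.3.dev0' or '9.0' to a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable_version(version):
    return parse_version(version) <= LAST_VULNERABLE  # True at or below 8.3.2

def installed_click_version():
    try:
        return metadata.version("click")  # version in this interpreter
    except metadata.PackageNotFoundError:
        return None  # click is not installed here

def find_click_edit_calls(source):
    """Line numbers of click.edit() calls in a source string, including aliased imports."""
    tree = ast.parse(source)
    module_aliases, bare_names = set(), set()
    for node in ast.walk(tree):  # first pass: how does this file refer to click / edit?
        if isinstance(node, ast.Import):
            module_aliases.update(a.asname or a.name for a in node.names if a.name == "click")
        elif isinstance(node, ast.ImportFrom) and node.module == "click":
            bare_names.update(a.asname or a.name for a in node.names if a.name == "edit")
    hits = []
    for node in ast.walk(tree):  # second pass: match the call sites
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and f.attr == "edit"
                and isinstance(f.value, ast.Name) and f.value.id in module_aliases):
            hits.append(node.lineno)
        elif isinstance(f, ast.Name) and f.id in bare_names:
            hits.append(node.lineno)
    return sorted(hits)

# Constructed sample source (not from any real project) exercising both import styles.
SAMPLE_SOURCE = """import click
from click import edit as open_editor
def draft(text):
    click.edit(text)
    return open_editor(text)
"""
```

Run find_click_edit_calls over each .py file in a tree and pair the result with installed_click_version() to get a hit list worth prioritising before the upgrade.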

CVE-2026-7567 CVSS 9.8 CRITICAL

This is a nasty one. The Temporary Login WordPress plugin (v1.0.0 and below) has an authentication bypass that lets an unauthenticated attacker log in as any temporary user with a single crafted GET request. The bug is a type-juggling issue: sending the login token as an array instead of a string tricks the code into returning any user with a temporary login token. No credentials needed, no brute force, just one HTTP request.

Affects: Anyone running a WordPress site with the Temporary Login plugin at version 1.0.0 or earlier


Patch immediately. Update the Temporary Login plugin now. If no patched version is available yet, deactivate and delete the plugin right away, then revoke all temporary login accounts.

Community Signal Check

Windows Shell zero-day CVE-2026-32202 exploited for NTLM hash theft, CISA sets May 12 deadline

Attackers are exploiting a zero-click NTLM hash leak in Windows Explorer via malicious LNK files. This is a follow-on from Microsoft's incomplete February fix for CVE-2026-21510, which Russian APT28 already used against Ukraine and EU targets. CISA is ordering federal agencies to patch by May 12, so treat this as urgent in your environment too.

BleepingComputer • active_exploitation

cPanel and WHM authentication bypass CVE-2026-41940 exploited as zero-day since February

If you run cPanel or WHM, stop and read this. CVE-2026-41940 is a critical auth bypass in cpsrvd that gives unauthenticated attackers full control of your hosting panel, configs, and managed sites. Attackers have been hitting this since at least late February. Patch immediately and audit for signs of compromise.

Help Net Security • active_exploitation

April 2026 updates crash LSASS on domain controllers in PAM environments, causing reboot loops

KB5082142 (Server 2022) and KB5083769 (Windows 11) are crashing LSASS on non-Global Catalog domain controllers in Privileged Access Management environments. Affected DCs go into reboot loops and stop handling authentication entirely. If you run PAM, hold these patches on your DCs and contact Microsoft Support for the mitigation before bringing them back online.

Microsoft Learn • broken_patch

KB5082063 triggers BitLocker recovery prompts on Windows Server 2025

The April 2026 security update for Windows Server 2025 is sending some machines straight to a BitLocker recovery key prompt on first reboot. Microsoft says it's tied to non-default BitLocker Group Policy configs and has shipped an out-of-band fix. Check your BitLocker GPO settings before rolling this one out, or you'll be fielding panicked calls from the server room.

BleepingComputer • broken_patch

That's your patch day digest.

patchdayalert.com
