DAILY BRIEF · APRIL 17, 2026

Heads up: the Accordion and Accordion Slider WordPress plugin (v1.4.6) was sold to a malicious party who planted a backdoor in it. Every install of that version is compromised out of the box, CVSS 9.8. No reports of exploitation in the wild yet, but the malicious code ships with the plugin itself, so "in the wild" is a technicality here. Four more high-severity bugs round out the list, including a forged-SAML bypass in Cloud Foundry UAA and two SiYuan flaws.

TOP THREAT TODAY

The Accordion and Accordion Slider WordPress plugin (version 1.4.6) was sold to a malicious party who planted a backdoor in it. That backdoor gives the attacker persistent access to any site running the plugin and lets them inject spam. CVSS 9.8, and since the malicious code ships with the plugin itself, every install of this version is compromised out of the box.
Who's affected: WordPress site owners or hosts running the Accordion and Accordion Slider plugin version 1.4.6
Patch immediately.
Deactivate and delete the Accordion and Accordion Slider plugin immediately, then audit the site for injected spam, unexpected admin accounts, and modified files before considering any replacement plugin.
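
The first step on a fleet of sites is finding every install of the backdoored version. The scanner below is an added example written for this brief, not code from the plugin or from WordPress; it parses the plugin header block WordPress itself reads ("Plugin Name:" and "Version:" in the leading comment of the plugin's main .php file) and flags the name/version pair named above. The brief does not give the plugin's directory slug, so the sample tree uses an assumed slug and the scanner keys on the header name instead.

```python
import os
import re
import tempfile

# The brief names the plugin and version but not its directory slug or main
# file, so this scanner keys on the "Plugin Name:" header field. The slug used
# in the sample tree below is an assumption for illustration only.
AFFECTED_PLUGIN_NAME = "Accordion and Accordion Slider"
AFFECTED_VERSION = "1.4.6"

# WordPress reads the leading comment of each top-level .php file in a plugin
# directory for fields such as "Plugin Name:" and "Version:" (lines usually
# look like " * Version: 1.4.6").
HEADER_FIELD_RE = re.compile(
    r"^[ \t*#/]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE
)


def parse_plugin_header(php_path):
    """Return {'Plugin Name': ..., 'Version': ...} from the file's first 8 KiB."""
    with open(php_path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    return dict(HEADER_FIELD_RE.findall(head))


def scan_plugins(plugins_dir):
    """Inventory every plugin under wp-content/plugins and flag the backdoored
    name/version pair. Returns a list of dicts sorted by directory name."""
    results = []
    for entry in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, entry)
        if not os.path.isdir(plugin_dir):
            continue
        for name in sorted(os.listdir(plugin_dir)):
            if not name.endswith(".php"):
                continue
            header = parse_plugin_header(os.path.join(plugin_dir, name))
            if "Plugin Name" not in header:
                continue  # helper file, not the plugin's main file
            version = header.get("Version", "unknown")
            results.append({
                "dir": entry,
                "name": header["Plugin Name"],
                "version": version,
                "affected": header["Plugin Name"] == AFFECTED_PLUGIN_NAME
                and version == AFFECTED_VERSION,
            })
            break
    return results


def build_sample_site():
    """Constructed sample: a throwaway wp-content/plugins tree with one
    backdoored install and one unrelated plugin. Returns the plugins dir."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    plugins_dir = os.path.join(root, "wp-content", "plugins")
    samples = {
        # assumed slug; the real directory name is not given in the brief
        "accordion-slider-sample": (AFFECTED_PLUGIN_NAME, AFFECTED_VERSION),
        "hello-dolly": ("Hello Dolly", "1.7.2"),
    }
    for slug, (name, version) in samples.items():
        os.makedirs(os.path.join(plugins_dir, slug))
        with open(os.path.join(plugins_dir, slug, slug + ".php"), "w") as fh:
            fh.write(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return plugins_dir


if __name__ == "__main__":
    for plugin in scan_plugins(build_sample_site()):
        flag = "AFFECTED" if plugin["affected"] else "ok"
        print(f"{flag:8} {plugin['dir']}: {plugin['name']} {plugin['version']}")
```

Point scan_plugins at a real wp-content/plugins directory to run it against a site; a hit means deactivate and delete, then move on to the account and file audit, which this inventory does not replace.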

CVE-2026-40322 · CVSS 9.0 · CRITICAL
SiYuan's desktop app (Electron-based) renders Mermaid diagrams with security turned down to 'loose' and injects the result straight into the page. An attacker can craft a note with a malicious Mermaid block containing a javascript: URL. Because the Electron windows run with Node.js integration enabled and context isolation off, clicking the rendered diagram gives the attacker full code execution on the victim's machine. CVSS 9.0. Exploitation requires the victim to open the note and click the diagram, but that's a low bar in a note-sharing workflow.
Affects: Anyone running SiYuan desktop (Electron) version 3.6.3 or earlier, especially teams sharing notebooks
Patch immediately.
Update SiYuan to version 3.6.4, and avoid opening shared notes from untrusted sources until you've upgraded.
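
Until every machine is on 3.6.4, a cheap pre-screen for shared notes is to look inside their Mermaid blocks for the interaction lines that only do something dangerous under securityLevel 'loose'. The scanner below is an added example written for this brief, not SiYuan's or Mermaid's code. It assumes notes are Markdown with fenced mermaid blocks (backtick or tilde fences) and uses Mermaid's documented click grammar (click <node> "<url>" or click <node> href "<url>"; anything else after the node id is a JavaScript callback). The sample note is constructed.

```python
import re
from urllib.parse import urlsplit

FENCE = "`" * 3  # built this way so no literal triple backtick sits in this file
MERMAID_BLOCK_RE = re.compile(
    r"^[ \t]*(?:" + re.escape(FENCE) + r"|~~~)mermaid[^\n]*\n(.*?)^[ \t]*(?:"
    + re.escape(FENCE) + r"|~~~)",
    re.MULTILINE | re.DOTALL,
)
# click <node> "<url>" ...  |  click <node> href "<url>" ...  |  click <node> call fn()
CLICK_RE = re.compile(r"^[ \t]*click[ \t]+(\S+)[ \t]+(.*)$", re.MULTILINE | re.IGNORECASE)
QUOTED_TARGET_RE = re.compile(r'^(?:href[ \t]+)?"([^"]*)"', re.IGNORECASE)
SCRIPT_URL_RE = re.compile(r"javascript[ \t]*:", re.IGNORECASE)
SAFE_SCHEMES = {"http", "https", ""}  # "" covers relative links and #anchors


def audit_diagram(diagram):
    """Return a list of findings for one Mermaid diagram body (empty = clean)."""
    findings = []
    js_flagged = 0
    for node, rest in CLICK_RE.findall(diagram):
        rest = rest.strip()
        quoted = QUOTED_TARGET_RE.match(rest)
        if quoted is None:
            # Callback form: runs arbitrary JS when securityLevel is 'loose'.
            findings.append(f"node {node}: click callback ({rest!r})")
            continue
        url = quoted.group(1).strip()
        try:
            scheme = urlsplit(url).scheme.lower()
        except ValueError:
            findings.append(f"node {node}: unparsable click target {url!r}")
            continue
        if scheme not in SAFE_SCHEMES:
            findings.append(f"node {node}: click target with {scheme!r} scheme")
            if scheme == "javascript":
                js_flagged += 1
    # javascript: URLs hidden outside a well-formed click line still count.
    if len(SCRIPT_URL_RE.findall(diagram)) > js_flagged:
        findings.append("javascript: URL present outside a recognised click line")
    return findings


def scan_note(markdown):
    """Map each Mermaid block index in a note to its findings."""
    return {i: audit_diagram(body) for i, body in enumerate(MERMAID_BLOCK_RE.findall(markdown))}


# Constructed sample: one benign diagram, one with a javascript: link and a callback.
SAMPLE_NOTE = f"""# Shared runbook (constructed sample)

{FENCE}mermaid
flowchart LR
    A[Start] --> B[Docs]
    click B "https://example.com/docs" "Open docs"
{FENCE}

Prose between diagrams.

{FENCE}mermaid
flowchart LR
    A[Click me] --> C[Also me]
    click A "javascript:alert(1)" "Looks harmless"
    click C call doThing()
{FENCE}
"""

if __name__ == "__main__":
    for index, findings in scan_note(SAMPLE_NOTE).items():
        print(f"block {index}: {'clean' if not findings else ''}")
        for finding in findings:
            print("   ", finding)
```

A clean report is not a guarantee (this checks syntax, not intent), but any finding is reason to open the note in a plain text editor rather than in a vulnerable desktop build.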

CVE-2026-40262 · CVSS 8.7 · HIGH
Note Mark's file upload handler serves uploaded assets inline without a proper Content-Type header and without the nosniff directive. An authenticated user can upload an HTML or SVG file containing JavaScript, and when any other user visits that asset's URL, the script runs under the app's origin with full access to the victim's session. CVSS 8.7. The attacker needs a valid account to upload the payload, but after that, any user who clicks the link is compromised.
Affects: Anyone self-hosting Note Mark version 0.19.1 or earlier
Patch within 24 hours.
Update Note Mark to version 0.19.2 and review recently uploaded assets for suspicious HTML, SVG, or XHTML files.
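
Two things help here while you update: serve uploaded assets with the headers the flaw omits, and sniff recent uploads for active content regardless of their extension. The code below is an added example written for this brief, not Note Mark's code (the brief does not say what language Note Mark is written in); it shows the weak header set beside a hardened one, using Python's standard mimetypes table, and a triage helper run over constructed sample uploads.

```python
import mimetypes
import os
import re

# Types a browser will render, and run script from, if served inline under
# the application's origin.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "application/javascript", "text/javascript",
}
# Markers that betray HTML/SVG/XML content hiding behind a harmless extension.
ACTIVE_MARKERS = (b"<!doctype html", b"<html", b"<svg", b"<script", b"<?xml")


def safe_filename(name):
    """Strip path components and characters that could smuggle header fields."""
    base = os.path.basename(name.replace("\\", "/"))
    return re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"


def looks_active(data):
    """True if the first bytes look like something a browser would execute."""
    head = data[:512].lstrip().lower()
    return any(marker in head for marker in ACTIVE_MARKERS)


def headers_insecure(filename):
    """The flaw class: inline, no Content-Type, no nosniff. The browser sniffs
    the bytes and renders HTML/SVG in the app's origin."""
    return {"Content-Disposition": f'inline; filename="{filename}"'}


def headers_hardened(filename, data):
    """Explicit type, nosniff, a sandboxing CSP, and attachment disposition
    for anything active (by type or by content)."""
    content_type, _ = mimetypes.guess_type(filename)
    content_type = content_type or "application/octet-stream"
    active = content_type in ACTIVE_TYPES or looks_active(data)
    disposition = "attachment" if active else "inline"
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        # Even if something does get rendered, it gets an opaque origin and no script.
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Content-Disposition": f'{disposition}; filename="{safe_filename(filename)}"',
    }


def triage_uploads(assets):
    """Given (filename, bytes) pairs, return the names worth a human look."""
    review = []
    for filename, data in assets:
        content_type, _ = mimetypes.guess_type(filename)
        if (content_type in ACTIVE_TYPES) or looks_active(data):
            review.append(filename)
    return review


# Constructed sample uploads: an SVG with an event handler, a real PNG header,
# and HTML hiding behind a .txt extension.
SAMPLE_UPLOADS = [
    ("diagram.svg", b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>'),
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("readme.txt", b"<html><script>document.title = 1</script></html>"),
]

if __name__ == "__main__":
    for name in triage_uploads(SAMPLE_UPLOADS):
        print("review:", name)
    for key, value in headers_hardened(*SAMPLE_UPLOADS[0]).items():
        print(f"{key}: {value}")
```

The attachment disposition plus nosniff is what stops the script from running in the app's origin; the sandbox CSP is belt-and-braces for any path that still renders inline.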

CVE-2026-40262 · CVSS 8.7 · HIGH
Cloud Foundry's UAA accepts unsigned, unencrypted SAML 2.0 bearer assertions when SAML bearer grants are enabled for a client. An attacker can forge a SAML assertion for any user and get a valid token, giving them access to every UAA-protected system in your deployment. CVSS 8.6. The only prerequisite is that SAML 2.0 bearer assertions are enabled on at least one client, which is a common configuration.
Affects: Cloud Foundry operators running UAA v77.30.0 through v78.7.0, or CF Deployment v48.7.0 through v54.14.0, with SAML bearer assertions enabled
Patch immediately.
Upgrade UAA past v78.7.0 (or CF Deployment past v54.14.0), then review access logs for unexpected token grants tied to SAML bearer assertions.
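
The condition a fixed token endpoint must enforce is simple to state: a bearer assertion with no signature is not evidence of anything. The check below is an added example written for this brief, not UAA's code; it is a structural gate that rejects the exact shape of assertion this CVE concerns (unsigned, unknown issuer, expired, or aimed at another audience) before any cryptographic verification. It deliberately does not verify the signature, so an empty problem list means "hand to a real XML-DSig verifier", never "authentic". The sample assertions, issuer and audience URLs are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DSIG_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def _parse_time(value):
    # SAML timestamps are ISO 8601 UTC; older fromisoformat wants +00:00, not Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def precheck_bearer_assertion(xml_bytes, trusted_issuers, audience, now=None):
    """Return a list of structural problems with a SAML 2.0 bearer assertion.
    Empty list == worth passing to a signature verifier, nothing more."""
    now = now or datetime.now(timezone.utc)
    problems = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return [f"root element is {root.tag}, not saml:Assertion"]

    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in trusted_issuers:
        problems.append(f"untrusted issuer {issuer!r}")

    # The heart of this CVE: an assertion with no enveloped signature is forgeable.
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned")

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("no Conditions element")
    else:
        not_after = conditions.get("NotOnOrAfter")
        if not not_after or _parse_time(not_after) <= now:
            problems.append("assertion expired or has no NotOnOrAfter")
        audiences = [a.text.strip() for a in
                     conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if audience not in audiences:
            problems.append("audience restriction does not name this service")

    methods = [sc.get("Method") for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS)]
    if BEARER not in methods:
        problems.append("no bearer SubjectConfirmation")
    return problems


TRUSTED_ISSUERS = {"https://idp.example.test/metadata"}  # constructed
AUDIENCE = "https://uaa.example.test/oauth/token"         # constructed


def sample_assertion(signed, issuer="https://idp.example.test/metadata"):
    """Constructed assertion. The ds:Signature here is a structural placeholder,
    not a real signature, which is exactly why this gate is only a pre-check."""
    sig = (f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignatureValue>PLACEHOLDER'
           '</ds:SignatureValue></ds:Signature>') if signed else ""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0"
    IssueInstant="2026-04-17T00:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>
  {sig}
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2026-04-17T00:00:00Z" NotOnOrAfter="2026-04-17T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>""".encode()


if __name__ == "__main__":
    at = datetime(2026, 4, 17, 0, 1, tzinfo=timezone.utc)
    for label, doc in (("unsigned", sample_assertion(False)), ("signed", sample_assertion(True))):
        print(label, precheck_bearer_assertion(doc, TRUSTED_ISSUERS, AUDIENCE, now=at) or "passes pre-check")
```

Upgrading is the fix; this is the behaviour you should expect from the upgraded endpoint, and a reference for what "unexpected token grants tied to SAML bearer assertions" look like when you review logs: grants whose assertion would fail any line of this gate.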

CVE-2026-40318 · CVSS 8.5 · HIGH
SiYuan's API endpoint for removing unused attribute views takes a user-supplied ID and builds a file path from it with zero validation. An attacker can send path traversal sequences (like ../) to escape the intended directory and delete any .json file on the server, including global config and workspace metadata. CVSS 8.5. This is a network-accessible API call with no special privileges required beyond basic access.
Affects: Anyone running SiYuan version 3.6.3 or earlier, especially instances exposed to a network
Patch within 24 hours.
Update SiYuan to version 3.6.4 and verify that your instance is not directly exposed to the internet without authentication.
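
The bug class here is a user-supplied ID joined straight into a filesystem path. The example below is added for this brief and is not SiYuan's code (SiYuan is not written in Python); it puts the vulnerable join beside a hardened resolver that applies two independent controls, a syntactic allowlist on the ID and a canonicalised containment check on the final path, and demonstrates both on a constructed workspace layout. The directory layout and the ID shape in the allowlist are assumptions, so tighten the regex to the real identifier format when you borrow the pattern.

```python
import os
import re
import tempfile

# Allowlist for the user-supplied ID: a single path segment, no separators,
# no dots. The exact ID format is not given in the brief, so this shape is an
# assumption; tighten it to the real one.
ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def vulnerable_path(av_dir, av_id):
    """The flaw class: the ID goes straight into the path, so '../..' walks out."""
    return os.path.join(av_dir, av_id + ".json")


def safe_path(av_dir, av_id):
    """Reject IDs that are not plain identifiers, then confirm the
    canonicalised result still lives under av_dir (this second check also
    catches symlinks inside av_dir that point elsewhere)."""
    if not ID_RE.match(av_id):
        raise ValueError(f"rejected attribute-view id {av_id!r}")
    base = os.path.realpath(av_dir)
    candidate = os.path.realpath(os.path.join(base, av_id + ".json"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the attribute-view directory")
    return candidate


def is_accepted(av_dir, av_id):
    """Boolean wrapper around safe_path for callers that just want yes/no."""
    try:
        safe_path(av_dir, av_id)
        return True
    except ValueError:
        return False


def escapes(av_dir, path):
    """True if `path`, once canonicalised, is not inside av_dir."""
    base = os.path.realpath(av_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def build_sample_workspace():
    """Constructed layout (an assumption, not SiYuan's real one):
    <ws>/data/storage/av/<id>.json and <ws>/conf/conf.json."""
    ws = tempfile.mkdtemp(prefix="av-sample-")
    av_dir = os.path.join(ws, "data", "storage", "av")
    os.makedirs(av_dir)
    os.makedirs(os.path.join(ws, "conf"))
    for rel in ("data/storage/av/20260417000000-sample1.json", "conf/conf.json"):
        with open(os.path.join(ws, rel), "w") as fh:
            fh.write("{}")
    return ws, av_dir


if __name__ == "__main__":
    ws, av_dir = build_sample_workspace()
    evil = "../../../conf/conf"
    print("vulnerable join resolves to:", os.path.realpath(vulnerable_path(av_dir, evil)))
    print("escapes av dir:", escapes(av_dir, vulnerable_path(av_dir, evil)))
    print("hardened accepts evil id:", is_accepted(av_dir, evil))
    print("hardened accepts real id:", is_accepted(av_dir, "20260417000000-sample1"))
```

The containment check is the one that matters even when the allowlist is wrong or later loosened: whatever the input looks like, nothing outside av_dir is ever handed to the delete call.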

That's your patch day digest. Reply to this email with questions, war stories, or broken-patch reports. They may end up in tomorrow's edition.

Got a broken-patch report? Reply to this email.
patchdayalert.com