 ██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

**Cisco IMC Flaw Lets Low-Level Users Run Root Commands**

Today's cybersecurity digest — CVEs, headline news, and something nerdy. April 01, 2026

cybr.cx Daily Digest — April 1, 2026


Critical Vulnerabilities

CVE-2026-20094 — Cisco IMC (CVSS 8.8): An authenticated attacker with read-only privileges can inject arbitrary commands via the web management interface of Cisco Integrated Management Controller, ultimately executing code as root. The low privilege bar makes this particularly dangerous in shared or outsourced server management environments — patch or restrict IMC interface access immediately.

CVE-2026-5212 / CVE-2026-5213 / CVE-2026-5214 — D-Link NAS Devices (CVSS 8.8 each): Three separate vulnerabilities affect a wide swath of D-Link DNS and DNR series NAS devices through firmware dated 20260205. CVE-2026-5212 enables file manipulation via the WebDAV upload handler; CVE-2026-5213 and CVE-2026-5214 target account management functions with argument injection. D-Link has a poor patch cadence for legacy hardware — if these devices are internet-facing, assume they're a target.

CVE-2026-34430 — ByteDance Deer-Flow (CVSS 8.8): A sandbox escape in Deer-Flow's bash tool handler allows attackers to bypass regex-based input validation using basic shell features like directory traversal and relative paths. This is a textbook case of incomplete threat modelling around shell semantics. Any deployment prior to commit 92c7a20 should be considered exploitable — update immediately.
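
As an added illustration (our own, not Deer-Flow's code, and written against a placeholder sandbox root rather than any real deployment), the pair below contrasts the prefix-matching check this class of bug relies on with one that interprets each path the way the shell will before deciding, and then executes the approved argv with no shell at all. The binary allowlist, the `/srv/agent-sandbox` root and every function name are assumptions made for the example.

```python
from __future__ import annotations

import os
import shlex
import subprocess

# Constructed illustration, not Deer-Flow's code. The agent's bash tool is
# meant to confine every command to this directory; the path is a placeholder.
SANDBOX_ROOT = "/srv/agent-sandbox"
ALLOWED_BINARIES = frozenset({"ls", "cat", "head", "wc"})


def weak_is_allowed(command: str) -> bool:
    """The pattern-matching approach the advisory describes: scan the raw
    string and refuse any absolute path that does not start with the sandbox
    prefix. It never collapses '..' and never looks at relative paths at all."""
    return all(
        tok.startswith(SANDBOX_ROOT + "/")
        for tok in command.split()
        if tok.startswith("/")
    )


def resolve_inside_sandbox(path: str, cwd: str = SANDBOX_ROOT) -> str | None:
    """Interpret `path` as the shell would (relative to cwd), collapse '.' and
    '..', follow any symlinks that exist on disk, and accept the result only if
    it is still under SANDBOX_ROOT. commonpath compares whole components, so a
    sibling directory such as '/srv/agent-sandbox2' is rejected as well."""
    absolute = os.path.join(cwd, path)          # an absolute `path` replaces cwd here
    lexical = os.path.normpath(absolute)
    physical = os.path.realpath(absolute)       # resolves symlinks present on disk
    for candidate in (lexical, physical):
        if os.path.commonpath([SANDBOX_ROOT, candidate]) != SANDBOX_ROOT:
            return None
    return lexical


def hardened_validate(command: str, cwd: str = SANDBOX_ROOT) -> list[str] | None:
    """Tokenise with shell quoting rules, require a bare allowlisted binary
    name, and canonicalise every path-like argument. Returns the argv to run
    with shell=False, or None to refuse the command."""
    try:
        argv = shlex.split(command)
    except ValueError:              # unbalanced quotes
        return None
    if not argv or "/" in argv[0] or argv[0] not in ALLOWED_BINARIES:
        return None                 # './cat', '/bin/../bin/ls' and anything off the allowlist
    safe_argv = [argv[0]]
    for arg in argv[1:]:
        if arg.startswith("-"):
            if "/" in arg:          # an option carrying a path: refuse rather than parse per-command syntax
                return None
            safe_argv.append(arg)
            continue
        resolved = resolve_inside_sandbox(arg, cwd)
        if resolved is None:
            return None
        safe_argv.append(resolved)
    return safe_argv


def run_in_sandbox(command: str) -> subprocess.CompletedProcess[str] | None:
    """Execute only what hardened_validate approved, as a direct argv with no
    shell, so pipes, substitutions and redirections are never interpreted."""
    argv = hardened_validate(command)
    if argv is None:
        return None
    return subprocess.run(argv, cwd=SANDBOX_ROOT, capture_output=True, text=True, check=False)
```

The weak check passes `cat ../../etc/passwd` (no absolute path to inspect) and `cat /srv/agent-sandbox/../etc/passwd` (the prefix matches); the hardened one resolves both to locations outside the root and refuses them, while `cat notes.txt` comes back as an absolute, in-sandbox argv.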

CVE-2025-71278 — XenForo < 2.3.5 (CVSS 8.8): OAuth2 client applications can request scopes beyond their authorised level, potentially escalating access to forum data, user accounts, or administrative functions. Forum operators running XenForo 2.3.x with any OAuth2 integrations should treat this as urgent — upgrade to 2.3.5.
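
The defensive counterpart, as an added example rather than XenForo's code: an authorization server derives the granted scopes from the client's registration, never from the request itself. The client id, scope names and function names below are constructed for the illustration; the behaviour it encodes (reject the request with `invalid_scope`, or narrow the grant and report the narrowed scope back in the token response) is what RFC 6749 sections 3.3 and 4.1.2.1 specify.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class OAuthClient:
    """A registered OAuth2 client. allowed_scopes is fixed at registration time
    by the operator, not by the client at request time."""
    client_id: str
    allowed_scopes: frozenset[str]


class ScopeError(ValueError):
    """Raised when a client requests scopes outside its registration."""


def parse_scope_param(scope: str) -> list[str]:
    """RFC 6749 section 3.3: the scope parameter is a space-delimited,
    case-sensitive list of tokens. Duplicates are collapsed, order is kept."""
    return list(dict.fromkeys(tok for tok in scope.split(" ") if tok))


def weak_authorize_scopes(client: OAuthClient, requested_scope: str) -> frozenset[str]:
    """The defective pattern: whatever the client asks for is what the token
    gets. The client's registration is never consulted."""
    return frozenset(parse_scope_param(requested_scope))


def authorize_scopes(client: OAuthClient, requested_scope: str, *, strict: bool = True) -> frozenset[str]:
    """Server-side scope decision. In strict mode any scope outside the client's
    registration rejects the whole request (error=invalid_scope). In lenient
    mode the grant is narrowed to the intersection; RFC 6749 then requires the
    token response's 'scope' field to state the narrower set actually granted."""
    requested = parse_scope_param(requested_scope)
    if not requested:
        raise ScopeError("invalid_scope: empty scope parameter")
    excess = [tok for tok in requested if tok not in client.allowed_scopes]
    if excess and strict:
        raise ScopeError(f"invalid_scope: {client.client_id!r} may not request {' '.join(excess)}")
    return frozenset(tok for tok in requested if tok in client.allowed_scopes)


def token_permits(granted: frozenset[str], required: str) -> bool:
    """Resource-server check: each protected endpoint names the scope it needs
    and tests the token's granted set, not anything the caller sends along."""
    return required in granted
```

Whatever the server decides in `authorize_scopes` is the set that gets written into the token and echoed in the `scope` response field, so the resource side in `token_permits` never sees the client's original wish list.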

CVE-2026-35093 — libinput (CVSS 8.8): A local attacker can drop a crafted Lua bytecode file into system or user config directories to execute arbitrary code with the permissions of the calling process — often a graphical compositor. The practical impact includes keylogging and input injection. Particularly relevant for shared Linux desktop or kiosk environments.

CVE-2026-35091 — Corosync (CVSS 8.2): A remote unauthenticated attacker can trigger an out-of-bounds read via a malformed UDP packet targeting the membership commit token sanity check, causing denial of service and potential memory disclosure. Corosync underpins many high-availability Linux clusters — a DoS here can take down production infrastructure. Restrict UDP exposure at the network perimeter.


Headline News

PyPI Supply Chain Attack Hits LiteLLM
A malicious version of LiteLLM — a widely used Python library for interfacing with AI/LLM APIs — was distributed via PyPI and downloaded over 40,000 times before detection. The compromised package installed a payload designed to harvest and exfiltrate sensitive information, likely including API keys for services such as OpenAI, Anthropic, and others that LiteLLM is routinely configured to access. Given LiteLLM's common deployment in internal tooling and agentic AI pipelines, the blast radius could extend well beyond individual developers into production environments. Security teams should audit dependency trees for affected versions and rotate any credentials present in environments where the compromised package was installed.

Iran Signals Intent to Target U.S. Tech Infrastructure — Starting Today
Iranian threat actors have publicly threatened attacks against U.S. technology companies beginning April 1 — which is, to be precise, today. Whether this materialises as opportunistic reconnaissance, DDoS campaigns, or targeted intrusion attempts, the signalling itself warrants heightened monitoring. U.S. tech firms and their suppliers should treat this as an active threat window: review perimeter exposure, ensure incident response playbooks are current, and increase log retention and alerting thresholds. Nation-state threats that telegraph timing are rare — take the gift seriously.

axios npm Package Hijacked for Three Hours
The popular JavaScript HTTP library axios was briefly compromised in what appears to be a hijacking of the package's publish credentials, giving attackers a window of roughly three hours to distribute a malicious version. The more under-discussed problem is persistence: container images and CI/CD pipelines that pulled the package during that window may still be running the compromised version in production without any indication in current advisories. Practitioners should check build timestamps against the hijack window, scan running containers, and not assume that pulling a clean version today retroactively cleans existing deployments. This is yet another reminder that npm's publish model remains a structurally attractive target.


Nerdy Corner

Cloudflare has quietly shipped EmDash, pitched as a spiritual successor to WordPress that bakes security into the platform architecture rather than bolting it on via a plugin ecosystem held together by hope and outdated PHP. Given that WordPress plugins account for a frankly embarrassing proportion of web compromises annually, the bar isn't exactly high. Whether EmDash will actually displace the incumbent — which powers roughly 40% of the internet, security nightmares and all — remains deeply questionable, but the ambition is appreciated. It's also April 1st, so we're choosing to believe this one is real.