Critical Edge Flaw Lets Hackers Strike With a Single Click
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 19, 2026
cybr.cx | Daily Digest — May 19, 2026
Critical Vulnerabilities
CVE-2026-45495 — Microsoft Edge (Chromium-based) | CVSS 8.8
A remote code execution vulnerability in Microsoft Edge's Chromium engine that could allow an attacker to execute arbitrary code simply by getting a target to visit a malicious page. Given Edge's enterprise deployment footprint, this is a high-priority patch — push the update, don't wait for the next patch cycle.
CVE-2026-8775 & CVE-2026-8776 — Edimax BR-6428NS Router (v1.10) | CVSS 8.8 (both)
Two buffer overflow vulnerabilities in the L2TP and PPTP setup handlers of this consumer/SOHO router. Both are remotely exploitable, both have public exploits, and the vendor has gone silent on disclosure. If you have these devices in any managed environment — decommission or segment them now. There is no patch and no indication one is coming.
CVE-2026-7498 — DernekWeb (through 30122025) | CVSS 8.8
A stored cross-site scripting flaw in this association management web platform. Stored XSS at 8.8 means attacker-supplied scripts persist and execute for any user who loads the affected page — think session hijacking and credential theft at scale. Update to a patched release immediately.
CVE-2026-47092 — Claude HUD (through 0.0.12) | CVSS 7.8
A command injection vulnerability in the Claude HUD developer tool: a local attacker can manipulate the COMSPEC environment variable before the app performs its version check, causing it to execute an arbitrary binary with cmd.exe arguments. If this tool is running in shared developer environments or CI pipelines, that's a meaningful privilege escalation surface. Patch is in commit 234d9aa.
CVE-2026-41948 — Dify (≤1.14.1) | CVSS 7.7
A path traversal flaw in the AI application platform Dify allows authenticated users to escape their authorised tenant path via unencoded dot sequences, reaching internal Plugin Daemon REST API endpoints. With Dify gaining rapid adoption in enterprise AI pipelines, tenant isolation being bypassable is a serious concern. No patch released at time of writing — restrict network access to the Plugin Daemon where possible.
CVE-2026-42009 — GnuTLS | CVSS 7.5
A denial-of-service vulnerability in GnuTLS's DTLS packet reordering logic: duplicate sequence numbers cause undefined behaviour in the comparator function, potentially crashing the TLS stack. Any service using GnuTLS for DTLS — VPN gateways, SIP infrastructure, embedded devices — should treat this as a priority update.
CVE-2026-41947 — Dify (≤1.14.1) | CVSS 7.4
A second Dify vulnerability this cycle: editor-role users can set and enable trace configurations for applications belonging to other tenants, redirecting all LLM messages and responses to attacker-controlled trace providers. This is a data exfiltration risk dressed up as a misconfiguration. Same mitigation applies until a patch lands.
Headline News
Windows 'MiniPlasma' Zero-Day: SYSTEM Access, PoC in the Wild
A new Windows local privilege escalation zero-day, dubbed MiniPlasma, has surfaced with a public proof-of-concept already circulating. The exploit grants SYSTEM-level access, and its public release compresses the window between disclosure and active weaponisation to essentially zero. This lands in the same week that a Microsoft Exchange Server vulnerability was confirmed under active exploitation — with CISA urging organisations to prioritise remediation as a matter of urgency. Two high-severity Windows-ecosystem issues in one week is not a coincidence to hand-wave; it's a signal that threat actors are working the Microsoft surface aggressively right now. Defenders should be validating patch status across both Exchange and Windows endpoints today, not at the end of the sprint.
A Million Cameras, Wide Open
Roughly one million baby monitors and home security cameras manufactured by Meari Technology were found to be trivially accessible to external parties due to weak cloud infrastructure controls. Devices marketed under various white-label brands were affected, meaning many consumers had no idea their camera was Meari hardware underneath. The core issue — hardcoded or guessable credentials combined with a shared cloud relay infrastructure — is a pattern that the IoT industry has failed to solve for over a decade. For practitioners managing BYOD or home-worker environments, this is another reminder that consumer-grade cameras on home networks represent a real lateral movement risk if those networks touch corporate resources in any way.
AI Bug Hunters Are Breaking the Linux Security Process
Linus Torvalds has publicly described the Linux kernel security mailing list as "almost entirely unmanageable" due to a flood of AI-generated vulnerability reports. Automated tools are churning out low-quality, speculative, or outright hallucinated bug reports at a volume that is overwhelming human reviewers and burying legitimate disclosures. The signal-to-noise ratio has collapsed to the point where genuine vulnerabilities risk being lost in the noise — which is, perversely, a security risk in itself. This is an early and concrete example of AI tooling creating systemic harm to open-source security infrastructure, and it raises urgent questions about disclosure norms and intake filtering that the industry hasn't yet answered.
Schrödinger's Feed
NIST has advanced nine post-quantum digital signature candidates to a third evaluation round — a quiet but significant milestone in the long road to replacing RSA and ECDSA across the internet's signing infrastructure. Digital signatures underpin TLS certificates, code signing, firmware validation, and software update chains, making this selection round arguably more operationally impactful than the already-finalised key encapsulation standards. The candidates span a range of mathematical foundations — lattices, hash-based schemes, and others — reflecting a deliberate diversification strategy against the possibility that a single mathematical family proves vulnerable. Practitioners with long-lived PKI infrastructure or hardware security modules in the procurement pipeline should be watching this round closely: the algorithms selected here will define what "secure signing" looks like for the next twenty years.
/dev/random
Anthropic has acquired Stainless, a company that auto-generates polished SDK wrappers from API specifications. On the surface: a developer tooling acquisition. In practice: the company building arguably the most capable AI assistant on the market now also owns the tooling that makes it trivially easy to embed that assistant into any application via a clean, auto-generated SDK. Nothing says "we want to be deeply integrated into every software stack on earth" quite like buying the company that smooths out the last mile of that integration. Somewhere, a prompt injection researcher just smiled and opened a new tab.