Critical Flaw Hits Turkish Linux OS: Command Injection Risk
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. April 30, 2026
cybr.cx | Daily Digest — April 30, 2026
Critical Vulnerabilities
CVE-2026-6849 | Pardus OS My Computer | CVSS 8.8 | OS Command Injection
Versions ≤0.7.5 of the Pardus OS My Computer component — part of Turkey's nationally developed Linux distribution — allow unauthenticated OS command injection. If you're running Pardus in enterprise or government environments (its primary deployment context), patch to 0.8.0 immediately. The attack surface here is meaningful given Pardus's adoption in Turkish public sector infrastructure.
CVE-2026-5140 | Pardus | CVSS 8.8 | CRLF Injection / Authentication Bypass
A second Pardus flaw, this one a CRLF injection in versions ≤0.6.4, enables authentication bypass. Paired with CVE-2026-6849, an attacker who bypasses auth can chain directly into command execution. Both issues are resolved in 0.8.0 — update now and treat these as a single threat chain.
CVE-2026-5161 | Pardus About | CVSS 8.8 | Symlink Attack
A link-following vulnerability in Pardus About before v1.2.1 allows a local attacker to perform a symlink attack, potentially overwriting privileged files. Less flashy than RCE, but dangerous in shared or multi-user environments. Patch to v1.2.1.
CVE-2026-7466 | AgentFlow | CVSS 8.8 | Arbitrary Code Execution
AgentFlow's POST /api/runs and /api/runs/validate endpoints accept a user-controlled pipeline_path parameter without sanitisation, allowing any attacker who can reach the local API to load and execute arbitrary Python pipeline files on disk. In agentic AI deployment architectures where AgentFlow is exposed — even internally — this is a serious lateral movement risk. Restrict API access and apply vendor patches.
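To illustrate the class of defect behind the AgentFlow issue, here is an added example (not AgentFlow's own code) of how a server should map an untrusted pipeline_path value onto a file before loading it: the directory layout, the function names and the "pipelines root" are assumptions for the demo.

```python
import os
import pathlib
import tempfile


class PipelinePathError(ValueError):
    """Raised when a requested pipeline path is rejected."""


def resolve_pipeline_path(pipelines_root, requested: str) -> pathlib.Path:
    """Map an untrusted pipeline_path value onto a regular .py file under
    pipelines_root. Rejects empty/absolute/NUL paths, '..' traversal, any
    symlink component, and anything that resolves outside the root."""
    root = pathlib.Path(pipelines_root).resolve(strict=True)
    if not requested or os.path.isabs(requested) or "\x00" in requested:
        raise PipelinePathError("empty, absolute or NUL-containing path")
    parts = pathlib.PurePosixPath(requested).parts
    if ".." in parts:
        raise PipelinePathError("parent-directory traversal")
    cur = root
    for part in parts:                  # walk component by component so a
        cur = cur / part                # symlink anywhere in the chain is caught
        if cur.is_symlink():
            raise PipelinePathError("symlink in pipeline path")
    try:
        resolved = cur.resolve(strict=True)
    except OSError:
        raise PipelinePathError("pipeline does not exist") from None
    if root not in resolved.parents:
        raise PipelinePathError("escapes pipelines root")
    if resolved.suffix != ".py" or not resolved.is_file():
        raise PipelinePathError("not a regular .py file")
    return resolved


def demo() -> dict:
    """Build a constructed pipelines tree in a temp dir and exercise the checks."""
    tmp = pathlib.Path(tempfile.mkdtemp())
    (tmp / "pipelines").mkdir()
    (tmp / "pipelines" / "etl.py").write_text("print('etl')\n")
    (tmp / "secret.py").write_text("print('outside root')\n")  # constructed target
    os.symlink(tmp / "secret.py", tmp / "pipelines" / "link.py")
    results = {}
    for req in ["etl.py", "../secret.py", "link.py", "/etc/passwd", "missing.py"]:
        try:
            resolve_pipeline_path(tmp / "pipelines", req)
            results[req] = "allowed"
        except PipelinePathError as exc:
            results[req] = f"rejected: {exc}"
    return results
```

Only the pipeline inside the configured root is accepted; traversal, symlinks, absolute paths and missing files are all refused before anything is imported or executed.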
CVE-2026-34965 | Cockpit CMS | CVSS 8.8 | Authenticated RCE
Authenticated users with collection management privileges can inject arbitrary PHP into rule parameters via the /cockpit/collections/save_collection endpoint. The injected code is written directly to server-side PHP files and executed on inclusion. "Authenticated" is the only barrier here, and in many CMS deployments that bar is low. Audit user privilege assignments and check for available patches.
CVE-2018-25308 / CVE-2018-25299 / CVE-2018-25301 | Legacy Software | CVSS 8.4–8.8
Three old CVEs from 2018 are receiving fresh NVD entries this cycle: a file deletion/RCE bug in BuddyPress Xprofile Custom Fields Type 2.6.3, and SEH-based local buffer overflows in Prime95 29.4b8 and Easy MPEG to DVD Burner 1.7.11. These are legacy issues, but if any of this software exists in your environment — particularly on unmanaged endpoints — the renewed attention may signal active exploitation interest. Inventory and retire where possible.
Headline News
GitHub RCE via git push — CVE-2026-3854
A critical command injection vulnerability in GitHub infrastructure allows an attacker to achieve remote code execution with nothing more than a crafted git push. The flaw, CVE-2026-3854, sits in a component that processes repository events, meaning the attack surface touches virtually any workflow that accepts external contributions. The implications for CI/CD pipelines and open-source supply chain integrity are significant — a malicious push to a public repo could theoretically become an execution primitive. GitHub has issued patches, but practitioners should audit pipeline triggers, review webhook security, and treat any unreviewed external contributions with elevated suspicion until their environments are confirmed clean.
CISA Funding Crisis Leaves US Cyber Defence Exposed
The Cybersecurity and Infrastructure Security Agency is reported to be operating in a de facto standby mode following a funding shortfall, with staff reductions and operational pauses affecting core programmes. For an agency responsible for coordinating federal incident response, maintaining the KEV catalogue, and providing free threat-hunting services to critical infrastructure operators, even a partial operational freeze carries real downstream risk. Threat actors — particularly state-sponsored groups — routinely time operations to coincide with defender distraction or reduced capacity. Practitioners who rely on CISA advisories, joint cybersecurity advisories, or CISA-provided tooling should establish fallback intelligence sources and not assume normal service continuity.
Apple Patches iOS Bug That Exposed "Deleted" Signal Messages
Apple has patched a flaw that allowed forensic tools used by law enforcement — including the FBI — to extract Signal messages that users believed had been permanently deleted. The bug undermined Signal's disappearing message functionality at the OS level, meaning the encryption itself was never the weak point; the vulnerability lived in how iOS handled file deletion and storage. This is a significant finding for high-risk users — journalists, activists, attorneys, and anyone who depends on ephemeral messaging for genuine operational security. The patch is available now, and the incident is a useful reminder that application-layer security guarantees are only as strong as the underlying OS they run on.
Schrödinger's Feed
A new MIT-developed chip is demonstrating the ability to protect wireless biomedical devices — pacemakers, implantables, continuous glucose monitors — against quantum computing attacks using lightweight post-quantum cryptographic primitives. The work is notable because biomedical devices represent one of the hardest PQC migration targets: constrained power budgets, minimal compute headroom, and update mechanisms that range from difficult to nonexistent. Getting PQC onto silicon purpose-built for implantables suggests the field is maturing beyond server-room migration and into genuinely hostile edge environments. Practitioners involved in medical device security or critical embedded systems should watch this space — the techniques developed here will likely inform regulatory guidance on quantum-resistant medical device standards within the next few years.
/dev/random
A Hacker News favourite this week: CVE-2026-31431, documented at the delightfully named copy.fail — a vulnerability in the humble act of copying text. Without spoiling the specifics, the site demonstrates how clipboard behaviour in browsers can be silently hijacked to replace what you think you copied with something else entirely. It's a beautifully targeted attack vector for anyone who copies shell commands, crypto addresses, or API keys from the web. The domain alone deserves a bookmark. Paste carefully out there.