  ██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

Critical Flaw Lets Users Hijack Admin Credentials in Quark Drive

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 15, 2026

cybr.cx | Daily Digest — May 15, 2026


Critical Vulnerabilities

CVE-2026-45229 — Quark Drive < 0.8.5 | CVSS 8.8
A mass assignment flaw in Quark Drive's POST /update endpoint lets any authenticated user overwrite administrator credentials by injecting an arbitrary webui object into the config_data dictionary. The endpoint filters incoming keys with a deny-list rather than an allow-list, so a low-privileged account can permanently lock out legitimate admins and establish persistent control. Upgrade to 0.8.5 immediately, rotate the administrator credentials afterwards, and treat any instance that ran an older version as potentially compromised.

CVE-2026-44446 / CVE-2026-44447 — ERPNext < 15.104.3 / 16.14.0 / 16.9.0 | CVSS 8.8
Two closely related SQL injection vulnerabilities affect multiple endpoint families in ERPNext. Specially crafted requests can extract sensitive business and personal data from the underlying database without elevated privileges. If you run ERPNext, patch to 15.104.3, 16.14.0, or 16.9.0 depending on your branch; in the meantime, review database query logs for injection indicators such as UNION SELECT, tautologies like OR 1=1, comment sequences, and stacked statements, and watch for unusual volumes of SELECTs against the same tables from the web tier.
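Reviewing query logs for injection indicators, as the ERPNext item suggests, comes down to a handful of signatures run over each logged statement. The scanner below is an added example, not ERPNext or Frappe code: the log format ("timestamp user query"), the table names and the sample lines are all constructed, and the signatures are generic ones that must be tuned against the queries the application legitimately issues.

```python
"""Scan a database query log for SQL injection indicators.

Added illustration for the ERPNext item, not ERPNext or Frappe code. The log
format ("timestamp user query"), the table names and the sample lines are all
constructed; the signatures are generic and need tuning against the queries an
application legitimately issues.
"""
import re

# Constructed sample log: four benign queries and four carrying injection payloads.
SAMPLE_LOG = """\
2026-05-15T08:01:02Z web SELECT name, status FROM invoices WHERE customer = 'ACME Ltd'
2026-05-15T08:01:05Z web SELECT name FROM customers WHERE name = 'x' OR '1'='1'
2026-05-15T08:01:07Z web SELECT name FROM customers WHERE name = 'x' UNION SELECT password FROM users --
2026-05-15T08:01:09Z web SELECT count(*) FROM users WHERE enabled = 1
2026-05-15T08:01:11Z web SELECT name FROM items WHERE item_code = 'a'; DROP TABLE items
2026-05-15T08:01:13Z web SELECT name FROM items WHERE item_code = 'b' AND SLEEP(5)
2026-05-15T08:01:15Z web SELECT name FROM items WHERE item_code = 'Rock ''n'' Roll'
2026-05-15T08:01:17Z web SELECT name FROM items WHERE description LIKE '%union%'
"""

# Generic indicators: tautology (OR 1=1 / OR 'a'='a'), UNION-based extraction,
# comment truncation, stacked statements, and time-based blind probes.
SIGNATURES = [
    ("tautology",          re.compile(r"""\bOR\s+(['"]?)(\w+)\1\s*=\s*\1\2\1""", re.I)),
    ("union-select",       re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("comment-truncation", re.compile(r"--(?:\s|$)|/\*")),
    ("stacked-statement",  re.compile(r";\s*(?:DROP|DELETE|UPDATE|INSERT|ALTER|CREATE)\b", re.I)),
    ("time-based",         re.compile(r"\b(?:SLEEP|BENCHMARK|PG_SLEEP|WAITFOR\s+DELAY)\b", re.I)),
]


def parse_line(line):
    """Split one constructed log line into (timestamp, user, query); None if malformed."""
    parts = line.split(" ", 2)
    return tuple(parts) if len(parts) == 3 else None


def scan_log(text):
    """Return [(line_no, [signature names], query)] for every line that matches a signature."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        query = parsed[2]
        names = [name for name, rx in SIGNATURES if rx.search(query)]
        if names:
            hits.append((n, names, query))
    return hits


if __name__ == "__main__":
    for n, names, query in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(names)}: {query}")
```

The quoted-literal line ("Rock ''n'' Roll") and the LIKE '%union%' line are deliberately benign: requiring whitespace after OR and a SELECT after UNION keeps them out of the hit list, which is the kind of false-positive check to repeat with real traffic before alerting on any of these signatures.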

CVE-2026-6506 — InfusedWoo Pro WordPress Plugin ≤ 5.1.2 | CVSS 8.8
The infusedwoo_gdpr_upddata() function performs no authorization or capability check, so any subscriber-level WordPress user can update arbitrary user meta fields, including the ones that control role assignment. That is a straightforward privilege escalation to administrator. Any WordPress e-commerce site running InfusedWoo Pro should update or deactivate the plugin now, then review the user list for administrator accounts that nobody created on purpose.
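Both the Quark Drive item above (a deny-list on config keys that misses a whole nested object) and the InfusedWoo item (no authorization check at all on a field update) are the same bug class, so one example covers both. This is added illustration, not Quark Drive or InfusedWoo code: the record layout, the key names, the role model and the attacker payload are all assumptions made for the example.

```python
"""Mass assignment: deny-list (vulnerable) beside allow-list plus an
authorization check (hardened).

Added illustration, not Quark Drive or InfusedWoo code. The record layout,
the key names, the role model and the payload are assumptions for the example.
"""
from copy import deepcopy

# Constructed state standing in for a config / user-meta dictionary. The nested
# "webui" object holds administrator credentials; "role" drives authorization.
STATE = {
    "display_name": "alice",
    "theme": "dark",
    "role": "subscriber",
    "webui": {"admin_user": "admin", "admin_password_hash": "sha256$constructed"},
}


class UpdateRejected(Exception):
    pass


# --- Vulnerable pattern: a deny-list of the field names the author thought of. ---
DENY_LIST = {"role", "admin_user", "admin_password_hash"}


def update_with_deny_list(state, payload):
    """Every key not explicitly denied is written as-is, with no check on who
    is asking. The deny-list names the inner credential fields but not their
    container, so a payload carrying a whole "webui" object replaces the
    administrator credentials in one request."""
    new = deepcopy(state)
    for key, value in payload.items():
        if key in DENY_LIST:
            continue  # silently dropped; the caller learns nothing
        new[key] = value
    return new


# --- Hardened pattern: per-role allow-list, reject anything else loudly. ---
WRITABLE_BY_ROLE = {
    "subscriber": {"display_name", "theme"},
    "admin": {"display_name", "theme", "role", "webui"},
}


def update_with_allow_list(state, payload, actor_role):
    """Only keys the actor's role may write are applied; any other key, known
    or not, aborts the whole update so nothing partial lands."""
    allowed = WRITABLE_BY_ROLE.get(actor_role, set())
    bad = sorted(set(payload) - allowed)
    if bad:
        raise UpdateRejected(f"role {actor_role!r} may not set {bad}")
    new = deepcopy(state)
    for key, value in payload.items():
        if key == "webui":
            # Even for admins, merge known sub-fields rather than swapping the object.
            if not isinstance(value, dict) or set(value) - set(state["webui"]):
                raise UpdateRejected("unexpected webui fields")
            new["webui"].update(value)
        else:
            new[key] = value
    return new


def is_rejected(state, payload, actor_role):
    """True if the hardened updater refuses this payload for this actor."""
    try:
        update_with_allow_list(state, payload, actor_role)
    except UpdateRejected:
        return True
    return False


# Attacker-controlled payload for the credential takeover (constructed).
TAKEOVER = {
    "theme": "light",
    "webui": {"admin_user": "mallory", "admin_password_hash": "sha256$mallory"},
}

if __name__ == "__main__":
    print("deny-list result:", update_with_deny_list(STATE, TAKEOVER)["webui"])
    print("allow-list rejects subscriber takeover:", is_rejected(STATE, TAKEOVER, "subscriber"))
    print("allow-list rejects subscriber role change:", is_rejected(STATE, {"role": "admin"}, "subscriber"))
```

The deny-list version happens to block a bare {"role": "admin"}, because someone listed that name; it does nothing about the container object nobody listed, which is the Quark Drive shape of the bug. The hardened version decides from the actor's role first, which is the check the InfusedWoo function is described as lacking, and rejects the request outright instead of silently dropping keys.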

CVE-2025-15024 — Yordam Library Automation System v19.5–v22.1 | CVSS 8.8
A code injection vulnerability in Yordam's Library Automation System allows remote code inclusion via improperly controlled code generation. Combined with two companion flaws in the same product, an authorization bypass (CVE-2025-15023) and exploitation of misconfigured ACL levels (CVE-2025-15025), this forms a serious attack chain in library and institutional environments. Note that the affected range above runs through v22.1 inclusive, so an upgrade to v22.1 alone should not be treated as remediation: confirm the fixed release with the vendor, apply it, and restrict external access to the management interface in the meantime.


Headline News

Two Former Contractors Deleted 96 Federal Databases in Insider Attack
A pair of brothers, recently terminated from a federal contractor role, allegedly wiped 96 government databases in what appears to be a deliberate act of destructive sabotage. One of them subsequently used a search engine to look up how to conceal forensic evidence — a detail that both confirmed intent and ultimately aided investigators. The incident is a stark reminder that offboarding procedures, especially credential revocation and access termination at the moment of dismissal, remain chronically underprioritised in government and contractor environments. For practitioners, the takeaway is uncomfortable but familiar: insider threat is rarely a sophisticated technical problem — it's a process failure that privilege management and immutable audit logging can significantly mitigate.

Critical Exim RCE Flaw Threatens Exposed Mail Servers Globally
A newly disclosed critical vulnerability in the Exim mail transfer agent allows unauthenticated remote attackers to execute arbitrary code on affected servers in certain configurations. Exim is one of the most widely deployed MTAs on the internet, making the attack surface substantial — previous critical Exim flaws have seen active exploitation begin within days of disclosure. Administrators should identify exposed Exim instances immediately, apply available patches, and verify that configurations matching the vulnerable profile are not present in production. Any internet-facing mail infrastructure that hasn't been audited recently should be treated as a priority.

18-Year-Old NGINX Rewrite Module Flaw Yields Heap Buffer Overflow and RCE
A published writeup and proof-of-concept detail a heap buffer overflow in NGINX's rewrite module, tracked as CVE-2026-42945, that has apparently existed in the codebase for roughly 18 years. The vulnerability enables remote code execution under exploitable conditions, and a working PoC substantially raises the threat level for any unpatched deployment. NGINX's ubiquity across reverse proxies, load balancers, and web infrastructure makes this particularly significant. Practitioners should check their NGINX versions against the affected ranges in the advisory and patch without delay; until then, inventory which server and location blocks on internet-facing listeners use rewrite-module directives, and review the WAF or network-level controls in front of them.


Schrödinger's Feed

China's Origin Wukong-180 Joins the Global Quantum Cloud
Origin Quantum has officially launched the Wukong-180, its fourth-generation superconducting quantum computer, and made it available through a globally accessible cloud platform for external workloads. The system comes from a Hefei-based firm at the centre of China's state-backed quantum programme, and its cloud availability is a meaningful step in accessible, high-qubit computation outside Western provider ecosystems. Note that 180 is a count of physical, noisy qubits: running Shor's algorithm against RSA or elliptic-curve keys at deployed sizes requires error correction and orders of magnitude more physical qubits, so current asymmetric standards are not threatened by this machine. The trajectory, combined with the geopolitical context, is still worth watching closely; practitioners implementing or planning post-quantum cryptography migrations should note that the competitive landscape is moving faster than most enterprise timelines.


/dev/random

Someone Connected an RTX 5090 to an M4 MacBook Air and Asked the Important Questions
In a piece that sits somewhere between engineering curiosity and performance art, one intrepid user connected an RTX 5090 — Nvidia's current flagship discrete GPU — to an M4 MacBook Air via an external GPU enclosure to find out if it could game. The answer, roughly, is "kind of, expensively, with caveats," which is either a triumph of human ingenuity or a monument to misaligned priorities. To be fair, the M4 MacBook Air has no fan, so at least one component in this setup maintains its dignity. No CVEs were discovered in the process, but the attack surface on that Thunderbolt connection remains spiritually concerning.