██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

Critical Flaws in Popular Routers Now Under Active Exploitation

Today's cybersecurity digest — CVEs, headline news, and something nerdy. March 23, 2026

cybr.cx Daily Digest — March 23, 2026

Critical Vulnerabilities

CVE-2026-4565 & CVE-2026-4566 – Tenda AC21 / Belkin F9K1122 Routers (CVSS 8.8 HIGH)
Two consumer routers have remotely exploitable buffer overflow vulnerabilities with public exploits now circulating. The Tenda AC21 flaw targets the QoS band configuration endpoint, while the Belkin F9K1122 issue is a stack-based overflow in the 5GHz WISP configuration. Belkin has not responded to disclosure attempts. If you're running either device, isolate it immediately or replace it—these are trivial to exploit from the network.

CVE-2026-32845 – cgltf Library ≤1.15 (CVSS 8.4 HIGH)
An integer overflow in the glTF/GLB parsing library cgltf allows attackers to trigger out-of-bounds heap reads via malicious 3D model files. If your application processes untrusted glTF assets (games, AR/VR platforms, 3D viewers), upgrade immediately. This is a solid vector for information disclosure or crashing parsers.
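The length-check mistake behind this class of bug is easy to see in a minimal GLB chunk walker. The example below is added here and is not cgltf's code: it parses the GLB container (12-byte header, then chunks of 4-byte length, 4-byte type, data) and shows the wrapping `offset + length <= total` check that a uint32 C parser computes beside the overflow-free `length <= total - offset` form. The builder and the sample asset are constructed for illustration.

```python
import struct

GLB_MAGIC = 0x46546C67    # "glTF" as a little-endian uint32
CHUNK_JSON = 0x4E4F534A   # "JSON"
CHUNK_BIN = 0x004E4942    # "BIN\0"
U32_MASK = 0xFFFFFFFF


def unsafe_chunk_fits(offset: int, chunk_len: int, total: int) -> bool:
    """Bounds check as a C parser using uint32 arithmetic computes it.

    The sum wraps modulo 2**32, so a huge chunk_len can make the check
    pass even though the chunk extends far past the end of the buffer.
    """
    end = (offset + chunk_len) & U32_MASK   # emulate uint32 overflow
    return end <= total


def safe_chunk_fits(offset: int, chunk_len: int, total: int) -> bool:
    """Overflow-free form: compare the length against the space remaining."""
    return offset <= total and chunk_len <= total - offset


def parse_glb_chunks(data: bytes) -> list:
    """Walk the GLB chunk list and return (chunk_type, chunk_data) pairs.

    Every length taken from the file is validated with the overflow-free
    check before any slice is made, so a malicious header cannot push a
    read past the buffer.
    """
    if len(data) < 12:
        raise ValueError("truncated GLB header")
    magic, version, declared_len = struct.unpack_from("<III", data, 0)
    if magic != GLB_MAGIC:
        raise ValueError("not a GLB file")
    if version != 2:
        raise ValueError(f"unsupported GLB version {version}")
    if declared_len > len(data):
        raise ValueError("header length exceeds buffer size")
    total = declared_len
    offset = 12
    chunks = []
    while offset < total:
        if total - offset < 8:
            raise ValueError("truncated chunk header")
        chunk_len, chunk_type = struct.unpack_from("<II", data, offset)
        offset += 8
        if not safe_chunk_fits(offset, chunk_len, total):
            raise ValueError(f"chunk length {chunk_len} exceeds buffer")
        chunks.append((chunk_type, data[offset:offset + chunk_len]))
        offset += chunk_len
    return chunks


def build_glb(json_payload: bytes, bin_payload: bytes = b"") -> bytes:
    """Construct a small GLB for testing (sample input, not a real asset).

    The JSON chunk is space-padded and the BIN chunk zero-padded to a
    4-byte boundary, as the GLB container format requires.
    """
    def chunk(ctype: int, payload: bytes, pad: bytes) -> bytes:
        payload += pad * (-len(payload) % 4)
        return struct.pack("<II", len(payload), ctype) + payload

    body = chunk(CHUNK_JSON, json_payload, b" ")
    if bin_payload:
        body += chunk(CHUNK_BIN, bin_payload, b"\0")
    return struct.pack("<III", GLB_MAGIC, 2, 12 + len(body)) + body
```

The wrapped check is the shape to look for in a code review of any parser that trusts a length field: the fix is to subtract the known-good offset from the buffer size rather than add the untrusted length to the offset.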

CVE-2026-25075 – strongSwan 4.5.0 to <6.0.5 (CVSS 7.5 HIGH)
An integer underflow in strongSwan's EAP-TTLS AVP parser lets unauthenticated remote attackers cause denial of service during IKEv2 authentication. Given strongSwan's widespread use in enterprise VPNs, this is a priority patch—attackers can knock your VPN concentrators offline without credentials.
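An AVP parser is a good place to see how an underflow of this kind arises. The example below is added here and is not strongSwan's code: it parses the Diameter-style AVP framing that EAP-TTLS uses (RFC 5281: 4-byte code, 1-byte flags, 3-byte length covering header plus data, optional 4-byte Vendor-ID, data padded to 4 bytes) and rejects any AVP whose declared length is shorter than its own header before subtracting anything from it. The `unchecked_data_len` helper shows what unguarded unsigned arithmetic would produce instead. The message builder and sample values are constructed for the test.

```python
import struct

AVP_FLAG_VENDOR = 0x80      # V bit: a Vendor-ID field follows the length
AVP_FLAG_MANDATORY = 0x40   # M bit
U32_MASK = 0xFFFFFFFF


def parse_avps(payload: bytes) -> list:
    """Parse a sequence of EAP-TTLS AVPs into (code, flags, vendor_id, data).

    Every length read from the wire is checked against the header size and
    the bytes remaining, so a short or inconsistent AVP Length raises instead
    of producing a negative (in C: wrapped-to-huge) data length.
    """
    avps = []
    offset = 0
    total = len(payload)
    while offset < total:
        if total - offset < 8:
            raise ValueError(f"truncated AVP header at offset {offset}")
        code, flags_and_len = struct.unpack_from(">II", payload, offset)
        flags = flags_and_len >> 24
        avp_len = flags_and_len & 0x00FFFFFF        # 24-bit length field
        header_len = 12 if flags & AVP_FLAG_VENDOR else 8
        # Underflow guard: the declared length must cover the header
        # before the header size is subtracted from it.
        if avp_len < header_len:
            raise ValueError(
                f"AVP length {avp_len} shorter than header {header_len}")
        if avp_len > total - offset:
            raise ValueError(
                f"AVP length {avp_len} exceeds remaining {total - offset}")
        vendor_id = None
        if header_len == 12:
            (vendor_id,) = struct.unpack_from(">I", payload, offset + 8)
        data = payload[offset + header_len:offset + avp_len]
        avps.append((code, flags, vendor_id, data))
        # Advance past the data plus padding to the next 4-byte boundary;
        # a final AVP without trailing padding is tolerated.
        offset = min(offset + avp_len + (-avp_len % 4), total)
    return avps


def unchecked_data_len(avp_len: int, header_len: int) -> int:
    """Data length as an unguarded C parser with uint32 arithmetic computes it."""
    return (avp_len - header_len) & U32_MASK


def build_avp(code: int, data: bytes, mandatory: bool = True,
              vendor_id: int = None) -> bytes:
    """Encode one AVP (constructed sample, used to build test input)."""
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
        vendor = struct.pack(">I", vendor_id)
    avp_len = 8 + len(vendor) + len(data)
    out = struct.pack(">II", code, (flags << 24) | avp_len) + vendor + data
    return out + b"\0" * (-len(out) % 4)
```

The two guards have to run in that order: comparing against the remaining bytes first would still let an AVP Length of 4 through, and the subtraction that follows is exactly where an unsigned parser underflows.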

CVE-2026-2580 – WP Maps Plugin ≤4.9.1 (CVSS 7.5 HIGH)
Unauthenticated time-based SQL injection via the orderby parameter. If you're running this popular WordPress mapping plugin, update now or disable it. Since no authentication is required, every script kiddie with sqlmap can dump your database.

CVE-2026-32969 – Pre-Auth SQL Injection (CVSS 7.5 HIGH)
A blind SQL injection in an unspecified product's userinfo authentication endpoint enables total confidentiality loss without authentication. Details are sparse—check your vendor advisories if you're running identity management or authentication platforms.
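Both of these advisories come down to untrusted text reaching the SQL parser, and the two fixes differ: a lookup value such as a username takes a bound parameter, while an ORDER BY column cannot, so it must be mapped onto an allowlist. The example below is added here and is not the plugin's or the unnamed product's code; it uses an in-memory sqlite3 database with a constructed schema and rows, and shows the vulnerable string-formatted queries beside their hardened forms. A username containing an apostrophe is enough to show the vulnerable lookup handing user input to the parser, and an arbitrary SQL expression in orderby shows the same for the sort column.

```python
import sqlite3

# Constructed sample schema and rows; neither product's real schema is known here.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
CREATE TABLE map_markers (
    id INTEGER PRIMARY KEY, title TEXT, lat REAL, lng REAL);
"""
SAMPLE_USERS = [(1, "alice", "hash-a"), (2, "O'Brien", "hash-b")]
SAMPLE_MARKERS = [(1, "Downtown", 51.5, -0.12),
                  (2, "Pier", 51.4, -0.10),
                  (3, "Harbor", 51.3, -0.09)]


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO map_markers VALUES (?, ?, ?, ?)", SAMPLE_MARKERS)
    return conn


# --- vulnerable patterns: request data is spliced into the statement text ---

def vulnerable_userinfo(conn, username: str) -> list:
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def vulnerable_markers(conn, orderby: str) -> list:
    sql = f"SELECT id, title FROM map_markers ORDER BY {orderby}"
    return conn.execute(sql).fetchall()


# --- hardened forms ---

def safe_userinfo(conn, username: str) -> list:
    # Bound parameter: the driver passes the value separately from the SQL
    # text, so quotes or keywords in it never reach the parser as syntax.
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# ORDER BY cannot take a bound parameter, so the request is mapped onto a
# fixed set of column names and directions; anything else is rejected.
ALLOWED_ORDER = {"id": "id", "title": "title", "lat": "lat", "lng": "lng"}
ALLOWED_DIR = {"asc": "ASC", "desc": "DESC"}


def safe_markers(conn, orderby: str = "id", direction: str = "asc") -> list:
    column = ALLOWED_ORDER.get(orderby.lower())
    order = ALLOWED_DIR.get(direction.lower())
    if column is None or order is None:
        raise ValueError("orderby/direction not in allowlist")
    # Only allowlisted literals ever reach the f-string.
    return conn.execute(
        f"SELECT id, title FROM map_markers ORDER BY {column} {order}"
    ).fetchall()
```

Note that the allowlist is a dict from request token to SQL literal, not a check that the token "looks like a column name": a regex on the input is easy to get wrong, whereas a lookup can only ever produce the fixed strings on the right-hand side.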

CVE-2026-4645 – antchfx/xpath Go Library (CVSS 7.5 HIGH)
Crafted XPath expressions can trigger infinite loops causing 100% CPU utilization. If you're using this popular Go XML library in any internet-facing service, validate your inputs or risk easy DoS conditions.


Headline News

Crunchyroll Supply Chain Breach: 100GB Exfiltrated

Anime streaming giant Crunchyroll has confirmed a supply chain compromise that resulted in approximately 100GB of data exfiltration. The attack reportedly leveraged malware inserted into a third-party component, allowing attackers to maintain persistent access and siphon data over an extended period. The scope of compromised data hasn't been fully disclosed, but supply chain attacks of this scale typically harvest credentials, internal documentation, and subscriber information. For defenders, this is another reminder that vendor risk management isn't optional—your security posture is only as strong as your weakest supplier. Incident response teams at streaming and media companies should be auditing their third-party integrations now.

GlassWorm Campaign Expands: 400+ Malicious Components, Scanner Released

Security researchers have published an open-source scanner targeting GlassWorm, a persistent supply chain attack campaign that has compromised over 400 software components across five distinct waves since October 2025. The technique focuses on injecting malicious code into legitimate packages in ways that evade standard detection. The scanner identifies the methodology itself rather than relying on IOC signatures, making it more resilient against variant mutations. If you maintain software that pulls dependencies from public registries, running this scanner against your supply chain should be on today's to-do list. The research gained significant traction in the security community, signaling practitioner interest in proactive detection tooling.

Chuck E. Cheese Kiosk: Admin Access, No Password

A Reddit post garnering nearly 400 upvotes documented a Chuck E. Cheese kiosk running with full administrator access and no password prompt—a delightful example of physical security theater meeting endpoint negligence. While this specific instance is more amusing than catastrophic, it underscores the persistent problem of retail and hospitality point-of-sale systems configured with minimal security controls. These kiosks often sit on flat networks with access to payment processing systems. For practitioners doing retail assessments, this is your reminder that the most sophisticated perimeter means nothing when someone can walk up to an unlocked admin session.


Nerdy Corner

A developer built an AI receptionist for her brother's mechanic shop, and the write-up is genuinely delightful. The system handles appointment booking, answers questions about services, and presumably doesn't put you on hold for 20 minutes while playing smooth jazz. It's a practical example of LLM integration that doesn't involve generating vulnerable code or hallucinating CVE numbers. Sometimes the best security is just keeping humans away from the phone so they can focus on not clicking phishing links.