  ██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

Critical Router Flaws Put Home Networks at Remote Attack Risk

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. April 20, 2026

cybr.cx | Monday, April 20, 2026


Critical Vulnerabilities

CVE-2026-6560 & CVE-2026-6563 — H3C Magic Routers (CVSS 8.8): Two remotely exploitable buffer overflows affect the H3C Magic B0 (up to 100R002) and B1 (up to 100R004) routers, reached through the /goform/aspForm endpoint via the Edit_BasicSSID and SetAPWifiorLedInfoById handlers respectively. Proof-of-concept exploits for both are public, the reports describe the attack as remote and unauthenticated, and H3C has not responded to disclosure. No patch is currently confirmed available, so if these devices sit on your network perimeter or in branch or home-office deployments, assume they are exposed: keep the web management interface off the WAN side and reachable only from trusted networks or over a VPN, and be ready to replace the unit if a fix does not arrive.
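
As an added illustration (not H3C code, and not taken from the advisory), here is the kind of virtual-patch rule a reverse proxy or WAF in front of the router could apply while no firmware fix exists. The form field names (ssid, key) and the CMD dispatch parameter are assumptions, since the reports do not list them; the byte limits on SSID and passphrase come from 802.11 and WPA2, so a longer value is malformed regardless of what the firmware does with it. The sample requests are constructed.

```python
from urllib.parse import parse_qs

# Assumed names for the fields a basic-SSID edit would carry; the advisory does not list
# the real parameter names. The limits are from the specifications: an 802.11 SSID is at
# most 32 octets, a WPA2 passphrase at most 63 characters (a raw PSK is 64 hex digits).
FIELD_LIMITS = {"ssid": 32, "key": 64}
DEFAULT_LIMIT = 256          # assumption: no legitimate field on this form is longer
VULNERABLE_PATH = "/goform/aspForm"


def check_aspform_request(path, body):
    """Return (field, observed_bytes, limit) for every oversized value in an aspForm POST."""
    if path.split("?", 1)[0] != VULNERABLE_PATH:
        return []
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        limit = FIELD_LIMITS.get(name.lower(), DEFAULT_LIMIT)
        for value in values:
            size = len(value.encode("utf-8"))   # a native handler copies bytes, not characters
            if size > limit:
                findings.append((name, size, limit))
    return findings


def should_block(path, body):
    """Deny verdict for a proxy rule: any oversized field on this endpoint is suspect."""
    return bool(check_aspform_request(path, body))


# Constructed sample traffic: an ordinary SSID change, an overflow attempt, and a request
# to another path that the rule must ignore.
SAMPLE_REQUESTS = [
    ("/goform/aspForm", "CMD=Edit_BasicSSID&ssid=HomeWiFi&key=correct-horse-battery-staple"),
    ("/goform/aspForm", "CMD=Edit_BasicSSID&ssid=" + "A" * 600),
    ("/index.html", "ssid=" + "A" * 600),
]

if __name__ == "__main__":
    for path, body in SAMPLE_REQUESTS:
        verdict = "BLOCK" if should_block(path, body) else "allow"
        print(path, verdict, check_aspform_request(path, body))
```

Deploy this as a deny rule rather than an allow list: a C handler that copies a form field into a fixed buffer does not care what the field is called, so every oversized value on this endpoint is suspect, and anything that trips the rule should also raise an alert, since it is most likely an exploit attempt against an unpatched device.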

CVE-2026-6568 & CVE-2026-6569 — KodExplorer up to 4.52 (CVSS 7.3): Two distinct flaws in the popular self-hosted file manager. The first is a path traversal in the public share handler (initShareOld) that lets a remote attacker read arbitrary files from the host; because public share links are designed to work without a login, no credentials are needed to reach it. The second is an improper authentication issue in the fileGet endpoint, where an unauthenticated actor can retrieve files by manipulating the fileUrl argument. Both are remotely exploitable and public exploits exist. Teams running KodExplorer for internal file sharing should cut off external access immediately, check web server logs for traversal sequences (../ and its URL-encoded forms) and unexpected fileGet requests, and either isolate the host or upgrade as soon as a fixed release is available.
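
Added example, not KodExplorer's own (PHP) code: the share-download pattern behind this class of bug, with the vulnerable join beside a hardened resolver that decodes, normalises and then proves containment on the real filesystem. The share root and the file layout built by demo() are constructed for the demonstration.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested share path would escape the share root."""


def resolve_unsafe(share_root, requested):
    # The bug class: the client-supplied name is joined onto the share root as-is, so
    # "../" walks out of the share and an absolute path replaces the root entirely.
    return os.path.join(share_root, requested)


def resolve_safe(share_root, requested):
    # 1. Undo URL encoding twice (catches "%252e%252e") and reject NUL bytes.
    name = unquote(unquote(requested))
    if "\x00" in name:
        raise TraversalError("NUL byte in requested path")
    # 2. Treat backslashes as separators and reject absolute paths outright.
    name = name.replace("\\", "/")
    if name.startswith("/"):
        raise TraversalError("absolute path not allowed")
    # 3. Collapse ".", ".." and "//" lexically; anything still starting with ".." escapes.
    norm = posixpath.normpath(name)
    if norm in (".", "", "..") or norm.startswith("../"):
        raise TraversalError(f"{requested!r} escapes the share root")
    # 4. Resolve symlinks on the real filesystem and prove the result is inside the root.
    root = os.path.realpath(share_root)
    candidate = os.path.realpath(os.path.join(root, *norm.split("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError(f"{requested!r} resolves outside {share_root}")
    return candidate


def is_contained(share_root, requested):
    """Boolean form of resolve_safe, convenient for scanning a list of requests."""
    try:
        resolve_safe(share_root, requested)
        return True
    except TraversalError:
        return False


def demo():
    """Constructed layout: a share directory next to a config file that must stay private."""
    with tempfile.TemporaryDirectory() as base:
        share = os.path.join(base, "share")
        os.makedirs(os.path.join(share, "docs"))
        with open(os.path.join(share, "docs", "report.pdf"), "w") as f:
            f.write("public")
        with open(os.path.join(base, "config.php"), "w") as f:
            f.write("db_password=hunter2")
        evil = "../config.php"
        unsafe = resolve_unsafe(share, evil)
        inside = os.path.realpath(unsafe).startswith(os.path.realpath(share) + os.sep)
        return {
            "unsafe_reads_outside_share": os.path.isfile(unsafe) and not inside,
            "safe_rejects": not is_contained(share, evil),
            "safe_allows_legit": os.path.basename(resolve_safe(share, "docs/report.pdf")) == "report.pdf",
        }


if __name__ == "__main__":
    print(demo())
```

The lexical check in step 3 rejects rather than silently stripping the traversal, which is deliberate: a request containing "../" is an attack signal worth logging, not an input to be quietly repaired. Step 4 is still needed because a symlink inside the share can point outside it, and only realpath sees that.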

CVE-2026-6574 — LightPicture up to 1.2.2 (CVSS 7.3): The image hosting application ships with hard-coded credentials: its installer file /public/install/lp.sql contains a credential that is accepted by the API upload endpoint. A remote attacker who knows the (now public) credential can likely achieve full application compromise. Any internet-facing LightPicture installation should be taken offline or firewalled until the vendor, who has not responded to disclosure, issues a fix; in the meantime change or remove the seeded credential and confirm that the install directory is no longer web-reachable.

CVE-2026-6562 — muucmf 1.9.5 (CVSS 7.3): A SQL injection in the getListByPage function of the search endpoint lets a remote attacker control the keyword argument and read or modify backend database contents. The exploit is public. If you are running this CMS, restrict the search endpoint at the WAF now, assume that anything the application's database user could read (stored password hashes and configuration tables included) may already have been read, and rotate credentials accordingly; also check that the database account the CMS runs as has only the privileges it actually needs, since that bounds what an injection can reach.
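
Added example (not muucmf's code; SQLite stands in for the MySQL backend): the vulnerable string-built query beside its parameterised form, driven by two constructed payloads for the keyword argument, one that bypasses the published-only filter and one that reads another table through a UNION. Table names, columns and the hash value are invented for the demo.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the CMS database. SQLite replaces MySQL here; the injection
    works the same way because the bug is in how the SQL text is assembled, not in the engine."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (title TEXT, published INTEGER);
        INSERT INTO posts VALUES ('Welcome', 1), ('Release notes', 1), ('Unpublished draft', 0);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', '$2y$10$examplehashdonotuse');
    """)
    return conn


def search_vulnerable(conn, keyword):
    # The bug class: the keyword is pasted into the SQL text, so a quote inside it ends the
    # string literal and the remainder of the input is parsed as SQL.
    sql = f"SELECT title FROM posts WHERE published = 1 AND title LIKE '%{keyword}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, keyword):
    # Parameter binding: the keyword travels as a bound value and can never become SQL.
    sql = "SELECT title FROM posts WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{keyword}%",))]


# Two constructed payloads. The trailing space after "--" matters on MySQL, where the
# comment marker must be followed by whitespace.
BYPASS_FILTER = "' OR 1=1 -- "                                     # also returns unpublished rows
DUMP_USERS = "zzz%' UNION SELECT username || ':' || password_hash FROM users -- "

if __name__ == "__main__":
    conn = build_db()
    for label, keyword in [("normal", "release"), ("bypass", BYPASS_FILTER), ("dump", DUMP_USERS)]:
        print(label, "vulnerable:", search_vulnerable(conn, keyword), "safe:", search_safe(conn, keyword))
```

The UNION payload is why the advice above is to assume the whole database was readable: the search only ever meant to return post titles, but once the attacker controls the SQL text, any table the application's database user can SELECT from comes back through the same result column.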

CVE-2026-6577 — DjangoBlog up to 2.1.0 (CVSS 7.3): The logtracks endpoint in owntracks/views.py has no authentication requirement, so any remote actor can interact with it freely. The exploit is public. Deployments should audit every exposed view for a missing authentication check and, as a temporary mitigation pending a vendor patch (which, again, the vendor has not committed to), wrap the view in Django's login_required decorator or block the path at the reverse proxy.
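
Added example, not DjangoBlog's code: a small audit script of the kind suggested above. It parses a views module with Python's ast module and lists function-based views (first parameter named request) and class-based views (a base class ending in View) that carry no recognised authentication decorator or mixin. The sample module is constructed and is only parsed, never imported; note that csrf_exempt is deliberately absent from the list of guards, because it changes CSRF handling, not authentication.

```python
import ast

# Decorators and mixins that impose an authentication or authorisation check in Django.
AUTH_DECORATORS = {"login_required", "permission_required", "user_passes_test",
                   "staff_member_required"}
AUTH_MIXINS = {"LoginRequiredMixin", "PermissionRequiredMixin", "UserPassesTestMixin"}


def _names(node):
    """Yield the bare names in a decorator or base-class expression, looking inside calls
    so that method_decorator(login_required, name="dispatch") is recognised."""
    if isinstance(node, ast.Name):
        yield node.id
    elif isinstance(node, ast.Attribute):
        yield node.attr
    elif isinstance(node, ast.Call):
        yield from _names(node.func)
        for arg in node.args:
            yield from _names(arg)


def unauthenticated_views(source, known_public=()):
    """Return the names of top-level views in `source` that have no auth guard.

    Function views are recognised by a first parameter named `request`; class views by a
    base class whose name ends in "View". Names in `known_public` are skipped after triage."""
    flagged = []
    for node in ast.parse(source).body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            params = [a.arg for a in node.args.args]
            if not params or params[0] != "request":
                continue
            guards = {n for d in node.decorator_list for n in _names(d)}
            if guards & AUTH_DECORATORS or node.name in known_public:
                continue
            flagged.append(node.name)
        elif isinstance(node, ast.ClassDef):
            bases = {n for b in node.bases for n in _names(b)}
            if not any(b.endswith("View") for b in bases):
                continue
            guards = {n for d in node.decorator_list for n in _names(d)}
            if bases & AUTH_MIXINS or guards & AUTH_DECORATORS or node.name in known_public:
                continue
            flagged.append(node.name)
    return flagged


# Constructed views module for the demo; it is only parsed, never imported or executed.
SAMPLE_VIEWS = '''
from django.contrib.auth.decorators import login_required
from django.contrib.auth.mixins import LoginRequiredMixin
from django.utils.decorators import method_decorator
from django.views import View
from django.views.decorators.csrf import csrf_exempt
from django.views.generic import DetailView, ListView

@csrf_exempt                      # disables CSRF checks; it is NOT an authentication guard
def logtracks(request):
    return JsonResponse({"ok": True})

@login_required
def dashboard(request):
    return render(request, "dashboard.html")

def healthz(request):             # intentionally public; whitelist it after triage
    return HttpResponse("ok")

class ArticleDetailView(DetailView):
    model = Article

class TrackExportView(LoginRequiredMixin, View):
    pass

@method_decorator(login_required, name="dispatch")
class TrackListView(ListView):
    model = Track
'''

if __name__ == "__main__":
    for name in unauthenticated_views(SAMPLE_VIEWS, known_public=("healthz",)):
        print("no auth guard:", name)
```

The output is a triage list, not a verdict: a blog's public article pages are supposed to be unauthenticated, which is what the known_public allow list is for. What the script catches is the case the advisory describes, a view that takes data from the network with nothing standing between it and an anonymous client.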


Headline News

$292 Million Drained from Kelp DAO in Year's Largest DeFi Exploit

In what stands as the largest single crypto exploit of 2026 so far, an attacker systematically drained approximately 116,500 rsETH, around 18% of the total circulating supply, from Kelp DAO's LayerZero-powered cross-chain bridge over the weekend. The attack triggered emergency protocol freezes across at least four major DeFi lending platforms (Aave, SparkLend, Fluid and Upshift), leaving wrapped ether stranded and illiquid across 20 separate chains. Whatever the precise exploit path, the incident underscores a recurring architectural risk in cross-chain bridge designs: pooling liquidity across interconnected protocols creates a blast radius that extends far beyond the primary target, and a token minted by one bridge and accepted elsewhere carries that bridge's failure into every protocol that holds it. For security practitioners working in or adjacent to Web3, this is a sharp reminder that bridge contracts are among the highest-value, highest-risk attack surfaces in the ecosystem, and that emergency freeze mechanisms, while necessary, are not a substitute for pre-deployment adversarial review.

The Two-Week Window: DeFi Losses Hit $450M as Bridge Security Failures Stack Up

Zooming out from the Kelp incident: cumulative crypto hack losses over the past two weeks have reached a record $450 million, a figure that should concern anyone thinking seriously about the security maturity of decentralised finance infrastructure. The frequency and scale of these events suggest that exploit tooling, cross-chain attack patterns and smart contract vulnerability research have matured significantly on the offensive side, while defensive practices (formal verification, real-time anomaly detection, access controls on privileged functions) continue to lag. What is notable from a threat intelligence perspective is the attacker sophistication: these are not opportunistic script-kiddie attacks but coordinated exploits of complex multi-protocol interactions. Practitioners advising organisations with DeFi exposure should be pushing hard on third-party audit cadences, incident response playbooks specific to on-chain events, and the question of whether emergency pause authority is appropriately distributed.

Vercel Confirms Internal Systems Breach, Data Reportedly for Sale

Vercel, the widely used cloud deployment and frontend infrastructure platform, has confirmed that an unauthorised party accessed internal systems; threat actors have since claimed to be selling stolen data. The breach matters beyond Vercel's own operations: as a platform underpinning deployments for a substantial part of the modern web development ecosystem, any compromise of its internal systems raises immediate supply chain questions, since environment variables, deployment secrets and customer configuration data are all plausible targets. At this stage the full scope of what was accessed remains unclear, and Vercel has not published a detailed post-mortem. Practitioners with applications on the platform should inventory which secrets live in Vercel environment variables, rotate deployment tokens and API keys for any third-party service referenced there (revoking the old value at the issuing service, not merely updating the copy stored in Vercel), and monitor those downstream services for anomalous use while the investigation continues.


Schrödinger's Feed

Google Opens Willow Quantum Processor Access to External Researchers

Google Quantum AI has announced it will begin accepting proposals from external researchers for early access to its Willow quantum processor, the chip that made headlines in late 2024 for a random-circuit-sampling benchmark result that Google said would take classical supercomputers an astronomically long time to replicate, alongside a below-threshold error-correction demonstration. Until now, Willow has been essentially a closed system, accessible only within Google. Opening it to high-impact research projects gives the cryptographic research community a meaningful new tool for measuring how quantum algorithms actually behave on real hardware. A caveat for anyone planning PQC migration: Willow has on the order of a hundred physical qubits, nowhere near the scale needed to run Shor's algorithm against deployed RSA or elliptic-curve key sizes, so what this programme can yield is empirical data on error rates and on how error correction scales, not a demonstration of breaking anything in production. That data will still be far more useful than theoretical projections for calibrating "harvest now, decrypt later" threat models, but the timeline for protecting long-lived data should be driven by how long that data must stay confidential, not by waiting to see what Willow can do.


/dev/random

Somewhere in the overlap of "irony" and "information security," the Vercel breach has also claimed the top spot in today's weird-news column, because Vercel is, among other things, the platform that hosts a significant number of security tools, dashboards and researcher side projects. There is something cosmically appropriate about the infrastructure that security professionals casually trust with their own deployments quietly becoming a breach notification. No word yet on whether any of those hosted projects were anomaly detection tools. The universe, as always, has a dry sense of humour.