Firefox Sandbox Escapes Threaten Millions—Patch Now
Today's cybersecurity digest — CVEs, headline news, and something nerdy. March 24, 2026
cybr.cx Daily Digest — March 24, 2026
Critical Vulnerabilities
CVE-2026-4687 & CVE-2026-4690 – Mozilla Firefox Sandbox Escapes (CVSS 8.6)
Two sandbox escape vulnerabilities in Firefox allow attackers to break out of browser isolation. CVE-2026-4687 affects the Telemetry component while CVE-2026-4690 involves an integer overflow in XPCOM. Both impact Firefox < 149 and multiple ESR branches. Patch immediately—sandbox escapes are prime targets for drive-by attacks and exploit chains.
CVE-2026-23480 – Blinko Privilege Escalation (CVSS 8.8)
The AI-powered note-taking app Blinko has a critical flaw in its upsertUser endpoint: missing admin middleware, optional password verification, and no ownership checks. Any authenticated user can escalate to admin. Update to version 1.8.4 or later.
CVE-2026-3533 – Jupiter X Core WordPress Plugin File Upload (CVSS 8.8)
WordPress sites using the Jupiter X Core plugin (≤4.14.1) allow authenticated users to upload files of dangerous types. Subscriber-level access is enough to exploit this. Given WordPress's attack surface, update or remove the plugin immediately.
CVE-2025-41660 – CODESYS Control Runtime Boot Replacement (CVSS 8.8)
Low-privileged remote attackers can replace the boot application on CODESYS Control runtime systems, enabling unauthorized code execution. OT/ICS environments running CODESYS should prioritise patching—this is the kind of vuln that ends up in targeted industrial attacks.
CVE-2026-4639 – Vitals ESP Authorization Bypass (CVSS 8.8)
Galaxy Software Services' Vitals ESP has an authorization flaw letting authenticated users perform admin functions. If you're running this in healthcare or enterprise environments, assess exposure and apply vendor guidance.
Headline News
"DarkSword" iPhone Exploit Kit Leaked to GitHub
A weaponised exploit kit targeting iPhones has been publicly leaked on GitHub, potentially putting millions of devices at risk. Dubbed "DarkSword," the toolkit enables attackers to deploy spyware against users running older iOS versions. Security researchers confirmed the exploits are functional and lower the barrier significantly for cybercriminals who previously lacked iOS exploitation capabilities. Apple has not yet commented on remediation timelines. If you manage a fleet of iOS devices, this is your reminder to enforce OS updates aggressively—older versions just became significantly more dangerous. The exploits reportedly chain multiple vulnerabilities for persistent access.
Crunchyroll Breach: ShinyHunters Allegedly Steal 6.8 Million User Records
Sony-owned anime streaming service Crunchyroll is investigating a breach after threat actor group ShinyHunters claimed to have exfiltrated approximately 100GB of user data. The stolen information reportedly includes email addresses, IP addresses, and payment details for nearly 6.8 million subscribers. The breach apparently originated through Telus Digital, an outsourcing partner with access to internal systems. Crunchyroll confirmed they're "working closely with leading cyber security experts" but hasn't verified the full scope. ShinyHunters has a well-documented history of high-profile breaches. Affected users should monitor for credential stuffing attacks and consider rotating passwords on any services sharing the same credentials.
Self-Propagating Wiper Malware Targets Open Source Supply Chain, Hits Iran
A novel self-propagating malware campaign has poisoned open source packages and deployed wiper payloads specifically targeting machines geolocated in Iran. The malware spreads through dependency confusion and typosquatting techniques, embedding itself in legitimate-looking packages before activating destructive payloads. This represents a concerning evolution: supply chain attacks combined with nation-state-style targeting. The wiper functionality activates based on system locale and IP geolocation. Developers should audit dependencies carefully and consider using lockfiles with integrity checks—this campaign shows how open source trust can be weaponised.
Nerdy Corner
GitHub went down. Again. The platform experienced yet another outage, leaving developers worldwide staring at error pages and contemplating whether their uncommitted changes truly exist if they can't push them. The incident page at githubstatus.com dutifully tracked the chaos. At this point, "GitHub is down" might qualify as its own recurring calendar event. On the bright side, it's a great excuse to finally take that coffee break—or dust off your local backup strategy.