██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

Four Critical Tenda Router Flaws Enable Remote Code Execution

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. April 11, 2026

cybr.cx Daily Digest — April 11, 2026


Critical Vulnerabilities

CVE-2026-5989 / CVE-2026-5990 / CVE-2026-5991 / CVE-2026-5992 — Tenda F451 1.0.0.7 | CVSS 8.8
Four stack-based buffer overflow vulnerabilities have been disclosed affecting the Tenda F451 router, firmware version 1.0.0.7. The affected functions — fromRouteStatic, fromSafeEmailFilter, formWrlExtraSet, and fromP2pListFilter — are all reachable remotely via manipulated POST arguments, and public exploits exist for all four. If you have Tenda F451 devices on your network, assume no patch is imminent and consider network segmentation or replacement. These are your weekend project.

CVE-2026-6012 / CVE-2026-6013 / CVE-2026-6014 — D-Link DIR-513 1.10 | CVSS 8.8
Three remotely exploitable buffer overflow vulnerabilities affect the end-of-life D-Link DIR-513 router across the formSetPassword, formSetRoute, and formAdvanceSetup POST handlers. D-Link will not patch these — the device is officially unsupported. Exploits are public. If DIR-513 units are still somewhere in your environment (including remote offices and home-worker setups), they need to come off the network now, not at the next refresh cycle.

CVE-2026-6015 — Tenda AC9 15.03.02.13 | CVSS 8.8
The formQuickIndex function behind the Tenda AC9's /goform/QuickIndex endpoint is vulnerable to a stack-based buffer overflow triggered by a malformed PPPOEPassword argument. The attack is remotely executable, the disclosure implies no authentication requirement, and the exploit is already public. Tenda AC9 units should be treated as compromised until patched or replaced.
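All three entries above share one shape: a POST form handler on a consumer router that copies an attacker-controlled argument into a fixed stack buffer. If you cannot pull the devices today, the defensive move is to watch for that input shape at a reverse proxy or WAF in front of them. The script below is an example added to this digest, not code from any of the disclosures or vendors: it parses constructed request records and flags POSTs to form handlers whose parameter values are abnormally long or not plain text. Only the /goform/QuickIndex path and the PPPOEPassword parameter come from the entries above; the record format, the generic /goform/ prefix rule, the 128-byte threshold and the sample records are assumptions.

```python
"""Added example (not from the digest or the vendors): a request-log check
that flags POST requests to embedded-router form handlers carrying
abnormally long or non-text parameter values, the input shape behind the
stack-based overflows in the entries above. Only the /goform/QuickIndex path
and the PPPOEPassword parameter come from the digest; the record format, the
generic /goform/ prefix rule, the length threshold and the sample records
are constructed assumptions."""
from urllib.parse import parse_qs, urlsplit

# Handler/parameter pair named in the Tenda AC9 entry.
WATCHED_PARAMS = {("/goform/QuickIndex", "PPPOEPassword")}
HANDLER_PREFIX = "/goform/"   # CGI-style form handlers; applying it to every device is an assumption
MAX_VALUE_LEN = 128           # tunable; legitimate PPPoE credentials are far shorter


def parse_request(line: str) -> dict:
    """Parse one constructed record of the form '<method> <path> <urlencoded body>'."""
    method, _, rest = line.strip().partition(" ")
    path, _, body = rest.partition(" ")
    return {
        "method": method,
        "path": urlsplit(path).path,
        "params": parse_qs(body, keep_blank_values=True),
    }


def inspect_request(line: str) -> list[str]:
    """Return findings for one record; an empty list means nothing suspicious."""
    req = parse_request(line)
    findings: list[str] = []
    if req["method"] != "POST" or not req["path"].startswith(HANDLER_PREFIX):
        return findings
    for name, values in req["params"].items():
        for value in values:
            # Oversized input is the primary signal for this overflow class.
            if len(value) > MAX_VALUE_LEN:
                findings.append(
                    f"{req['path']}: {name} is {len(value)} bytes (> {MAX_VALUE_LEN})")
            # For a known-vulnerable pair, also flag short values that are not
            # plain text, since a credential field should never carry them.
            if (req["path"], name) in WATCHED_PARAMS and not (
                    value.isascii() and value.isprintable()):
                findings.append(f"{req['path']}: {name} contains non-printable bytes")
    return findings


def scan(lines) -> dict[int, list[str]]:
    """Map record index -> findings for every record that produced any."""
    return {i: f for i, line in enumerate(lines) if (f := inspect_request(line))}


# Constructed records; a reverse proxy or WAF in front of the device would
# supply the real ones. Values are URL-encoded as they appear on the wire.
SAMPLE_LOG = [
    "POST /goform/QuickIndex PPPOEName=user%40isp.example&PPPOEPassword=s3cret-pass",
    "GET /goform/QuickIndex",
    "POST /goform/QuickIndex PPPOEName=u&PPPOEPassword=" + "A" * 600,
    "POST /goform/QuickIndex PPPOEPassword=%00%01%02abc",
    "POST /goform/OtherHandler hostname=" + "B" * 300,   # handler name is a placeholder
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        for finding in findings:
            print(f"record {idx}: {finding}")
```

Treat a hit as a reason to isolate the device and pull its logs, not as proof of exploitation: the length threshold is a heuristic, and a device with no patch coming still belongs behind segmentation or in the recycling bin.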


Headline News

Trivy Supply Chain Attack Harvests Secrets from Credential Stores
Researchers have detailed a supply chain attack leveraging malicious packages associated with Trivy, the widely used open-source container and filesystem vulnerability scanner. The attack was engineered specifically to target secrets managers — the very systems organisations rely on as their authoritative credential stores — making the impact potentially systemic rather than isolated. Because Trivy is heavily integrated into CI/CD pipelines, a compromised package flowing through a build process could silently exfiltrate credentials at scale before detection. This is a textbook example of why dependency trust chains matter: the security tooling itself became the attack surface. Teams using Trivy in automated pipelines should audit recent package pulls, verify checksums against known-good builds, and review secrets manager access logs for anomalous reads.

Browser Extension Grants Full M365 Tenant Access After User Install
A scenario that will be painfully familiar to many enterprise defenders surfaced this week: a single user installed a browser extension that subsequently obtained delegated OAuth permissions scoped to the organisation's entire Microsoft 365 tenant. The extension's consent prompt — likely buried in a standard-looking OAuth flow — effectively handed a third-party application broad access to email, files, and identity data across the organisation. This is not a novel attack class, but it remains devastatingly effective because browser extension installs often fall outside MDM and endpoint controls, and OAuth consent grants can persist long after the extension is removed. Practitioners should audit their M365 tenant's connected applications immediately via the Entra ID portal, enforce admin consent policies for OAuth scopes, and consider blocking extension installs from unmanaged browsers as a baseline control.
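The audit the item above recommends comes down to reading two Entra ID resources, oauth2PermissionGrants and servicePrincipals, and asking three questions of each grant: is it tenant-wide, does it carry broad Graph scopes, and does the app belong to someone else's tenant? The script below is an example added to this digest, not code from Microsoft or from the incident write-up: it runs those questions over constructed records shaped like the Graph API's JSON. The field names (consentType, scope, appOwnerOrganizationId) and scope names are real Graph identifiers; every id, app name and record below is constructed.

```python
"""Added example (not from the digest or from Microsoft): triage the
oauth2PermissionGrants and servicePrincipals records exported from an Entra
ID tenant, flagging delegated grants that are tenant-wide, carry broad Graph
scopes, or belong to an app published by another tenant. Field names are
those of the Microsoft Graph resources; the ids, app names and records below
are constructed."""

TENANT_ID = "11111111-1111-1111-1111-111111111111"  # constructed placeholder for our own tenant

# Delegated Microsoft Graph scopes that hand an app broad, durable access.
# offline_access matters because it yields refresh tokens, which is how a
# grant keeps working after the extension that requested it is removed.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All", "User.Read.All",
    "offline_access",
}

# Constructed servicePrincipal records (only the fields used here).
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-internal", "displayName": "Contoso Expense Tool (constructed)",
     "appOwnerOrganizationId": TENANT_ID},
    {"id": "sp-extension", "displayName": "Browser Extension Helper (constructed)",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"},
]

# Constructed oauth2PermissionGrant records. consentType "Principal" is a
# single user's consent; "AllPrincipals" covers every user in the tenant.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-internal", "consentType": "Principal",
     "principalId": "user-1", "scope": "User.Read"},
    {"id": "g2", "clientId": "sp-extension", "consentType": "AllPrincipals",
     "principalId": None,
     "scope": "User.Read Mail.ReadWrite Files.ReadWrite.All offline_access"},
]


def audit_grants(grants, service_principals, tenant_id):
    """Return one finding per grant that trips at least one rule, worst first."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        sp = sp_by_id.get(grant["clientId"], {})
        scopes = set(grant.get("scope", "").split())
        flags = []
        if grant.get("consentType") == "AllPrincipals":
            flags.append("tenant-wide consent")
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if risky:
            flags.append("high-risk scopes")
        owner = sp.get("appOwnerOrganizationId")
        if owner is not None and owner != tenant_id:
            flags.append("third-party publisher")
        if flags:
            findings.append({
                "grant_id": grant["id"],
                "app": sp.get("displayName", grant["clientId"]),
                "consent_type": grant.get("consentType"),
                "risky_scopes": risky,
                "flags": flags,
            })
    findings.sort(key=lambda f: -len(f["flags"]))
    return findings


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS, TENANT_ID):
        print(f"{f['grant_id']}: {f['app']} [{f['consent_type']}] -> {', '.join(f['flags'])}")
        if f["risky_scopes"]:
            print("    scopes:", " ".join(f["risky_scopes"]))
```

Two caveats when pointing this at real exports: Microsoft's own first-party apps carry Microsoft's tenant in appOwnerOrganizationId and will trip the third-party rule unless you allowlist them, and removing the extension does nothing to the grant, so the cleanup step is deleting the grant (and the service principal, if unwanted) rather than uninstalling on the endpoint.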

CPU-Z and HWiNFO Served Malicious Builds via Compromised Infrastructure
Popular system diagnostics utilities CPU-Z and HWiNFO — standard tools in many IT and security teams' arsenals — were reported as serving compromised builds, with indicators pointing to infrastructure-level tampering rather than source code compromise. The exact delivery mechanism is still being confirmed, but the pattern is consistent with adversaries targeting trusted, low-suspicion utilities that users routinely download and execute with elevated privileges. The incident is a sharp reminder that even long-trusted, non-commercial tools can become delivery vehicles, and that hash verification against official published checksums is not optional. If either tool was downloaded recently, verify the binary and treat the host as a potential point of compromise until cleared.
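Both the Trivy item and this one end with the same instruction: verify what you downloaded against the publisher's checksums. The script below is an example added to this digest, not code from Trivy, CPU-Z or HWiNFO: it parses a manifest in the format GNU sha256sum writes, hashes the artifact in chunks, compares in constant time, and reports "not listed" separately from "mismatch", since a build the publisher never listed deserves a different response than a corrupted one. The build bytes, file name and manifest are constructed stand-ins.

```python
"""Added example (not from the digest, Trivy, CPU-Z or HWiNFO): verify a
downloaded artifact against a sha256sum-style manifest of published
checksums. The manifest format is the one GNU coreutils sha256sum writes;
the sample build bytes, file name and manifest below are constructed."""
import hashlib
import hmac
import re

# "<64 hex chars><whitespace><optional '*' binary marker><file name>"
_MANIFEST_LINE = re.compile(r"^([0-9A-Fa-f]{64})\s+\*?(.+)$")


def parse_manifest(text: str) -> dict[str, str]:
    """Map file name -> lowercase hex digest; reject lines that do not parse."""
    entries: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _MANIFEST_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[match.group(2)] = match.group(1).lower()
    return entries


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Digest a file on disk without loading it whole (installers can be large)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_digest(name: str, actual_hex: str, manifest_text: str) -> tuple[bool, str]:
    """Compare an already-computed digest with the manifest entry for `name`."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False, "not listed in manifest"
    # Constant-time compare: not strictly needed for a local check, but it
    # costs nothing and keeps the habit when the same code moves server-side.
    if not hmac.compare_digest(expected, actual_hex.lower()):
        return False, "digest mismatch"
    return True, "ok"


def verify_artifact(name: str, data: bytes, manifest_text: str) -> tuple[bool, str]:
    """Verify an artifact already held in memory."""
    return verify_digest(name, sha256_hex(data), manifest_text)


def verify_download(path: str, name: str, manifest_text: str) -> tuple[bool, str]:
    """Verify a downloaded file on disk under the name the manifest lists it by."""
    return verify_digest(name, sha256_file(path), manifest_text)


def build_manifest(files: dict[str, bytes]) -> str:
    """Write a manifest in sha256sum's format (stands in for the vendor's here)."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in files.items())


# Constructed stand-ins: a known-good build, the publisher's manifest for it,
# and a copy altered by a single appended byte.
GOOD_BUILD = b"MZ\x90\x00constructed-installer-bytes"
ARTIFACT_NAME = "tool-installer.exe"          # placeholder name
PUBLISHED_MANIFEST = build_manifest({ARTIFACT_NAME: GOOD_BUILD})
TAMPERED_BUILD = GOOD_BUILD + b"\x00"

if __name__ == "__main__":
    print(verify_artifact(ARTIFACT_NAME, GOOD_BUILD, PUBLISHED_MANIFEST))
    print(verify_artifact(ARTIFACT_NAME, TAMPERED_BUILD, PUBLISHED_MANIFEST))
    print(verify_artifact("other.exe", GOOD_BUILD, PUBLISHED_MANIFEST))
```

The check is only as good as the manifest's provenance. If the tampering was at the infrastructure level, as reported here, a checksum file sitting beside the tampered download on the same server proves nothing; take the manifest from a separate channel (a signed release note, a mirror you trust, a previously cached copy) before trusting a match.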


Schrödinger's Feed

Quantum Sensing: The Strategic Advantage Nobody Is Talking About
While the cryptography community focuses — rightly — on post-quantum encryption timelines, quantum sensing is quietly maturing into a deployable capability with direct national security implications. Unlike quantum computing, which still demands fault-tolerant hardware at scale, quantum sensors are operational today: they can detect submarines via gravitational anomalies, enable GPS-independent navigation, and potentially defeat physical infrastructure concealment. The Hoover Institution's analysis this week frames this as a strategic window that nations should be racing to close. For security practitioners, the near-term relevance is clear: threat models built around GPS-dependent positioning, SIGINT blind spots, and physical perimeter assumptions may need revisiting sooner than the quantum computing timeline would suggest.


/dev/random

macOS Privacy & Security Settings: A Panel of Lights on an Unpiloted Aircraft
A deep-dive published this week argues that macOS's Privacy & Security settings panel is, in meaningful ways, not a reliable indicator of what your system is actually permitting — with certain permissions either inconsistently enforced, bypassed by specific process hierarchies, or simply decorative depending on context. It landed at the top of Hacker News with the kind of engagement usually reserved for genuine surprises, which is itself somewhat alarming given that macOS's privacy model is frequently cited as a selling point for security-conscious users. The practical implication: the green checkmarks and toggle switches may be telling you a confident story that the kernel isn't fully committed to. Trust, but verify — or in this case, just verify.