██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

**IBM Langflow Flaw Lets Any User Execute Arbitrary Code**

Today's cybersecurity digest — CVEs, headline news, and something nerdy. April 08, 2026

cybr.cx Daily Digest — April 08, 2026


Critical Vulnerabilities

CVE-2026-3357 | IBM Langflow Desktop | CVSS 8.8
Authenticated users on IBM Langflow Desktop versions 1.6.0–1.8.2 can achieve arbitrary code execution via insecure deserialization of untrusted data in the FAISS component — an insecure default, not a configuration edge case. Any authenticated user is a potential attacker here. Patch or disable FAISS deserialization immediately if you're running this in your AI/ML pipeline infrastructure.

CVE-2026-3499 | Product Feed PRO for WooCommerce (WordPress) | CVSS 8.8
Missing or incorrect nonce validation across multiple AJAX endpoints in versions 13.4.6–13.5.2.1 opens the door to Cross-Site Request Forgery attacks. An attacker can trick an authenticated admin into triggering data manipulation actions without any interaction beyond a malicious link. WooCommerce store operators should update to a patched release immediately.

CVE-2026-3243 | Advanced Members for ACF (WordPress) | CVSS 8.8
Insufficient file path validation in the create_crop function allows subscriber-level authenticated users to delete arbitrary files on the server — and arbitrary file deletion at that access level is a short road to remote code execution. Affects all versions up to and including 1.2.5. If you're running this plugin, treat it as a critical exposure and update or remove it now.
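To make the two WordPress findings above concrete (missing nonce validation on AJAX endpoints, and insufficient path validation in a file-handling function), here is an added illustration of a crop-cleanup AJAX handler in a vulnerable shape beside a hardened one. It is not code from either plugin; the action name, nonce name, `crop_path` parameter and function names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Both handlers delete a generated
// crop image in response to an admin-ajax.php request.

// VULNERABLE shape: no nonce check (CSRF), no capability check (any logged-in
// user may call it), and the path comes straight from the request (traversal).
function example_crop_delete_vulnerable() {
    $path = $_POST['crop_path'];   // attacker-controlled, may contain ../
    if ( file_exists( $path ) ) {
        unlink( $path );
    }
    wp_send_json_success();
}

// HARDENED shape: nonce, capability, path confinement, and a type allow-list.
function example_crop_delete_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this specific action.
    check_ajax_referer( 'example_crop_delete', 'nonce' );

    // 2. Authorization: subscribers have no business deleting files.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Path confinement: drop any directory component, resolve symlinks and
    //    '..', then require the result to sit under the uploads directory.
    $uploads = wp_upload_dir();
    $base    = trailingslashit( realpath( $uploads['basedir'] ) );
    $name    = basename( wp_unslash( $_POST['crop_path'] ?? '' ) );
    $target  = realpath( $base . $name );
    if ( false === $target || 0 !== strpos( $target, $base ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    // 4. Only delete the image types this feature actually produces.
    $type = wp_check_filetype( $target );
    if ( ! in_array( $type['ext'], array( 'jpg', 'jpeg', 'png', 'webp' ), true ) ) {
        wp_send_json_error( 'invalid type', 400 );
    }

    wp_delete_file( $target );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_crop_delete', 'example_crop_delete_hardened' );
```

The client side must send the nonce produced by `wp_create_nonce( 'example_crop_delete' )` in the `nonce` field; without it `check_ajax_referer()` terminates the request before any file is touched.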

CVE-2026-1342 | IBM Verify Identity Access / IBM Security Verify Access | CVSS 8.5
Both container and non-container variants (versions 10.0–11.0.2) allow a locally authenticated user to execute malicious scripts originating outside the control sphere. For an identity and access management product, this is a particularly uncomfortable finding — compromise of the IAM layer can cascade across an entire environment.

CVE-2026-4788 | IBM Tivoli Netcool Impact 7.1.0.0–7.1.0.37 | CVSS 8.4
Sensitive information is written to log files readable by local users. In practice this means credentials, tokens, or PII could be harvested by any user with local filesystem access. Low complexity, high value for a lateral-movement attacker already inside the network.

CVE-2026-3396 | WCAPF – WooCommerce Ajax Product Filter (WordPress) | CVSS 7.5
Time-based SQL injection via the post-author parameter, exploitable by unauthenticated attackers. Because no login is required, this is straightforward to automate. WooCommerce sites running versions up to 4.2.3 should patch immediately, or consider disabling the filter until they can.

CVE-2026-5802 | idachev mcp-javadc ≤1.2.4 | CVSS 7.3
OS command injection via the jarFilePath argument in the HTTP interface — remotely exploitable, and a public proof-of-concept already exists. The vendor hasn't responded to disclosure. If you're running this MCP Java component anywhere in a Java toolchain or CI/CD pipeline, isolate or replace it now.


Headline News

Russia's Military Intelligence Targets Consumer Routers at Scale
Russian military intelligence operators have compromised thousands of consumer-grade routers, leveraging the access to harvest credentials from victim networks. The campaign follows a now well-established playbook: infiltrate edge devices with minimal logging and security tooling, use them as persistent relay infrastructure, and collect credentials passively over time. Consumer routers remain a blind spot for most enterprise security programmes, yet they frequently sit at the edge of home offices, small businesses, and remote workers connecting into corporate environments. Security teams should treat unmanaged edge devices as untrusted endpoints and enforce zero-trust controls accordingly — assuming the router itself may be hostile is no longer paranoid; it's prudent.

Iranian Hackers Actively Targeting U.S. Industrial Control Systems
Federal agencies have issued a formal warning that Iranian threat actors are actively compromising industrial control systems across U.S. critical infrastructure sectors. The intrusions appear aimed at disruption capability — establishing footholds that could be activated to interfere with industrial operations during periods of geopolitical tension. ICS and OT environments are historically under-patched and poorly segmented from IT networks, making them attractive and accessible targets. Operators of industrial systems should immediately audit external-facing access, enforce multi-factor authentication on all remote access points, and review network segmentation between IT and OT environments. This isn't a theoretical threat category anymore.

LAPD Breach Exposes Sensitive Police Documents
Threat actors have stolen and publicly leaked sensitive documents belonging to the Los Angeles Police Department, including material that could expose operational details, personnel information, or ongoing investigations. Law enforcement agencies hold exceptionally sensitive data — informant details, case files, surveillance records — whose exposure creates serious real-world risk well beyond that of a typical corporate breach. The incident is a reminder that public sector organisations remain high-value targets, often with security postures that lag behind the sensitivity of the data they hold. For practitioners, this reinforces the case for stringent data classification, least-privilege access controls, and assuming that any sensitive document repository is a target worth protecting to the highest standard.


Nerdy Corner

Researchers have published a method called MegaTrain that claims to enable full-precision training of large language models with 100 billion or more parameters on a single GPU — which, if it holds up, would be the kind of result that makes ML infrastructure teams do a slow double-take. The technique apparently sidesteps the memory wall that has long made multi-hundred-billion parameter training the exclusive domain of organisations with racks of expensive interconnected accelerators. Whether this democratises frontier model training or simply means the next generation of capable AI runs on a gaming PC in a basement is a question the security community probably should have an opinion on. Buckle up.