Kanboard Privilege Escalation Flaw Lets Anyone Become Admin
Today's cybersecurity digest — CVEs, headline news, and something nerdy. March 18, 2026
cybr.cx Daily Digest — March 18, 2026
CRITICAL VULNERABILITIES
CVE-2026-29056 | Kanboard | CVSS 8.8 (HIGH)
A privilege escalation flaw in Kanboard's user invite registration endpoint allows anyone with an invite link to become an administrator. The UserInviteController::register() function doesn't filter the role field, so an attacker can simply inject role=app-admin during registration. Update to version 1.2.51 immediately if you're running Kanboard — this is trivially exploitable.
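The bug class above is mass assignment: the registration handler copies whatever the client submits, including a privilege field, into the new user record. The following Python is an added illustration, not Kanboard's code: it shows the vulnerable pattern beside a hardened handler that takes the role from the server-side invite and only copies allowlisted profile fields. The Invite class, the field names and the role strings are hypothetical.

```python
"""Added example, not Kanboard's code: an invite-registration handler
that cannot be escalated by submitting a role field.

Everything here is hypothetical (the Invite class, the field names, the
role strings "app-user"/"app-admin"); it illustrates the defect pattern
described in the digest, not Kanboard's actual controller.
"""
from dataclasses import dataclass

# Fields a self-registering invitee may set. Deliberately no "role", no "email".
ALLOWED_FIELDS = frozenset({"username", "name", "password"})


@dataclass(frozen=True)
class Invite:
    """Server-side invite record; the role was chosen by the inviting admin."""
    token: str
    email: str
    role: str = "app-user"


def register_vulnerable(invite: Invite, form: dict) -> dict:
    """Mass-assignment pattern: every submitted field becomes part of the
    user record, so role=app-admin in the POST body overrides the invite."""
    user = {"email": invite.email, "role": invite.role}
    user.update(form)  # the request wins: this is the bug class described above
    return user


def register_invited_user(invite: Invite, form: dict) -> tuple[dict, list[str]]:
    """Hardened pattern: copy only allowlisted profile fields from the
    request; email and role always come from the server-side invite.
    Returns (user_record, dropped_field_names) so callers can log probing."""
    submitted = set(form)
    dropped = sorted(submitted - ALLOWED_FIELDS)
    user = {k: form[k] for k in submitted & ALLOWED_FIELDS}
    user["email"] = invite.email   # bound to the invite, not the form
    user["role"] = invite.role     # privilege is never client-controlled
    return user, dropped


if __name__ == "__main__":
    # Constructed sample request: an invitee who also submits a role field.
    invite = Invite(token="inv-123", email="new.user@example.test")
    form = {"username": "newuser", "password": "s3cret", "role": "app-admin"}
    print("vulnerable role:", register_vulnerable(invite, form)["role"])
    user, dropped = register_invited_user(invite, form)
    print("hardened role:  ", user["role"], "| dropped fields:", dropped)
```

Returning the dropped field names is a deliberate choice: a registration request carrying a role field is a useful detection signal, and an allowlist that silently discards it hides that signal from your logs.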
CVE-2026-1463 | NextGEN Gallery (WordPress) | CVSS 8.8 (HIGH)
The popular NextGEN Gallery plugin (versions ≤4.0.3) has a Local File Inclusion vulnerability via the template parameter in gallery shortcodes. Attackers with Author-level access can execute arbitrary PHP files on your server. If you're running WordPress with this plugin, patch now — this gives authenticated attackers full code execution.
CVE-2026-2992 | KiviCare EHR Plugin (WordPress) | CVSS 8.2 (HIGH)
The KiviCare clinic management plugin has an unauthenticated privilege escalation bug. The setup wizard endpoint lacks authorization checks, letting anyone create a clinic and a WordPress user with admin privileges. Healthcare sites using this plugin are at significant risk — update past version 4.1.2.
CVE-2026-22171 | OpenClaw | CVSS 8.2 (HIGH)
Path traversal in OpenClaw's Feishu media download flow. Malicious media keys can escape the temp directory and write arbitrary files. Update to version 2026.2.19 or later.
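The defensive pattern for a download flow like this is to treat the media key as a single file name and then verify the resolved destination still sits inside the temp directory. The Python below is an added example, not OpenClaw's code; the function names and the /tmp/media-cache directory are hypothetical.

```python
"""Added example, not OpenClaw's code: confining a client-supplied media
key to one file name inside a temp directory, so a key containing path
components cannot place the download elsewhere.

The function names and the "/tmp/media-cache" directory are hypothetical.
"""
from pathlib import Path

SEPARATORS = ("/", "\\", "\0")


def safe_media_path(temp_dir: str, media_key: str) -> Path:
    """Return the path where a download for `media_key` may be written,
    or raise ValueError if the key would leave `temp_dir`.

    Two independent checks: a syntactic one on the key itself, then a
    check on the resolved path (catches symlinks and anything the first
    check did not anticipate)."""
    if (not media_key or media_key in (".", "..")
            or any(s in media_key for s in SEPARATORS)):
        raise ValueError(f"rejected media key {media_key!r}: not a plain file name")
    base = Path(temp_dir).resolve()
    candidate = (base / media_key).resolve()  # resolves symlinks and '..'
    if candidate.parent != base:
        raise ValueError(f"rejected media key {media_key!r}: escapes {base}")
    return candidate


def is_safe_media_key(temp_dir: str, media_key: str) -> bool:
    """Boolean convenience wrapper for filtering or for tests."""
    try:
        safe_media_path(temp_dir, media_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample keys of the kind a media-download handler might receive.
    samples = ["img_8f3a.png", "../../etc/passwd", "sub/dir/x.bin", "..", "a\\b", "ok..png"]
    for key in samples:
        verdict = "allowed" if is_safe_media_key("/tmp/media-cache", key) else "rejected"
        print(f"{key!r:22} -> {verdict}")
```

Note that "ok..png" is accepted: the check is that the key is exactly one path component, not that it lacks the substring "..", which avoids both false rejections and the false confidence of a substring filter. The resolved-path comparison is kept even though the syntactic check already rejects separators, so that a symlink planted inside the temp directory cannot redirect the write.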
CVE-2026-2092 | Keycloak | CVSS 7.7 (HIGH)
Keycloak's SAML broker doesn't properly validate encrypted assertions when the overall response isn't signed. Attackers with a valid signed assertion can inject encrypted assertions for arbitrary principals, leading to unauthorized access. Review your Keycloak SAML configurations and apply patches.
CVE-2026-27979 & CVE-2026-27980 | Next.js | CVSS 7.5 (HIGH)
Two DoS vectors in Next.js. The first involves unbounded request body buffering via the next-resume: 1 header in PPR requests. The second allows unbounded disk cache growth through the image optimization endpoint. Both fixed in version 16.1.7.
CVE-2026-32596 | Glances | CVSS 7.5 (HIGH)
Running glances -w exposes your system monitoring data to the network without authentication by default — including process command-lines that may contain credentials, API keys, and tokens. Update to version 4.5.2, which addresses this exposure.
HEADLINE NEWS
Apple Wins Landmark App Store Delisting Case
A federal judge has dismissed the lawsuit brought by Musi, the free music streaming app that Apple removed from the App Store in 2024. The dismissal, entered this week with prejudice, establishes that Apple can delist apps essentially at will — a decision that could have far-reaching implications for developers relying on App Store distribution. The case may set precedent for how courts view platform-developer relationships and the degree of control app stores can exercise. Developers and legal teams should pay attention to the reasoning here, particularly those operating in grey areas of App Store policy. Expect appeals and further litigation to test these boundaries.
Quiet Week on the Threat Intel Front
The news cycle this week is notably light on major cybersecurity incidents and threat actor activity. No significant breaches, ransomware campaigns, or nation-state operations have made headlines in the past 24 hours. This is either the calm before something ugly, or defenders are actually winning for once. Either way, use the breathing room to patch those CVEs above.
NERDY CORNER
Someone's done the lord's work and published the entire Hacker News archive as a Parquet dataset — 47 million+ items, 11.6GB, updated every 5 minutes. It's hosted on Hugging Face and scored 268 points on HN itself (naturally). If you've ever wanted to run sentiment analysis on a decade of "Actually, Rust would solve this" comments or build a model that predicts which Show HN posts will get traction, your dataset has arrived. The real question: how long until someone trains an LLM to generate perfectly mid HN comments indistinguishable from the real thing?