██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

macOS Media Player IINA Flaw Enables Remote Code Execution

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 22, 2026

Share

cybr.cx | Daily Digest — May 22, 2026


Critical Vulnerabilities

CVE-2026-47114 | IINA (macOS media player) | CVSS 8.8
Versions of IINA before 1.4.3 are vulnerable to user-assisted remote code execution via the iina://open custom URL scheme. Attackers can craft a malicious URL containing mpv_-prefixed query parameters that pass unsanitized input-commands directly into the mpv runtime. Delivering the URL through a browser is enough — patch to 1.4.3 immediately, and treat any unexpected iina:// links as hostile.

CVE-2026-48235 | Open ISES Tickets (pre-3.44.2) | CVSS 8.2
GPS telemetry data pulled from InstaMapper and Google Latitude integrations is concatenated raw into SQL UPDATE and INSERT statements. An attacker who can spoof or compromise the upstream GPS feed owns the database. If you're running this ticketing platform anywhere near public safety or dispatch workflows, update to 3.44.2 now.

CVE-2026-48241 / CVE-2026-48242 | Open ISES Tickets (pre-3.44.2) | CVSS 8.1 each
Two separate hardcoded credential disclosures in loader.php and import_mdb.php — both committed to the public repository. Anyone who can read the source or reach those files on a deployed instance has the MySQL hostname, username, password, and database name. Rotate all database credentials immediately and restrict filesystem access to these utilities.

CVE-2026-8632 | HP Linux Imaging and Printing (HPLIP) | CVSS 7.8
An OS command injection flaw in HPLIP on Linux can be abused for privilege escalation or arbitrary code execution. HPLIP runs with elevated permissions on many workstations and print servers, making this a credible local-to-root path. Check your Linux endpoints — HPLIP is often installed as a default dependency and forgotten.

CVE-2025-13479 | PosCube QR Menu | CVSS 7.5
An authorization bypass via user-controlled keys allows exploitation of trusted identifiers in QR Menu deployments through May 21, 2026. The vendor did not respond to disclosure. If you're running QR Menu in a hospitality or retail environment, assume access controls are trivially bypassable until a patch exists.

CVE-2025-13477 | WifiBurada (Digital Operations Services) | CVSS 7.1
Insufficiently protected credentials and exposure of private personal information allow authentication bypass in all current WifiBurada versions. The vendor also did not engage with the researcher. Anyone operating this Wi-Fi management platform should isolate it from sensitive network segments until a fix is available.


Headline News

Microsoft Defender Zero-Days Under Active Exploitation
Microsoft has disclosed multiple zero-day vulnerabilities in Microsoft Defender that are already being exploited in the wild. The flaws allow attackers to bypass endpoint detection or achieve code execution in contexts where Defender is expected to be providing a layer of trust. For defenders, this is a particularly uncomfortable class of vulnerability — the tool you rely on to detect compromise becomes the attack surface. Prioritise applying mitigations or patches through Windows Update immediately, and consider monitoring for anomalous Defender process behaviour as a compensating control while rollout proceeds.

YellowKey BitLocker Bypass: Microsoft Issues Mitigation for CVE-2026-45585
A BitLocker bypass tracked as CVE-2026-45585 and dubbed "YellowKey" has drawn significant practitioner attention, with Microsoft releasing an official mitigation after working exploit code circulated. The vulnerability undermines full-disk encryption at rest — a critical control for device theft scenarios, endpoint decommissioning, and regulated data environments. The mitigation falls short of a full patch, meaning the attack surface isn't fully closed. Organisations that depend on BitLocker as a primary encryption layer for laptops or sensitive workstations should apply the mitigation guidance immediately and review their FDE strategy more broadly.

PinTheft: Working Linux Privilege Escalation Exploit Targets RDS Subsystem
A new local privilege escalation vulnerability dubbed PinTheft has emerged in the Linux kernel's Reliable Datagram Sockets (RDS) subsystem, and working public exploit code is already available. Arch Linux users face immediate risk given the rolling-release model, but the underlying flaw affects any kernel configuration with RDS enabled — which is broader than many administrators assume. The availability of functional exploit code compresses the window between disclosure and weaponisation to near-zero, meaning patch cycles that assume days or weeks of lead time are dangerously optimistic here. This is at least the third Linux LPE with working public exploit code to surface in recent months; the pattern warrants a systematic review of kernel hardening posture across your Linux fleet.


Schrödinger's Feed

Researchers have built an ultra-sensitive quantum sensor capable of detecting energy below one zeptojoule — that's less than a billionth of a trillionth of a joule — by exploiting superconducting materials that react to the faintest thermal fluctuations. The precision involved is genuinely difficult to conceptualise, but the security-relevant implication is real: sensors at this sensitivity could eventually probe the physical side-channel emissions of cryptographic hardware at scales previously considered theoretical. That makes this relevant territory for anyone thinking about long-term hardware security and side-channel attack surfaces. As quantum sensing matures alongside quantum computing, practitioners building infrastructure intended to outlast current threat models should track both tracks — not just the cryptanalysis side of the quantum story.


/dev/random

Someone has built an interactive stellar navigation chart based on real Gaia spacecraft data — essentially the actual star map that features in Project Hail Mary, Andy Weir's novel about a lone astronaut doing celestial dead-reckoning to figure out where he is in the galaxy. The Gaia catalogue covers over a billion stars with extraordinary astrometric precision, which turns out to make for a genuinely beautiful browser visualisation. It's a rare case of a Hacker News project where the underlying dataset is more impressive than any exploit it might inspire. No CVEs in this one — just the quiet reassurance that not everything on the internet is trying to own your database.