Magento Cache Plugin Flaw Exploited; Patch Immediately
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 06, 2026
cybr.cx Daily Digest — June 06, 2026
Critical Vulnerabilities
⚠️ Actively exploited — CVE-2026-45247 | Mirasvit Full Page Cache Warmer | CVSS: N/A
CISA's KEV due date was today — if you're running Magento with the Mirasvit Full Page Cache Warmer extension, treat this as a fire drill. Unauthenticated attackers can achieve remote code execution by supplying a crafted serialised PHP object in the CacheWarmer cookie. Deserialisaton RCE on a public-facing e-commerce component is about as bad as it gets. Patch or disable immediately.
⚠️ Actively exploited — CVE-2026-28318 | SolarWinds Serv-U | CVSS: N/A
No authentication required — attackers are sending specially crafted POST requests with a Content-Encoding: deflate header to crash the Serv-U service outright. It's a denial-of-service at minimum, and given SolarWinds' history, the blast radius from disrupted managed file transfer infrastructure shouldn't be underestimated. CISA's remediation deadline was June 19; get ahead of it now.
⚠️ Actively exploited — CVE-2022-0492 | Linux Kernel | CVSS: N/A
Yes, this is a 2022 CVE, and yes, it's still being actively exploited in 2026. The cgroups v1 release_agent privilege escalation path remains viable in unpatched or misconfigured Linux environments — particularly relevant for container escape scenarios. If you haven't audited your kernel versions and cgroup configurations, this is your reminder.
⚠️ Actively exploited — CVE-2025-48595 | Android Framework | CVSS: N/A
An integer overflow in the Android Framework is enabling local privilege escalation in the wild. With exploitation confirmed, any unpatched Android devices in your fleet — especially those used for corporate access — should be considered at elevated risk. Push June patches where available.
⚠️ Actively exploited — CVE-2024-21182 | Oracle WebLogic Server | CVSS: N/A
Unauthenticated remote access via the T3 and IIOP protocols can yield complete compromise of WebLogic Server. CISA's due date has already passed (June 4). If you have internet-exposed WebLogic instances that haven't been patched, assume they've been scanned — and likely found.
CVE-2026-48579 | Microsoft Exchange Online | CVSS: 9.1 (Critical)
An improper authorisation flaw in Exchange Online allows unauthenticated network attackers to disclose information. In a cloud email context, "information disclosure" can mean mailbox contents, calendar data, or internal communications. No on-premises patching required, but monitoring for anomalous access patterns is prudent while Microsoft remediates.
CVE-2026-49492 & CVE-2026-49493 | Markdown Preview Enhanced (VS Code / Atom) | CVSS: 8.8 each
Two distinct RCE bugs in Markdown Preview Enhanced before 0.8.28. The first (CVE-2026-49492) allows command injection on Windows through unsanitised diagram filenames and LaTeX engine attributes — triggered just by previewing a document. The second (CVE-2026-49493) evaluates bitfield fenced code blocks via vm.runInNewContext(), which is not a sandbox. Both are exploitable by anyone who can get a crafted .md file in front of a developer. Update to 0.8.28 now; this is a supply chain threat vector.
CVE-2026-5415 & CVE-2026-5411 | WP Captcha PRO (WordPress) | CVSS: 8.8 each
Two critical bugs in the WP Captcha PRO plugin (versions up to 5.38). CVE-2026-5415 is an authentication bypass — the AJAX handler checks a nonce but performs no capability check, allowing privilege escalation to admin. CVE-2026-5411 chains a misconfigured capability check with unrestricted file extraction to achieve arbitrary file upload. Together, they're a full site takeover path. Update or deactivate.
CVE-2026-11332 | ansible-core | CVSS: 7.8
The ansible-galaxy role install command processes meta/requirements.yml from third-party roles without properly neutralising argument delimiters in the src field. A malicious role author can inject arbitrary git flags, leading to code execution on the installing machine. Vet your Galaxy role sources and consider pinning to known-good versions.
Headline News
Magecart Actors Weaponise Stripe's API for Skimming Infrastructure
A newly documented Magecart campaign has inverted the usual skimmer model by abusing Stripe's legitimate API infrastructure — both to serve the card-stealing payload and to exfiltrate harvested payment data. By routing through a trusted payment processor's endpoints, the malicious traffic blends into what defenders would normally consider benign HTTPS traffic to a known-good domain. The technique significantly undermines network-based detections and allowlist strategies that rely on domain reputation. Retailers and e-commerce operators should audit their checkout page JavaScript for unexpected Stripe API calls, particularly any that transmit data outside normal payment flow contexts — and consider implementing strict Content Security Policies to limit what scripts can execute on payment pages.
NSA Deploys Anthropic's AI for Offensive Cyber Operations
Reports have confirmed that the NSA is operationally using Anthropic's Claude-based "Mythos" model to support offensive cyber activities. The disclosure marks a significant moment: a major commercial large language model, purpose-adapted, being used by a signals intelligence agency not just for analysis but for active operations. For practitioners, this raises immediate questions about the attack surface that AI-assisted adversaries can now cover — faster vulnerability research, more scalable spearphishing content generation, and potentially automated exploit development. It also forces a harder conversation about the dual-use nature of frontier AI models and what "responsible deployment" actually means when the customer is an intelligence agency.
Schrödinger's Feed
C12 Quantum has unveiled "Pick & Place," a patented nanoassembly process that deposits single-walled carbon nanotubes onto pre-fabricated quantum circuits with micrometric precision — effectively creating a repeatable manufacturing pipeline for CNT-based qubits. The significance here is decoupling qubit fabrication from the underlying circuit substrate, which has historically been one of the bottlenecks preventing quantum hardware from scaling like conventional semiconductors. Carbon nanotube qubits offer long coherence times and compatibility with existing semiconductor fabrication infrastructure, which could accelerate the timeline to fault-tolerant quantum systems. For security practitioners: the faster quantum hardware matures, the sooner "harvest now, decrypt later" campaigns against today's RSA and ECC traffic become genuinely threatening — PQC migration timelines should be treated as live, not theoretical.
/dev/random
The ISS had a week. Crew members who had been sheltering in the Russian segment due to an air leak were cleared to return to the main station after repairs — which is the kind of sentence that sounds routine until you remember it involves humans sealed in a metal tube 400km above Earth. The leak itself reportedly originated from a known crack in a module hatch seal, a recurring issue that has been patched and re-patched over the years like a particularly stubborn legacy system. There's a certain universally relatable IT energy in "the fix we applied earlier is holding, probably, go ahead and move back in." The ISS: 99.9% uptime since 2000, scheduled for deorbit 2030, currently running on vibes and duct tape.