MailEnable Auth Bypass Lets Attackers Hijack Admin Portal
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 10, 2026
cybr.cx | Daily Digest — May 10, 2026
Critical Vulnerabilities
CVE-2026-44400 | MailEnable Enterprise Premium ≤ 10.55 | CVSS 8.1 (HIGH)
An improper authorisation flaw in MailEnable's WebAdmin mobile portal allows attackers to bypass authentication entirely by recycling AuthenticationToken cookies originally issued to low-privileged WebMail users. An attacker logs into WebMail using the PersistentLogin parameter to harvest a valid token, then replays it against the elevated WebAdmin interface — effectively laundering a standard user session into administrative access. Any organisation running MailEnable Enterprise Premium on-premises should treat this as urgent; WebAdmin exposure to untrusted networks significantly raises the blast radius. Patch or restrict portal access at the network boundary immediately.
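The root cause described above is a token that is valid for one portal being accepted by another. The following is an added example (not MailEnable's code, and not derived from the advisory) that models the weak and the hardened check side by side: tokens are HMAC-signed with an `aud` (audience) claim naming the portal they were minted for, and the admin-side verifier is shown once checking only the signature and expiry, and once also requiring `aud == "webadmin"`. All names, the key and the timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, audience: str, ttl: int = 3600, now=None) -> str:
    """Mint a signed token bound to the portal ('audience') that issued it."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def _verify_signature(token: str):
    """Return the claims if the HMAC over the body checks out, else None."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(_unb64(body))
    except ValueError:  # malformed base64 / JSON / missing separator
        return None


def weak_admin_check(token: str, now=None) -> bool:
    """Flawed pattern: any validly signed, unexpired token is accepted,
    no matter which portal minted it. A WebMail token passes here."""
    claims = _verify_signature(token)
    now = int(time.time()) if now is None else now
    return claims is not None and claims["exp"] > now


def strict_admin_check(token: str, now=None) -> bool:
    """Hardened pattern: signature, expiry AND audience must all match."""
    claims = _verify_signature(token)
    now = int(time.time()) if now is None else now
    return (claims is not None
            and claims["exp"] > now
            and claims.get("aud") == "webadmin")


def demo():
    """Show a low-privilege token crossing the boundary only under the weak check."""
    t0 = 1_000_000  # constructed clock value
    webmail_token = issue_token("alice", "webmail", now=t0)
    admin_token = issue_token("root", "webadmin", now=t0)
    return {
        "weak_accepts_webmail_token": weak_admin_check(webmail_token, now=t0 + 10),
        "strict_rejects_webmail_token": not strict_admin_check(webmail_token, now=t0 + 10),
        "strict_accepts_admin_token": strict_admin_check(admin_token, now=t0 + 10),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the audience into the signed claims is what makes the distinction enforceable: a verifier cannot tell a WebMail cookie from a WebAdmin cookie by inspecting the signature alone, and a forged body paired with an old signature fails the HMAC check before the audience is even consulted.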
Headline News
Dirty Frag: A New Linux Zero-Day That Roots Every Major Distro
A newly disclosed vulnerability class dubbed "Dirty Frag" — first identified by researcher Hyunwoo Kim — enables local privilege escalation to root on all major Linux distributions by chaining two page-cache write vulnerabilities: one in the xfrm/ESP subsystem and one in the RxRPC stack. The exploit chain is conceptually reminiscent of the original Dirty COW and Dirty Pipe bugs, weaponising kernel memory handling quirks to overwrite privileged pages without proper permissions. What makes this particularly uncomfortable is the breadth of exposure: virtually any unpatched Linux host with local user access — including shared servers, containers with misconfigured boundaries, and developer workstations — is in scope. Defenders should prioritise kernel patching across their fleet as a matter of urgency, and treat any environment running unpatched kernels with local multi-user access as effectively compromised until remediated.
ShinyHunters Claims Massive Canvas LMS Breach — 275 Million Records, 9,000 Schools, Deadline Monday
ShinyHunters, the prolific threat actor behind several high-profile data extortion campaigns, is claiming responsibility for a breach of Instructure's Canvas LMS platform — alleging exfiltration of 275 million records spanning roughly 9,000 educational institutions. This is notably flagged as a second security incident at Instructure, raising serious questions about whether the initial compromise was fully contained or whether the threat actor maintained persistent access. With a ransom deadline reportedly set for May 12, institutions using Canvas — which includes universities, K-12 districts, and corporate learning environments across dozens of countries — are in an acutely difficult position as the clock runs down. The scale of affected records likely encompasses student PII, educator credentials, and institutional data; practitioners at affected organisations should begin assessing exposure now and not wait for official disclosure. Regardless of whether Instructure pays or negotiates, the data's eventual appearance on breach markets should be treated as a near-certainty.
JDownloader Site Compromised to Serve Python RAT via Trojanised Installers
The official distribution infrastructure for JDownloader — the widely used open-source download manager — was compromised, with threat actors replacing legitimate installers with trojanised versions bundling a Python-based remote access trojan. Supply chain attacks targeting popular open-source utilities are an increasingly efficient vector precisely because users arrive with implicit trust, often bypassing the scepticism they'd apply to an unsolicited download. Anyone who downloaded JDownloader from the official site during the compromise window should assume the host is fully backdoored and respond accordingly: isolate, re-image, rotate credentials, and review lateral movement opportunities the RAT may have exploited. Security teams should also audit endpoint telemetry for unusual Python interpreter activity, outbound C2 beaconing patterns, and persistence mechanisms consistent with RAT deployment.
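The two telemetry checks suggested above (unusual Python interpreter activity and outbound beaconing) can be expressed as simple detection logic. The following is an added example, not code from the JDownloader project or from any vendor; the event records, paths, process IDs and TEST-NET destination addresses are all constructed to stand in for EDR or Sysmon exports. It flags a `python.exe` that runs from a user-writable directory or is spawned by an installer, flags connection series whose inter-arrival times are nearly constant, and correlates the two by process ID.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed endpoint telemetry (not real logs). Timestamps are seconds
# from an arbitrary origin; "dst" is ip:port of the outbound connection.
EVENTS = [
    {"t": 0, "type": "process", "pid": 4100,
     "image": r"C:\Users\bob\Downloads\JDownloader2Setup.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"t": 2, "type": "process", "pid": 4112,
     "image": r"C:\Users\bob\AppData\Local\Temp\pyrt\python.exe",
     "parent_image": r"C:\Users\bob\Downloads\JDownloader2Setup.exe"},
    {"t": 5, "type": "process", "pid": 2200,
     "image": r"C:\Program Files\Python312\python.exe",
     "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe"},
    # pid 4112 calls out every 60 s: regular beacon
    *[{"t": t, "type": "network", "pid": 4112, "dst": "203.0.113.7:443"}
      for t in (10, 70, 130, 190, 250)],
    # pid 2200 (developer's interpreter) calls out at irregular intervals
    *[{"t": t, "type": "network", "pid": 2200, "dst": "198.51.100.20:443"}
      for t in (12, 19, 95, 400)],
]

# Path fragments and parent-name hints used by the interpreter check.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\programdata\\")
INSTALLER_HINTS = ("setup", "install")


def suspicious_interpreters(events):
    """Return [(pid, [reasons])] for Python interpreters started from
    user-writable locations or by an installer process."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        image = e["image"].lower()
        if not image.endswith(("python.exe", "pythonw.exe")):
            continue
        reasons = []
        if any(d in image for d in SUSPICIOUS_DIRS):
            reasons.append("interpreter in user-writable path")
        parent = e["parent_image"].lower().rsplit("\\", 1)[-1]
        if any(h in parent for h in INSTALLER_HINTS):
            reasons.append(f"spawned by installer {parent}")
        if reasons:
            hits.append((e["pid"], reasons))
    return hits


def beaconing(events, min_conns=4, max_cv=0.2):
    """Flag (pid, dst) flows with >= min_conns connections whose gaps have a
    coefficient of variation <= max_cv, i.e. a near-fixed check-in interval."""
    by_flow = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            by_flow[(e["pid"], e["dst"])].append(e["t"])
    flagged = []
    for (pid, dst), times in by_flow.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else 0.0
        if cv <= max_cv:
            flagged.append({"pid": pid, "dst": dst,
                            "interval": round(m, 1), "cv": round(cv, 3)})
    return flagged


def triage(events):
    """PIDs that trip both checks: the highest-priority hosts to isolate."""
    odd_pids = {pid for pid, _ in suspicious_interpreters(events)}
    beacon_pids = {f["pid"] for f in beaconing(events)}
    return sorted(odd_pids & beacon_pids)


if __name__ == "__main__":
    print(suspicious_interpreters(EVENTS))
    print(beaconing(EVENTS))
    print("isolate:", triage(EVENTS))
```

The developer's interpreter (pid 2200) has enough connections to be considered but its irregular gaps keep it below the beaconing threshold, which is the false-positive case the coefficient-of-variation test is there to handle; jittered beacons would need a looser `max_cv` or a frequency-domain check, so treat the threshold as a tuning knob rather than a constant.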
Schrödinger's Feed
China's CAS Cold Atom Technology has unveiled Hanyuan-2, described as the world's first dual-core neutral atom quantum computer — a 200-qubit system that represents a meaningful architectural leap from single-core designs, potentially enabling more complex error-correction schemes and parallel workload execution. The dual-core approach mirrors conceptual directions being explored in classical high-performance computing, but in the quantum context it hints at a path toward the kind of fault-tolerant, large-scale machines that cryptographers have been quietly dreading. A 200-qubit neutral atom system is not yet Shor's-algorithm-at-scale territory, but the architectural innovation matters: multi-core designs could compound qubit counts faster than linear single-core scaling. Practitioners managing long-lived PKI infrastructure, HSM key hierarchies, or anything relying on RSA/ECC should treat this as another data point in the "migrate to PQC sooner rather than later" argument — NIST's finalised standards exist; the question now is execution timelines.
/dev/random
The Bun JavaScript runtime's ongoing Rust rewrite has hit 99.8% test compatibility on Linux x64 glibc, which is either an extraordinary engineering achievement or proof that the Rust evangelists have simply outlasted everyone's will to argue. Rewriting a runtime — the kind of project that has historically ended careers, marriages, and at least two promising startups — in a memory-safe language while maintaining near-total test parity is genuinely impressive. The remaining 0.2% of failing tests is presumably either cosmically cursed edge cases or one very stubborn timezone bug. Security-wise, a Rust-native Bun eventually means a significantly smaller attack surface for the memory corruption vulnerabilities that have historically made JavaScript runtimes a favourite target — so this one's worth watching beyond the benchmarks.