NextGEN Gallery Flaw Lets Authors Execute Malicious Code
Today's cybersecurity digest — CVEs, headline news, and something nerdy. March 19, 2026
cybr.cx Daily Digest — March 19, 2026
Critical Vulnerabilities
CVE-2026-1463 | NextGEN Gallery for WordPress | CVSS 8.8 HIGH
A local file inclusion flaw in the popular NextGEN Gallery plugin (versions ≤4.0.3) allows authenticated users with Author privileges to execute arbitrary PHP files on the server via the 'template' parameter in gallery shortcodes. If you allow untrusted contributors on your WordPress site, this is a full server compromise waiting to happen. Patch immediately or remove the plugin.
CVE-2026-2992 | KiviCare EHR Plugin for WordPress | CVSS 8.2 HIGH
The KiviCare clinic management plugin has a broken authorization check on its setup wizard REST endpoint, letting unauthenticated attackers create admin accounts out of thin air. Healthcare sites running this plugin are at serious risk of complete takeover. Update past version 4.1.2 now—no authentication required to exploit.
CVE-2026-32596 | Glances System Monitor | CVSS 7.5 HIGH
Running glances -w exposes your system's REST API to the network with zero authentication by default. That API leaks process command lines, which routinely contain passwords, API keys, and tokens. If you've ever spun up Glances for "quick monitoring," check if it's still running. Version 4.5.2 fixes this.
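A quick self-audit for the Glances exposure described above, added here as an example and not part of the digest or the Glances project: it requests the process list from a local Glances web server with no credentials, reports whether the API answered unauthenticated, and flags command lines that look like they carry secrets. It assumes the Glances 4 defaults (TCP 61208, /api/4/processlist, a 'cmdline' list per process); adjust API_URL if your install differs.

```python
"""Audit a local `glances -w` instance for an unauthenticated REST API
that leaks process command lines. Endpoint, port and field names below
are assumptions about Glances 4 defaults, not taken from the advisory."""
import json
import re
import urllib.error
import urllib.request

API_URL = "http://127.0.0.1:61208/api/4/processlist"  # assumed default

# Patterns that commonly mark a credential passed on a command line.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(?:password|passwd|token|api[_-]?key|secret)[=:\s]\S+"),
    re.compile(r"AKIA[0-9A-Z]{16}"),          # AWS access key id shape
    re.compile(r"(?i)Bearer\s+\S+"),          # bearer token in a header arg
]

def find_secret_cmdlines(processes):
    """Return (pid, name, matched_fragment) for each process whose
    command line matches a secret pattern; 'cmdline' may be list or str."""
    hits = []
    for proc in processes:
        cmd = proc.get("cmdline") or []
        if isinstance(cmd, list):
            cmd = " ".join(str(part) for part in cmd)
        for pat in SECRET_PATTERNS:
            match = pat.search(cmd)
            if match:
                hits.append((proc.get("pid"), proc.get("name"), match.group(0)))
                break
    return hits

def classify_status(status):
    """Map the HTTP status of an unauthenticated request to a verdict."""
    if status is None:
        return "not-listening"
    if status == 200:
        return "exposed-unauthenticated"
    if status in (401, 403):
        return "auth-required"
    return "unknown"

def probe(url=API_URL, timeout=3):
    """GET the process list with no credentials; return (verdict, hits)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, data = resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_status(err.code), []
    except (urllib.error.URLError, OSError):
        return classify_status(None), []
    return classify_status(status), find_secret_cmdlines(data)

if __name__ == "__main__":
    verdict, hits = probe()
    print("verdict:", verdict)
    for pid, name, fragment in hits:
        print(f"  pid {pid} ({name}) exposes: {fragment}")
```

A verdict of "exposed-unauthenticated" with any hits means those secrets are readable by anyone who can reach the port; upgrade to 4.5.2 or stop binding the web server to a routable interface.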
CVE-2026-22317 | Undisclosed Device (Root CA Workflow) | CVSS 7.2 HIGH
A command injection in a device's certificate transfer workflow gives privileged attackers root shell access via crafted HTTP POST requests. Vendor not specified in the advisory—check your network appliances and certificate management tools for patches.
Headline News
Lazarus Group Hits Bitrefill, Steals Funds via Employee Laptop
North Korea's Lazarus Group has struck again, this time compromising crypto e-commerce platform Bitrefill through a targeted attack on an employee laptop. The company confirmed the breach resulted in stolen funds, though the exact amount hasn't been disclosed. This continues the DPRK's relentless focus on cryptocurrency as a sanctions evasion mechanism. The attack vector—employee endpoint compromise—reinforces why supply chain hygiene and endpoint hardening remain critical, especially for organizations handling digital assets. Bitrefill's public attribution to Lazarus is notable; most victims stay quiet.
Apple Deploys First "Background Security Improvements" Update for WebKit Zero-Day
Apple has quietly pushed its first-ever Background Security Improvements update to patch CVE-2026-20643, a WebKit vulnerability affecting iPhones, iPads, and Macs. This new update mechanism patches security flaws without requiring users to install full OS upgrades—a significant shift in Apple's patching strategy. The WebKit flaw was found in the wild, though exploitation details remain sparse. For defenders, this means your Apple fleet may now receive critical patches silently, which is great for coverage but complicates your vulnerability tracking. Check your MDM telemetry.
Microsoft's FedRAMP Approval Under Fire as Internal Criticism Surfaces
A ProPublica investigation gaining major traction on Reddit (739 upvotes) reveals that federal cybersecurity experts privately called Microsoft's cloud offering "a pile of shit" during FedRAMP evaluation—but approved it anyway. The report exposes tensions between security assessments and procurement realities in government IT. For practitioners, this isn't exactly shocking, but it's rare to see internal dissent documented this clearly. The story adds fuel to ongoing debates about Microsoft's security posture following years of high-profile breaches affecting government customers.
Nerdy Corner
OpenAI is apparently pivoting hard—toward its IPO. A Hacker News post (179 points) links to analysis suggesting the company's recent moves are less about AGI and more about making the numbers look pretty for Wall Street. Nothing says "we're building humanity's last invention" quite like quarterly earnings pressure. At least when Skynet goes live, shareholders will get a nice dividend.
Stay patched. Stay paranoid.