OpenWrt DNS Proxy Flaw Enables Remote Command Execution
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 27, 2026
cybr.cx — Daily Cybersecurity Intelligence Digest
Wednesday, May 27, 2026
Critical Vulnerabilities
CVE-2026-46368 | luci-app-https-dns-proxy | CVSS 8.8 — HIGH
An authenticated user with the luci.https-dns-proxy ACL permission can inject shell metacharacters via the name parameter in the setInitAction function, leading to arbitrary command execution on OpenWrt devices. While the add-on isn't installed by default, any deployment that has enabled the LuCI HTTPS DNS proxy UI should patch or remove the package immediately — command injection on edge networking hardware is a bad day.
CVE-2026-44832 | Snipe-IT (< 8.4.1) | CVSS 8.8 — HIGH
A privilege escalation flaw in Snipe-IT allows any authenticated user with users.edit permission to grant themselves full admin rights by sending a crafted PATCH request to the API. The API strips superuser from the permissions array but leaves admin wide open. If you run Snipe-IT for asset management — and many enterprise IT teams do — upgrade to 8.4.1 now and audit recent permission changes.
CVE-2026-4480 | Samba (printing subsystem) | CVSS 8.5 — HIGH
Samba passes the client-controlled print job description string to the configured print command via %J substitution without sanitising shell metacharacters. A remote attacker can craft a print job to execute arbitrary shell commands on the server. SMB printing exposure on internal networks makes this broadly relevant; apply vendor patches and consider disabling the printing subsystem if it isn't needed.
CVE-2026-8046 | Unspecified product | CVSS 8.1 — HIGH
An authenticated low-privileged user can delete accounts belonging to higher-privileged users, including administrators, due to insufficient authorisation checks on account deletion endpoints. This is a straightforward broken access control issue with significant impact in multi-tenant or SaaS environments. Watch for vendor-specific advisories matching this description and validate your RBAC enforcement on destructive API operations.
CVE-2026-8834 | IBM HTTP Server 8.5 / 9.0 | CVSS 8.0 — HIGH
A buffer overflow in the IBM HTTP Server Administration Server can be triggered by an authenticated privileged user, potentially resulting in remote code execution or denial of service. While the authentication requirement raises the bar, RCE on a web server process is a critical blast radius. IBM customers should apply patches and restrict Administration Server network access.
CVE-2026-44468 / CVE-2026-44469 | Unspecified installer | CVSS 7.8 — HIGH
Two related local privilege escalation flaws in an administrative installer: the first (44468) creates a temp directory with insecure permissions, allowing modification of installation component definitions; the second (44469) introduces a TOCTOU race condition where verified files can be swapped for malicious ones before installation completes. Together they form a reliable LPE chain for any low-privileged local attacker. Vendor-specific advisories expected shortly.
CVE-2026-7451 | Autodesk 3ds Max | CVSS 7.8 — HIGH
A maliciously crafted TIF file can trigger an out-of-bounds write when parsed by 3ds Max, enabling arbitrary code execution in the context of the running process. Phishing campaigns targeting design and engineering firms frequently weaponise media file parsers — treat unsolicited 3ds Max project files with the same suspicion you'd give a macro-laden Office doc.
Headline News
Trend Micro Apex One Zero-Day Under Active Exploitation
A critical zero-day vulnerability in Trend Micro Apex One is being actively exploited in the wild, and CISA has moved quickly to add it to the Known Exploited Vulnerabilities catalogue — a reliable signal that real-world attack activity is confirmed, not theoretical. Apex One is widely deployed across enterprise endpoints, making the exposure surface substantial. Details on the specific vulnerability class are limited pending fuller disclosure, but the KEV listing means US federal agencies face a hard patching deadline and private sector defenders should treat this as urgent regardless. If Apex One is in your environment, get the patch applied and review endpoint telemetry for any anomalous behaviour predating the advisory.
Security Researcher Banned from GitHub and GitLab After Threatening Disclosures
A researcher operating under the handle Nightmare-Eclipse has been banned from both GitHub and GitLab following a campaign of what can only be described as coercive vulnerability disclosure — threatening recipients with statements including "I will make sure your bones are shattered" alongside drops of unpatched Windows zero-days. The episode illustrates the increasingly blurry line between legitimate pressure tactics in responsible disclosure and outright extortion, and it raises uncomfortable questions about where the community draws that line. The Windows zero-days themselves remain a concern regardless of the messenger's conduct; defenders should track any technical details that have entered public circulation. Platform bans are a meaningful but ultimately limited tool — the vulnerabilities don't disappear with the account.
250 Fake Android Apps Conducting Silent Carrier Billing Fraud
Researchers have uncovered a campaign involving nearly 250 malicious Android applications impersonating popular games and social media platforms, silently enrolling victims in premium carrier billing subscriptions without any interaction. The apps operate stealthily, exploiting WAP billing mechanisms that bypass standard payment authentication, meaning victims often only discover the fraud on their phone bill weeks later. The breadth of the campaign — spanning multiple app categories and regions — suggests a well-resourced operation rather than opportunistic actors. Mobile device management policies that restrict sideloading and enforce app source controls are the most effective mitigation, though the campaign also highlights the inadequacy of relying solely on marketplace screening.
Schrödinger's Feed
The U.S. Air Force has taken delivery of Terra Quantum's quantum-secure communications simulation platform for active operational testing in contested network environments, marking the graduation of the technology through SBIR Phase I and II programmes. In parallel, Terra Quantum and Malta-based Merqury Cybersecurity have deployed a live QKD hardware implementation on a production optical telecoms network — moving quantum key distribution out of the lab and onto infrastructure that handles real traffic. These two developments together represent an accelerating convergence: military-grade PQC testing on one side, commercial network deployment on the other. Practitioners building long-term cryptographic roadmaps should note that "quantum-safe by 2030" timelines are starting to look conservative — production QKD deployments are happening now, and the gap between research and operational reality is closing faster than most patch cycles.
/dev/random
Spain has blocked access to prediction markets Polymarket and Kalshi on the grounds that they're operating without a gambling licence, which is either a reasonable regulatory enforcement action or a spectacular misread of what these platforms are, depending on your priors. The irony of a government blocking a market that lets people bet on government decisions is not lost on anyone. For what it's worth, you could probably have gotten decent odds on this outcome — if you could still access the site from Madrid. No CVEs involved, but the DNS blocking mechanisms used are exactly the same ones your threat intel team spends time routing around.