SharePoint Flaws Let Any Logged-In User Run Malicious Code
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 13, 2026
cybr.cx — Daily Digest | May 13, 2026
Critical Vulnerabilities
CVE-2026-33110 / CVE-2026-33112 / CVE-2026-35439 — Microsoft SharePoint (CVSS 8.8): Three separate deserialization vulnerabilities in Microsoft Office SharePoint allow any authenticated attacker to execute arbitrary code remotely over the network. The bar for exploitation is low — a valid account is all that's needed, not admin rights. Organisations running on-premises SharePoint should treat these as priority patches; these are exactly the class of bug that ransomware operators chain with credential theft.
CVE-2026-34329 — Windows Message Queuing (CVSS 8.8): A heap-based buffer overflow in Windows MSMQ allows an unauthenticated attacker on an adjacent network to achieve remote code execution. MSMQ has had a rough few years and is frequently left exposed internally. If you're not using it, disable it; if you are, patch and verify network segmentation.
CVE-2026-35436 — Microsoft Office Click-To-Run (CVSS 8.8): An access control flaw in Click-To-Run allows a locally authenticated attacker to elevate privileges. Less dramatic than the SharePoint trio, but local privilege escalation is a staple of post-compromise lateral movement — don't let it be the stepping stone.
CVE-2026-7256 — Zyxel WRE6505 v2 Firmware (CVSS 8.8): A command injection flaw in the CGI interface of this end-of-life Zyxel range extender allows any attacker on the local network to execute OS commands via a crafted HTTP request. The critical word here is unsupported — there is no patch coming. Retire or isolate this hardware immediately.
CVE-2026-6001 — ABIS Technology BAPSIS (CVSS 8.8): An authorization bypass via user-controlled keys allows exploitation of trusted identifiers in versions prior to v.202604152042. Organisations using this platform should update immediately and audit access logs for anomalous session behaviour.
CVE-2026-2465 — E-Kalite Turboard FOR-S (CVSS 8.8): Incorrect authorisation logic enables privilege escalation in versions between 7.01.2026 and 18.02.2026. Niche software, but a known pattern — broken access control in line-of-business platforms often goes unnoticed longest.
Headline News
Mass npm Supply Chain Attack Targets TanStack, Mistral AI, and 170+ Packages
A coordinated supply chain attack has compromised over 170 npm packages, with high-profile targets including the TanStack ecosystem and packages associated with Mistral AI. Attackers injected malicious code into package versions that would be pulled automatically by developers relying on unpinned dependencies — a reminder that the software supply chain remains one of the highest-leverage attack surfaces available to threat actors. The incident follows a now-familiar playbook: poison a widely trusted upstream package, let the dependency graph do the distribution work. Any team consuming affected packages should audit lock files, rotate secrets that may have been exposed in CI/CD pipelines, and review build logs for unexpected outbound connections. The scale here — 170+ packages — places this among the larger npm compromise events on record.
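The lock-file audit suggested above, as an added example that is not part of the digest: it walks an npm lockfile (v2/v3 "packages" map) against an advisory list and flags dependency ranges that would auto-upgrade on install. The package names, versions and advisory entries are constructed placeholders, not the real indicators from this incident.

```javascript
// Added example (not from the digest): audit an npm lockfile against a
// constructed advisory list and flag unpinned dependency ranges.

// Constructed advisory list: package name -> versions known to be tampered.
// Placeholder values only, not the real May 2026 indicators.
const ADVISORY = {
  "example-widget": ["1.4.2", "1.4.3"],
  "@example/core": ["0.9.7"],
};

// Package name from a lockfile "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (nested installs).
function nameFromLockPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? lockPath : lockPath.slice(idx + "node_modules/".length);
}

// Every installed package whose resolved version appears in the advisory.
function findCompromised(lock, advisory = ADVISORY) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = nameFromLockPath(lockPath);
    const bad = advisory[name];
    if (bad && bad.includes(entry.version)) {
      hits.push({ name, version: entry.version, path: lockPath });
    }
  }
  return hits;
}

// Dependencies whose declared range is not one exact version (^, ~, *, x,
// >=, ||, git/file specs) and so can silently pull a poisoned release.
function findUnpinned(pkg) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  const out = [];
  for (const s of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[s] || {})) {
      if (!exact.test(range)) out.push({ name, range, section: s });
    }
  }
  return out;
}

// Constructed stand-ins for package.json and package-lock.json.
const SAMPLE_PKG = { dependencies: { "example-widget": "^1.4.0", "example-util": "2.0.1" } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/example-widget": { version: "1.4.3" },
    "node_modules/example-util": { version: "2.0.1" },
    "node_modules/example-util/node_modules/@example/core": { version: "0.9.7" },
  },
};
```

On a real project, pass `JSON.parse(fs.readFileSync("package-lock.json"))` and `JSON.parse(fs.readFileSync("package.json"))` in place of the samples; the nested `@example/core` hit shows why walking the full lockfile matters rather than only direct dependencies.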
German Security Official Warns China Is Close to Fielding an AI-Powered "Superhacker"
A senior German cybersecurity official has issued a stark public warning that China is approaching the capability to deploy AI systems capable of conducting sophisticated, largely autonomous cyberattacks at scale. The assessment frames this not as a distant theoretical threat but as a near-term operational concern — one that would fundamentally alter the economics of nation-state offensive operations by dramatically lowering the cost and expertise required to conduct high-complexity intrusions. This tracks with a broader intelligence picture: AI-augmented reconnaissance, vulnerability discovery, and social engineering are already being observed in the wild, and the gap between "AI-assisted" and "AI-directed" attacks is narrowing faster than many defenders anticipated. For practitioners, the implication is straightforward — detection pipelines and incident response playbooks built around human-paced attack timelines need to be stress-tested against machine-speed adversary behaviour.
Canvas Learning Platform Breach: Ransom Paid to Delete Stolen Student Data
The operator of the Canvas cloud-based learning management platform confirmed it paid cybercriminals to delete student data stolen during a breach that came to light last week, with Adelaide University among the affected institutions. Paying for deletion assurances is, of course, an act of faith in the good will of extortionists — there is no reliable mechanism to verify that data has actually been destroyed, and copies almost certainly exist. The incident has drawn criticism not only for the breach itself but for the institution's communication failures in the aftermath, with students left in the dark about what data was exposed and for how long. For security teams supporting education sector clients, this is a useful case study in both third-party SaaS risk and the reputational cost of opaque incident communication.
Schrödinger's Feed
MIT researchers have published a new technique for measuring a poorly understood phenomenon that causes quantum circuits to behave inconsistently and introduce computational errors — a problem that has quietly undermined the reliability of quantum hardware at scale. Quantum computers don't just fail noisily; they sometimes fail subtly, producing results that look plausible but aren't, which makes error characterisation as important as error correction. Better measurement tools mean better calibration, which accelerates the timeline toward fault-tolerant quantum systems capable of running the long-duration algorithms — including cryptanalysis — that currently remain out of reach. Practitioners invested in post-quantum cryptography migration timelines should watch circuit reliability research closely: the gap between "quantum computers exist" and "quantum computers can threaten RSA-2048 at scale" is largely a hardware reliability problem, and that gap is shrinking methodically.
/dev/random
CERT has dropped six CVEs against dnsmasq — the lightweight DNS and DHCP server running quietly on an extraordinary number of routers, embedded devices, and Linux systems worldwide. dnsmasq is one of those pieces of software so ubiquitous it's essentially infrastructure wallpaper; it's just there, doing its job, mostly forgotten, until it isn't. Six vulnerabilities described as "serious" is a good reminder that the boring plumbing of your network deserves the same attention as the glamorous attack surface. Check your firmware, check your distro packages, and maybe say a small word of thanks to the maintainers who apparently have a lot on their plate.