Tenda Router Flaw Lets Hackers Strike—No Password Needed
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. April 26, 2026
cybr.cx — Daily Digest | April 26, 2026
Critical Vulnerabilities
CVE-2026-6988 — Tenda HG10 Router | CVSS 8.8 (High)
A remotely exploitable buffer overflow in the formRoute function of Tenda HG10's Boa web service allows unauthenticated attackers to potentially execute arbitrary code by manipulating the nextHop argument. A public exploit exists. If you have these routers on the network — common in SMB and residential ISP deployments — treat patching or network segmentation as urgent; Boa-based services on consumer-grade kit rarely get rapid vendor responses.
CVE-2026-41651 — Linux PackageKit ("Pack2TheRoot") | CVSS 8.8 (High)
A 12-year-old privilege escalation flaw in PackageKit allows any unprivileged local user to install or remove system packages without authorisation, effectively gaining root-level control. The vulnerability has sat quietly in countless Linux distributions since ~2014. Local access is required, but on shared systems, dev boxes, or containers where users have shell access, the blast radius is significant — patch now and audit who has interactive logins.
CVE-2026-6977 — vanna-ai/vanna ≤2.0.2 | CVSS 7.3 (High)
Improper authorisation in vanna-ai's legacy Flask API allows remote attackers to bypass access controls without authentication. The vendor has not responded to disclosure. Vanna is widely used in AI/data science workflows for natural language SQL interfaces — if it's exposed on any internal or external network endpoint, assume it's reachable and act accordingly until a patch materialises.
CVE-2026-6980 — GitPilot-MCP | CVSS 7.3 (High)
Command injection via the repo_path argument in this Model Context Protocol tool allows remote code execution. The project has no versioning scheme, making patch tracking difficult. MCP tooling is increasingly embedded in AI-assisted developer workflows — a reminder that the expanding AI toolchain surface area deserves the same scrutiny as any other internet-exposed service.
CVE-2026-6987 — PicoClaw ≤0.2.4 | CVSS 7.3 (High)
The /api/gateway/restart endpoint in PicoClaw's web management plane is vulnerable to remote command injection. No vendor response to date. Management plane exposure is a consistent theme this week — if these interfaces aren't behind strict network controls, they're a trivial entry point.
CVE-2026-6992 — Linksys MR9600 2.0.6.206937 | CVSS 7.2 (High)
OS command injection through the pin argument in the JNAP Action Handler allows remote attackers to execute arbitrary commands. A public exploit is available, and the vendor did not respond to disclosure. The MR9600 is a prosumer mesh router — likely present in home offices and small businesses that won't see a firmware update for months.
Headline News
Firestarter Malware Digs Into Cisco Firewall Firmware
Joint advisories from US and UK cybersecurity agencies are warning of a sophisticated custom implant called Firestarter that persists on Cisco Firepower and Secure Firewall devices — surviving both software updates and security patches. The malware targets devices running ASA or Firepower Threat Defense (FTD) software, embedding itself at a level that standard remediation workflows don't reach. This is the kind of capability associated with well-resourced nation-state actors who have learned that perimeter devices make ideal persistent footholds: they're trusted, rarely monitored internally, and often excluded from EDR coverage. For defenders, the immediate action is to verify the integrity of firewall firmware out-of-band, consult Cisco's published indicators of compromise, and treat any device showing anomalous behaviour as potentially implanted rather than merely misconfigured.
Pack2TheRoot: A 12-Year-Old Linux Privilege Escalation Bug Surfaces
A critical local privilege escalation vulnerability in PackageKit, dormant for roughly twelve years across mainstream Linux distributions, has been publicly disclosed as CVE-2026-41651. The flaw allows unprivileged users to install or remove packages at the system level — a capability that maps cleanly to post-exploitation techniques for establishing persistence or deploying secondary payloads. The long lifespan of the bug is the uncomfortable part: it predates many current security audit frameworks and has likely been present in countless hardened build images that teams considered clean. Administrators should audit PackageKit exposure on all Linux hosts, prioritise patching on shared infrastructure, and review logs for suspicious package operations going back as far as available retention allows.
Toronto Police Seize SMS Blasters — A First for Canada
Toronto police have seized so-called "SMS blasters" — rogue cellular base station hardware capable of impersonating legitimate cell towers and sending fraudulent SMS messages directly to nearby mobile devices, bypassing carrier infrastructure entirely. The seizure marks the first documented law enforcement action against this category of hardware in Canada, though the technology has been used in smishing campaigns in Asia, Europe, and the US for several years. The practical threat is significant: messages delivered via SMS blaster arrive without the normal carrier-side filtering or spam detection, making them substantially more convincing as phishing lures. Security teams should treat this as a signal that the technique is now operational in North American threat actor playbooks, and consider refreshing user awareness training around unexpected SMS messages requesting credential or payment actions.
Schrödinger's Feed
A newly published executive summary from Global Quantum Intelligence is drawing attention for one specific claim: the security community's long-standing focus on RSA-2048 as the primary Q-Day benchmark may be setting the wrong clock. The report argues that the relevant attack surface is broader and the timeline more compressed than consensus estimates suggest, pointing to asymmetries between what's being publicly disclosed and what advanced programmes may already be operating. Separately, Coinbase advisers have issued warnings that quantum decryption poses a credible near-term risk to blockchain encryption schemes — and that the window for orderly migration is closing faster than most asset custodians have planned for. For practitioners, the practical upshot isn't panic but pipeline: NIST's post-quantum standards are finalised, and the organisations still in "monitor and wait" mode are accumulating cryptographic debt that gets harder to service the longer it sits.
/dev/random
Someone has rendered Hokusai's The Great Wave off Kanagawa — one of the most recognised artworks in human history — in pure 1-bit pixel art, and it works disturbingly well. The technique constrains the artist to two states: pixel on, pixel off. No gradients, no anti-aliasing, no cheating. It's either a very apt metaphor for binary logic or just a beautiful piece of craft, depending on how far into your Sunday you want to philosophise. Either way, 19th-century Japanese woodblock printing and 1970s display hardware have no business looking this good together.