TextPattern CMS Flaw Enables Full Remote Code Execution
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 17, 2026
cybr.cx Daily Digest — May 17, 2026
Critical Vulnerabilities
CVE-2021-47976 — TextPattern CMS 4.9.0-dev | CVSS 8.8
Authenticated attackers can exploit the plugin upload functionality to drop arbitrary PHP files into the textpattern/tmp/ directory, achieving full remote code execution. The attack chain requires authentication plus a harvested CSRF token — low bar if credentials are weak or reused. Patch or disable plugin upload functionality immediately.
CVE-2020-37227 — HS Brand Logo Slider 2.1 | CVSS 8.8
Client-side file extension validation is trivially bypassed by intercepting the upload request and renaming a file to .php. Any authenticated user — including low-privilege contributors — can gain RCE. If you're running this plugin, assume it's a liability until patched.
CVE-2021-47979 — WordPress Backup and Restore 1.0.3 | CVSS 8.8
Manipulating file_name and folder_name parameters in AJAX requests lets authenticated attackers delete arbitrary files from the WordPress installation. File deletion as a precursor to privilege escalation or site destruction makes this one worth patching ahead of the weekend.
CVE-2020-37242 / CVE-2020-37243 / CVE-2020-37244 — Supsystic Ultimate Maps 1.1.12, Pricing Table 1.8.7, Membership 1.4.7 | CVSS 8.2
All three Supsystic plugins share the same root problem: unauthenticated SQL injection via the sidx (and related) GET parameters exposed through getListForTbl actions. No authentication required. Attackers can extract full database contents via boolean-blind or time-based techniques. Pricing Table also carries a stored XSS. These are WordPress plugins — exposure is broad. Audit your installations.
CVE-2021-47954 — LayerBB 1.1.4 | CVSS 8.2
Unauthenticated SQL injection through the search_query parameter in /search.php allows database extraction via CASE WHEN statements. LayerBB is a niche forum platform, but unpatched internet-facing installs are a straightforward target.
CVE-2021-47956 — EgavilanMedia PHPCRUD 1.0 | CVSS 8.2
Unauthenticated SQL injection via the firstname parameter in insert.php. This is a demo/tutorial CRUD app that has no business running in production — but it does. Check your exposure.
Headline News
Fast16 Malware Linked to Sabotage of Iranian Nuclear Weapons Testing
Security researchers have now confirmed with high confidence that the Fast16 malware was responsible for disrupting nuclear weapons test infrastructure, with Iran as the most likely target. The implant appears designed for precision sabotage rather than espionage — manipulating physical processes in ways that would produce erroneous test results while remaining difficult to distinguish from mechanical failure. The operation draws direct comparisons to Stuxnet in both intent and sophistication, though Fast16 represents a distinct capability with its own tradecraft. For practitioners, this is a reminder that the most consequential cyberweapons aren't ransomware — they're the ones you never hear about until years later, and even then only partially.
Linux Kernel Logs Its Fourth SSH-Adjacent Flaw of the Month
Qualys researchers have flagged yet another Linux kernel vulnerability this month, this one creating conditions under which SSH host keys could be stolen. It's the fourth kernel-level security issue identified in May alone, a pace that should prompt any organisation running Linux infrastructure to audit its patch cadence urgently. SSH host key compromise is particularly damaging: it enables man-in-the-middle attacks against encrypted sessions and can undermine the trust model that secure remote access depends on entirely. With Linux underpinning the vast majority of cloud, server, and container workloads, defenders should treat this cluster of disclosures as a signal to prioritise kernel hardening and monitoring for anomalous key activity.
Apple M5 Sees First Privilege Escalation Exploit, With AI Assistance
Researchers have disclosed the first known privilege escalation exploit targeting Apple's M5 architecture, bypassing the chip's Memory Integrity Enforcement to achieve root access on macOS — and the research was conducted with material assistance from Anthropic's Claude Mythos AI model. The exploit demonstrates that AI-assisted vulnerability research has matured enough to accelerate work on cutting-edge hardware, not just legacy codebases. The security implications run in two directions: defenders gain a powerful tool for offensive research and red-teaming, but so does everyone else. Apple has not yet issued a public patch timeline. M5 deployments in enterprise and developer environments should be treated as elevated-risk until mitigations are confirmed.
Schrödinger's Feed
Xanadu — the photonic quantum computing company that went public earlier this year — has reported a fourfold increase in first-quarter revenue to $2.8 million, alongside plans for expanded manufacturing capacity. Photonic approaches are particularly interesting from a cryptography standpoint because photon-based qubits operate at room temperature and are inherently suited to quantum communication and quantum key distribution at scale. This is still early commercial numbers, but the trajectory matters: photonic quantum hardware getting cheaper and more accessible compresses the timeline for practical quantum attacks on classical cryptography. Practitioners who haven't started mapping their PKI and key exchange dependencies against NIST's finalised post-quantum standards are running out of runway to do it comfortably.
/dev/random
Someone has built a Windows 9x Subsystem for Linux — yes, that's WSL running Windows 95/98 inside Linux, the precise inverse of what Microsoft spent years engineering. It's the kind of project that exists purely because it shouldn't, which is historically the strongest possible motivation in open source. The real security question, obviously, is whether anyone will get CVEs filed against a Win98 subsystem running on a modern kernel — and whether "supported platform" definitions will need updating accordingly. Clippy could not be reached for comment.