**WordPress Forum Bug Lets Any User Wipe Server Files**
Today's cybersecurity digest — CVEs, headline news, and something nerdy. April 04, 2026
cybr.cx Daily Digest — April 04, 2026
Critical Vulnerabilities
CVE-2026-3666 | wpForo Forum (WordPress) | CVSS 8.8 | HIGH
Any authenticated user — subscriber-level and above — can delete arbitrary files on the server by embedding path traversal sequences in forum posts. On a shared host, this could mean wiping configuration files, disabling plugins, or destabilising the entire site. All versions through 2.4.16 are affected; patch or disable the plugin immediately.
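As an added illustration (not code from wpForo or from this digest), this is the defensive pattern that closes the bug class above: a delete handler that resolves the user-supplied name against the attachment directory and refuses anything that escapes it, whether through `..`, an absolute path or a symlink. The `demo()` layout and file names are constructed for the example.

```python
import tempfile
from pathlib import Path


def resolve_within(base_dir, user_path):
    """Resolve user_path relative to base_dir and return it only if the
    final, symlink-resolved location is strictly inside base_dir.
    Absolute paths, '..' sequences and symlinks pointing outside all fail."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()  # an absolute user_path replaces base here
    if target == base or base not in target.parents:
        raise PermissionError(f"path escapes {base}: {user_path!r}")
    return target


def delete_attachment(base_dir, user_path):
    """Hardened delete handler. The flawed pattern is unlinking
    os.path.join(base_dir, user_path) with no containment check."""
    target = resolve_within(base_dir, user_path)
    if not target.is_file():
        raise FileNotFoundError(user_path)
    target.unlink()
    return target


def demo():
    """Constructed layout: <tmp>/wp-config.php next to <tmp>/attachments/.
    Returns the outcome of three delete requests and whether the config survived."""
    root = Path(tempfile.mkdtemp())
    attachments = root / "attachments"
    attachments.mkdir()
    (attachments / "img.png").write_bytes(b"\x89PNG")
    (root / "wp-config.php").write_text("<?php // constructed stand-in\n")
    requests = ["../wp-config.php", str(root / "wp-config.php"), "img.png"]
    statuses = []
    for name in requests:
        try:
            statuses.append(f"deleted {delete_attachment(attachments, name).name}")
        except PermissionError:
            statuses.append("rejected")
    return statuses, (root / "wp-config.php").exists()


if __name__ == "__main__":
    print(demo())
```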
CVE-2018-25251 | Snes9K 0.0.9z | CVSS 8.4 | HIGH
A buffer overflow in the Netplay Socket Port Number field allows local attackers to overwrite the SEH chain and execute arbitrary code via a crafted payload. Yes, this is a SNES emulator from 2018 getting a CVE in 2026 — but retro tooling lives on in surprising places (CTF boxes, legacy lab environments). Don't ignore it.
CVE-2018-25255 | 10-Strike LANState 8.8 | CVSS 8.4 | HIGH
Maliciously crafted LSM map files can overflow a buffer in the ObjCaption parameter, overwrite the SEH chain, and execute shellcode when opened. Another elderly local-exploit CVE surfacing now — network mapping tools like this persist in OT/IT environments well past their support window. If it's still running, it's a risk.
CVE-2015-10148 | Hirschmann HiLCOS (OpenBAT, WLC, BAT300, BAT54) | CVSS 8.2 | HIGH
These devices ship with identical default SSH and SSL keys that cannot be changed, enabling any attacker with network access to perform MitM attacks, decrypt management traffic, or impersonate devices wholesale. A decade-old vulnerability finally getting formal scoring — if any of these are in your OT or industrial wireless infrastructure, treat them as fully compromised until replaced.
CVE-2026-4896 | WCFM Frontend Manager for WooCommerce (≤6.7.25) | CVSS 8.1 | HIGH
Missing validation of user-supplied input across multiple AJAX actions enables IDOR attacks — authenticated attackers can manipulate orders, delete products, and modify articles belonging to other users. WooCommerce multi-vendor shops are the target. Update to 6.7.26 or later.
CVE-2026-22661 / CVE-2026-22665 | prompts.chat (pre-commit 0f8d4c3 / 1464475) | CVSS 8.1 | HIGH
Two separate issues in the AI prompt-sharing platform: a zip-slip path traversal allowing arbitrary file writes on client systems, and an identity confusion flaw enabling account impersonation via case-variant usernames. If you self-host or contribute to this project, pull the latest commits and audit any uploaded skill archives.
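An added example, not code from prompts.chat, showing the canonicalisation step that prevents the case-variant identity confusion described above: every username is mapped to one key (NFKC normalisation plus casefold) before uniqueness checks and lookups, so "Alice", "ALICE" and full-width "ａｌｉｃｅ" all collide with "alice". The `UserRegistry` class and sample names are constructed for this example.

```python
import unicodedata


def canonical_username(name: str) -> str:
    """Map a username to the single key used for uniqueness checks and lookups.
    NFKC folds compatibility forms (full-width letters, ligatures) and
    casefold() is stricter than lower() (e.g. 'ß' -> 'ss')."""
    key = unicodedata.normalize("NFKC", name.strip()).casefold()
    if not key or not key.isprintable() or any(c.isspace() for c in key):
        raise ValueError(f"invalid username: {name!r}")
    return key


class UserRegistry:
    """Constructed stand-in for an account store keyed by canonical name."""

    def __init__(self):
        self._by_key = {}  # canonical key -> display name as registered

    def register(self, display_name: str) -> str:
        key = canonical_username(display_name)
        if key in self._by_key:
            # Doing this check on the raw string instead is the flaw: 'Alice'
            # and 'alice' become two accounts that sessions or ACLs later
            # treat as one.
            raise ValueError(f"{display_name!r} collides with {self._by_key[key]!r}")
        self._by_key[key] = display_name
        return key

    def lookup(self, name: str):
        return self._by_key.get(canonical_username(name))


def collisions(*names):
    """Return, in order, the names refused because an equivalent one exists."""
    reg = UserRegistry()
    refused = []
    for n in names:
        try:
            reg.register(n)
        except ValueError:
            refused.append(n)
    return refused


if __name__ == "__main__":
    print(collisions("alice", "Alice", "ALICE", "ａｌｉｃｅ", "bob"))
```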
Headline News
FBI Confirms Major Network Breach
The FBI has formally classified a compromise of its internal networks as a "major incident" — a designation reserved for breaches likely to cause demonstrable harm to U.S. national interests or expose sensitive data at scale. Details remain limited, but the classification triggers mandatory reporting and remediation obligations under federal incident response frameworks. For practitioners, the reminder is blunt: even the agencies tasked with investigating intrusions are not immune. The incident follows a period of heightened targeting of federal law enforcement and intelligence infrastructure, and will likely intensify scrutiny of lateral movement detection and zero-trust adoption timelines across government networks.
LinkedIn Allegedly Fingerprinting Installed Browser Extensions at Scale
A report alleges that LinkedIn — owned by Microsoft — has been silently scanning users' browsers for over 6,000 installed extensions and correlating that fingerprint with real-world identities, all without meaningful user consent. If accurate, this represents a significant expansion of browser-based profiling beyond typical tracking methods: installed extensions can reveal security tooling, internal enterprise software, sensitive personal interests, and even organisational affiliation. For blue teamers, this raises practical questions about what extension inventories look like to external parties and whether employees are inadvertently leaking operational tooling information simply by logging into LinkedIn. The story has attracted substantial attention across the security community and warrants close monitoring as Microsoft's response — or lack thereof — develops.
VPN Use as a Surveillance Trigger
A disclosure has raised concerns that use of commercial VPN services may be sufficient to flag Americans for warrantless surveillance under certain intelligence authorities — effectively penalising privacy-preserving behaviour. The implication is that tools widely recommended by the security community for protecting sensitive communications could paradoxically increase an individual's surveillance exposure. For practitioners advising clients or employees on operational security, this is a significant complication: the standard "use a VPN" guidance now carries legal and intelligence risk dimensions that vary depending on the user's context and jurisdiction. The story underscores the growing tension between privacy tooling and signals-intelligence collection frameworks.
Nerdy Corner
Researchers trained mRNA language models across 25 species for a total compute cost of approximately $165 — a figure that would have been absurd even three years ago. The project applies transformer-style architectures to biological sequence data, treating nucleotide sequences the way LLMs treat tokens, and the results apparently hold up scientifically. The security angle is left as an exercise to the reader, though "what happens when you fine-tune this on adversarial synthetic biology prompts" seems like a question someone will eventually get funding to answer. Bioinformatics pipelines, take note.