██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

WordPress Plugin Flaw Lets Any User Become Admin

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. April 15, 2026

cybr.cx | Daily Digest — April 15, 2026


Critical Vulnerabilities

CVE-2026-5617 | WordPress "Login as User" Plugin | CVSS 8.8
Any authenticated user can escalate to administrator by forging the oclaup_original_admin cookie — there is zero server-side validation that the cookie was set during a legitimate admin-initiated session. If your WordPress stack uses this plugin at version 1.0.3 or below, treat it as a critical exposure and remove or update immediately.
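As an added illustration (not the plugin's code and not its vendor's fix), this is the server-side pattern that closes the class of bug described above: the browser cookie carries only a random lookup token, while the admin-to-user mapping, its expiry and its single use are all enforced in WordPress transients. Function and transient names prefixed cybr_ are hypothetical; only the cookie name comes from the advisory.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed cybr_ are
// hypothetical; the cookie name is the one from the advisory. The point:
// nothing in the cookie is trusted except as an opaque lookup key.

const CYBR_COOKIE = 'oclaup_original_admin';
define( 'CYBR_TTL', 15 * MINUTE_IN_SECONDS );   // short-lived switch window

/** Admin starts impersonation: record the switch server-side, hand the browser a random token. */
function cybr_start_login_as( int $target_user_id ): bool {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;                                // only a real admin may start this
    }
    $admin_id = get_current_user_id();
    $token    = wp_generate_password( 64, false, false ); // random, unguessable
    // Server-side record keyed by the token's hash; the raw token never hits the DB.
    set_transient(
        'cybr_switch_' . hash( 'sha256', $token ),
        [ 'admin' => $admin_id, 'target' => $target_user_id ],
        CYBR_TTL
    );
    setcookie( CYBR_COOKIE, $token, time() + CYBR_TTL, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true ); // Secure + HttpOnly
    wp_set_auth_cookie( $target_user_id );
    return true;
}

/** Switch back: the cookie value is only a key; every decision comes from the server-side record. */
function cybr_switch_back(): bool {
    $token = $_COOKIE[ CYBR_COOKIE ] ?? '';
    if ( $token === '' ) {
        return false;
    }
    $key    = 'cybr_switch_' . hash( 'sha256', $token );
    $record = get_transient( $key );
    if ( ! is_array( $record ) ) {
        return false;                                // forged, expired, or already used
    }
    delete_transient( $key );                        // one-shot: a replayed token fails here
    // The record must match the session that was actually switched into,
    // and the original admin must still hold the capability right now.
    if ( (int) $record['target'] !== get_current_user_id()
         || ! user_can( (int) $record['admin'], 'manage_options' ) ) {
        return false;
    }
    setcookie( CYBR_COOKIE, '', time() - 3600, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true ); // clear it
    wp_set_auth_cookie( (int) $record['admin'] );
    return true;
}
```

A forged cookie never matches a stored hash, so the switch-back path fails closed regardless of what the client sends.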

CVE-2026-27305 | Adobe ColdFusion 2023.18 / 2025.6 and earlier | CVSS 8.6
A path traversal flaw allows unauthenticated attackers to read arbitrary files outside the web root — no user interaction required. ColdFusion servers exposed to the internet should be patched or isolated now; this class of bug has a strong track record of being weaponised quickly.

CVE-2026-27306 | Adobe ColdFusion 2023.18 / 2025.6 and earlier | CVSS 8.4
An improper input validation bug enables arbitrary code execution, though it requires the attacker to already hold elevated privileges and trick a user into opening a malicious file. Paired with CVE-2026-27305, it forms a plausible read-then-execute attack chain worth taking seriously.

CVE-2026-34632 | Adobe Photoshop Installer | CVSS 8.2
An uncontrolled search path vulnerability in the installer lets a low-privileged local attacker plant a malicious DLL or binary that runs with the installing user's context. Relevant in shared workstation and lab environments — lock down installer directories and verify package integrity.

CVE-2026-27287 / CVE-2026-34631 | Adobe InCopy 20.5.2 / 21.2 and earlier | CVSS 7.8 each
One out-of-bounds read and one out-of-bounds write, both triggered by opening a crafted file, both leading to arbitrary code execution. InCopy is a frequent blind spot in patch cycles — editorial and production environments running older versions should update without delay.

CVE-2026-27292 / CVE-2026-27293 | Adobe Framemaker 2022.8 and earlier | CVSS 7.8 each
A use-after-free and a heap-based buffer overflow, again file-open triggered. Framemaker is niche but persistent in publishing and technical documentation workflows — if it's in your environment, patch it before someone sends a "proof file" via email.


Headline News

Microsoft April Patch Tuesday: 165 CVEs, One Already Being Exploited
Microsoft's April patch cycle landed with 165 fixes — one of the largest single-month drops in recent memory. Among them, a spoofing vulnerability in SharePoint Server was confirmed to have been actively exploited in the wild before the patch was available, meaning some organisations were already exposed before today. A separate CVE had been publicly disclosed prior to patching after a researcher apparently lost patience with the disclosure process. For defenders, SharePoint exposure is the immediate priority; anything internet-facing or reachable from an untrusted network should be considered compromised until patched and reviewed.

Microsoft's April Patch Tuesday: Massive Fix Drop Includes Actively Exploited SharePoint Flaw
The SharePoint spoofing flaw is particularly concerning because SharePoint remains deeply embedded in enterprise document workflows and intranet infrastructure. Spoofing vulnerabilities in authenticated platforms can enable session hijacking, credential theft, or lateral movement if exploited as part of a broader campaign. The sheer volume of patches this cycle — spanning Windows components, Office, and server software — will stretch patching pipelines for many teams. Practitioners should triage by exploitability and exposure rather than CVSS score alone, given that the actively exploited flaw may not carry the highest numerical rating.

Young Hacker Behind "Historic" Breach Speaks Before Prison Sentence
A young hacker described as responsible for a breach characterised as historically significant has spoken publicly for the first time ahead of reporting to prison. The case is a notable data point in the ongoing conversation about how technically skilled but loosely affiliated individuals — often teenagers acting without formal criminal infrastructure — manage to compromise organisations that have substantial security budgets. The hacker described the activity as compulsive, framing it less as calculated criminality and more as an escalating habit. For practitioners, the reminder is an uncomfortable one: some of the most damaging intrusions aren't sophisticated nation-state operations but individuals exploiting basic misconfigurations and social engineering at scale.


Schrödinger's Feed

"Giant Superatoms" and Frictionless Electrons: A Quantum Hardware Moment Worth Watching

Scientists have observed electrons in graphene behaving as a nearly frictionless quantum liquid — a result that defies conventional solid-state physics and points toward exotic new hardware possibilities. This kind of fundamental discovery doesn't translate to cryptographic risk overnight, but it's exactly the class of breakthrough that has historically shortened the gap between "theoretically interesting" and "practically threatening." Quantum error correction is simultaneously advancing rapidly, with new decoding architectures demonstrating the ability to generalise across different qubit topologies — a key bottleneck on the path to fault-tolerant machines. Practitioners who haven't started their post-quantum cryptography migration inventory should treat every headline like this as another nudge: the timeline is uncertain, but it is not lengthening.


/dev/random

The Ancient Enemy of the Home Office: Static Electricity

A writeup resurfaced this week documenting one engineer's genuinely baffling debugging journey: a monitor that intermittently went black, blinked, and shut off — traced eventually not to drivers, cables, or GPU failure, but to static electricity discharging from their office chair. The fix involved grounding straps and anti-static matting rather than anything in a driver update or firmware changelog. It's a useful reminder that not every incident has a software root cause, and that sometimes the threat actor is literally the carpet. Rubber-soled shoes were, briefly, a valid remediation step.