WordPress Plugin Flaw Lets Hackers Execute Code via File Upload
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 08, 2026
cybr.cx | Daily Digest — May 08, 2026
Critical Vulnerabilities
CVE-2026-6692 | Slider Revolution (WordPress) | CVSS 8.8
Slider Revolution versions 7.0.0–7.0.10 contain insufficient file type validation in the _get_media_url and _check_file_path functions, allowing any authenticated user — subscriber level or higher — to upload executable files and achieve remote code execution. Given Slider Revolution's ubiquity across WordPress installations, patch to 7.0.11 or later immediately and audit recent uploads from low-privilege accounts.
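An added example, not from the digest or the plugin vendor: one way to run the upload audit suggested above on the filesystem side, flagging executable extensions, handler overrides and PHP hidden in media files. The uploads path and the extension list are assumptions; tying a file to the account that uploaded it needs the access log or database, which this does not cover.

```python
import os
import time
from pathlib import Path

# Assumption: extensions a PHP handler commonly executes; match your server config.
EXEC_EXTS = {".php", ".phtml", ".phar", ".pht", ".php3", ".php4", ".php5", ".php7"}
OVERRIDE_NAMES = {".htaccess", ".user.ini"}  # change how a directory is interpreted


def classify(path):
    """Return why a file looks executable, or None if nothing stands out."""
    if path.name.lower() in OVERRIDE_NAMES:
        return "per-directory handler override"
    suffixes = [s.lower() for s in path.suffixes]
    if suffixes and suffixes[-1] in EXEC_EXTS:
        return "executable extension"
    if any(s in EXEC_EXTS for s in suffixes[:-1]):
        return "executable extension before final suffix"
    # A media extension does not prove media content: look for a PHP open tag.
    if b"<?php" in path.read_bytes().lower():
        return "PHP open tag in content"
    return None


def audit_uploads(root, since_days=None, now=None):
    """Return sorted (relative_path, reason) pairs; since_days filters by mtime."""
    root = Path(root)
    cutoff = None  # mtime can be forged, so since_days=None scans everything
    if since_days is not None:
        cutoff = (time.time() if now is None else now) - since_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                if cutoff is not None and path.stat().st_mtime < cutoff:
                    continue
                reason = classify(path)
            except OSError:
                continue  # unreadable or removed mid-scan
            if reason:
                findings.append((path.relative_to(root).as_posix(), reason))
    return sorted(findings)


if __name__ == "__main__":
    # Hypothetical path: a default WordPress uploads directory.
    for rel, why in audit_uploads("/var/www/html/wp-content/uploads", since_days=30):
        print(f"{why}\t{rel}")
```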
CVE-2026-3953 | Proticaret E-Commerce (Gosoft) | CVSS 8.8
A reflected XSS vulnerability affects Proticaret E-Commerce from v5.0.0 through V6.0.1767.1383. Attackers can inject malicious scripts via crafted URLs, potentially hijacking sessions or redirecting users. Merchants running this platform should upgrade to V6.0.1767.1383 or later without delay.
CVE-2026-5784 & CVE-2026-6002 | DivvyDrive | CVSS 8.8
Two separate XSS issues — one stored, one basic reflected — affect DivvyDrive versions 4.8.2.9 through 4.8.3.2. Stored XSS in particular is high-impact in a file-sharing context: an attacker with upload access could persist malicious payloads that execute in other users' browsers. Upgrade to 4.8.3.2 and review content stored on affected versions.
CVE-2025-14341 | DivvyDrive | CVSS 8.3
Unthrottled resource allocation in DivvyDrive (4.8.2.19–4.8.3.2) enables flooding and excessive allocation attacks. Combined with the XSS issues above, this makes unpatched DivvyDrive instances a particularly attractive target. Same fix: 4.8.3.2.
CVE-2026-7252 | WP-Optimize (WordPress) | CVSS 8.1
Insufficient file path validation in the unscheduled_original_file_deletion function allows author-level WordPress users to delete arbitrary files on the server. This could be weaponised to disable a site or destroy backups. All versions through 4.5.2 are affected; update immediately.
CVE-2026-33588 | Open Notebook v1.8.3 | CVSS 8.1
A path traversal flaw in Open Notebook's file upload functionality lets authenticated users create or modify files within the Docker container. If the container runs with elevated privileges or shares volumes with the host, the blast radius expands significantly. Check your containerisation hardening posture alongside patching.
CVE-2024-43384 | Unspecified device (low-privilege remote) | CVSS 8.0
A low-privileged remote attacker can recover the root password due to sensitive information not being scrubbed before storage or transfer — classic credential exposure. The sparse description is a red flag; organisations using embedded or industrial devices should consult their vendor advisories urgently to determine if their hardware is in scope.
Headline News
Americans sentenced for running North Korean laptop farms
Several US nationals have been sentenced for operating "laptop farm" schemes that helped North Korean IT workers fraudulently obtain remote employment at American companies — funnelling salaries back to Pyongyang. The operations involved routing remote connections through US-based laptops to disguise the workers' true locations, effectively laundering labour on behalf of a sanctioned state. For security teams, this is a reminder that insider threat vectors aren't always internal: malicious actors can embed themselves through the hiring pipeline rather than the network perimeter. Rigorous identity verification, device attestation, and anomaly detection on remote working patterns are no longer optional hygiene for organisations with distributed workforces.
ShinyHunters resurfaces with Canvas breach
The prolific threat actor group ShinyHunters appears to have claimed a breach of Canvas, with discussion among security practitioners circulating around the nature and scope of data potentially exposed. ShinyHunters has a well-documented history of large-scale credential and PII theft — prior targets have included major platforms affecting hundreds of millions of users — so any confirmed exfiltration should be taken seriously. If Canvas user data is involved, expect credential stuffing campaigns to follow as stolen records are cross-referenced against other services. Organisations whose employees use Canvas (widely deployed in education) should monitor for anomalous authentication activity and prompt password resets where appropriate.
Mirai-derived xlabs_v1 botnet targets exposed ADB interfaces
A newly documented Mirai variant, self-labelled xlabs_v1, is actively scanning for internet-exposed Android Debug Bridge interfaces to conscript IoT and Android-based devices into a DDoS-capable botnet. ADB was designed as a development tool and has no business being reachable from the public internet, yet exposed instances remain widespread — a recurring failure of device hardening at scale. The botnet's architecture follows familiar Mirai patterns but its targeting of ADB specifically suggests operators are hunting for smart TVs, set-top boxes, and embedded Android devices that rarely receive security attention. Network defenders should audit firewall rules for ADB port exposure (5555/TCP) and isolate IoT segments from internet-accessible interfaces.
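An added example, not from the original digest: a first-pass check of iptables-save output for ACCEPT rules that open 5555/tcp to any source. The sample ruleset is constructed, and the check reads each rule on its own without evaluating rule order, chain policy or negated matches.

```python
import ipaddress
import shlex

WANTED = ("-p", "-s", "-j", "--dport", "--dports")
# Constructed sample in iptables-save format, not taken from a real host.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 5555 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 5555 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 80,5000:6000 -m comment --comment "lab tv" -j ACCEPT
-A INPUT -p udp -m udp --dport 5555 -j ACCEPT
COMMIT
"""


def port_spec_covers(spec, port):
    """True if an iptables port spec ('5555', '5000:6000', '22,5555') includes port."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo or 0)
        high = int(hi) if hi else (65535 if sep else low)
        if low <= port <= high:
            return True
    return False


def source_is_any(src):
    """True if the -s value is absent or matches every address (/0)."""
    return src is None or ipaddress.ip_network(src, strict=False).prefixlen == 0


def exposed_adb_rules(ruleset, port=5555):
    """Return ACCEPT rules that open port/tcp to an unrestricted source."""
    hits = []
    for line in ruleset.splitlines():
        tok = shlex.split(line) if line.lstrip().startswith("-A ") else []
        if not tok or "!" in tok:
            continue  # not a rule, or uses negation: review those by hand
        opt = {f: v for f, v in zip(tok, tok[1:]) if f in WANTED}
        spec = opt.get("--dport") or opt.get("--dports")
        if (opt.get("-j") == "ACCEPT" and opt.get("-p") == "tcp" and spec
                and port_spec_covers(spec, port) and source_is_any(opt.get("-s"))):
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    print("\n".join(exposed_adb_rules(SAMPLE)))
```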
Schrödinger's Feed
Physicists at ParityQC and the University of Innsbruck have introduced the Parity Unfolded Distillation Architecture, a fault-tolerant quantum computing scheme designed to significantly reduce the resource overhead required for universal, error-corrected quantum computation. One of the persistent barriers to practical quantum advantage has been the enormous qubit overhead demanded by traditional fault-tolerance approaches — reducing that cost brings genuinely useful quantum systems meaningfully closer. This matters to cryptographers because the timeline to "harvest now, decrypt later" attacks becomes harder to dismiss as theoretical when fault-tolerant architectures become less resource-prohibitive. Practitioners deploying long-lived sensitive data should be tracking PQC migration progress with renewed urgency.
/dev/random
A privilege escalation vulnerability dubbed Dirtyfrag has landed in the Linux security community's lap, described as a universal local privilege escalation affecting the kernel. The name alone earns points — whoever said vulnerability naming has to be boring clearly hasn't met the memory fragmentation code paths. It's the kind of finding that makes sysadmins simultaneously impressed by the researcher and quietly furious at whatever ancient corner of the kernel is responsible. Patch notes incoming; existential dread about your fleet: already here.