WordPress Plugin Flaw Lets Hackers Hijack Admin Accounts
Today's cybersecurity digest — CVEs, headline news, and something nerdy. March 31, 2026
cybr.cx Daily Digest — March 31, 2026
Critical Vulnerabilities
CVE-2026-5130 — WordPress Debugger & Troubleshooter Plugin (CVSS 8.8 HIGH)
The Debugger & Troubleshooter plugin for WordPress versions up to 1.3.2 has an unauthenticated privilege escalation flaw. Attackers can impersonate any user—including administrators—simply by setting a cookie with a target user ID. No authentication is required, and the cookie value is not cryptographically validated. If you're running this plugin, disable it immediately and audit for compromise.
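The weak pattern behind CVE-2026-5130 beside a hardened one, as an added Python illustration that is not the plugin's code (the cookie names, user table and server secret are assumptions): the vulnerable path trusts a cookie-supplied user ID outright, while the hardened path accepts only an ID bound to an expiry and a server-side HMAC, rejecting forged or stale tokens. WordPress core's own auth cookies are signed in this manner, which is why a plugin must not introduce its own unsigned shortcut around them.

```python
import hmac
import hashlib
import time

# Constructed stand-in for the WordPress users table (assumption).
USERS = {1: "admin", 2: "editor"}

# Assumption: in real code this is loaded from server-side configuration.
SERVER_SECRET = b"constructed-server-side-secret"


def resolve_user_unsafe(cookies):
    """Vulnerable pattern from the advisory: the user ID in the cookie is trusted as-is,
    so anyone who sets debug_user_id=1 is treated as the administrator."""
    raw = cookies.get("debug_user_id")
    if raw is None or not raw.isdigit():
        return None
    return USERS.get(int(raw))


def issue_token(user_id, ttl=3600, now=None):
    """Hardened form: bind the user ID to an expiry and a server-side HMAC tag."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}|{now + ttl}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def resolve_user_safe(cookies, now=None):
    """Accept the cookie only if the tag verifies under the server secret and the token
    has not expired; any alteration of the user ID or expiry invalidates the tag."""
    token = cookies.get("debug_session")
    if token is None:
        return None
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user_id, expiry, tag = parts
    expected = hmac.new(SERVER_SECRET, f"{user_id}|{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(tag, expected):
        return None
    now = int(time.time()) if now is None else now
    if not expiry.isdigit() or int(expiry) < now:
        return None
    return USERS.get(int(user_id)) if user_id.isdigit() else None
```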
CVE-2026-5211 — D-Link NAS Devices (CVSS 8.8 HIGH)
A command injection vulnerability affects over 20 D-Link NAS models including DNS-320, DNS-325, DNS-345, and the DNR series. The flaw is in /cgi-bin/app_mgr.cgi, where remote attackers can inject commands through the f_dir parameter. Many of these devices are end-of-life with no patches expected. Isolate from the internet or replace.
CVE-2026-5152/5154/5155/5156/5204 — Tenda CH22 Router (CVSS 8.8 HIGH)
Five separate stack-based buffer overflow vulnerabilities in Tenda CH22 firmware 1.0.0.1 across multiple handlers. All are remotely exploitable with public exploits available. If you have Tenda CH22 devices deployed, assume they're compromised if internet-facing.
CVE-2026-32920 — OpenClaw (CVSS 8.4 HIGH)
OpenClaw before version 2026.3.12 auto-loads plugins from workspace directories without trust verification. Cloning a malicious repository and running OpenClaw from that directory executes attacker-controlled code. Update immediately or audit any repositories you've recently cloned.
Headline News
Axios NPM Package Hit by Supply Chain Attack
The popular Axios HTTP client library for JavaScript has been compromised in a supply chain attack, according to analysis shared on GitHub and heavily discussed across Reddit's security communities. The attack appears to have injected malicious code into the npm package, potentially affecting millions of downstream applications that depend on the library. Practitioners should immediately audit their package-lock.json files, pin to known-good versions, and review recent builds for unexpected network activity. This continues the concerning trend of threat actors targeting widely-used open source dependencies—Axios alone sees over 40 million weekly downloads.
Flock Safety Cameras Spark National Security Concerns
A highly-upvoted Reddit discussion (623 upvotes) has reignited debate over Flock Safety's license plate reader cameras deployed across US neighborhoods and cities. Security professionals are raising concerns about the centralised database of vehicle movements, data retention policies, and potential for abuse or breach. The discussion highlights that Flock's network effectively creates a nationwide surveillance infrastructure operated by a private company with limited oversight. For security teams, this is a reminder that third-party surveillance tech in your physical environment represents both an asset and a potential threat vector.
Anthropic's Claude Source Code Allegedly Leaked
A Twitter post claiming to contain leaked Claude source code gained significant traction on r/cybersecurity (421 upvotes). While the authenticity and scope of the leak remain unverified, the security community is analysing the materials for insights into model architecture and potential vulnerabilities. If legitimate, this represents a significant IP breach for Anthropic and could expose implementation details useful to adversaries. Organizations using Claude in production should monitor for any follow-on advisories.
Nerdy Corner
Microsoft's updated Copilot terms of service now include language stating the AI assistant is "for entertainment purposes only." Yes, the tool Microsoft is aggressively pushing into enterprise workflows, email, and document creation apparently belongs in the same legal category as a fortune cookie. One can only assume this is the legal team's answer to hallucination liability. Perhaps we should all add similar disclaimers to our incident reports—"this breach notification is for entertainment purposes only."