WordPress Plugin Flaw Lets Editors Hijack Admin Accounts
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 16, 2026
cybr.cx | Daily Digest — May 16, 2026
Critical Vulnerabilities
CVE-2026-6228 | Frontend Admin by DynamiApps (WordPress) | CVSS 8.8 — HIGH
Editors on any WordPress site running Frontend Admin ≤ 3.28.36 can escalate their own privileges to administrator level. The root cause is a misconfigured capability_type on the admin_form post type, which hands editors permissions they were never meant to have. If your site allows untrusted editors or user-generated content submissions via this plugin, treat this as critical and update immediately.
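As an added illustration (not code from the Frontend Admin plugin), the two ways a WordPress custom post type can be gated, using the admin_form slug from the advisory. The argument values and capability names below are assumed; only the slug and the capability_type mechanism come from the write-up.

```php
<?php
// Added illustration only, not code from the Frontend Admin plugin. The
// 'admin_form' slug is from the advisory; the argument values are assumed.

// Weak: capability_type 'post' makes WordPress gate this type behind the
// ordinary post capabilities (edit_posts, edit_others_posts, publish_posts,
// delete_others_posts ...), all of which the built-in Editor role already
// holds. Whatever these forms control, an Editor can now create and edit them.
function register_admin_form_weak() {
    register_post_type( 'admin_form', array(
        'public'          => false,
        'show_ui'         => true,
        'capability_type' => 'post',
    ) );
}

// Hardened: a dedicated capability type plus map_meta_cap makes WordPress
// derive type-specific primitives (edit_admin_forms, edit_others_admin_forms,
// publish_admin_forms, delete_admin_forms ...) that no default role holds.
function register_admin_form_hardened() {
    register_post_type( 'admin_form', array(
        'public'          => false,
        'show_ui'         => true,
        'capability_type' => array( 'admin_form', 'admin_forms' ),
        'map_meta_cap'    => true,
    ) );
}
add_action( 'init', 'register_admin_form_hardened' );

// Grant those primitives to administrators only. Role capabilities persist
// in the database, so run this once, e.g. from the activation hook.
function grant_admin_form_caps() {
    $admin = get_role( 'administrator' );
    if ( ! $admin ) {
        return;
    }
    $caps = array(
        'edit_admin_forms', 'edit_others_admin_forms', 'edit_private_admin_forms',
        'edit_published_admin_forms', 'publish_admin_forms', 'read_private_admin_forms',
        'delete_admin_forms', 'delete_others_admin_forms', 'delete_private_admin_forms',
        'delete_published_admin_forms',
    );
    foreach ( $caps as $cap ) {
        $admin->add_cap( $cap );
    }
}
register_activation_hook( __FILE__, 'grant_admin_form_caps' );

// Audit helper: reports whether the Editor role holds the type's edit primitive.
function editor_can_manage_admin_forms() {
    $editor = get_role( 'editor' );
    return $editor ? $editor->has_cap( 'edit_admin_forms' ) : false;
}
```

With the hardened registration in place the audit helper is how a site owner confirms that Editors were actually locked out rather than assuming it from the plugin changelog.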
CVE-2021-47964 | Schlix CMS 2.2.6-6 | CVSS 8.8 — HIGH
Authenticated attackers can achieve remote code execution by uploading a crafted ZIP file through the block manager's extension upload feature. The malicious PHP payload inside packageinfo.inc executes when the About tab is loaded — no additional steps required. Any Schlix installation exposed to the internet with multiple user accounts should be patched or isolated now.
CVE-2021-47966 | PHP Timeclock 1.04 | CVSS 8.2 — HIGH
The login page accepts unsanitised SQL in the login_userid parameter, allowing completely unauthenticated attackers to dump the entire database via time-based and boolean blind injection. Employee credentials and personal data are directly at risk. PHP Timeclock is legacy software still running in surprising numbers of SMB environments — if you have it, replace or firewall it today.
CVE-2026-4094 | FOX Currency Switcher for WooCommerce (WordPress) | CVSS 8.1 — HIGH
Any authenticated user with Contributor-level access or above can wipe an entire multi-currency configuration simply by visiting any wp-admin page — no deliberate exploit URL required. The admin_head function lacks a capability check entirely. The impact is immediate business disruption to any WooCommerce store relying on multi-currency pricing; update to 1.4.6 or later.
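The missing-check pattern the advisory describes, shown as an added example beside a guarded version; this is illustrative code, not the FOX Currency Switcher source. The option name, the manage_woocommerce capability and the exact work done on admin_head are assumptions.

```php
<?php
// Added illustration only, not the FOX Currency Switcher code. The option
// name, capability and the exact work done on admin_head are assumed.

// Weak: admin_head fires on every wp-admin page for every logged-in user,
// Contributors included. Nothing here asks whether the current user may
// change store settings, so the settings are rewritten on any admin page view.
function currency_admin_head_weak() {
    update_option( 'currency_switcher_settings', currency_default_settings() );
}
// add_action( 'admin_head', 'currency_admin_head_weak' );  // the vulnerable hook-up

// Hardened: the destructive operation moves to an admin_post handler that
// only runs for an explicit POST, checks the capability that matches the
// action, and verifies a nonce so an administrator cannot be made to
// trigger it from a page on another site.
function currency_reset_handler() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Method not allowed.', '', array( 'response' => 405 ) );
    }
    check_admin_referer( 'currency_reset', 'currency_reset_nonce' );
    update_option( 'currency_switcher_settings', currency_default_settings() );
    wp_safe_redirect( add_query_arg( 'reset', 'done', admin_url( 'admin.php?page=currency-switcher' ) ) );
    exit;
}
add_action( 'admin_post_currency_reset', 'currency_reset_handler' );

// The settings page renders the form with the matching nonce; the button is
// only shown to users who hold the capability.
function currency_reset_form() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return;
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="currency_reset">';
    wp_nonce_field( 'currency_reset', 'currency_reset_nonce' );
    submit_button( 'Reset currency settings', 'delete' );
    echo '</form>';
}

// Assumed default settings used by both versions.
function currency_default_settings() {
    return array( 'currencies' => array( 'USD' ), 'default' => 'USD' );
}
```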
CVE-2026-46367 | phpMyFAQ < 4.1.2 | CVSS 7.6 — HIGH
A stored XSS in Utils::parseUrl() lets authenticated users inject JavaScript via malformed URLs in FAQ comments. When an admin views the affected page, their session cookie is exposed — handing attackers full application takeover. Upgrade to 4.1.2; also see CVE-2026-46359 (same version, SQL injection via OAuth token claims from Azure AD display names), which pairs dangerously with this one.
CVE-2026-6403 | Quick Playground (WordPress) | CVSS 7.5 — HIGH
An unauthenticated path traversal in the qckply_zip_theme() function lets anyone supply directory traversal sequences via the stylesheet parameter, with no login of any kind required. Disable or remove the plugin immediately if running version 1.3.3 or below.
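How a theme slug taken from a request should be resolved before anything is archived, as an added example rather than the Quick Playground code. The qckply_zip_theme() name and the stylesheet parameter are from the advisory; the validation function, its capability check and its error codes are assumptions.

```php
<?php
// Added illustration only, not the Quick Playground code. The advisory names
// the qckply_zip_theme() function and its 'stylesheet' parameter; the
// validation function below and its capability are assumed.

// Weak: the request value is joined onto the themes directory unchanged, so
// a slug containing "../" segments selects a directory outside wp-content/themes.
function theme_dir_weak( $stylesheet ) {
    return get_theme_root() . '/' . $stylesheet;
}

// Hardened: resolve the slug to a directory only if it is a plain slug, names
// an installed theme, and canonicalises to a path inside the themes root.
// Returns the directory to archive, or a WP_Error the caller must honour.
function theme_dir_hardened( $stylesheet ) {
    // The advisory's flaw was reachable without login; archiving a theme
    // should be restricted to users allowed to manage themes.
    if ( ! current_user_can( 'switch_themes' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed.', array( 'status' => 403 ) );
    }
    // Theme slugs are directory names; anything else is rejected outright.
    if ( ! is_string( $stylesheet ) || ! preg_match( '/^[A-Za-z0-9_-]+$/', $stylesheet ) ) {
        return new WP_Error( 'bad_slug', 'Invalid theme slug.', array( 'status' => 400 ) );
    }
    // Allow-list: only a theme WordPress can actually see.
    $theme = wp_get_theme( $stylesheet );
    if ( ! $theme->exists() ) {
        return new WP_Error( 'not_found', 'Unknown theme.', array( 'status' => 404 ) );
    }
    // Defence in depth: canonicalise and confirm containment (symlinks included).
    $root = realpath( $theme->get_theme_root() );
    $dir  = realpath( $theme->get_stylesheet_directory() );
    if ( false === $root || false === $dir
        || 0 !== strpos( $dir, $root . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'escape', 'Theme path outside themes root.', array( 'status' => 400 ) );
    }
    return $dir;
}
```

The slug regex alone would stop the traversal described in the advisory; the wp_get_theme() lookup and the realpath containment check are there so the function stays safe if the slug rules are later relaxed.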
Headline News
Microsoft Exchange zero-day under active exploitation
Microsoft has disclosed a zero-day vulnerability in Exchange Server that is already being exploited in the wild, pushing the flaw straight to the top of incident response queues. Details on the specific attack vector remain limited, but active exploitation prior to a patch being widely applied is the worst-case disclosure scenario for on-premises Exchange operators — a category of infrastructure that has been hammered relentlessly for the past several years. Security teams should treat this as a priority-one patching event, apply any available mitigations immediately, and review Exchange-facing logs for anomalous activity going back at least 30 days. The timing is particularly uncomfortable given that Exchange was also demonstrated as hackable at Pwn2Own within the same window, with researchers successfully chaining zero-days against both Exchange and Windows 11 on day two of the competition — a reminder that the attack surface remains fertile ground for motivated adversaries.
OpenAI confirms breach via TanStack supply chain attack
OpenAI has confirmed it was affected by a supply chain compromise involving the TanStack open-source JavaScript library ecosystem, underscoring once again that even well-resourced AI companies are not immune to third-party dependency risk. The attack followed the now-familiar playbook: a malicious package or update propagated through a trusted dependency, reaching downstream consumers before detection. For practitioners, the incident is a useful data point in the ongoing argument for aggressive software composition analysis (SCA) tooling and tighter controls around automatic dependency updates in CI/CD pipelines. The breach also raises pointed questions about the security posture of AI development environments specifically — these systems often handle sensitive training data, model weights, and API credentials that represent high-value targets well beyond conventional application assets.
F5 patches 18-year-old heap overflow in NGINX, found by AI
F5 has patched a heap buffer overflow in NGINX's rewrite module that reportedly sat undetected for approximately 18 years — and was ultimately discovered not by a human researcher but by an AI-assisted vulnerability analysis tool, in what is being called the "Rift" vulnerability. The flaw lives in one of the most widely deployed web server components on the internet, meaning the potential blast radius during that dormant period was enormous. The find reinforces a growing body of evidence that AI tooling is beginning to surface vulnerability classes and code paths that human auditors, even skilled ones, consistently miss — particularly in mature, heavily reviewed codebases where familiarity breeds complacency. Security teams relying on NGINX should patch immediately and treat this as a prompt to revisit assumptions about "well-audited" infrastructure code.
Schrödinger's Feed
China's quantum computing programme is the subject of unusually direct geopolitical framing this week, with analysis from within the quantum industry making explicit what has long been implicit: that the hardware race between the US and China is no longer primarily a scientific competition but a strategic one, with cryptographic infrastructure as a central prize. The logic is straightforward — whoever achieves cryptographically relevant quantum capability first gains, at least temporarily, the ability to decrypt adversaries' archived encrypted communications under "harvest now, decrypt later" strategies already believed to be underway. Meanwhile, both IonQ and Chinese firm Origin Quantum have expanded physical laboratory infrastructure, suggesting the pace of hardware development is accelerating across both sides of that divide. Practitioners should be watching not just NIST PQC rollout timelines but geopolitical quantum milestones — the threat model is evolving faster than most migration roadmaps.
/dev/random
Project Zero has published a full 0-click exploit chain targeting the Pixel 10 — Google's own security research team, demonstrating a zero-interaction compromise of Google's own flagship phone, and posting it publicly for all to enjoy. There is something almost performance-art about the arrangement: the same company that makes the device, funds the team that breaks it, then tells everyone how they did it. The chain reportedly requires no user interaction whatsoever, which is the technical definition of "you didn't do anything wrong and it still happened." Google's transparency here is genuinely commendable — though we imagine the Pixel marketing team had a fairly spirited conversation with Project Zero about the timing.