Cybersecurity
Weekly CVE deep dives. Real-world analysis. No fluff.
CVE-2026-21683: When the Tag Lied About What It Was
A C-style downcast inside the iccDEV ICC profile evaluator trusted attacker-controlled file contents to be the type the function expected. When they weren't, a virtual call landed somewhere it had no business being.
CVE-2025-69359: The WordPress LMS That Forgot to Ask Who You Are
A medium-severity Missing Authorization flaw in WPFunnels' Creator LMS plugin (versions ≤ 1.1.12) — Patchstack's catalogue entry says "Broken Access Control," CVSS 5.3, no authentication required to reach the affected functionality. This is one of the most boring and most common shapes of WordPress plugin vulnerability, and it's worth the post precisely *because* it is boring.
CVE-2026-0640: When sscanf Became gets() Again
A stack buffer overflow in the `/goform/PowerSaveSet` HTTP handler on Tenda's AC23 router (firmware ≤ V16.03.07.52). The root cause is a single `sscanf` call whose conversions carry no field width: it parses an attacker-controlled POST parameter into fixed-size stack buffers, which makes each of its four conversions the scanf-family equivalent of calling `gets()`, four times over in one line.
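The two parser shapes side by side, as an added example that is not Tenda's firmware code: the field names, the comma-separated parameter layout and the 32-byte buffer sizes are assumed here for illustration. The hardened version rejects over-long fields instead of silently truncating them, which is the check a reviewer would ask for.

```cpp
#include <cstdio>
#include <cstring>

// Four fixed-size stack buffers, as a handler of this shape would declare them
// (names and sizes are assumptions of this example).
struct PowerSaveArgs {
    char startTime[32];
    char endTime[32];
    char weekDays[32];
    char mode[32];
};

// The vulnerable shape: four conversions, none with a field width, so each one
// copies until its delimiter regardless of input length. Any field longer than
// 31 bytes overruns its buffer (undefined behaviour). Shown for comparison only;
// never call this on untrusted input.
void ParseUnbounded(const char *param, PowerSaveArgs *out) {
    std::sscanf(param, "%[^,],%[^,],%[^,],%s",
                out->startTime, out->endTime, out->weekDays, out->mode);
}

// Hardened shape: every conversion carries a width one less than its buffer
// (room for the NUL), the conversion count is checked, and %n records how much
// input was consumed so that leftover bytes (an over-long last field) are
// rejected rather than truncated. An over-long earlier field fails the literal
// ',' match and lowers the conversion count, so it is rejected too.
bool ParseBounded(const char *param, PowerSaveArgs *out) {
    std::memset(out, 0, sizeof *out);
    int consumed = -1;
    int n = std::sscanf(param, "%31[^,],%31[^,],%31[^,],%31s%n",
                        out->startTime, out->endTime, out->weekDays, out->mode,
                        &consumed);
    if (n != 4) return false;                          // empty, missing or over-long field
    return consumed >= 0 && param[consumed] == '\0';   // trailing bytes: last field too long
}

int main() {
    PowerSaveArgs a;
    // Constructed sample POST values; "22:00,06:00,1111100,1" is a plausible benign one.
    std::printf("benign:   %s\n", ParseBounded("22:00,06:00,1111100,1", &a) ? "accepted" : "rejected");
    std::printf("40-byte:  %s\n",
                ParseBounded("AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" ",06:00,1111100,1", &a)
                    ? "accepted" : "rejected");
    return 0;
}
```

The `%n` trick matters because `%31s` alone would accept `AAAA…` of any length and quietly keep the first 31 bytes; a handler that then acts on a truncated value has traded memory corruption for a logic bug.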
CVE-2026-5194: The Digest That Wasn't Big Enough
When a TLS library will happily verify an ECDSA certificate signature using any digest size a cert happens to advertise, the "security level" printed on the box stops meaning what the box says. wolfSSL's pre-10131 signature path had a conspicuous size check — but only on the upper end.
CVE-2025-59379: The Login Page That Answered Questions It Shouldn't Have
Dwyer-Omega's Isensix Advanced Remote Monitoring System (ARMS) 1.5.7 leaks database contents through a blind SQL injection in the `user` parameter of the login form — the one door every web app is supposed to keep boring, and this one cheerfully tells the attacker about the shape of the furniture inside.
CVE-2026-21493: Type Confusion in iccDEV Curve Serializer — When a Type Tag Isn't a C++ Type
A medium-severity flaw in the reference ICC color-management library (CVE-2026-21493) turns on a tiny but classic mistake: trusting a four-byte signature inside a file to tell you what C++ class an object is. The fix is a small diff with a big lesson about the gap between runtime type tags and RTTI.
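The mistake in miniature, covering this post and the CVE-2026-21683 entry above. This is an added example, not iccDEV code: the class names, the `'curv'`/`'mft1'` signature values and the loader shape are assumed for illustration. It shows the file-tag-driven `static_cast` beside two checked alternatives, one using RTTI and one using a type tag the object itself reports.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Four-byte type signatures as ICC-style files carry them (values chosen for
// this example; the real library's tag set is not reproduced).
constexpr uint32_t kSigCurve = 0x63757276;  // 'curv'
constexpr uint32_t kSigLut   = 0x6d667431;  // 'mft1'

struct IccTag {
    virtual ~IccTag() = default;
    virtual uint32_t GetType() const = 0;   // the object's own type, fixed by its class
};

struct CurveTag : IccTag {
    std::vector<uint16_t> points;
    uint32_t GetType() const override { return kSigCurve; }
    virtual double Apply(double x) const { return points.empty() ? x : x * points.size(); }
    size_t Count() const { return points.size(); }
};

struct LutTag : IccTag {
    uint8_t inputChannels = 0;
    uint32_t GetType() const override { return kSigLut; }
};

// What a loader hands back: the signature read from the file plus the object it
// actually built. A malformed file can make the two disagree.
struct Loaded {
    uint32_t headerSig;
    std::unique_ptr<IccTag> obj;
};

// Vulnerable pattern: the file's tag decides the C++ type. If obj is really a
// LutTag, the cast yields a CurveTag* over LutTag memory: Count() reads vector
// fields that are not there, and Apply() would index a vtable slot LutTag's
// table does not have, so that virtual call lands on whatever sits in that slot.
size_t CountPointsUnchecked(const Loaded &l) {
    if (l.headerSig != kSigCurve) return 0;
    const CurveTag *c = static_cast<const CurveTag *>(l.obj.get());
    return c->Count();
}

// Hardened pattern 1: ask RTTI. dynamic_cast returns nullptr on mismatch.
bool CountPointsChecked(const Loaded &l, size_t *out) {
    const CurveTag *c = dynamic_cast<const CurveTag *>(l.obj.get());
    if (c == nullptr) return false;
    *out = c->Count();
    return true;
}

// Hardened pattern 2 (for builds without RTTI): compare the tag the object
// reports about itself, not the one the file claims. Safe only if every class
// overrides GetType() honestly.
bool CountPointsCheckedNoRtti(const Loaded &l, size_t *out) {
    if (l.obj == nullptr || l.obj->GetType() != kSigCurve) return false;
    const CurveTag *c = static_cast<const CurveTag *>(l.obj.get());
    *out = c->Count();
    return true;
}

// Constructed inputs standing in for parsed files.
Loaded MakeConsistent(size_t points) {
    std::unique_ptr<CurveTag> c(new CurveTag());
    c->points.assign(points, 0);
    return Loaded{kSigCurve, std::move(c)};
}

Loaded MakeConfused() {
    // Header claims 'curv', object is a LutTag: the shape that triggers the bug.
    return Loaded{kSigCurve, std::unique_ptr<IccTag>(new LutTag())};
}
```

`CountPointsUnchecked(MakeConfused())` is the crash; neither checked variant is ever called with a pointer of the wrong dynamic type.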
CVE-2025-62718: The Trailing Dot That Leaked Your Localhost
A CVSS 9.9 in axios, published April 2026 (CVE-2025-62718): `NO_PROXY=localhost` does not protect `http://localhost.:8080/`, and it does not protect `http://[::1]/` either. Axios forwards those requests through the configured HTTP proxy, a textbook SSRF pivot delivered by one of the oldest bugs in the book: comparing hostnames as raw strings instead of canonical hosts.
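Host matching done naively and then canonically, as an added example that is neither axios code nor its actual fix. The entry syntax supported here (exact name, `.suffix`, `*`) and the decision that a `localhost` entry should also cover `127.0.0.0/8` and `::1` are assumptions of this example; the logic is language-neutral.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Bring a URL host into one canonical spelling before any comparison:
// lowercase, IPv6 brackets removed, a single trailing dot (FQDN form) removed.
std::string CanonicalHost(std::string host) {
    std::transform(host.begin(), host.end(), host.begin(),
                   [](unsigned char ch) { return static_cast<char>(std::tolower(ch)); });
    if (host.size() >= 2 && host.front() == '[' && host.back() == ']')
        host = host.substr(1, host.size() - 2);
    if (host.size() > 1 && host.back() == '.')
        host.pop_back();
    return host;
}

// Loopback literals a "localhost" entry is taken to cover (policy choice of this example).
bool IsLoopback(const std::string &h) {
    return h == "::1" || h.compare(0, 4, "127.") == 0;
}

// The buggy shape: raw string equality against the NO_PROXY entries.
// "localhost." and "[::1]" both miss, so the request goes to the proxy.
bool NaiveNoProxy(const std::string &host, const std::vector<std::string> &entries) {
    for (const auto &e : entries)
        if (host == e) return true;
    return false;
}

// Hardened matcher: canonicalize both sides, honour ".suffix" entries and "*",
// and let "localhost" cover the loopback literals.
bool NoProxyMatch(const std::string &rawHost, const std::vector<std::string> &entries) {
    const std::string host = CanonicalHost(rawHost);
    for (const auto &raw : entries) {
        const std::string e = CanonicalHost(raw);
        if (e == "*" || e == host) return true;
        if (!e.empty() && e.front() == '.' && host.size() > e.size() &&
            host.compare(host.size() - e.size(), e.size(), e) == 0)
            return true;
        if (e == "localhost" && IsLoopback(host)) return true;
    }
    return false;
}
```

The SSRF pivot in the advisory is exactly the gap between `NaiveNoProxy` and `NoProxyMatch`: the attacker supplies a host spelling the proxy will resolve to the same place but the bypass list will not recognise.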