Critical CVE-2026-8076: CashDro 3 web admin panel allows numeric PINs and lacks account lockout, enabling brute-force admin access to POS cash systems.

WP-Optimize’s unscheduled_original_file_deletion allows Author accounts to delete wp-config.php, risking outages and site takeover; check versions, lock roles and test restores.

A public exploit for CVE-2026-7853 targets D-Link DI-8100 16.07.26A1 via /auto_reboot.asp, severity 10.0; urgent steps and ISO-aligned controls recommended.

Betheme theme flaw allows author-level ZIP uploads that can drop PHP into public uploads, creating a remote code execution and data breach vector; immediate inventory, upload restrictions and scans recommended.

CVE-2026-7747: Totolink N300RH loginauth buffer overflow disclosed with public exploit, immediate patching or isolation required.

A public buffer overflow affecting Edimax BR-6208AC’s /goform/setWAN (pptpDfGateway) is rated 9.0 HIGH; vendor non-responsive, exploit published. Practical steps for inventory, isolation, patching and supplier checks.

Sunnet CTMS and CPAS have an arbitrary file upload vulnerability (CVE-2026-7490) allowing web shells and arbitrary code execution; inventory, isolate uploads, hunt for shells, and apply mitigations immediately.

A newly published CVE shows WP Editor missing nonce checks in add_plugins_page and add_themes_page, allowing forged requests to overwrite plugin and theme PHP if an admin is tricked.