A publicly disclosed buffer overflow in H3C Magic B1’s /goform/aspForm could allow remote code execution; the vendor did not respond to the disclosure.

A WordPress plugin flaw allows authenticated admins to force downloads and extract ZIPs into wp-content/plugins/cmp-premium-themes/, enabling remote code execution; inventory, isolate and remove or patch the plugin immediately.

CVE-2026-6483 allows remote OS command injection in Wavlink WL-WN530H4 via /cgi-bin/internet.cgi; exploit public, fix is firmware 2026.04.16 — patch or isolate immediately.

PHANTOMPULSE, delivered through an Obsidian plugin in the REF6598 campaign, bypasses AV and targets finance and crypto users; here’s what to check first.

CVE-2026-3461: a WordPress plugin can authenticate users using only a billing email during guest checkout, allowing account takeover and site compromise; immediate checks and mitigations advised.

Anthropic’s Claude Mythos preview reportedly completed a 32-step cyber kill chain and scored 73% on expert tasks, prompting urgent reviews by UK financial regulators; practical steps for organisations to limit exposure.

LibreNMS versions before 26.3.0 contain an authenticated RCE via Binary Locations and Netcommand (CVE-2026-6204); patch, isolate and rotate admin credentials now.