Linux Kernel KSMBD and NFS Flaws Lead Critical Wave
Linux kernel ksmbd and NFSv4 flaws lead a wave of critical disclosures, while three WordPress plugins and SeppMail gateways face unauthenticated RCE.

CVE-2026-43379 leads a batch of four critical Linux kernel flaws disclosed today, including a use-after-free in the ksmbd SMB server that can be triggered remotely. The bug in smb_lazy_parent_lease_break_close() allows an attacker to access freed memory via an RCU pointer after the read lock has been released, enabling potential code execution in the kernel context. Three additional critical Linux CVEs landed: CVE-2026-31405 (OOB access in DVB network ULE extension header tables), CVE-2026-31402 (heap overflow in NFSv4.0 LOCK replay cache), and CVE-2026-31414 (use-after-free in netfilter conntrack expectation helper lookup). The NFSv4.0 heap overflow is especially dangerous for file-server environments — it overflows a fixed 112-byte inline buffer during LOCK operation replay, and as Rapid7 noted in its April Patch Tuesday analysis, the conntrack flaw (CVE-2026-31414) can lead to use of a stale helper pointer. All four require kernel updates; no public PoCs are confirmed yet, but the ksmbd and NFSv4 flaws are remotely triggerable and should be prioritized.
Three WordPress plugins disclosed critical unauthenticated vulnerabilities today, each carrying a CVSS 9.8 and collectively affecting hundreds of thousands of sites. CVE-2026-7637 hits the Boost plugin (up to v2.0.3, 100k+ active installs) — an unauthenticated PHP object injection via deserialization of the STYXKEY-BOOST_USER_LOCATION cookie, giving attackers a direct path to remote code execution. CVE-2026-7284 affects Easy Elements for Elementor (up to v1.4.4) through a privilege escalation flaw in the easyel_handle_register function that lets unauthenticated users register as administrators. CVE-2026-6555 targets the ProSolution WP Client plugin (up to v2.0.0) with an arbitrary file upload bug caused by an array validation mismatch — only the first file in the upload array is checked for extension and type, allowing attackers to upload a webshell as a subsequent file. No patches have been confirmed for any of the three; site operators should disable the plugins immediately if alternative mitigations are unavailable.
CVE-2026-2743 in SeppMail (v15.0.2.1 and earlier) enables unauthenticated remote code execution through a path-traversal-to-file-write chain in the large file transfer (LFT) feature. As The Hacker News reported, the vulnerability allows attackers to write arbitrary files to the filesystem by traversing out of the intended upload directory, then execute them to achieve RCE. SeppMail is a widely deployed secure email gateway appliance used by enterprises and government agencies in Europe; the same advisory notes additional flaws in the product that could expose mail traffic. Organizations running SeppMail should immediately restrict network access to the web interface and apply any vendor-supplied patches as they become available.
CVE-2026-36829 in Panabit PAP-XM320 (up to v7.7) is an authentication bypass in the embedded HTTP server that uses a filesystem existence check against a user-controlled cookie value to validate sessions — an attacker can simply provide a cookie path that exists on the filesystem to impersonate any user. Panabit is a Chinese network-appliance vendor whose PAP-XM320 series is deployed as edge routing and SD-WAN gear in small-to-medium business networks across Asia. With a CVSS 9.8 and no authentication required, this flaw is a prime candidate for mass scanning and botnet recruitment. No patch has been announced; operators should isolate the management interface from the internet and monitor for vendor updates.
CVE-2026-44159 in Tyler Technologies' Identity Local (TID-L) product ships with documented, default administrative credentials that users are not required to change before deployment. While Tyler notes that TID-L has not been distributed since December 2020 and has been unsupported since 2021, the product remains in use across many state and local government agencies that deployed it for identity management. The CVSS 9.8 rating reflects the trivial nature of the attack — an attacker who knows the documented default credentials (which are publicly available) can gain full administrative access to any instance that never changed them. Organizations still running TID-L should treat it as compromised, immediately rotate all credentials, and prioritize migration to a supported identity platform.
Mozilla shipped emergency fixes for two critical vulnerabilities in Firefox and Thunderbird. CVE-2026-8956 is an integer overflow in the Networking: JAR component (CVSS 9.8) that could allow remote code execution when processing crafted JAR archives, fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. CVE-2026-8401 is a sandbox escape in the Profile Backup component (CVSS 9.8) that breaks the browser's security isolation, fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11. The sandbox escape is particularly concerning because it can be chained with a renderer compromise for full system access. Users should update immediately; ESR channel organizations should prioritize the 140.11 builds.