What you need to know today.
CISA flags a critical Linux kernel SMB flaw as actively exploited, while three WordPress plugins and SEPPMail disclose unauthenticated RCE bugs.

CISA adds a critical Linux kernel SMB flaw to KEV, while a wave of WordPress plugin and edge-device CVEs hits critical severity. CVE-2026-43379 is a use-after-free vulnerability in the kernel's ksmbd (SMB) server that can be triggered remotely without authentication, making it a prime target for ransomware and wormable attacks. The flaw was patched in the latest kernel updates, but unpatched NAS appliances and Linux-based file servers remain exposed. CISA's KEV listing means federal agencies must remediate by June 10, and private-sector teams should treat this as an emergency-patch priority given the prevalence of SMB in enterprise environments.
Three WordPress plugins disclosed critical unauthenticated RCE and privilege-escalation flaws, affecting hundreds of thousands of sites. CVE-2026-7637 (Boost plugin, CVSS 9.8) allows PHP object injection via a deserialized cookie, enabling unauthenticated remote code execution on sites running versions up to 2.0.3. CVE-2026-7284 (Easy Elements for Elementor, CVSS 9.8) lets unauthenticated attackers register as administrators through a flawed user-registration handler in all versions up to 1.4.4. CVE-2026-6555 (ProSolution WP Client, CVSS 9.8) permits arbitrary file upload due to an array-validation mismatch that only checks the first file in a multi-file upload — attackers can upload a webshell directly. All three plugins have patches available; site operators should audit their plugin inventories immediately.
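The first-file-only validation pattern described for CVE-2026-6555, shown as an added PHP example (not code from the ProSolution plugin or WordPress core); the field name, extension allowlist and sample array are assumptions:

```php
<?php
// Added example, not code from the ProSolution WP Client plugin or WordPress core.
// For a form field named docs[], PHP fills $_FILES['docs']['name'] (and tmp_name,
// error) with parallel arrays, one entry per file. A check that inspects only
// index 0 decides the fate of the whole batch. Field name and allowlist are assumed.

const ALLOWED_EXT = ['pdf', 'png', 'jpg'];

// Extension allowlist only; a real plugin would delegate each entry to
// wp_check_filetype_and_ext(), which also inspects the file content.
function ext_allowed(string $name): bool {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true);
}

// Weak form: validates the first entry, then treats the whole batch as clean.
function validate_batch_first_only(array $files): bool {
    return ext_allowed($files['name'][0]);
}

// Hardened form: every entry must pass, and the parallel arrays must agree in
// length so a malformed request cannot leave an entry outside the loop.
function validate_batch_all(array $files): bool {
    if (!is_array($files['name'] ?? null)) {
        return false; // single-file shape or missing field: not a batch
    }
    $n = count($files['name']);
    if ($n === 0 || count($files['tmp_name']) !== $n || count($files['error']) !== $n) {
        return false;
    }
    for ($i = 0; $i < $n; $i++) {
        if ($files['error'][$i] !== UPLOAD_ERR_OK || !ext_allowed($files['name'][$i])) {
            return false;
        }
    }
    return true;
}

// Constructed sample in the shape PHP uses for a docs[] field: a benign first
// entry followed by a PHP file. Nothing is written to disk.
$sample = [
    'name'     => ['report.pdf', 'notes.php'],
    'tmp_name' => ['/tmp/phpA1', '/tmp/phpB2'],
    'error'    => [UPLOAD_ERR_OK, UPLOAD_ERR_OK],
];

var_dump(validate_batch_first_only($sample)); // decided by report.pdf alone
var_dump(validate_batch_all($sample));        // notes.php fails the allowlist
```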
SEPPMail's secure email gateway carries a critical path-traversal-to-RCE flaw, with public exploit details now circulating. CVE-2026-2743 (CVSS 9.8) affects SEPPMail versions 15.0.2.1 and earlier, allowing unauthenticated attackers to write arbitrary files via path traversal in the large-file-transfer feature, leading to full remote code execution on the gateway appliance. As The Hacker News reported, the same research also identified additional vulnerabilities that could expose mail traffic. Organizations running SEPPMail as their email security layer should treat this as an active-compromise risk and prioritize patching, especially given that email gateways sit at the network perimeter with access to internal directory services.
A wave of Linux kernel flaws beyond ksmbd demands attention from infrastructure teams. CVE-2026-31402 (CVSS 9.8) is a heap overflow in the NFSv4.0 LOCK replay cache that can be triggered by a crafted NFS request, potentially leading to RCE on NFS servers. CVE-2026-31405 (CVSS 9.8) is an out-of-bounds access in the DVB network subsystem's ULE extension header parsing, exploitable via maliciously crafted MPEG-TS frames. CVE-2026-31436 (CVSS 9.8) affects the Intel Data Streaming Accelerator (DSA) driver (idxd), where a descriptor-completion logic error could lead to use-after-free conditions. CVE-2026-31414 (CVSS 9.8) is a netfilter conntrack expectation bug that could cause information disclosure or denial of service, noted in Rapid7's Patch Tuesday analysis. All are patched in the latest stable kernel releases; teams running custom or LTS kernels should verify backport status.
Edge-device and embedded-system flaws create a broad attack surface for network-perimeter exploitation. CVE-2026-36829 (CVSS 9.8) affects Panabit PAP-XM320 access points up to v7.7, where the HTTP server validates session cookies via a filesystem existence check against a user-controlled value — allowing unauthenticated attackers to bypass authentication entirely. CVE-2026-37541 (CVSS 10.0) is a buffer overflow in Open Vehicle Monitoring System 3 (OVMS3) v3.3.005, where the GVRET binary format parser fails to validate length fields, enabling remote DoS or potential code execution against connected vehicle telematics units. CVE-2026-44159 (CVSS 9.8) affects Tyler Technologies' Identity Local (TID-L) — an end-of-life product not distributed since December 2020 — which ships with documented default credentials that cannot be changed. Any remaining TID-L deployments in government or education networks are trivially compromisable.
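The existence-check-as-authentication pattern described for the Panabit access point, as an added example in PHP rather than the device's own code; the session directory, token format and session-file layout are assumptions:

```php
<?php
// Added example, not code from the Panabit firmware. It models the pattern
// described above: an HTTP handler that treats "a file with this name exists"
// as proof of a valid session, versus a check that constrains the token first.
// SESSION_DIR, the token format and the session file layout are assumptions.

const SESSION_DIR = '/tmp/demo-sessions';

// Weak form: the cookie value chooses the path, and any path that exists on
// the device satisfies the check, whether or not it is a session file.
function session_valid_weak(string $cookie): bool {
    return file_exists(SESSION_DIR . '/' . $cookie);
}

// Hardened form: accept only a fixed-format token, resolve the path and require
// it to stay under SESSION_DIR, then require the file to hold an unexpired session.
function session_valid_strict(string $cookie, int $now): bool {
    if (preg_match('/\A[a-f0-9]{32}\z/', $cookie) !== 1) {
        return false;
    }
    $path = realpath(SESSION_DIR . '/' . $cookie);
    $base = realpath(SESSION_DIR);
    if ($path === false || $base === false || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return false;
    }
    $data = json_decode((string) file_get_contents($path), true);
    return is_array($data) && isset($data['expires']) && $data['expires'] > $now;
}

// Constructed fixture: one real session file, written only for this demo.
@mkdir(SESSION_DIR, 0700, true);
$token = bin2hex(random_bytes(16));
file_put_contents(SESSION_DIR . '/' . $token, json_encode(['user' => 'demo', 'expires' => time() + 600]));

var_dump(session_valid_weak($token));          // issued token
var_dump(session_valid_weak('..'));            // the parent directory exists, so the weak check passes
var_dump(session_valid_strict('..', time()));  // rejected by the token format check
var_dump(session_valid_strict($token, time())); // issued token, resolved under SESSION_DIR
unlink(SESSION_DIR . '/' . $token);
```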
Mozilla shipped emergency fixes for two critical flaws spanning Firefox and Thunderbird. CVE-2026-8956 (CVSS 9.8) is an integer overflow in the Networking: JAR component that could allow arbitrary code execution when processing malicious JAR archives, fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. CVE-2026-8401 (CVSS 9.8) is a sandbox escape in the Profile Backup component that could allow an attacker to break out of the browser sandbox and execute code on the host system, fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11. Given the sandbox-escape vector of CVE-2026-8401, enterprise security teams should treat this as a browser-compromise chain enabler and prioritize deployment of the latest ESR builds.