VYPR
AI Brief · 2026-05-24 · generated May 24, 2026

What you need to know today.

Nezha monitoring dashboard flaws allow low-privilege users to execute commands, while Edimax routers face a wave of pre-auth exploits.

Nezha monitoring dashboard ships with critical privilege-escalation bugs. Two flaws in the open-source server-monitoring tool Nezha allow any authenticated user, even a low-privilege RoleMember, to create or modify cron jobs (CVE-2026-46716) and notification channels (CVE-2026-46717). The cron and notification POST/PATCH routes are wired through commonHandler, which only checks that the caller is authenticated, instead of the admin-only adminHandler, which also checks the role. An attacker with a valid member session can abuse CVE-2026-46716 to execute arbitrary commands on the Nezha agent hosts via cron, and CVE-2026-46717 to hijack notification pipelines for data exfiltration or phishing. The two carry risk scores of 0.52 (high) and 0.38 (medium) respectively. No public PoC or KEV listing has been reported yet, but Nezha deployments in multi-tenant environments, or any deployment where member accounts are issued to people who should not be able to run commands on monitored hosts, should treat these as emergency-patch items.

Arcane (getarcaneapp) suffers an admin-bypass flaw that exposes global environment secrets. CVE-2026-47125 (risk 0.38, medium) affects the PUT /api/environments/{id}/templates/variables endpoint in Arcane, a self-hosted deployment platform. The endpoint writes to the system-wide .env.global file, which holds secrets used for variable substitution across every project's Docker Compose configuration. The route lacks an admin authorization check, so any authenticated user can overwrite global environment variables and inject values that propagate into every project's containers the next time it is deployed. This is a supply-chain-style pivot: compromise one low-privilege account and you can poison every project's runtime. No patch details or exploit activity have been confirmed as of this writing.
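Both the Nezha and the Arcane bugs reduce to the same wiring mistake: a state-changing route was passed through an authentication-only guard instead of the admin guard. The Go program below is an added illustration of that pattern and of a cheap way to catch it, not code from either project. It models a commonHandler that checks only for a session and an adminHandler that also checks the role, shows a member session passing the first and failing the second, and walks a route table to flag every write route under an admin-only prefix that is not admin-guarded. The route paths, bearer tokens, session store and prefix policy are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sessions is a constructed fixture (bearer token -> role) standing in for a real session store.
var sessions = map[string]string{"member-token": "member", "admin-token": "admin"}

func roleFromRequest(r *http.Request) (string, bool) {
	role, ok := sessions[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
	return role, ok
}

type guardFunc func(http.HandlerFunc) http.HandlerFunc

// commonHandler checks only that a session exists; a low-privilege member passes.
func commonHandler(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if _, ok := roleFromRequest(r); !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// adminHandler checks the session and then the role; this is what the write routes needed.
func adminHandler(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		role, ok := roleFromRequest(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if role != "admin" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

type route struct {
	method, path, guardName string
	guard                   guardFunc
}

// Paths are illustrative: the advisories name the handlers, not the exact routes.
var vulnerableRoutes = []route{
	{"GET", "/api/v1/cron", "common", commonHandler},                           // read-only, common is fine here
	{"POST", "/api/v1/cron", "common", commonHandler},                          // CVE-2026-46716 pattern
	{"PATCH", "/api/v1/cron/1", "common", commonHandler},                       // CVE-2026-46716 pattern
	{"POST", "/api/v1/notification", "common", commonHandler},                  // CVE-2026-46717 pattern
	{"PUT", "/api/environments/1/templates/variables", "common", commonHandler}, // CVE-2026-47125 pattern
}

var fixedRoutes = []route{
	{"GET", "/api/v1/cron", "common", commonHandler},
	{"POST", "/api/v1/cron", "admin", adminHandler},
	{"PATCH", "/api/v1/cron/1", "admin", adminHandler},
	{"POST", "/api/v1/notification", "admin", adminHandler},
	{"PUT", "/api/environments/1/templates/variables", "admin", adminHandler},
}

// adminOnlyPrefixes is the policy (assumed): any write under these paths must go through adminHandler.
var adminOnlyPrefixes = []string{"/api/v1/cron", "/api/v1/notification", "/api/environments/"}

func isWrite(m string) bool {
	return m == http.MethodPost || m == http.MethodPut || m == http.MethodPatch || m == http.MethodDelete
}

// auditRoutes lists every write route under an admin-only prefix that is not admin-guarded.
// The same walk over a real route table in CI catches this class of bug before release.
func auditRoutes(routes []route) []string {
	var findings []string
	for _, rt := range routes {
		if !isWrite(rt.method) || rt.guardName == "admin" {
			continue
		}
		for _, p := range adminOnlyPrefixes {
			if strings.HasPrefix(rt.path, p) {
				findings = append(findings, fmt.Sprintf("%s %s wired through %sHandler", rt.method, rt.path, rt.guardName))
				break
			}
		}
	}
	return findings
}

// probe sends one request through the matching route's guard and returns the HTTP status.
func probe(routes []route, method, path, token string) int {
	for _, rt := range routes {
		if rt.method != method || rt.path != path {
			continue
		}
		req := httptest.NewRequest(method, path, nil)
		if token != "" {
			req.Header.Set("Authorization", "Bearer "+token)
		}
		rec := httptest.NewRecorder()
		rt.guard(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })(rec, req)
		return rec.Code
	}
	return http.StatusNotFound
}
```

probe(vulnerableRoutes, "POST", "/api/v1/cron", "member-token") returns 200 while the fixed table returns 403 for the same call, and auditRoutes(vulnerableRoutes) reports all four mis-wired write routes. The audit keys off a declared guard name rather than inspecting the closure, so in a real code base it is most useful as a table-driven test that the route registration feeds directly.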

Parse Server faces a ReDoS vulnerability exploitable with just an Application ID. CVE-2026-47138 (risk 0.38, medium) affects Parse Community's open-source Parse Server. An unauthenticated attacker who knows a publicly known Parse Application ID can send a single HTTP request whose client SDK version field contains a crafted string that triggers polynomial backtracking in the request-header parser. The resulting regular-expression denial-of-service (ReDoS) can exhaust server CPU, effectively taking the Parse instance offline. Because Parse Application IDs are often exposed in mobile-app client code or public documentation, the barrier to exploitation is low. No patch or mitigation has been released yet; operators should consider capping the length of the SDK-version header at the edge, plus rate-limiting or WAF rules on it, until one is.
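Parse Server is a Node.js project, so the Go program below is an added illustration of the mitigation pattern rather than Parse's own code. It shows the two controls that neutralise a ReDoS in a header parser without having to find the offending regex first: a hard length cap applied before any parsing, and a single-pass parser that inspects each byte once and never backs up, so its cost is linear in an input that is already bounded. The header name X-Parse-Client-Version, the grammar "<sdk letters><major>.<minor>.<patch>", the 64-byte cap and the six-digit limit are all assumptions made for the example; check Parse's middleware for the real format.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// maxClientVersionLen caps the header before any parsing happens (value assumed).
const maxClientVersionLen = 64

// clientVersionHeader is an assumed header name for the SDK version field.
const clientVersionHeader = "X-Parse-Client-Version"

type clientVersion struct {
	SDK                 string
	Major, Minor, Patch int
}

var errBadVersion = errors.New("malformed client version")

// parseClientVersion accepts "<sdk letters><major>.<minor>.<patch>" (format assumed) in one
// left-to-right pass: every byte is examined once and the parser never retreats, so a crafted
// value costs O(len) and the cap bounds that. A backtracking regex offers no such guarantee.
func parseClientVersion(v string) (clientVersion, error) {
	if len(v) > maxClientVersionLen {
		return clientVersion{}, fmt.Errorf("client version too long: %d bytes", len(v))
	}
	i := 0
	for i < len(v) && v[i] >= 'a' && v[i] <= 'z' {
		i++
	}
	if i == 0 {
		return clientVersion{}, errBadVersion // no SDK tag
	}
	cv := clientVersion{SDK: v[:i]}
	parts := [3]*int{&cv.Major, &cv.Minor, &cv.Patch}
	for k, dst := range parts {
		if k > 0 {
			if i >= len(v) || v[i] != '.' {
				return clientVersion{}, errBadVersion
			}
			i++
		}
		start := i
		for i < len(v) && v[i] >= '0' && v[i] <= '9' {
			if i-start == 6 { // digit limit (assumed) so absurd numbers fail fast
				return clientVersion{}, errBadVersion
			}
			*dst = *dst*10 + int(v[i]-'0')
			i++
		}
		if start == i {
			return clientVersion{}, errBadVersion // empty component
		}
	}
	if i != len(v) {
		return clientVersion{}, errBadVersion // trailing bytes
	}
	return cv, nil
}

// clientVersionGuard rejects an oversized or malformed header before the downstream handler
// (and whatever regex it uses) ever sees it. A missing header is passed through unchanged.
func clientVersionGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if v := r.Header.Get(clientVersionHeader); v != "" {
			if _, err := parseClientVersion(v); err != nil {
				http.Error(w, "bad "+clientVersionHeader, http.StatusBadRequest)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs one request carrying the given header value through the guard.
func statusFor(headerValue string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodPost, "/classes/Thing", nil)
	if headerValue != "" {
		req.Header.Set(clientVersionHeader, headerValue)
	}
	rec := httptest.NewRecorder()
	clientVersionGuard(ok).ServeHTTP(rec, req)
	return rec.Code
}
```

The guard belongs in front of the existing parser rather than in place of it: the length cap alone already removes the polynomial blow-up, because backtracking cost grows with input length, and the strict grammar removes the malformed inputs that drive the worst case.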

Edimax BR-6428NS router hit with a wave of pre-auth command-injection and buffer-overflow disclosures. Four CVEs were published against the Edimax BR-6428NS running firmware 1.10, all targeting the goform POST handler endpoints. CVE-2026-9297 is a command injection via the repeaterSSID argument in formWlbasic. CVE-2026-9296 is another command injection through the formWlanM endpoint via multiple arguments (ateFunc, ateGain, ateTxCount, etc.). CVE-2026-9295 is a buffer overflow in formWirelessTbl via the vapurl argument. CVE-2026-9294 is a buffer overflow in formWanTcpipSetup via pppUserName. All four are remotely exploitable without authentication. Edimax has not released a patch, and these routers are widely deployed in small-office and home networks. Given the public disclosure and the lack of vendor response, these are prime candidates for botnet and IoT-malware targeting; where the device cannot be replaced, keep its management interface off the WAN side and watch for POSTs to these handlers.
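Since no firmware fix exists, the practical control is detection at a proxy, IDS or log pipeline in front of the router. The Go program below is an added example, not Edimax code or a published signature: it parses raw HTTP requests, keys on the four handlers and arguments named above, and flags a watched argument that carries shell metacharacters (the command-injection cases) or an implausibly long value (the overflow cases). The /goform/<handler> path layout, the 128-byte length threshold and the sample requests are constructed assumptions; the samples are not captured traffic and are not claimed to be working exploits.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// goformWatch maps each handler named in the disclosures to its affected argument(s).
var goformWatch = map[string][]string{
	"formWlbasic":       {"repeaterSSID"},                     // CVE-2026-9297, command injection
	"formWlanM":         {"ateFunc", "ateGain", "ateTxCount"}, // CVE-2026-9296, command injection
	"formWirelessTbl":   {"vapurl"},                           // CVE-2026-9295, buffer overflow
	"formWanTcpipSetup": {"pppUserName"},                      // CVE-2026-9294, buffer overflow
}

// shellMeta are bytes a shell interprets that have no business in an SSID, URL or PPP
// username; maxArgLen is an assumed sanity bound for the overflow cases.
const (
	shellMeta = "`;|&$<>\n\r"
	maxArgLen = 128
)

// inspectRawRequest parses one raw HTTP request and returns a finding per suspicious
// watched argument. The /goform/<handler> path layout is assumed.
func inspectRawRequest(raw string) ([]string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	if req.Method != http.MethodPost || !strings.HasPrefix(req.URL.Path, "/goform/") {
		return nil, nil
	}
	handler := strings.TrimPrefix(req.URL.Path, "/goform/")
	args, watched := goformWatch[handler]
	if !watched {
		return nil, nil
	}
	if err := req.ParseForm(); err != nil {
		return nil, err
	}
	var findings []string
	for _, a := range args {
		for _, v := range req.PostForm[a] {
			switch {
			case strings.ContainsAny(v, shellMeta):
				findings = append(findings, fmt.Sprintf("%s: shell metacharacter in %s=%q", handler, a, v))
			case len(v) > maxArgLen:
				findings = append(findings, fmt.Sprintf("%s: %d-byte value for %s (possible overflow)", handler, len(v), a))
			}
		}
	}
	return findings, nil
}

// rawPost builds a well-formed raw POST so http.ReadRequest can read the body.
func rawPost(path, body string) string {
	return fmt.Sprintf("POST %s HTTP/1.1\r\nHost: router.lan\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n%s",
		path, len(body), body)
}

// samples are constructed requests for the example, not captured traffic.
var samples = map[string]string{
	"benign":    rawPost("/goform/formWlbasic", "repeaterSSID=HomeNet-5G&band=2"),
	"injection": rawPost("/goform/formWlbasic", "repeaterSSID=Guest%3Bls"),         // decodes to "Guest;ls"
	"ateInject": rawPost("/goform/formWlanM", "ateFunc=%24%28id%29&ateGain=1"),      // decodes to "$(id)"
	"overflow":  rawPost("/goform/formWirelessTbl", "vapurl="+strings.Repeat("A", 600)),
	"unwatched": rawPost("/goform/formLogout", "repeaterSSID=%3B"),
}

func main() {
	for name, raw := range samples {
		f, err := inspectRawRequest(raw)
		fmt.Printf("%-9s findings=%v err=%v\n", name, f, err)
	}
}
```

Only the injection, ateInject and overflow samples produce findings; the benign and unwatched ones return none. The rule is deliberately narrow (named handler, named argument, then the value check) so that it fires on the disclosed attack surface rather than on every semicolon in a form field, which keeps it usable as a blocking rule and not just an alert.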

Free5GC AMF (5G Core) hit with four memory-corruption bugs in NGAP message handling. Four CVEs, CVE-2026-9301, CVE-2026-9300, CVE-2026-9299 and CVE-2026-9298, were disclosed against the omec-project's Access and Mobility Management Function (AMF), a fork of the free5GC AMF, up to version 2.1.1. The flaws reside in the NGReset Message Handler, NGSetupRequest Handler, PDUSessionResourceModifyIndication handler, and PathSwitchRequest Handler respectively. All four are triggerable remotely over the N2 interface that carries NGAP between the gNB and the AMF, and are described as memory corruption; in a Go service the realistic outcome is a crash of the AMF process (denial of service), with remote code execution far less plausible. The AMF is a critical control-plane component in 5G standalone networks, so a crashable NGAP handler lets an attacker who can reach N2 disrupt subscriber mobility management and session continuity. No patches or mitigations have been announced.

WordPress WishList Member plugin enables unauthenticated privilege escalation. CVE-2026-6419 affects the WishList Member plugin for WordPress up to version 3.30.1. The ajax_get_screen() function lacks both a capability check and nonce validation, allowing an unauthenticated attacker to escalate privileges. This is a classic missing-authorization flaw in a membership-management plugin that handles user roles and access tiers. With over 10,000 active installations, the plugin's user base is significant. No exploit activity has been publicly reported yet, but the vulnerability is trivial to exploit once the endpoint is identified. Site owners should update as soon as a patched version is available and, in the meantime, watch for unauthenticated admin-ajax.php calls reaching the plugin.

Synthesized by Vypr AI