Nezha Dashboard Flaws Lead Critical Pack
Critical privilege-escalation flaws in Nezha monitoring dashboard lead today's disclosures, alongside a Parse Server ReDoS and five Edimax router bugs.

Nezha monitoring dashboard hit by privilege-escalation pair. Two critical flaws in the open-source nezha monitoring dashboard let low-privilege users escalate to admin. CVE-2026-46716 affects the cron routes (POST /api/v1/cron and PATCH /api/v1/cron/:id), which are wired through commonHandler (any authenticated user) instead of requiring RoleAdmin. CVE-2026-46717 does the same for notification routes (POST /api/v1/notification and PATCH /api/v1/notification/:id). Both are rated critical with a risk score of 0.52. An authenticated RoleMember can create, modify, or delete cron jobs and notifications — effectively gaining full administrative control over the monitoring platform. No public PoC or active exploitation has been reported yet, but the attack surface is broad: any organization running nezha for server monitoring should prioritize patching immediately.
Getarcaneapp Arcane vulnerable to global .env takeover by any authenticated user. CVE-2026-47125 (high severity, risk 0.38) affects Getarcaneapp's Arcane platform. The PUT /api/environments/{id}/templates/variables endpoint writes to the system-wide .env.global file, which is used for variable substitution across every project's Docker Compose files. The endpoint lacks an admin authorization check, meaning any authenticated user can overwrite global environment variables. An attacker who modifies .env.global can inject malicious values that propagate to all projects — potentially achieving credential theft, service redirection, or code injection across the entire deployment. No patch details have been released as of this writing; teams running Arcane should restrict network access to the API and audit user sessions.
Parse Server ReDoS vulnerability requires only a known App ID. CVE-2026-47138 (high severity, risk 0.38) affects Parse Community's Parse Server, the open-source backend-as-a-service platform. An unauthenticated attacker who knows a publicly-known Parse Application ID can send a single HTTP request with a crafted client SDK version field, triggering polynomial backtracking in the request-header parser. The resulting ReDoS (Regular Expression Denial of Service) can exhaust server CPU resources with minimal bandwidth. Since Parse Application IDs are often exposed in mobile app binaries or web client code, the pre-condition is trivial to meet. Organizations running Parse Server should apply the patch and consider rate-limiting or WAF rules to mitigate regex-based attacks.
Edimax BR-6428NS router hit with five pre-auth command-injection and buffer-overflow flaws. Five CVEs were disclosed against the Edimax BR-6428NS router (firmware 1.10), all exploitable via POST requests to the /goform/ endpoint family. CVE-2026-9297 is a command injection in the repeaterSSID parameter of formWlbasic. CVE-2026-9296 is a buffer overflow via the system function in formWlanM through multiple arguments (ateFunc, ateGain, ateTxCount, etc.). CVE-2026-9295 is a buffer overflow in formWirelessTbl via the vapurl argument. CVE-2026-9294 is a buffer overflow in formWanTcpipSetup via the pppUserName argument. All four carry EPSS scores of 0.01, indicating low but non-zero exploitation probability. These are classic embedded-device flaws — no authentication required, full device compromise possible. Edimax has not released a patch for this end-of-life model; users should isolate or replace the hardware.
Free5GC AMF (5G Core) hit with four memory-corruption flaws. Four CVEs — CVE-2026-9301, CVE-2026-9300, CVE-2026-9299, and CVE-2026-9298 — were disclosed against the omec-project AMF (Access and Mobility Management Function) up to version 2.1.1, a key component of the Free5GC open-source 5G core network. The flaws affect the NGReset Message Handler, NGSetupRequest Handler, PDUSessionResourceModifyIndication function, and PathSwitchRequest Handler respectively. All four are remotely exploitable and result in memory corruption, which could lead to denial of service or potentially code execution within the 5G control plane. With EPSS scores of 0.00, active exploitation is not currently expected, but the systemic nature of these bugs across multiple NGAP protocol handlers is concerning for operators running Free5GC in test or production 5G environments.
Linux kernel, WordPress plugin, and Cal.com bugs round out the window. CVE-2026-43503 is a Linux kernel fix for a shared-frag marker bug in skb_try_coalesce() that could cause memory corruption during SKB coalescing — a networking-stack stability issue rather than a direct security boundary. CVE-2026-6419 affects the WishList Member WordPress plugin (up to 3.30.1), where missing capability and nonce checks in ajax_get_screen() allow privilege escalation. CVE-2026-9304 and CVE-2026-9303 affect Cal.com (cal.diy up to 4.9.4): an SSRF in the Logo API's validateUrlForSSRF function and a CSRF vulnerability with a publicly available PoC exploit. CVE-2026-9305 and CVE-2026-9306 affect QuantumNous new-api (up to 0.12.1): SQL injection in the topup search endpoint and an unspecified Midjourney image relay issue. CVE-2026-9302 is a code-injection flaw in vps-inventory-monitoring via eval() in the VpsTest console.