VYPR
AI Brief2026-05-26· generated May 26, 2026

LiteSpeed cPanel Plugin Exploited for Root

WordPress LiteSpeed cPanel plugin exploited for root escalation, while seven hackney HTTP client flaws and a PCManFM-Qt D-Bus bug demand urgent patching.

WordPress LiteSpeed cPanel plugin exploited in the wild to escalate privileges to root. CVE-2026-48172 is a critical privilege-escalation vulnerability in the LiteSpeed User-End cPanel Plugin for WordPress (versions before 2.4.5) that is already being actively exploited as of May 2026. Attackers can leverage the flaw to escalate privileges potentially all the way to root on the underlying server. As The Hacker News reported, detection can be performed by searching cPanel logs for the cpanel_jsonapi_func=redisAble indicator. The plugin's maintainers have released version 2.4.5 to address the issue, and given confirmed in-the-wild exploitation, this should be treated as an emergency patching priority for any WordPress site running on cPanel with the LiteSpeed plugin installed.

A cluster of seven resource-exhaustion and SSRF vulnerabilities disclosed in the Erlang hackney HTTP client library. CVE-2026-47073, CVE-2026-47067, CVE-2026-47066, CVE-2026-47077, CVE-2026-47071, CVE-2026-47076, and CVE-2026-47072 collectively expose hackney to denial-of-service, flooding, and server-side request forgery attacks. The most critical issues include an unbounded WebSocket handshake memory allocation (CVE-2026-47073), a BEAM atom exhaustion vector via the URL parser (CVE-2026-47067), and an infinite loop in the Alt-Svc header parser (CVE-2026-47066). The SOCKS5 transport (CVE-2026-47071) drops caller-supplied timeouts after negotiation, enabling indefinite socket hangs. Additionally, a URL-decoding normalization conflict (CVE-2026-47076) allows SSRF by bypassing host validation, and CRLF injection in the WebSocket upgrade path (CVE-2026-47072) enables HTTP request/response splitting. Any Erlang or Elixir application using hackney — a widely adopted HTTP client — should review these advisories and update immediately.

PCManFM-Qt file manager vulnerable to arbitrary program execution via D-Bus. CVE-2026-48700 affects all versions of PCManFM-Qt starting from 1.1.0, the Qt-based file manager used in LXQt desktop environments. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates handling to a different program based on the file extension, without proper validation. An attacker who can send D-Bus messages to the session bus — which includes any process running under the same user session — can trigger arbitrary program execution. This is particularly dangerous in multi-process desktop environments where untrusted applications (e.g., a malicious Flatpak or browser extension) can invoke D-Bus methods. No patch details have been confirmed at time of writing; users should monitor the LXQt project for updates and consider restricting D-Bus access where possible.

Besen BS20 EV charging station hit by two flaws — one critical, one low-severity. CVE-2026-9397 (CVSS 8.1, High) affects the OTA update installation handler in Besen BS20 EV Charging Stations up to firmware version 20260426, allowing an attacker with network access to push unauthorized firmware updates due to improper authorization. A companion issue, CVE-2026-9396 (CVSS 3.7, Low), involves a firmware version check that improperly restricts the range of acceptable versions, potentially enabling downgrade attacks. These vulnerabilities highlight the growing attack surface in EV charging infrastructure, where unpatched devices could be remotely compromised to alter charging behavior or serve as a pivot point into broader energy-management networks. Operators of Besen BS20 stations should verify firmware integrity and restrict network access to the charging station's management interface.

PuTTY 0.84 ships with fix for Ed25519 signature verification flaw. CVE-2026-4115 affects PuTTY version 0.83, where the eddsa_verify function in crypto/ecc-ssh.c improperly verifies Ed25519 cryptographic signatures. As Cyber Security News reported, the PuTTY team has released version 0.84 addressing this issue alongside fixes for SSH KEX crashes and a Telnet prompt spoofing flaw. While the Ed25519 verification weakness is rated Low severity (CVSS 3.7), it undermines the authentication guarantees of SSH connections using Ed25519 keys — a widely recommended key type. Users of PuTTY, WinSCP, and other tools in the PuTTY family should upgrade to 0.84 to restore cryptographic assurance for their SSH sessions.

Mattermost denial-of-service flaw from nil webhook attachment payloads. CVE-2026-4915 (CVSS 6.5, Medium) affects Mattermost versions 11.6.0, 11.5.x through 11.5.3, 11.4.x through 11.4.4, and 10.11.x through 10.11.14. The platform fails to filter nil elements from outgoing webhook attachment payloads before processing, allowing an authenticated user to cause a denial-of-service condition. Given Mattermost's widespread use as an open-source Slack alternative in enterprise and government environments, this DoS vector could be exploited by a low-privilege user to disrupt team communications. Administrators should update to the latest patched versions of their respective release trains.

Synthesized by Vypr AI