What you need to know today.
Critical flaws in Tenda routers and Acer Wave 7 devices, alongside WordPress RCEs and a Python package supply-chain attack, dominate today's security landscape.

Multiple critical vulnerabilities have been disclosed in Tenda routers, including CVE-2026-11499, a stack-based buffer overflow and command injection reachable by manipulating the blkDomain argument of the /boaform/formDOMAINBLK handler. This flaw, along with others affecting the Tenda HG7, HG9 and HG10 models, could let an attacker take control of the device. Vypr Intelligence reported on these Tenda router vulnerabilities, highlighting the potential for significant network disruption.
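The endpoint and parameter above are exactly what a detection rule can key on while patches are pending. The following Python is an added example written for this digest, not code from Vypr Intelligence or Tenda: it inspects constructed HTTP requests to /boaform/formDOMAINBLK and flags a blkDomain value that carries shell metacharacters (the command-injection case) or is far longer than any hostname (the overflow case). The metacharacter set and the length threshold are assumptions; the page does not publish the real buffer size.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the Tenda advisory text above.
TARGET_PATH = "/boaform/formDOMAINBLK"
TARGET_PARAM = "blkDomain"

# Assumption: a hostname never legitimately contains these characters; their
# presence is what turns a domain-block entry into a command-injection attempt.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n\r]")
# Assumption: the real stack buffer size is not published, so use the RFC 1035
# hostname limit as a tunable threshold for the overflow case.
MAX_DOMAIN_LEN = 253


def inspect_request(method, url, body=""):
    """Return a list of reasons the request looks like an exploit attempt,
    or an empty list for benign traffic or for other paths."""
    parts = urlsplit(url)
    if parts.path != TARGET_PATH:
        return []
    # separator="&" keeps ';' inside values so it can be inspected rather
    # than being treated as a parameter delimiter.
    params = parse_qs(parts.query, keep_blank_values=True, separator="&")
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True, separator="&").items():
            params.setdefault(key, []).extend(values)
    findings = []
    for value in params.get(TARGET_PARAM, []):
        if SHELL_METACHARS.search(value):
            findings.append("shell metacharacters in %s: %r" % (TARGET_PARAM, value))
        if len(value) > MAX_DOMAIN_LEN:
            findings.append("%s length %d exceeds %d" % (TARGET_PARAM, len(value), MAX_DOMAIN_LEN))
    return findings


# Constructed sample traffic for the demo; these are not real captures.
SAMPLES = [
    ("POST", "/boaform/formDOMAINBLK", "blkDomain=ads.example.com&submit=Add"),
    ("POST", "/boaform/formDOMAINBLK", "blkDomain=x.com;telnetd+-l+/bin/sh&submit=Add"),
    ("POST", "/boaform/formDOMAINBLK", "blkDomain=" + "A" * 600),
    ("GET", "/boaform/formLogin", ""),
]


def scan(samples=SAMPLES):
    """Run every sample through inspect_request; returns (url, body prefix, findings)."""
    return [(url, body[:40], inspect_request(method, url, body)) for method, url, body in samples]


if __name__ == "__main__":
    for url, body, findings in scan():
        print(url, body, findings or "clean")
```

Run it against a proxy or web-server access log by feeding each request's path and body into inspect_request; a non-empty result on an internet-facing management interface is worth an alert regardless of whether the device is yet patched.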
Acer is addressing critical vulnerabilities in its Wave 7 routers, including CVE-2026-49200 and CVE-2026-49201. CVE-2026-49200 allows unauthenticated access to cleartext credentials in the acer_cgi.log file, while CVE-2026-49201 lets attackers decrypt, modify and re-encrypt system backups by exploiting a hardcoded AES key in the upload.cgi binary. Because the key is baked into the firmware, anyone with a copy of the image holds the key for every device, so a tampered backup can be restored to inject a persistent backdoor and gain unauthorized system access. BleepingComputer detailed these Acer router zero-days, noting the vendor's efforts to patch them.
Several WordPress themes and plugins are affected by critical vulnerabilities, including arbitrary file uploads and remote code execution. CVE-2024-58349 in the Travelscape theme allows unauthenticated attackers to upload malicious files, while CVE-2024-58348 in the Background Image Cropper plugin enables RCE via the ups.php endpoint. Additionally, CVE-2023-54352 in the Seotheme allows for arbitrary PHP code execution by uploading malicious files. These flaws pose a significant risk to WordPress sites relying on these components.
A supply-chain attack has been identified targeting the guardrails-ai Python package. CVE-2026-45758 covers version 0.10.1, published to PyPI on May 11, 2026, and any system that installed that release should be treated as potentially compromised. This highlights the ongoing risk that third-party dependencies pose in development workflows, and it is a case where a pin to the affected release, or an unpinned requirement that resolved to it during the exposure window, is the thing to hunt for.
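A concrete way to hunt for exposure is to scan requirements and lock files for the affected release. The Python below is an added example for this digest, not code from the guardrails-ai project or from PyPI: it normalises package names the way PyPI does, parses the common pip specifier operators, and flags any guardrails-ai line that is pinned to 0.10.1 or whose specifier would still admit it. The sample requirements text is constructed, and the version comparison is a simplified numeric one (an assumption that ignores pre-release tags).

```python
import re

# Package and version named on the page; everything else here is constructed.
MALICIOUS = {"guardrails-ai": "0.10.1"}

_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([^;#]*)")


def canon(name):
    """PEP 503 normalisation so guardrails_ai, Guardrails.AI and guardrails-ai match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def vtuple(version):
    """Simplified version key: numeric components only (assumption: no
    pre-release handling, which is fine for the x.y.z releases compared here)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def admits(spec, version):
    """True if a pip specifier string such as '>=0.9,<1.0', '==0.10.1' or ''
    allows `version` to be installed."""
    spec = spec.replace(" ", "")
    if not spec:
        return True  # unpinned: the resolver may pick the bad release
    v = vtuple(version)
    for clause in spec.split(","):
        m = re.match(r"^(===|==|!=|~=|>=|<=|>|<)([\w.*+!-]+)$", clause)
        if not m:
            return True  # unparsed clause: be conservative and flag it
        op, target = m.groups()
        if target.endswith(".*"):
            t = vtuple(target[:-2])
            prefix = v[: len(t)] == t
            ok = prefix if op == "==" else not prefix
        else:
            t = vtuple(target)
            ok = {
                "==": v == t, "===": v == t, "!=": v != t,
                ">=": v >= t, "<=": v <= t, ">": v > t, "<": v < t,
                # compatible release: >= target and same prefix up to last part
                "~=": v >= t and v[: len(t) - 1] == t[:-1],
            }[op]
        if not ok:
            return False
    return True


def check_requirements(text):
    """Scan requirements.txt / pip-freeze style text. Returns a list of
    (line_no, raw_line, verdict) for lines naming a package in MALICIOUS."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # comments, blanks, -r/-e options
            continue
        m = _REQ.match(line)
        if not m:
            continue
        name, _extras, spec = m.groups()
        bad = MALICIOUS.get(canon(name))
        if bad is None:
            continue
        if spec.replace(" ", "") == "==" + bad:
            hits.append((n, raw, "PINNED to malicious %s" % bad))
        elif admits(spec, bad):
            hits.append((n, raw, "specifier %r admits %s" % (spec.strip() or "<none>", bad)))
    return hits


# Constructed sample file; not a real project's requirements.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project file
requests==2.32.3
guardrails-ai==0.10.1          # exact malicious release
Guardrails_AI[sql]>=0.9,<1.0    # range that still admits 0.10.1
guardrails-ai==0.9.0
guardrails-ai
"""

if __name__ == "__main__":
    for line_no, raw, verdict in check_requirements(SAMPLE_REQUIREMENTS):
        print("line %d: %s  <- %s" % (line_no, raw.strip(), verdict))
```

A pinned hit means the release was almost certainly installed; a range or unpinned hit means it depends on when the environment was last resolved, so confirm with `pip show guardrails-ai` or the lock file's recorded version on each affected host.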
Critical vulnerabilities affecting ZKTeco products, including CVE-2016-20030, CVE-2016-20026, and CVE-2016-20024, have been disclosed. ZKBioSecurity 3.0 suffers from user enumeration and hardcoded credentials in its bundled Apache Tomcat server, potentially allowing unauthenticated access. ZKTime.Net 3.0.1.6 has insecure file permissions that could lead to privilege escalation. These issues collectively present a severe risk to organizations using ZKTeco's access control and time management systems.