PatchDay Alert

CVE-2026-41679

0 field notes · 1 digest · CVSS 10.0


Daily digests

An unauthenticated attacker can get full remote code execution on any network-reachable Paperclip instance running the default 'authenticated' mode config. No credentials, no user interaction: just 6 API calls and the target's address. CVSS 10.0, and the attack is trivially automatable, so expect scanners to pick this up fast.
