CVE-2026-41940
3 field notes · 0 digests
Field notes
Analysis · May 1, 2026 · The Commentary Desk
The same LDAP injection, in two firewalls, in the same month
OPNsense shipped a textbook LDAP filter injection that hid for eleven years. WatchGuard disclosed the same class of flaw weeks later. The pattern is no coincidence.
Analysis · May 1, 2026 · The Commentary Desk
Anthropic's MCP gives every downstream app unauthenticated RCE, and they called it expected behavior
The Model Context Protocol's STDIO transport passes user input directly into subprocess execution with no sanitization. OX Security found 14+ CVEs across the ecosystem. Anthropic declined to patch.
Analysis · Apr 30, 2026 · The Field Notes Desk
CVE-2026-41940 isn't just a cPanel bug. It's a design assumption that shipped for a decade.
A CRLF injection in cPanel's session writer gave attackers unauthenticated root in four requests. The fix landed. The architecture question hasn't. Updated May 4 with exploitation scale: 44,000+ hosts compromised, ransomware, botnet, and state-sponsored campaigns confirmed.