PatchDay Alert


CVE-2026-6886

0 field notes · 1 digest · CVSS 9.8


Daily digests

Borg SPM 2007 has an authentication bypass that lets any remote attacker log in as any user without credentials. CVSS 9.8. Combined with CVE-2026-6887 (SQL injection in the same product), this thing is completely wide open. No patch is coming because the product has been end-of-life since 2008.
