PatchDay Alert
APR 29, 2026 Subscribe →
Daily Digest By Colten Anderson

Paperclip CVSS 10.0 unauth RCE, plus a 9.9 in FunnelFormsPro and Froxlor

Six API calls and no credentials give attackers full control of default Paperclip installs. FunnelFormsPro (WordPress) and Froxlor both carry 9.9 code execution bugs, and Borg SPM 2007 has two 9.8s that will never be patched.

Patch now
4
Within 24h
1
This week
0
Exploited
0
WordPressCMS

Five fresh CVEs today, and the top one deserves your full attention. CVE-2026-41679 is an unauthenticated RCE in Paperclip scoring a perfect CVSS 10.0. No creds, no user interaction, just 6 API calls. It's not exploited in the wild yet, but the attack is trivially automatable, so expect scanners to light up fast. Below that: a WordPress plugin RCE, a Froxlor path traversal to code execution, and two CVSS 9.8s in a product that's been dead since 2008.

Today's CVEs

Sorted by urgency
01

CVE-2026-41679

NVD
10.0
CVSS
CRITICAL

An unauthenticated attacker can get full remote code execution on any network-reachable Paperclip instance running the default 'authenticated' mode config. No credentials, no user interaction: just 6 API calls and the target's address. CVSS 10.0, and the attack is trivially automatable, so expect scanners to pick this up fast.

Affected estate
Anyone running Paperclip (Node.js/React AI agent platform) versions prior to 2026.416.0, especially instances exposed to the internet
How to check
Check inventory, endpoint management, or the vendor console for affected product versions.
Action
Upgrade Paperclip to version 2026.416.0 right now. If you can't upgrade immediately, pull the instance off the network until you can.
Urgency
Patch immediately
Why it matters
An unauthenticated attacker can get full remote code execution on any network-reachable Paperclip instance running the default 'authenticated' mode config
Source
NVD
02

CVE-2026-39440

NVD
9.9
CVSS
CRITICAL
WordPressCMS

An attacker can inject and execute arbitrary code remotely through FunnelFormsPro, the WordPress plugin. This is a code injection bug with a CVSS of 9.9. All versions through 3.8.1 are vulnerable.

Affected estate
WordPress site owners and hosts running FunnelFormsPro plugin version 3.8.1 or earlier
How to check
Check inventory, endpoint management, or the vendor console for affected WordPress versions.
Action
Update FunnelFormsPro to the latest patched version above 3.8.1 immediately. If no patch is available yet, deactivate and remove the plugin until one ships.
Urgency
Patch immediately
Why it matters
An attacker can inject and execute arbitrary code remotely through FunnelFormsPro, the WordPress plugin
Source
NVD
03

CVE-2026-41228

NVD
9.9
CVSS
CRITICAL

An authenticated Froxlor customer (not just admins) can set their language preference to a path traversal payload. Froxlor then blindly passes that value into a PHP 'require' call on the next request, which lets the attacker execute arbitrary PHP code as the web server user. This requires a valid customer account and the ability to upload a file to a known path, but the exploitation itself is straightforward once those conditions are met. CVSS 9.9.

Affected estate
Anyone running Froxlor server management panel versions prior to 2.3.6
How to check
Check inventory, endpoint management, or the vendor console for affected product versions.
Action
Upgrade Froxlor to version 2.3.6. Review your customer accounts for any suspicious 'def_language' values in the database as a sign of prior exploitation.
Urgency
Patch within 24 hours
Why it matters
An authenticated Froxlor customer (not just admins) can set their language preference to a path traversal payload
Source
NVD
04

CVE-2026-6887

NVD
9.8
CVSS
CRITICAL

Borg SPM 2007 has an unauthenticated SQL injection bug that lets a remote attacker read, modify, or delete anything in the database. No credentials needed. CVSS 9.8. This product's sales ended in 2008, so there will be no patch.

Affected estate
Anyone still running Borg SPM 2007 by BorG Technology Corporation
How to check
Check inventory, endpoint management, or the vendor console for affected product versions.
Action
Take Borg SPM 2007 offline permanently. This product is end-of-life since 2008 and will not receive a fix. Migrate to a supported alternative.
Urgency
Patch immediately
Why it matters
Borg SPM 2007 has an unauthenticated SQL injection bug that lets a remote attacker read, modify, or delete anything in the database
Source
NVD
05

CVE-2026-6886

NVD
9.8
CVSS
CRITICAL

Borg SPM 2007 has an authentication bypass that lets any remote attacker log in as any user without credentials. CVSS 9.8. Combined with CVE-2026-6887 (SQL injection in the same product), this thing is completely wide open. No patch is coming since the product has been end-of-life since 2008.

Affected estate
Anyone still running Borg SPM 2007 by BorG Technology Corporation
How to check
Check inventory, endpoint management, or the vendor console for affected product versions.
Action
Decommission Borg SPM 2007 immediately. No fix will be released for this end-of-life product. If you absolutely cannot shut it down today, block all external access to it at the firewall level as a stopgap.
Urgency
Patch immediately
Why it matters
Borg SPM 2007 has an authentication bypass that lets any remote attacker log in as any user without credentials
Source
NVD