PatchDay Alert
APR 29, 2026
Daily Digest By Colten Anderson

5 bugs at CVSS 9.8: Apache MINA's filter bypassed twice, WordPress plugin to admin in one click

Two deserialization bypasses in Apache MINA let attackers slip past the allowlist for RCE, a WordPress privilege escalation hands out admin roles, and a pair of Totolink router command injections have public exploits. All 9.8, none exploited in the wild yet.

Patch now: 5 | Within 24h: 0 | This week: 0 | Exploited: 0
Router, Network Appliance, WordPress, CMS, Apache MINA, Java

Five CVEs today. All scored 9.8. None exploited in the wild yet, but public exploits already exist for the Totolink router bugs, and the two Apache MINA deserialization bypasses are the kind of thing that gets weaponized fast. If you run MINA with IoBuffer.getObject() in your stack, that's your priority.


Today's CVEs

Sorted by urgency
02  CVE-2026-7121
NVD | CVSS 9.8 | CRITICAL
Router, Network Appliance

Same router, different function. The wizard configuration handler on the Totolink A8000RU also accepts unsanitized input, letting a remote attacker inject arbitrary OS commands. A public exploit is available. CVSS 9.8.

Affected estate
Anyone running a Totolink A8000RU with firmware 7.1cu.643_b20200521
How to check
Check inventory, endpoint management, or the vendor console for affected router firmware versions.
Action
Apply the latest Totolink firmware. If none is available, isolate the router from the internet and disable remote management until a fix ships.
Urgency
Patch immediately
Why it matters
Same router, different function
Source
NVD
03  CVE-2026-22337
NVD | CVSS 9.8 | CRITICAL
WordPress, CMS

The Directorist Social Login plugin for WordPress has a privilege escalation bug that lets an attacker promote themselves to a higher role, potentially full admin. No special access is required. CVSS 9.8.

Affected estate
WordPress site owners running the Directorist Social Login plugin before version 2.1.4
How to check
Check inventory, endpoint management, or the WordPress plugins screen for affected plugin versions.
Action
Update the Directorist Social Login plugin to version 2.1.4 or later through the WordPress dashboard right now.
Urgency
Patch immediately
Why it matters
The Directorist Social Login plugin for WordPress has a privilege escalation bug that lets an attacker promote themselves to a higher role, potentially full admin
Source
NVD
04  CVE-2026-41409
NVD | CVSS 9.8 | CRITICAL
Apache MINA, Java

The earlier fix for CVE-2024-52046 in Apache MINA was incomplete. The classname allowlist that's supposed to block dangerous deserialization kicks in too late: a malicious class's static initializer can run before the filter ever checks it. If your app calls IoBuffer.getObject(), a remote attacker can execute arbitrary code. CVSS 9.8.

Affected estate
Java developers and teams running applications that use Apache MINA 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, or 2.2.0 through 2.2.5, specifically if the app calls IoBuffer.getObject()
How to check
Check inventory, endpoint management, or the vendor console for affected Apache MINA versions.
Action
Upgrade Apache MINA to 2.0.28, 2.1.11, or 2.2.6 depending on your branch.
Urgency
Patch immediately
Why it matters
The earlier fix for CVE-2024-52046 in Apache MINA was incomplete
Source
NVD
05  CVE-2026-41635
NVD | CVSS 9.8 | CRITICAL
Apache MINA, Java

Another deserialization bypass in Apache MINA. The resolveClass() method has a code path for static classes and primitives that skips the allowlist entirely, letting an attacker sneak arbitrary classes past the filter and get remote code execution. This is a separate bypass from CVE-2026-41409, fixed in the same release. CVSS 9.8.
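Both MINA entries come down to ordering and coverage: an allowlist that is consulted only after a class has already been resolved, and a resolution path (static classes and primitives) that never consults it at all. The following is an added example, not Apache MINA's code and not the project's fix: a hypothetical allowlisting ObjectInputStream in which the name check runs before super.resolveClass() for every descriptor, primitives are handled as a closed set instead of a skip path, and the dynamic-proxy resolution path is checked as well. The Ping class, the allowlist contents and the sample payloads are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Set;

/** Hypothetical allowlisting ObjectInputStream for illustration; not Apache MINA's code. */
public final class AllowlistObjectInputStream extends ObjectInputStream {

    // JVM descriptor codes for primitive array element types: a closed set, nothing attacker-chosen.
    private static final String PRIMITIVE_CODES = "ZBCSIJFD";
    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    /** Reduces a stream class name to the class it would load, or null if only primitives are involved. */
    static String elementClassName(String name) {
        int dims = 0;
        while (dims < name.length() && name.charAt(dims) == '[') dims++;   // strip array dimensions
        String base = name.substring(dims);
        if (dims == 0) return base;                                         // plain class name
        if (base.length() == 1 && PRIMITIVE_CODES.indexOf(base.charAt(0)) >= 0) return null; // int[], byte[][]
        if (base.startsWith("L") && base.endsWith(";")) return base.substring(1, base.length() - 1);
        throw new IllegalArgumentException("malformed array descriptor: " + name);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // The allowlist decision is made BEFORE super.resolveClass(), i.e. before any
        // Class.forName for this name, so a rejected class is never loaded, let alone initialised.
        String element = elementClassName(desc.getName());
        if (element != null && !allowed.contains(element)) {
            throw new InvalidClassException(desc.getName(), "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        // Proxies are resolved on a separate path; leaving it unchecked would be another skip path.
        for (String iface : interfaces) {
            if (!allowed.contains(iface)) throw new InvalidClassException(iface, "proxy interface not on allowlist");
        }
        return super.resolveProxyClass(interfaces);
    }

    // --- demo types and helpers (constructed for this example) ---
    static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final int seq;
        Ping(int seq) { this.seq = seq; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (AllowlistObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(Ping.class.getName());
        System.out.println("accepted Ping seq=" + ((Ping) deserialize(serialize(new Ping(7)), allowed)).seq);
        System.out.println("accepted int[] length=" + ((int[]) deserialize(serialize(new int[] {1, 2, 3}), allowed)).length);
        try {
            deserialize(serialize(new ArrayList<>()), allowed);      // not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac AllowlistObjectInputStream.java && java AllowlistObjectInputStream`: the Ping payload and the primitive int[] payload are accepted, the ArrayList payload is rejected in resolveClass before the JDK resolves the class. The design point is that every name read from the stream reaches exactly one decision, and the only names that bypass the allowlist lookup are single-character primitive codes that cannot name a loadable class.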

Affected estate
Java developers and teams running applications that use Apache MINA 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, or 2.2.0 through 2.2.5, specifically if the app calls IoBuffer.getObject()
How to check
Check inventory, endpoint management, or the vendor console for affected Apache MINA versions.
Action
Upgrade Apache MINA to 2.0.28, 2.1.11, or 2.2.6 depending on your branch. This single upgrade covers both CVE-2026-41409 and this bug.
Urgency
Patch immediately
Why it matters
Another deserialization bypass in Apache MINA
Source
NVD
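The affected-estate and how-to-check entries for the two MINA CVEs above give version ranges but leave the check itself to "inventory". As an added example, not from Apache MINA or NVD, here is a hypothetical helper that scans `mvn dependency:list` output for resolved mina-core coordinates and maps each version onto the ranges and fixed releases stated above. The sample build-log lines are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper, not Apache MINA's code: flags mina-core versions in the affected ranges listed above. */
public final class MinaVersionCheck {

    /** One release branch: its minor number, the last affected patch level and the fixed release. */
    private record Branch(int minor, int lastAffectedPatch, String fixed) {}

    // Ranges and fixed versions exactly as stated in the advisory text above.
    private static final List<Branch> BRANCHES = List.of(
            new Branch(0, 27, "2.0.28"),
            new Branch(1, 10, "2.1.11"),
            new Branch(2, 5, "2.2.6"));

    // Matches a resolved mina-core coordinate as printed by `mvn dependency:list`.
    private static final Pattern MINA_CORE =
            Pattern.compile("org\\.apache\\.mina:mina-core:jar:([^:\\s]+):\\w+");

    /** Returns the release to upgrade to if {@code version} falls in an affected range, otherwise empty. */
    static Optional<String> upgradeTarget(String version) {
        String[] parts = version.split("[.-]");
        if (parts.length < 3) return Optional.empty();
        int major, minor, patch;
        try {
            major = Integer.parseInt(parts[0]);
            minor = Integer.parseInt(parts[1]);
            patch = Integer.parseInt(parts[2]);
        } catch (NumberFormatException e) {
            return Optional.empty();   // not a plain x.y.z version; inspect by hand
        }
        if (major != 2) return Optional.empty();
        for (Branch b : BRANCHES) {
            if (b.minor() == minor) {
                return patch <= b.lastAffectedPatch() ? Optional.of(b.fixed()) : Optional.empty();
            }
        }
        return Optional.empty();       // branch not listed in the advisory
    }

    /** Scans dependency-list output and returns one finding per affected mina-core coordinate. */
    static List<String> findings(List<String> mvnOutput) {
        List<String> out = new ArrayList<>();
        for (String line : mvnOutput) {
            Matcher m = MINA_CORE.matcher(line);
            if (!m.find()) continue;
            String version = m.group(1);
            upgradeTarget(version).ifPresent(fixed ->
                    out.add("mina-core " + version + " is affected; upgrade to " + fixed));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample of `mvn dependency:list` output, not a real build log.
        List<String> sample = List.of(
                "[INFO] The following files have been resolved:",
                "[INFO]    org.apache.mina:mina-core:jar:2.2.3:compile",
                "[INFO]    org.slf4j:slf4j-api:jar:2.0.9:compile",
                "[INFO]    org.apache.mina:mina-core:jar:2.0.28:compile");
        findings(sample).forEach(System.out::println);
    }
}
```

Run it against the saved output of `mvn dependency:list` for each module; only the 2.2.3 line in the sample produces a finding, since 2.0.28 is the fixed release for its branch. Because the advisory scopes both bugs to applications that call IoBuffer.getObject(), pair a version hit with a source search for that call before deciding how urgently to schedule the upgrade.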