Daily Digest April 27, 2026 · 2 min read · 5 CVEs · Issue 05 By PatchDay Alert

5 bugs at CVSS 9.8: Apache MINA's filter bypassed twice, WordPress plugin to admin in one click

Two deserialization bypasses in Apache MINA let attackers slip past the allowlist for RCE, a WordPress privilege escalation hands out admin roles, and a pair of Totolink router command injections have public exploits. All 9.8, none exploited in the wild yet.

Patch now

Within 24h

This week

Exploited

Five CVEs today. All scored 9.8. None exploited in the wild yet, but public exploits already exist for the Totolink router bugs, and the two Apache MINA deserialization bypasses are the kind of thing that gets weaponized fast. If you run MINA with IoBuffer.getObject() in your stack, that's your priority.

Today's CVEs

Sorted by urgency

Search by CVE Vendor/Product Platform Urgency Exploited Fix status

CVE-2026-7122

NVD

9.8

CVSS

Patch now CRITICAL

An attacker can inject OS commands remotely through the UPnP configuration handler on Totolink A8000RU routers running firmware 7.1cu.643_b20200521. No authentication is needed, and a public exploit already exists. CVSS 9.8, so this is full remote takeover of the device.

Included because: prioritization factors: exploitation, exposure, prevalence, patch quality, and blast radius
Affected estate: Anyone running a Totolink A8000RU with firmware 7.1cu.643_b20200521
How to check: Check inventory, endpoint management, or the vendor console for affected Router versions.
Action: Update the A8000RU firmware to the latest available version from Totolink. If no patch exists yet, pull the device off the public internet and block remote access to the CGI interface.
Urgency: Patch immediately
Why it matters: An attacker can inject OS commands remotely through the UPnP configuration handler on Totolink A8000RU routers running firmware 7
Source: NVD

Evidence trail

NVD: View source

CVE-2026-7121

NVD

9.8

CVSS

Patch now CRITICAL

Same router, different function. The wizard configuration handler on the Totolink A8000RU also accepts unsanitized input, letting a remote attacker inject arbitrary OS commands. A public exploit is available. CVSS 9.8.

Included because: prioritization factors: exploitation, exposure, prevalence, patch quality, and blast radius
Affected estate: Anyone running a Totolink A8000RU with firmware 7.1cu.643_b20200521
How to check: Check inventory, endpoint management, or the vendor console for affected Router versions.
Action: Apply the latest Totolink firmware. If none is available, isolate the router from the internet and disable remote management until a fix ships.
Urgency: Patch immediately
Why it matters: Same router, different function
Source: NVD

Evidence trail

NVD: View source

CVE-2026-22337

NVD

9.8

CVSS

Patch now CRITICAL

The Directorist Social Login plugin for WordPress has a privilege escalation bug that lets an attacker promote themselves to a higher role, potentially full admin. No special access is required. CVSS 9.8.

Included because: prioritization factors: exploitation, exposure, prevalence, patch quality, and blast radius
Affected estate: WordPress site owners running the Directorist Social Login plugin before version 2.1.4
How to check: Check inventory, endpoint management, or the vendor console for affected WordPress versions.
Action: Update the Directorist Social Login plugin to version 2.1.4 or later through the WordPress dashboard right now.
Urgency: Patch immediately
Why it matters: The Directorist Social Login plugin for WordPress has a privilege escalation bug that lets an attacker promote themselves to a higher role, potentially full admin
Source: NVD

Evidence trail

NVD: View source

CVE-2026-41409

NVD

9.8

CVSS

Patch now CRITICAL

The earlier fix for CVE-2024-52046 in Apache MINA was incomplete. The classname allowlist that's supposed to block dangerous deserialization kicks in too late: a malicious class's static initializer can run before the filter ever checks it. If your app calls IoBuffer.getObject(), a remote attacker can execute arbitrary code. CVSS 9.8.

Included because: prioritization factors: exploitation, exposure, prevalence, patch quality, and blast radius
Affected estate: Java developers and teams running applications that use Apache MINA 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, or 2.2.0 through 2.2.5, specifically if the app calls IoBuffer.getObject()
How to check: Check inventory, endpoint management, or the vendor console for affected Apache MINA versions.
Action: Upgrade Apache MINA to 2.0.28, 2.1.11, or 2.2.6 depending on your branch.
Urgency: Patch immediately
Why it matters: The earlier fix for CVE-2024-52046 in Apache MINA was incomplete
Source: NVD

Evidence trail

NVD: View source

CVE-2026-41635

NVD

9.8

CVSS

Patch now CRITICAL

Another deserialization bypass in Apache MINA. The resolveClass() method has a code path for static classes and primitives that skips the allowlist entirely, letting an attacker sneak arbitrary classes past the filter and get remote code execution. This is a separate bypass from CVE-2026-41409, fixed in the same release. CVSS 9.8.

Included because: prioritization factors: exploitation, exposure, prevalence, patch quality, and blast radius
Affected estate: Java developers and teams running applications that use Apache MINA 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, or 2.2.0 through 2.2.5, specifically if the app calls IoBuffer.getObject()
How to check: Check inventory, endpoint management, or the vendor console for affected Apache MINA versions.
Action: Upgrade Apache MINA to 2.0.28, 2.1.11, or 2.2.6 depending on your branch. This single upgrade covers both CVE-2026-41409 and this bug.
Urgency: Patch immediately
Why it matters: Another deserialization bypass in Apache MINA
Source: NVD

Evidence trail

NVD: View source

One email, every weekday morning.

From the field notes

A crash got a federal patch deadline. Here's why that's the right call

From this beat

Read the rest of the field notes →