Daily CVE digests and sysadmin security guides.https://patchdayalert.com/en-ushttps://patchdayalert.com/digest/2026-04-29/https://patchdayalert.com/digest/2026-04-29/Two Chrome use-after-free bugs (CVE-2026-7343 + CVE-2026-7341, both CVSS 9.8) chain renderer compromise to full sandbox escape on Windows. Snap One WattBox 800/820 PDUs authenticate diagnostics endpoints with the MAC address printed on the label. Apache Pony Mail (Lua) has a 9.8 account takeover with no fix coming because the project is retired.Wed, 29 Apr 2026 11:00:00 GMThttps://patchdayalert.com/digest/2026-04-28/https://patchdayalert.com/digest/2026-04-28/Four public command injection exploits hit the Totolink A8000RU and one buffer overflow nails the D-Link DI-8100. All CVSS 9.8, all pre-auth, all with public exploit code. If either device is in your stack, pull it off the internet now.Tue, 28 Apr 2026 11:00:00 GMThttps://patchdayalert.com/blog/patching-the-whole-mess/https://patchdayalert.com/blog/patching-the-whole-mess/Patching isn't Windows Updates anymore. A tour of the six surfaces a real shop patches every week.Tue, 28 Apr 2026 11:00:00 GMThttps://patchdayalert.com/blog/patch-now-patch-later-ignore-for-now/https://patchdayalert.com/blog/patch-now-patch-later-ignore-for-now/A three-bucket triage model for sysadmins who don't own a vulnerability scanner and aren't going to buy one.Tue, 28 Apr 2026 10:00:00 GMThttps://patchdayalert.com/blog/why-most-patch-summaries-fail-operators/https://patchdayalert.com/blog/why-most-patch-summaries-fail-operators/Vendor advisories are written for completeness. They're not written for the operator triaging a CISA KEV ticket before lunch.Tue, 28 Apr 2026 09:00:00 GMThttps://patchdayalert.com/digest/2026-04-27/https://patchdayalert.com/digest/2026-04-27/Two deserialization bypasses in Apache MINA let attackers slip past the allowlist for RCE, a WordPress privilege escalation hands out admin roles, and a pair of Totolink router command injections have public exploits. All 9.8, none exploited in the wild yet.Mon, 27 Apr 2026 11:00:00 GMThttps://patchdayalert.com/digest/2026-04-24/https://patchdayalert.com/digest/2026-04-24/Microsoft Entra ID Entitlement Management has a CVSS 10.0 SSRF that needs no login, and Bing has a CVSS 10.0 deserialization RCE in the same boat. Hackage-server adds two 9.9 stored XSS bugs, plus a 9.8 crasher in Delta Electronics NAS gear.Fri, 24 Apr 2026 11:00:00 GMThttps://patchdayalert.com/digest/2026-04-23/https://patchdayalert.com/digest/2026-04-23/Six API calls and no credentials give attackers full control of default Paperclip installs. FunnelFormsPro (WordPress) and Froxlor both carry 9.9 code execution bugs, and Borg SPM 2007 has two 9.8s that will never be patched.Thu, 23 Apr 2026 11:00:00 GMThttps://patchdayalert.com/digest/2026-04-22/https://patchdayalert.com/digest/2026-04-22/A perfect-score stored XSS in AVideo's YPTSocket hits all connected browsers instantly. Also: Flowise command injection (9.9), ElectricSQL SQL injection that gives full PostgreSQL read/write (9.9), an unauth WordPress SMTP hijack via Sendmachine (9.8), and a Firefox DOM security bypass (9.8).Wed, 22 Apr 2026 11:00:00 GMThttps://patchdayalert.com/digest/2026-04-21/https://patchdayalert.com/digest/2026-04-21/Two Spinnaker RCEs (CVE-2026-32613, CVE-2026-32604) let attackers run code through pipeline expressions and gitrepo artifact injection. A 9.9 OpenClaw sandbox escape (CVE-2026-41329) bypasses privilege boundaries. Perl's Storable and Net::Dropbear round out the list with legacy crypto and deserialization bugs, both CVSS 10.0. None are exploited in the wild yet.Tue, 21 Apr 2026 11:00:00 GMT