MSP Threat Radar Weekly Briefing — Week of 2026-04-20
This week’s briefing tracks 12 recent watch items across 2 vendors, with emphasis on active service incidents and high-priority operational issues.
Top items
NVD watch item CVE-2026-6846
- Vendor: NVD
- Published: 2026-04-22
- Status: watch
- Source: nvd
- Official advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-6846
A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.
Review the official advisory, map affected products against managed client environments, and determine whether patching or temporary mitigation is required.
NVD watch item CVE-2026-6235
- Vendor: NVD
- Published: 2026-04-22
- Status: watch
- Source: nvd
- Official advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-6235
The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the 'manage_admin_requests' function in all versions up to, and including, 1.0.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the plugin's SMTP configuration, which can be leveraged to intercept all outbound emails from the site (including password reset emails).
Review the official advisory, map affected products against managed client environments, and determine whether patching or temporary mitigation is required.
NVD watch item CVE-2026-4132
- Vendor: NVD
- Published: 2026-04-22
- Status: watch
- Source: nvd
- Official advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-4132
The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading to Remote Code Execution in all versions up to and including 1.19.2. This is due to insufficient validation of the file path stored in the 'hh_htpasswd_path' option and lack of sanitization on the 'hh_www_authenticate_user' option value. The plugin allows administrators to set an arbitrary file path for the htpasswd file location and does not validate that the path has a safe file extension (e.g., restricting to .htpasswd). Additionally, the username field used for HTTP Basic Authentication is written directly into the file without sanitization. The apache_auth_credentials() function constructs the file content using the unsanitized username via sprintf('%s:{SHA}%s', $user, ...), and update_auth_credentials() writes this content to the attacker-controlled path via file_put_contents(). This makes it possible for authenticated attackers, with Administrator-level access and above, to write arbitrary content (including PHP code) to arbitrary file paths on the server, effectively achieving Remote Code Execution.
Review the official advisory, map affected products against managed client environments, and determine whether patching or temporary mitigation is required.
NVD watch item CVE-2026-4119
- Vendor: NVD
- Published: 2026-04-22
- Status: watch
- Source: nvd
- Official advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-4119
The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation.
Review the official advisory, map affected products against managed client environments, and determine whether patching or temporary mitigation is required.
Zone Activation Delays
- Vendor: Cloudflare
- Published: 2026-04-22
- Status: identified
- Source: cloudflare-status
- Official advisory: https://stspg.io/7npv1q05wy5d
Cloudflare is experiencing delays in activating customer sites. This does not impact existing active sites already in production. We are working to understand the full impact and mitigate this problem. More updates to follow shortly.
Check Cloudflare-dependent workflows, notify affected clients if service disruption persists, and review workaround guidance from the official incident page.
