The lens
What matters in patching today.
Plain-English summaries. Real urgency. Exploited-in-the-wild first. A weekday newsletter for sysadmins and IT operators: the CVEs that actually affect your estate, translated out of security jargon, with a one-line verdict per item.
Written by Colten Anderson, a working sysadmin manager responsible for real patching, endpoint, and infrastructure operations. Built for teams who have to turn security tickets into action.
What matters today
- Patch (Chrome): Update Chrome to 147.0.7727.138 or later on all Windows endpoints. Covers 2 CVEs.
- Check exposure (Apache Pony Mail): Take your Pony Mail instance offline or restrict access to trusted users immediately.
- Check exposure (WattBox): Update WattBox firmware to 2.10.0.0 or later.
- Schedule (Linux Kernel): Apply the updated kernel package for your distro and reboot.
CVE-2026-7343: A use-after-free bug in Chrome's Views component on Windows lets an attacker who already controls the renderer process break out of the sandbox.
That's the escalation path from "running code in Chrome's jail" to "running code on the host." CVSS 9
CVE-2026-7341: A use-after-free in Chrome's WebRTC stack lets an attacker run arbitrary code inside the browser sandbox by getting a user to visit a malicious page.
The sandbox limits the blast radius, but this still gives an attacker a foothold, and it pairs nicely with CVE-2026-7343 above for a full escape. CVSS 9
CVE-2026-41873: The Lua version of Apache Pony Mail has an HTTP request smuggling bug that lets an attacker take over admin accounts.
Here's the catch: the project is retired and there will be no fix. The replacement ("Pony Mail Foal," written in Python) isn't affected, but it also isn't officially released yet.
CVE-2026-41446: Snap One WattBox 800 and 820 series power distribution units have hidden diagnostic HTTP endpoints that "authenticate" using only the device's MAC address and service tag.
Both values are printed on the physical label. Anyone who can read the sticker (or a photo of it) gets root command execution on the device.
CVE-2026-31669: A use-after-free in the Linux kernel's MPTCP connection lookup code can be triggered over the network.
The CVSS is 9.8, but the EPSS score is very low (0
Get tomorrow's call
Same format every weekday: what to patch, what to isolate, what can wait.
Analysis
Featured field note
What patching looks like when you support the whole mess: endpoints, M365, identity, browsers, VPN, and line-of-business tools
Patching isn't Windows Updates anymore. A tour of the six surfaces a real shop patches every week.
The archive
Recent digests
Chrome sandbox escape chain, a WattBox sticker-to-root bug, and a dead Apache project
Two Chrome use-after-free bugs (CVE-2026-7343 + CVE-2026-7341, both CVSS 9.8) chain renderer compromise to full sandbox escape on Windows. Snap One WattBox 800/820 PDUs authenticate diagnostics endpoints with the MAC address printed on the label. Apache Pony Mail (Lua) has a 9.8 account takeover with no fix coming because the project is retired.
Five 9.8s on SOHO routers: Totolink and D-Link firmware is Swiss cheese
Four public command injection exploits hit the Totolink A8000RU and one buffer overflow nails the D-Link DI-8100. All CVSS 9.8, all pre-auth, all with public exploit code. If either device is in your stack, pull it off the internet now.
5 bugs at CVSS 9.8: Apache MINA's filter bypassed twice, WordPress plugin to admin in one click
Two deserialization bypasses in Apache MINA let attackers slip past the allowlist for RCE, a WordPress privilege escalation hands out admin roles, and a pair of Totolink router command injections have public exploits. All 9.8, none exploited in the wild yet.
Two perfect 10s: Entra ID SSRF and Bing RCE, both unauth, both wide open
Microsoft Entra ID Entitlement Management has a CVSS 10.0 SSRF that needs no login, and Bing has a CVSS 10.0 deserialization RCE in the same boat. Hackage-server adds two 9.9 stored XSS bugs, plus a 9.8 crasher in Delta Electronics NAS gear.
Paperclip CVSS 10.0 unauth RCE, plus a 9.9 in FunnelFormsPro and Froxlor
Six API calls and no credentials give attackers full control of default Paperclip installs. FunnelFormsPro (WordPress) and Froxlor both carry 9.9 code execution bugs, and Borg SPM 2007 has two 9.8s that will never be patched.
AVideo CVSS 10: one WebSocket message owns every viewer, no click needed
A perfect-score stored XSS in AVideo's YPTSocket hits all connected browsers instantly. Also: Flowise command injection (9.9), ElectricSQL SQL injection that gives full PostgreSQL read/write (9.9), an unauth WordPress SMTP hijack via Sendmachine (9.8), and a Firefox DOM security bypass (9.8).
The newsletter
Get weekday patch triage in your inbox.
One email. Every weekday, 11:00 UTC. Roughly four minutes to read. Written by a working sysadmin: if it isn't actionable before standup, it isn't in it.
- Plain-English CVE summaries. No CVSS-worship.
- One-line urgency per item: today, this week, or skip.
- Exploited-in-the-wild flagged before anything else.
- Patch Tuesday gets its own longer edition.