2026-04-23 8 min read

The Patch List Nobody Wants to Read on a Wednesday

The Plumb Line

24 hours ending 2026-04-23T12:00:00 UTC

Three things happened in the last 24 hours that belong in the same paragraph even though no one is writing them that way. CISA added a remote-code-execution flaw in Marimo — an AI notebook platform — to its Known Exploited Vulnerabilities catalog with a patch deadline of May 7. The NVD published 30 new CVEs in the same window, three of them scoring a perfect 10.0. And Russia successfully placed an unknown payload into sun-synchronous orbit from Plesetsk while the rest of the world was watching the vulnerability feeds. Cyber, sanctions, and orbital activity all moved in the same window.

Start with the cyber stack, because it's the most immediately actionable. The Marimo KEV addition is the one that carries a government deadline: federal agencies must patch by May 7, but the "must" is contagious for any enterprise running AI development infrastructure. Marimo is notebook software that touches model pipelines; a remote code execution bug in that environment is not an edge case. The three perfect-10 CVEs cover Paperclip (an AI agent orchestration server where an unauthenticated attacker gets full RCE on any network-accessible instance), Luanti's modding sandbox (a malicious mod escapes the Lua environment entirely), and Vite+ (path traversal through an untrusted version string in a package manager). None of these need a foothold. A 10.0 base score under CVSS v3.1 is not a vague superlative; it is reserved for one specific vector: reachable over the network, low attack complexity, no privileges, no user interaction, a scope change into a component beyond the vulnerable one, and high impact on confidentiality, integrity and availability at once. Drop only the scope change and the same bug scores 9.8, which is where most of the rest of this list sits.

The two Rclone vulnerabilities (CVE-2026-41176 and CVE-2026-41179, both 9.8) are worth flagging separately for operators who use Rclone for cloud-storage sync. Two remote-control (RC) calls, `options/set` and `operations/fsinfo`, are registered without `AuthRequired: true`, so they are served without authentication: anyone who can reach the port can mutate global runtime configuration or read filesystem metadata. The RC server only runs when rclone is started with `--rc` or as `rclone rcd`, and it binds to localhost:5572 by default, so the exposed deployment is the one where someone pointed `--rc-addr` at a non-loopback address and never configured `--rc-user`/`--rc-pass`. If that describes your Rclone RC port and it is internet-facing, it has been exploitable since version 1.48.0.
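The check a practitioner would want here is a sweep of running rclone command lines for exactly that combination. The following is an added example written for this digest, not rclone project code: it encodes the exposure condition just described (RC enabled, non-loopback bind, no credentials) and assumes that `--rc-user`/`--rc-htpasswd` count as credentials configured and `--rc-no-auth` as credentials explicitly disabled. The flag names and the localhost:5572 default are rclone's own; the command lines in `SAMPLE_CMDLINES` are constructed.

```python
"""Audit rclone command lines for an exposed remote-control (RC) server.

Added example for this digest, not rclone project code. It encodes the
exposure condition described above: RC enabled (--rc or the rcd subcommand),
listening on a non-loopback address, and no credentials configured, so the
calls registered without AuthRequired answer anyone who can reach the port.
Assumption: --rc-user/--rc-htpasswd mean credentials are configured and
--rc-no-auth means they are explicitly off. Flag names and the localhost:5572
default bind are rclone's own; the sample command lines are constructed.
"""
import shlex
from dataclasses import dataclass

DEFAULT_RC_ADDR = "localhost:5572"
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}
VALUE_FLAGS = {"rc-addr", "rc-user", "rc-pass", "rc-htpasswd"}  # flags that take an argument


@dataclass
class RcFinding:
    cmdline: str
    rc_enabled: bool
    addr: str
    loopback_only: bool
    credentials: bool
    no_auth: bool

    @property
    def exposed(self) -> bool:
        """Reachable from off-host and nothing gates the unauthenticated calls."""
        return self.rc_enabled and not self.loopback_only and (self.no_auth or not self.credentials)


def parse_flags(argv: list) -> dict:
    """Collect --flag=value, --flag value (for VALUE_FLAGS) and bare --flag tokens."""
    flags = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            name, sep, val = tok[2:].partition("=")
            if sep:
                flags[name] = val
            elif name in VALUE_FLAGS and i + 1 < len(argv):
                flags[name] = argv[i + 1]
                i += 1
            else:
                flags[name] = True
        i += 1
    return flags


def addr_host(addr: str) -> str:
    """Host part of an rclone --rc-addr value; '' means every interface."""
    if addr.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:5572
        return addr[: addr.index("]") + 1]
    if ":" not in addr:                      # bare host, port defaulted
        return addr
    return addr.rpartition(":")[0]           # ':5572' -> '' (all interfaces)


def audit(cmdline: str) -> RcFinding:
    argv = shlex.split(cmdline)
    flags = parse_flags(argv)
    rc_enabled = flags.get("rc") is True or "rcd" in argv
    addr = flags.get("rc-addr", DEFAULT_RC_ADDR)
    return RcFinding(
        cmdline=cmdline,
        rc_enabled=rc_enabled,
        addr=addr,
        loopback_only=addr_host(addr) in LOOPBACK_HOSTS,
        credentials=any(k in flags for k in ("rc-user", "rc-htpasswd")),
        no_auth="rc-no-auth" in flags,
    )


def exposed_commands(cmdlines: list) -> list:
    """Return the command lines whose RC server is reachable without authentication."""
    return [c for c in cmdlines if audit(c).exposed]


# Constructed sample: what a `ps -eo args` sweep across a fleet might return.
SAMPLE_CMDLINES = [
    "rclone sync /data s3:backups --rc",                                    # default loopback bind
    "rclone rcd --rc-addr=0.0.0.0:5572",                                    # all interfaces, no creds
    "rclone mount gdrive: /mnt/g --rc --rc-addr :5572 --rc-user ops --rc-pass s3cret",
    "rclone rcd --rc-addr [::]:5572 --rc-no-auth",                          # auth explicitly off
    "rclone serve sftp s3:share --addr 0.0.0.0:2022",                       # no RC server at all
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        f = audit(c)
        print(("EXPOSED " if f.exposed else "ok      ") + f.addr.ljust(16) + c)
```

Feed it real `ps -eo args` output or systemd unit `ExecStart` lines; the second and fourth sample lines come back flagged, the loopback-bound and credentialed ones do not. The credentialed case is still worth upgrading, since the check only encodes the exposure condition the advisories describe, not a promise that basic auth is a complete mitigation.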


The Patch List Nobody Wants to Read on a Wednesday

The Linux kernel drew six new critical CVEs this window, all in the 9.4–9.8 range: two in ksmbd (a use-after-free in oplock handling and a buffer-handling bug), one in dmaengine/idxd descriptor completion (wrong descriptor returned), one in iomap folio access, an ext4 infinite loop on mkdir/mknod, and a net/icssg-prueth use-after-free in the RX path. Two more kernel entries landed at 8.8: the ext4 jinode publication race and a netfs read-abandonment bug. If your kernels predate the fixes for this batch, the ksmbd bugs are the most urgent: ksmbd is the in-kernel SMB server, and a use-after-free in oplock handling on a file server is the kind of primitive that ransomware operators pay for. The exposure is limited to hosts that actually load the module (`lsmod | grep ksmbd`, or `CONFIG_SMB_SERVER` in the running kernel config); user-space Samba servers are not affected by these two.

Froxlor, the open-source server administration panel, gets two entries: CVE-2026-41228 (9.9, language parameter injection via the Customers.update API) and CVE-2026-41229 (9.1, PHP string literal injection via parseArrayToString). Both are fixed in version 2.3.6. If you manage shared hosting infrastructure on Froxlor, the upgrade is not optional.

30 new CVEs published in 24 hours, including three perfect 10.0 scores and six Linux kernel criticals. The patch queue is not getting shorter.

Rocket.Chat users should note CVE-2026-29198: a NoSQL injection enabling account takeover of the first user with a generated OAuth token, affecting versions all the way back to 7.10.x. The fix requires upgrading to 8.3.0, 8.2.1, 8.1.2, 8.0.3, or the corresponding 7.x maintenance releases. Rocket.Chat is common in self-hosted enterprise and government environments precisely because it's not Slack — which means it's often less patched.


Three Rockets, One Unknown Payload

SpaceX launched Starlink Group 17-14 from Vandenberg at 03:23 UTC on a Falcon 9 Block 5, adding another cluster to the constellation's low-Earth-orbit shell. Rocket Lab launched the Kakushin Rising mission — a JAXA rideshare — on an Electron from Mahia Peninsula, New Zealand, into sun-synchronous orbit at 03:09 UTC. Both are routine by now, which is itself a statement about how saturated the LEO launch cadence has become.

The third launch is not routine in the same way. Russia's Angara 1.2 lifted off from Plesetsk Cosmodrome at 08:29 UTC carrying what the record lists only as "Kosmos (Unknown Payload)" into sun-synchronous orbit. The Kosmos designation is the Russian military's standard label for classified satellites. Sun-synchronous orbit is the preferred plane for imaging and signals-intelligence satellites because it provides consistent lighting angles over ground targets. The payload classification is not a surprise; the timing and orbit selection are the data.


The Sanctions Ledger: Shadow Fleet and Iraqi AML

Tokyo MOU port state control detained two vessels in this window: BISTARI 19 and AURA. A third vessel, Meng Xin, carries simultaneous designations from the Tokyo MOU detention list and OFAC press releases — meaning it is both detained and sanctioned, which limits its options considerably. The company RP-SHIPPING LLC appears across three lists simultaneously: the UK FCDO sanctions register, the Tokyo MOU PSC database, and Ukraine's war sanctions list. When the same entity shows up on UK, Ukrainian, and Tokyo MOU rolls at once, the operator has run out of jurisdictions willing to look away.

Iraq's AML list generated nine new individual entries this window, all Iraqi nationals, with no stated charges, offenses, or organizational affiliations in the source data. These are financial-intelligence designations, not military ones, and the volume suggests a systematic sweep rather than a targeted action. For compliance officers with Iraq exposure, the list update warrants a re-screening cycle.

The Russian NSD ISIN feed added seven new securities to its sanctioned-instrument list, including structured discount bonds, exchange-listed bonds, and one security flagged specifically as restricted to qualified investors. These are instruments that Western custodians and clearinghouses are required to screen.


The Seismic Background

The Iwate coast off Miyako logged four earthquakes between M4.4 and M5.1 in a tight cluster between 12:18 UTC on April 22 and 06:41 UTC on April 23 (three listed at Miyako, one at Noda farther up the same coast). The depths range from 10 to 35 km, which puts them in the seismically active crust rather than the deep subducting slab. No tsunami alerts were issued, and USGS assigned no damage alert to any of them. The cluster is worth noting for operators with facilities in the Miyako area; four events in 18 hours at shallow depth is not a normal background rate.

The M4.78 near Silver Springs, Nevada — 19 km southeast, depth just 3 km — earned USGS's green alert, which is the lowest damage-significance tier but worth flagging because shallow Nevada seismicity occasionally precedes further activity in the Basin and Range province.


The Closing Detail

Sherrod Brown and Ben Cardin, both former U.S. senators, appear in this window on OpenSanctions carrying the `sanction.counter` tag — meaning they are listed on Russia's Foreign Ministry counter-sanctions register, the Kremlin's reciprocal response to Western sanctions on Russian officials. Neither designation carries any legal weight in any Western jurisdiction. It is, however, a precise record of whom Moscow considers worth naming.


What We Can't Tell You

1. What the Kosmos payload actually is — Russia does not publish manifests for military satellites, and the orbit selection is consistent with multiple mission types.

2. What the exploitation behind the Marimo KEV entry looks like — inclusion in the catalog means CISA has evidence of active exploitation, but the entry names no incident, actor, or scale.

3. What the Iraqi AML sweep targets — the nine names are listed without stated charges, offenses, or organizational affiliations in the source data.


By the Numbers

Metric                              Value              Context
----------------------------------  -----------------  -----------------------------------------------------------
CVEs published (24h)                30                 Includes 3 perfect 10.0 scores
CVEs scored 9.8+                    19                 Counted from the source list below; includes 2 re-scored 2018 legacy entries
CISA KEV additions                  1                  Marimo RCE; federal deadline May 7
Successful orbital launches         3                  SpaceX, Rocket Lab, Russia; all within 5.5 hours
Russian classified satellite        1 Kosmos payload   Sun-synchronous orbit from Plesetsk
Japan coastal earthquakes (18h)     4                  M4.4–M5.1; shallow crust, no tsunami
Shadow-fleet vessels flagged        3                  BISTARI 19, AURA, Meng Xin; all detained or sanctioned
Iraqi AML individual listings       9                  Batch addition; no stated charges in source data
Russian NSD ISIN additions          7                  Exchange bonds and structured instruments

Today's record covers three orbital launches (one classified), thirty vulnerabilities (nineteen at 9.8 or above by the source list), four clustered earthquakes off Japan, a Russian military satellite with an undisclosed payload in a reconnaissance-preferred orbit, and a sweep of nine Iraqi financial-intelligence designations. The truth score on everything you just read is 1.0 — every claim traces back to a primary record on disk. If your Rclone RC port is reachable from the internet, the deadline was version 1.48.0.

— *The Plumb Line*. Sourced from 84 grounded events across 27 source databases.

Sources

Cybersecurity

  • nvd_cve/CVE-2026-41679 — Paperclip RCE, CVSS 10.0
  • nvd_cve/CVE-2026-41196 — Luanti sandbox escape, CVSS 10.0
  • nvd_cve/CVE-2026-41211 — Vite+ path traversal, CVSS 10.0
  • nvd_cve/CVE-2026-29198 — Rocket.Chat NoSQL injection, CVSS 9.8
  • nvd_cve/CVE-2026-41176 — Rclone RC options/set exposed, CVSS 9.8
  • nvd_cve/CVE-2026-41179 — Rclone RC operations/fsinfo exposed, CVSS 9.8
  • nvd_cve/CVE-2026-31444 — Linux ksmbd use-after-free, CVSS 9.8
  • nvd_cve/CVE-2026-31436 — Linux dmaengine/idxd descriptor bug, CVSS 9.8
  • nvd_cve/CVE-2026-3844 — WordPress Breeze Cache arbitrary upload, CVSS 9.8
  • nvd_cve/CVE-2026-34415 — Xerte Online Toolkits RCE, CVSS 9.8
  • nvd_cve/CVE-2026-31463 — Linux iomap folio access, CVSS 9.8
  • nvd_cve/CVE-2026-31478 — Linux ksmbd buffer bug, CVSS 9.8
  • nvd_cve/CVE-2026-31501 — Linux icssg-prueth use-after-free, CVSS 9.8
  • nvd_cve/CVE-2026-6885 — Borg SPM arbitrary file upload, CVSS 9.8
  • nvd_cve/CVE-2026-6886 — Borg SPM auth bypass, CVSS 9.8
  • nvd_cve/CVE-2026-6887 — Borg SPM SQL injection, CVSS 9.8
  • nvd_cve/CVE-2018-25272 — ELBA5 RCE (legacy), CVSS 9.8
  • nvd_cve/CVE-2018-25270 — ThinkPHP 5.0.23 RCE (legacy), CVSS 9.8
  • nvd_cve/CVE-2026-41228 — Froxlor API language injection, CVSS 9.9
  • nvd_cve/CVE-2026-41229 — Froxlor PHP string injection, CVSS 9.1
  • nvd_cve/CVE-2026-31448 — Linux ext4 infinite loop, CVSS 9.4
  • nvd_cve/CVE-2026-31450 — Linux ext4 jinode race, CVSS 8.8
  • nvd_cve/CVE-2026-33471 — nimiq-block quorum check bypass, CVSS 9.6
  • nvd_cve/CVE-2026-6356 — Web app privilege escalation, CVSS 9.6
  • nvd_cve/CVE-2026-41167 — Jellystat SQL injection, CVSS 9.1
  • nvd_cve/CVE-2026-33656 — EspoCRM formula engine flaw, CVSS 9.1
  • nvd_cve/CVE-2026-41651 — PackageKit TOCTOU, CVSS 8.8
  • nvd_cve/CVE-2026-6859 — InstructLab trust_remote_code, CVSS 8.8
  • nvd_cve/CVE-2026-41208 — Paperclip privilege escalation, CVSS 8.8
  • nvd_cve/CVE-2026-31435 — Linux netfs read abandonment, CVSS 8.8
  • cisa_kev/CVE-2026-39987 — Marimo RCE, KEV addition, due 2026-05-07

Space / Launch

  • launch_library/41139aa5 — Angara 1.2 / Kosmos (Unknown), Plesetsk, SSO
  • launch_library/20418dc6 — Falcon 9 / Starlink 17-14, Vandenberg, LEO
  • launch_library/9281afa8 — Electron / Kakushin Rising (JAXA), Mahia, SSO

Sanctions / Compliance

  • opensanctions/NK-4NQPkrPWgFPYcEnFSdrVTa — RP-SHIPPING LLC, UK/UA/Tokyo MOU
  • opensanctions/NK-XLsFGP5YG6fmoQa7ewX89f — Meng Xin, OFAC/Tokyo MOU
  • opensanctions/NK-GPqhG3d9pG3p5vwwkXJpXe — BISTARI 19, Tokyo MOU detention
  • opensanctions/NK-kGdQPV96MvAYrhctxHPAMX — AURA, Tokyo MOU/CSL
  • opensanctions/iq-aml-* (9 entries) — Iraqi AML individual listings
  • opensanctions/isin-RU000A10E* (7 entries) — Russian NSD ISIN sanctions
  • opensanctions/Q381880 — Sherrod Brown, Russia MFA counter-sanctions
  • opensanctions/Q723295 — Ben Cardin, Russia MFA counter-sanctions

Seismology

  • usgs_earthquakes/us6000ss1u — M5.1 Miyako, Japan
  • usgs_earthquakes/us6000ss24 — M4.9 Miyako, Japan
  • usgs_earthquakes/us6000ss7p — M4.8 Miyako, Japan
  • usgs_earthquakes/us7000sh9l — M4.4 Noda, Japan
  • usgs_earthquakes/nn00916046 — M4.78 Silver Springs, Nevada, green alert