2026-05-21 9 min read

Chrome Just Got Seven Code-Execution Patches

The Plumb Line

24 hours ending 2026-05-21T12:00:00 UTC

Thirty.

That was yesterday's count of critical and high CVEs. Today the NVD batch reloaded with 30 more — same number, entirely different targets. Yesterday's two CVSS 10.0s lived in hosting control panels. Today's two 10.0s live in a Cisco enterprise platform and a WooCommerce plugin. The target rotation from infrastructure software to business logic and e-commerce is worth noting: attackers who work through vulnerability lists don't stay in one industry vertical.

The broader story across 48 hours isn't any single CVE. It's that the pipeline running from NVD disclosure to active exploit tooling is faster than most patch cycles. Yesterday we flagged CVE-2026-34234 and CVE-2026-43633 — the HestiaCP and CtrlPanel RCEs — and noted that CISA had not yet added either to its Known Exploited Vulnerabilities catalog. As of this window's close, that remains true. The clock is still running.

Sitting alongside the vulnerability data today: a Starship Flight 12 launch window, an Ebola epidemic entry surfacing in Wikipedia's live event record, a fresh set of sanctioned vessels and individuals, and a M6.6 earthquake under the East Pacific Rise. A full-spectrum 24 hours.

Chrome Just Got Seven Code-Execution Patches

Google Chrome pushed version 148.0.7778.179 in this window, and the NVD entry count tells you how serious the release is. Seven separate CVEs — CVE-2026-9111, -9112, -9114, -9118, -9119, -9120, and -9121 — cover use-after-free flaws in WebRTC, QUIC, XR, and GPU handling, plus a heap buffer overflow in WebRTC and an out-of-bounds read in GPU rendering. Five of the seven are rated CVSS 8.8 HIGH, and all five allow a remote attacker to execute arbitrary code via a crafted HTML page. One — CVE-2026-9111, use-after-free in WebRTC on Linux — carries a Chromium-internal "Critical" designation despite the 8.8 score, meaning Google's own security team considered it severe enough for a label upgrade.

7 Chrome CVEs patched in a single release — all allowing remote code execution via crafted HTML pages. Version 148.0.7778.179 is the update.

The two CVSS 10.0 entries this window follow different damage models. CVE-2026-20223 is an access-validation failure in Cisco Secure Workload — formerly Tetration — that allows an unauthenticated remote attacker to reach internal REST APIs with Site Admin privileges. Cisco Secure Workload is the platform enterprises use to manage microsegmentation and zero-trust policy across their datacenter workloads. Owning Site Admin via an unauthenticated API call means owning the policy engine for every workload it manages. CVE-2026-45444, the other 10.0, sits in WP Swings' Gift Cards For WooCommerce Pro through version 4.2.6 — unrestricted file upload allowing malicious file execution. The e-commerce blast radius is narrower per installation, but the installed base for WooCommerce plugins runs into the millions of sites.

Also in this window: Netatalk, the open-source Apple Filing Protocol implementation used for Apple-to-Linux file sharing in SMB environments, is having a bad week. Four CVEs landed simultaneously — CVE-2026-44050 (CVSS 9.9, heap buffer overflow in CNID daemon, remote code execution), CVE-2026-44047 (CVSS 8.8, SQL injection in MySQL CNID backend), CVE-2026-44048 (CVSS 8.8, stack buffer overflow via UCS-2 type confusion), and CVE-2026-44051 (CVSS 8.1, symlink traversal allowing arbitrary file read/overwrite). All affect versions through 4.4.2. Netatalk is the kind of quietly ubiquitous software that runs in university IT departments, small studios, and media production houses — exactly the environments least likely to be running automated patch triggers.
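The three version-bounded advisories above (Chrome fixed in 148.0.7778.179, Netatalk affected through 4.4.2, the WooCommerce plugin affected through 4.2.6) and the note that none of them carries a KEV flag yet are the inputs a patch-gap triage needs. The script below is an added example, not code from The Plumb Line or any of the vendors named: it compares dotted version strings against each advisory's stated range and checks the CVE against a KEV-style feed. The feed layout it parses (a top-level `vulnerabilities` list with a `cveID` field) is an assumption about CISA's published JSON, and both the sample feed and the sample inventory are constructed; the placeholder `CVE-0000-00000` is not a real identifier.

```python
"""Patch-gap triage for the CVEs named in this window.

Added example, not code from The Plumb Line. Version ranges are the ones
stated in the text; the KEV feed layout (top-level "vulnerabilities" list
with a "cveID" field) is an assumption about CISA's JSON, and the sample
feed and inventory below are constructed.
"""
import json
from dataclasses import dataclass
from typing import List, Optional, Set


def parse_version(s: str) -> tuple:
    """'148.0.7778.179' -> (148, 0, 7778, 179); tuples compare numerically."""
    return tuple(int(part) for part in s.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    fixed_in: Optional[str] = None          # first fixed release (Chrome style)
    affected_through: Optional[str] = None  # last affected release (Netatalk style)


# Ranges as stated on the page.
ADVISORIES = [
    Advisory("CVE-2026-9111", "Google Chrome", fixed_in="148.0.7778.179"),
    Advisory("CVE-2026-44050", "Netatalk", affected_through="4.4.2"),
    Advisory("CVE-2026-45444", "Gift Cards For WooCommerce Pro", affected_through="4.2.6"),
]


def is_affected(adv: Advisory, installed: str) -> bool:
    """True when the installed version falls inside the advisory's affected range."""
    v = parse_version(installed)
    if adv.fixed_in is not None:
        return v < parse_version(adv.fixed_in)
    if adv.affected_through is not None:
        return v <= parse_version(adv.affected_through)
    raise ValueError(f"{adv.cve}: no version range given")


def kev_ids(kev_json: str) -> Set[str]:
    """Collect CVE ids from a KEV-style JSON feed (assumed layout, see module docstring)."""
    return {entry["cveID"] for entry in json.loads(kev_json)["vulnerabilities"]}


def triage(inventory: dict, kev_json: str) -> List[dict]:
    """inventory maps product name -> installed version string.

    Returns one row per advisory for a product in the inventory, with a
    priority that separates 'affected and in KEV' from 'affected, KEV flag
    not yet set' (the state every CVE in this window is in).
    """
    known_exploited = kev_ids(kev_json)
    rows = []
    for adv in ADVISORIES:
        if adv.product not in inventory:
            continue
        affected = is_affected(adv, inventory[adv.product])
        in_kev = adv.cve in known_exploited
        if affected and in_kev:
            priority = "patch now"
        elif affected:
            priority = "patch ahead of KEV"
        else:
            priority = "ok"
        rows.append({"cve": adv.cve, "product": adv.product,
                     "installed": inventory[adv.product],
                     "affected": affected, "in_kev": in_kev, "priority": priority})
    return rows


# Constructed sample feed: one placeholder entry (not a real CVE id) and none
# of this window's CVEs, matching the text's note that CISA has not flagged them.
SAMPLE_KEV = json.dumps({
    "vulnerabilities": [{"cveID": "CVE-0000-00000", "product": "placeholder"}]
})

# Constructed inventory: an out-of-date Chrome and a patched Netatalk.
SAMPLE_INVENTORY = {"Google Chrome": "148.0.7778.170", "Netatalk": "4.4.3"}

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, SAMPLE_KEV):
        print(f"{row['cve']:16} {row['product']:16} {row['installed']:>16}  {row['priority']}")
```

The "patch ahead of KEV" bucket is the point: a KEV entry is a lagging signal, so an affected build with no KEV flag is still a patch-now item for anything reachable from untrusted content, which for Chrome is every tab.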

Ebola, Starship, and Shadow Tankers

Wikipedia's live event index surfaced a "2026 Ebola epidemic" entry in this window. The source data shows a single entry at the 12:00 UTC timestamp — a live article creation or significant update, which is the signal pattern for a developing outbreak reaching threshold-level editorial attention. The data does not specify country, case count, or WHO response status. What it does confirm is that an Ebola event is large enough, and moving fast enough, that Wikipedia's event tracker considers it current news. That's the threshold that matters for monitoring purposes. WHO has not issued a declaration visible in this window's source data, but Wikipedia's event record has historically preceded formal declarations by 24–72 hours in prior outbreaks.

Starship Flight 12 was on the board this window: SpaceX listed status as Go for Launch from Starbase, Texas, targeting a suborbital trajectory. The vehicle is Starship V3, the latest iteration of the full-stack system. A companion Falcon 9 Block 5 mission — Starlink Group 10-31 from Cape Canaveral — was also Go for Launch at 09:26 UTC. Two SpaceX launch windows in the same 24-hour slot is, at this point, operationally unremarkable, which is itself remarkable.

The OpenSanctions update this window added several entries worth flagging for compliance teams. The vessel LARK — flagged across UK FCDO, Australian DFAT, and Ukrainian war sanctions simultaneously — carries a shadow fleet designation alongside standard sanctions tags. The vessel KAPITAN KLIMIN was detained by the Tokyo MOU Port State Control. Sagarvani Shipping Pvt Ltd, an Indian company, is newly linked to Ukrainian war sanctions. Iranian ship manager Rahbaran Omid Darya Ship Management Co carries French Treasury and Belgian FOD asset freezes. Nicolas Ernesto Maduro Guerra — son of Nicolás Maduro — appears on the US Commerce Department's trade consolidated screening list and in OFAC press releases this cycle.

Bacoli Shakes, But the Big Number Was Elsewhere

The USGS logged 14 events in this window. The most significant was a M6.6 at the southern East Pacific Rise — mid-ocean, 10 km depth, green alert, no tsunami risk. The USGS significance score of 670 puts it in the upper tier of the day's seismic activity, but the remote location means zero population exposure. More locally notable: a M4.1 at 1 km SSW of Bacoli, Italy, at 7.4 km depth. Bacoli sits at the western edge of the Campi Flegrei caldera system near Naples — the Phlegraean Fields. Shallow M4-range events in Campi Flegrei are monitored for bradyseism (ground deformation) signals rather than immediate damage risk. No elevated alert is visible in the source data, but the location warrants tracking for operators with assets in the Naples metro area.

The asteroid traffic was routine: five near-Earth objects passed in this window, the most notable being 2015 XK351 — up to 535 meters in diameter, classified hazardous — at a comfortable 49.7 million kilometers (129 lunar distances). Well clear.

The Name That Stays on a List

Vitaly Mutko — the former FIFA Executive Committee member and Russian Football Union president whose name became synonymous with Russia's state-sponsored doping program — resurfaced in the OpenSanctions refresh this window, listed across the ACF bribetakers registry and WikiData PEP datasets. He's been on lists before. He remains on them. The doping scandal he helped architect cost hundreds of clean athletes their Olympic results. The sanctions are the paper trail that follows that accounting.

What We Can't Tell You

1. Ebola epidemic location, case count, and WHO status — Wikipedia's event record confirms the article exists and is active; country of origin and confirmed figures are not in the source data.

2. Whether Cisco Secure Workload CVE-2026-20223 is under active exploitation — CISA has not added it to the KEV catalog in this window; Cisco's advisory timeline is not in the source data.

3. Starship Flight 12 launch outcome — status was Go for Launch at 22:30 UTC on May 20; confirmation of launch success or abort is not present in the available data.

By the Numbers

| Metric | Value | Context |
| --- | --- | --- |
| Chrome CVEs patched this window | 7 | All CVSS 8.8; all remote code execution via crafted HTML — update to 148.0.7778.179 |
| CVSS 10.0 CVEs this window | 2 | Cisco Secure Workload (unauthenticated Site Admin API access) and WooCommerce Gift Cards Pro |
| Netatalk CVEs this window | 4 | Versions through 4.4.2; includes CVSS 9.9 heap overflow with RCE |
| Total high-or-critical CVEs (≥8.0) | 30 | Second consecutive 30-CVE window; 48-hour running total: 60 |
| Largest earthquake this window | M6.6 | Southern East Pacific Rise; remote, no tsunami risk, USGS green alert |
| Shallow Campi Flegrei event | M4.1 | 1 km SSW of Bacoli, Italy; 7.4 km depth — caldera proximity warrants monitoring |
| Sanctioned vessels updated | 3 | LARK (shadow fleet, UK/AU/UA), KAPITAN KLIMIN (detained), DIMA (detained) |
| Starship launches scheduled | 1 (Flight 12) | Go for Launch at Starbase TX, suborbital; outcome unconfirmed in source data |
| NEO closest approach | 49.7M km | 2015 XK351, up to 535 m diameter, classified hazardous — 129 lunar distances away |

Sixty critical and high CVEs across 48 hours, an Ebola epidemic article going live on Wikipedia, a Cisco platform handing out Site Admin access to anyone who asks, and Chrome patching seven code-execution paths in a single release — that is what the last 24 hours produced. The truth score on everything you just read is 1.0 — every claim traces back to a primary record on disk. The HestiaCP and CtrlPanel 10.0s from yesterday still have no KEV flag; add CVE-2026-20223 to the same unpatched list, and patch Chrome to 148.0.7778.179 before you close the laptop tonight.

— *The Plumb Line*. Sourced from 102 grounded events across 27 source databases.


Sources

Cybersecurity — CVSS 10.0

  • nvd_cve/CVE-2026-20223 — Cisco Secure Workload, unauthenticated access to internal REST APIs at Site Admin privilege level
  • nvd_cve/CVE-2026-45444 — WP Swings Gift Cards For WooCommerce Pro ≤4.2.6, unrestricted malicious file upload

Cybersecurity — Critical (≥9.0)

  • nvd_cve/CVE-2026-44050 — Netatalk 2.0.0–4.4.2, CVSS 9.9, heap buffer overflow in CNID daemon comm_rcv(), remote authenticated RCE
  • nvd_cve/CVE-2026-9139 — Taiko AG1000-01A SMS Gateway Rev 7.3/8, CVSS 9.8, hard-coded credentials in client-side JavaScript
  • nvd_cve/CVE-2026-6279 — Avada Builder ≤3.15.2, CVSS 9.8, unauthenticated remote code execution via PHP function injection
  • nvd_cve/CVE-2026-9141 — Taiko AG1000-01A SMS Gateway Rev 7.3/8, CVSS 9.8, authentication bypass to internal application pages
  • nvd_cve/CVE-2026-8598 — ZKTeco CCTV cameras, CVSS 9.1, unauthenticated configuration export port exposing credentials
  • nvd_cve/CVE-2026-5433 — Honeywell Control Network Module, CVSS 9.1, command injection / RCE via web interface

Cybersecurity — Google Chrome 148.0.7778.179

Cybersecurity — High (8.x)

Seismic

  • usgs