### What changed today
Finding 01 leads because Aqara Home Android CVE-2026-50091 combines critical severity, hard-coded SDK keys, and public advisory evidence. The useful first step is not broad incident response; it is an asset check for Aqara Home Android 6.0.0 and white-label clients embedding liblumidevsdk.so, followed by vendor remediation tracking. Source: https://nvd.nist.gov/vuln/detail/CVE-2026-50091
Findings 02-08 are the main owner-action patch queue: browser and WebView fleets, EdgeRouter X management surfaces, Apache IoTDB pipe processing, WordPress Appointment Booking Calendar, PraisonAI workspaces, EspoCRM, and OpenTelemetry-Go. EdgeRouter X keeps the vendor-dispute caveat, so exposure management should focus on reachable management planes and compensating controls rather than treating every post-authentication record as equal. Source: https://nvd.nist.gov/vuln/detail/CVE-2023-2373
Findings 09-13 cover lower-confidence or grouped infrastructure and parser work: NATS Server, Perl DBI, Invixium IXM WEB, ClamAV, and Mistune/js-yaml. These are still owner action items, but the confidence labels matter; several are single-source MSRC batches and should be paired with upstream release notes or package evidence before escalation beyond patch planning. Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58208
The retained public cards cover CVE-2026-50091, CVE-2026-58281, CVE-2023-2373, CVE-2026-40008, CVE-2026-12378, CVE-2026-61442, CVE-2020-37094, CVE-2026-39883, CVE-2026-58208, CVE-2026-14380, CVE-2026-51119, CVE-2026-20214, and CVE-2026-59869.
The digest keeps OpenSSH, PcVue, XRING/XQUIC, and jscrambler visible without letting them crowd out the primary queue. jscrambler remains a developer-host and CI search item if package inventories show version 8.14.0; XRING/XQUIC remains developing because there is no CVE or fixed release in the collected evidence. Source: https://socket.dev/blog/jscrambler-supply-chain-attack
### Recommended actions
- Inventory Aqara Home Android 6.0.0 and white-label liblumidevsdk.so exposure first.
- Validate browser, WebView2, EdgeRouter X, Apache IoTDB, WordPress Appointment Booking Calendar, PraisonAI, EspoCRM, and OpenTelemetry-Go patch state.
- Route NATS, ClamAV, Perl DBI, Mistune/js-yaml, Invixium IXM WEB, PcVue, OpenSSH, and XQUIC to relevant owners with confidence caveats intact.
- Search package inventories, lockfiles, package caches, and CI logs for jscrambler 8.14.0.