ELEVATED 1 min read 12 Jul 2026

Aqara Home Android Leads Today's Intel Queue

Today's Intel is consolidated into 13 priority findings, led by Aqara Home Android CVE-2026-50091 and followed by owner checks across browser, edge, OT, developer, server, and parser estates. 4 further items tracked below.

Key findings
01
Aqara Home Android hard-coded SDK keys expose smart-home cryptographic trust
HIGH
[High] Severity: CRITICAL. NVD records CVE-2026-50091 for Aqara Home Android 6.0.0 and white-label clients embedding liblumidevsdk.so. The flaw is hard-coded cryptographic keys with a 9.1 critical CVSS estimate and public exploit/advisory references.
02
Microsoft Edge/Chromium July 11 CVE batch includes Edge RCE routing
HIGH
[High] Severity: HIGH. MSRC published 142 Edge/Chromium vulnerability records on July 11, including CVE-2026-58281 labelled as a Microsoft Edge remote-code-execution vulnerability and a broad Chromium component wave spanning V8, ANGLE, Dawn, Skia, WebUSB, Bluetooth, Omnibox, WebView, Chrome for iOS, and related surfaces.
03
Ubiquiti EdgeRouter X Web Management command-injection CVE batch enters NVD with public exploit references
MEDIUM
[Medium] Severity: HIGH. NVD lists six EdgeRouter X Web Management Interface command-injection CVEs affecting releases up to 2.0.9-hotfix.6. NVD notes remote attack paths and public exploit references while recording the vendor dispute that post-authentication issues are not accepted as vulnerabilities.
04
Apache IoTDB CVE-2026-40008 unsafe reflection requires 2.0.10 checks
HIGH
[High] Severity: HIGH. NVD records unsafe reflection in Apache IoTDB pipe processing: an externally controlled fully qualified Java class name is instantiated without validation or allowlisting. Affected versions are before 2.0.10.
05
WordPress Appointment Booking Calendar CVE-2026-12378 enables unauthenticated PHP object injection
CRITICAL
[High] Severity: HIGH. NVD records that the Appointment Booking Calendar Plugin and Scheduling Plugin through 1.1.28 pass unvalidated data to PHP deserialization. Unauthenticated object injection can become RCE where a suitable gadget chain exists.
06
PraisonAI Platform CVE-2026-61442 misses owner/admin authorization on PATCH routes
HIGH
[High] Severity: HIGH. NVD records missing authorization in praisonai-platform before 0.1.9: workspace members can modify owner-created projects, issues, and agents, including reassigning project lead ownership and deleting owner-created projects.
07
EspoCRM token reuse lets matching-password accounts bypass 2FA
HIGH
[High] Severity: HIGH. NVD records CVE-2020-37094 for EspoCRM 5.7.0 before 5.9.0: authentication tokens were tied to password hashes rather than per-user identities, allowing an authenticated attacker with a controlled account to replay a token against a victim account sharing the same password and bypass 2FA.
08
OpenTelemetry-Go PATH hijack bypasses prior Darwin-only fix on BSD and Solaris
HIGH
[High] Severity: HIGH. NVD and GitHub advisory routing describe OpenTelemetry-Go 1.15.0 through 1.42.0. A previous fix made the Darwin ioreg path absolute but left BSD/Solaris kenv resolution dependent on PATH; version 1.43.0 fixes the issue.
09
NATS Server MQTT/WebSocket/leafnode and authorization CVE batch
LOW
[Low] Severity: HIGH. MSRC published six NATS Server advisories covering MQTT, WebSocket, leafnode crash paths, and subscribe/route authorization bypasses. Prioritize exposed or multi-tenant NATS deployments, especially where JetStream, leafnodes, MQTT-over-WebSocket, or route APIs are enabled.
10
Perl DBI before 1.650 code-injection and memory-safety CVEs
LOW
[Low] Severity: HIGH. MSRC lists DBI before 1.650 issues covering code injection through caller-influenced Profile data, heap overflow during SQL placeholder preparsing, and out-of-bounds read when deleting an initial SQL comment.
11
Invixium IXM WEB CVE-2026-51119 privilege escalation surfaces in NVD/EUVD routing
HIGH
[High] Severity: HIGH. NVD describes IXM WEB v2.3.85.25 privilege escalation through /SystemUsers/CreateAppUser, mapped to CWE-269 improper privilege management. EUVD also surfaced the CVE, giving this a UK/EU regulatory discovery path while vendor fix state remains unclear.
12
ClamAV archive and disk-image parser CVE batch
LOW
[Low] Severity: HIGH. MSRC published six ClamAV file-format processing advisories across FSG, 7Zip, InstallShield, PESpin, ALZ, and DMG handlers. The practical exposure is mail, upload, artifact, and gateway scanning paths where untrusted archives or disk images are automatically unpacked.
13
Mistune and js-yaml parser advisories affect untrusted Markdown and YAML processing
LOW
[Low] Severity: MEDIUM. MSRC published parser advisories for js-yaml quadratic CPU consumption and Mistune parsing, XSS, and heading-id collision issues. Route to applications that parse untrusted Markdown, documentation, README content, issue bodies, or YAML input.

### What changed today

Finding 01 leads because Aqara Home Android CVE-2026-50091 combines critical severity, hard-coded SDK keys, and public advisory evidence. The useful first step is not broad incident response; it is an asset check for Aqara Home Android 6.0.0 and white-label clients embedding liblumidevsdk.so, followed by vendor remediation tracking. Source: https://nvd.nist.gov/vuln/detail/CVE-2026-50091

Findings 02-08 are the main owner-action patch queue: browser and WebView fleets, EdgeRouter X management surfaces, Apache IoTDB pipe processing, WordPress Appointment Booking Calendar, PraisonAI workspaces, EspoCRM, and OpenTelemetry-Go. EdgeRouter X keeps the vendor-dispute caveat, so exposure management should focus on reachable management planes and compensating controls rather than treating every post-authentication record as equal. Source: https://nvd.nist.gov/vuln/detail/CVE-2023-2373

Findings 09-13 cover lower-confidence or grouped infrastructure and parser work: NATS Server, Perl DBI, Invixium IXM WEB, ClamAV, and Mistune/js-yaml. These are still owner action items, but the confidence labels matter; several are single-source MSRC batches and should be paired with upstream release notes or package evidence before escalation beyond patch planning. Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58208

The retained public cards cover CVE-2026-50091, CVE-2026-58281, CVE-2023-2373, CVE-2026-40008, CVE-2026-12378, CVE-2026-61442, CVE-2020-37094, CVE-2026-39883, CVE-2026-58208, CVE-2026-14380, CVE-2026-51119, CVE-2026-20214, and CVE-2026-59869.

The digest keeps OpenSSH, PcVue, XRING/XQUIC, and jscrambler visible without letting them crowd out the primary queue. jscrambler remains a developer-host and CI search item if package inventories show version 8.14.0; XRING/XQUIC remains developing because there is no CVE or fixed release in the collected evidence. Source: https://socket.dev/blog/jscrambler-supply-chain-attack

### Recommended actions

  • Inventory Aqara Home Android 6.0.0 and white-label liblumidevsdk.so exposure first.
  • Validate browser, WebView2, EdgeRouter X, Apache IoTDB, WordPress Appointment Booking Calendar, PraisonAI, EspoCRM, and OpenTelemetry-Go patch state.
  • Route NATS, ClamAV, Perl DBI, Mistune/js-yaml, Invixium IXM WEB, PcVue, OpenSSH, and XQUIC to relevant owners with confidence caveats intact.
  • Search package inventories, lockfiles, package caches, and CI logs for jscrambler 8.14.0.
aqarachromiumclamavcve-2020-37094cve-2023-2373cve-2026-12378cve-2026-14380cve-2026-20214cve-2026-39883cve-2026-40008

Act on this brief

Map detection coverage gaps for the techniques above, or generate Sigma rules from the named CVEs.