The Lyceum: Cybersecurity Daily — Mar 26, 2026
Thursday, March 26, 2026
The Big Picture
Attackers reverse-engineered a critical Langflow bug from nothing but an advisory description and had working exploits scanning the internet in under 20 hours; CISA added the bug to its KEV catalog yesterday. Meanwhile, Kaspersky reported that the iOS exploit kit circulating in the wild is a direct descendant of Operation Triangulation and is now being deployed indiscriminately. And a prompt-injection flaw in Anthropic's Claude browser extension showed that visiting the wrong webpage could silently hijack your AI assistant. The theme today: the attack surface is expanding faster than most teams' mental models of what counts as "infrastructure."
What Just Dropped
- CVE-2026-33017 — Langflow AI pipeline builder (pre-1.9.0): actively exploited, CVSS 9.3, unauthenticated RCE via unsanitized Python in flow definitions. CISA KEV added March 25. Patch to 1.9.0+.
- CVE-2026-21262 — Microsoft SQL Server: publicly disclosed elevation-of-privilege zero-day (CVSS 8.8), patched via March 2026 Patch Tuesday. No in-the-wild exploitation reported.
- CVE-2026-26127 — .NET runtime: publicly disclosed denial-of-service zero-day (CVSS 7.5), patched via March 2026 Patch Tuesday. No in-the-wild exploitation reported.
- CVE-2026-26110 — Microsoft Office: critical RCE via Preview Pane, patched March 2026 Patch Tuesday. No reported exploitation yet.
- CVE-2025-60787 — motionEye ≤0.43.1b4: RCE via config file injection, public PoC on Exploit-DB. No upstream patch available; project appears minimally maintained.
- CVE-2026-1357 — WPvivid Backup & Migration plugin for WordPress (≤0.9.123): CVSS 9.8, unauthenticated RCE. Public exploit published today; patch (0.9.124) available since January 28.
Today's Stories
Your AI Pipeline Just Got Added to CISA's "Actively Exploited" List
If your team uses Langflow — the drag-and-drop platform for building AI agents and RAG pipelines — attackers are scanning for your instance right now, and they don't need a password.
CISA added CVE-2026-33017 to its Known Exploited Vulnerabilities catalog yesterday, confirming active exploitation. The flaw (CVSS 9.3) sits in Langflow's public flow-building API, which was deliberately designed to work without authentication so users could share workflows. The bug lets anyone inject arbitrary Python into a flow definition, which the server executes unsandboxed. One POST request. Full control.
The speed is what's alarming. Cloud security firm Sysdig documented attackers building working exploits within 20 hours of the advisory — with no public proof-of-concept in existence. They reverse-engineered the bug from the description alone. Exfiltrated data in observed attacks included API keys for OpenAI, Anthropic, and AWS — exactly what you'd expect from a platform wired into your entire AI stack.
What changes: If exploitation matures beyond scanning into targeted campaigns, every Langflow instance becomes a key-harvesting machine for the AI credentials behind it. The fix is version 1.9.0 or later. Patch, rotate every API key and database credential that process could reach, and restrict network access immediately. Public PoC code now exists on GitHub.
What to watch for: If CISA assigns a federal remediation deadline this week, it signals the exploitation has graduated from opportunistic to targeted.
The iOS Exploit Kit Targeting Your iPhone Has a Parent — And It's Operation Triangulation
The iOS exploit kit called Coruna has been circulating in threat intelligence reports for weeks. Today Kaspersky's GReAT team published findings that reframe what it actually is — and the answer is worse than anyone initially reported.
Coruna is not a new tool. It's a continuously maintained evolution of Operation Triangulation, the sophisticated iOS surveillance framework Kaspersky first uncovered in 2023 and attributed to a nation-state actor. The kernel exploit at Coruna's heart is an updated version of the same chain, with new code specifically targeting Apple M3 chips and current iOS builds. Whoever built Triangulation has been actively developing this codebase ever since.
The critical shift: Triangulation was precision espionage — surgical, deployed against specific high-value individuals. According to Kaspersky principal researcher Boris Larin, Coruna is now deployed indiscriminately. The Hacker News reports that Coruna has been linked to threat group UNC6353, which has been injecting it into compromised websites targeting Ukrainian users.
If Apple pushes an emergency out-of-cycle iOS update in the next few days, it means the mass-deployment phase is confirmed as an imminent threat to ordinary users, not just targeted individuals. If you haven't restarted your iPhone recently, do it now and confirm you're on the latest iOS.
The AI Library Holding All Your Keys Was Just Backdoored
LiteLLM, the Python library that routes requests to OpenAI, Anthropic, Google, and dozens of other AI providers, had malicious releases (versions 1.82.7 and 1.82.8) published to PyPI on March 24. The embedded code executes when Python starts and targets the exact secrets LiteLLM normally handles: API keys, cloud tokens, Kubernetes secrets, environment variables.
Armis ties the activity to TeamPCP, the group that previously compromised the Trivy vulnerability scanner and used stolen CI credentials to push the poisoned LiteLLM builds. Industry reporting pegs LiteLLM at roughly 3.4 million daily downloads and 40,000 GitHub stars — meaning the blast radius for exfiltrated secrets is substantial. Given LiteLLM's function of holding and forwarding API keys for AI models, the compromise creates a high-fidelity path to the most sensitive credentials in AI-enabled environments.
What changes if this pattern continues: Supply chain attacks are moving up the stack into AI developer kits, where a single library compromise yields cloud credentials, model access, and infrastructure secrets in one shot. Scan for those specific versions immediately, remove them, and rotate any keys or tokens that could have been accessed.
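One way to run the version scan called for above, covering both the poisoned LiteLLM releases and the pre-1.9.0 Langflow builds from the first story. This is an added example, not code from LiteLLM, Langflow or any vendor named here; the function names and the sample pins are constructed for illustration, and only the version numbers come from this page.

```python
import re
from importlib import metadata

# Versions below come from this page; the rest is an added illustration.
POISONED = {"litellm": {(1, 82, 7), (1, 82, 8)}}  # malicious PyPI releases
FIXED_IN = {"langflow": (1, 9, 0)}                # first release with the fix
PIN = re.compile(r"^\s*([A-Za-z0-9][\w.-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#,\\]+)")

def parse(version):
    """'1.9.0rc1' -> ((1, 9, 0), True); the flag marks a pre-release."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)", version.strip())
    if not m:
        return (), False
    rel = tuple(int(p) for p in m.group(1).split("."))
    rel += (0,) * (3 - len(rel))                  # treat '1.9' as '1.9.0'
    return rel, bool(re.match(r"[._-]?(a|b|rc|dev|alpha|beta|pre)", m.group(2), re.I))

def verdict(name, version):
    """Finding text for one (name, version) pair, or None when not flagged."""
    name = re.sub(r"[-_.]+", "-", name).lower()   # PEP 503 name normalization
    rel, pre = parse(version)
    if rel in POISONED.get(name, ()):
        return f"{name} {version}: poisoned release, remove it and rotate secrets"
    fixed = FIXED_IN.get(name)
    if fixed and rel and (rel < fixed or (rel == fixed and pre)):
        return f"{name} {version}: predates fixed release {'.'.join(map(str, fixed))}"
    return None

def scan_requirements(text):
    """Check '==' pins in requirements-style text; returns [(line_no, finding)]."""
    pins = ((no, PIN.match(line)) for no, line in enumerate(text.splitlines(), 1))
    found = ((no, verdict(m.group(1), m.group(2))) for no, m in pins if m)
    return [(no, f) for no, f in found if f]

def scan_site_packages(paths):
    """Read *.dist-info metadata only; nothing in the scanned environment is run."""
    dists = metadata.distributions(path=list(paths))
    found = {verdict(d.metadata["Name"] or "", d.version or "") for d in dists}
    return sorted(found - {None})

# Constructed sample pins, not taken from any real project.
SAMPLE = """\
LiteLLM[proxy]==1.82.8 ; python_version >= "3.9"
langflow==1.8.2  # agent builder
langflow==1.9.0
"""

if __name__ == "__main__":
    for no, finding in scan_requirements(SAMPLE):
        print(f"line {no}: {finding}")
```

Because the embedded code runs when Python starts, call `scan_site_packages` from an interpreter outside the suspect environment and pass it that environment's site-packages directory. Range specifiers such as `>=` are not evaluated, so check the resolved install as well as the requirements file.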
The signal to watch: If more AI-focused libraries (LangChain, Haystack, semantic-kernel) get targeted in the same pattern, it confirms TeamPCP is systematically working through the AI dependency tree.
A CVSS 9.8 in the Backup Plugin on 900,000 WordPress Sites Just Got a Working Exploit Published
CVE-2026-1357 affects the WPvivid Backup & Migration plugin — installed on over 900,000 WordPress sites — and allows unauthenticated arbitrary file upload leading to remote code execution. The vulnerability has existed since before January, and a patch (version 0.9.124) shipped January 28. What changed today: a working exploit hit Exploit-DB.
The technical trick is clever: when RSA decryption fails, the resulting null-byte key is predictable, letting attackers pre-encrypt their payloads. The vulnerable code in class-wpvivid-send-to-site.php processes uploaded files without validating decryption success. Per BleepingComputer's reporting, only sites with the "receive backup from another site" option enabled are critically exposed — but that feature is commonly toggled on during migrations, creating intermittent windows of vulnerability that are easy to forget about.
What changes: The combination of 900,000 installs, a public exploit, and a feature people turn on temporarily is exactly the recipe that produces mass scanning campaigns. If you manage WordPress sites, check WPvivid versions right now.
Failure mode: Sites that patched in January are fine. Sites that didn't — and there will be many — will start showing up in breach reports within weeks.
⚡ What Most People Missed
- Device code phishing is hitting Microsoft 365 at industrial scale. Huntress flagged an active campaign targeting more than 340 organizations across the U.S., Canada, Australia, New Zealand, and Germany. The attack abuses Microsoft's device code authentication flow — a legitimate login method for TVs and IoT devices — to steal OAuth tokens and bypass MFA entirely. It's been running since February 19 and accelerating. Watch for unusual device code login prompts.
- Your home security camera might be running a live RCE exploit. motionEye, the open-source webcam dashboard running on countless Raspberry Pi setups, has a command injection flaw (CVE-2025-60787) with a public PoC and no upstream patch. The project appears minimally maintained, these boxes often sit on flat LANs next to NAS devices and admin workstations, and the "authentication required" bar is lower than it sounds given widespread default credentials. If you run motionEye, restrict access to your LAN immediately.
- mailcow's password reset can be poisoned via Host header injection. A fresh Exploit-DB entry shows that manipulating the Host header on a reset request redirects the token to an attacker's server. For a self-hosted email platform, that's the master key to every email-based recovery flow. Fix: lock the Host header at your reverse proxy.
- InvenTree gave sysadmins a rare two-week heads-up. The open-source inventory app publicly announced it will disclose a critical vulnerability and ship a fix on April 8, 2026. If you run an internet-facing InvenTree instance, assume it's already on someone's Shodan list and reduce your blast radius before the fix drops.
- 4Chan's £520,000 Ofcom fine is the first real enforcement under the UK Online Safety Act. The BBC reports it's a modest number, but the precedent matters: platforms are now legally accountable for what their infrastructure facilitates. If you host user-generated content in the UK, the enforcement machinery is operational.
From the Foreign Press
Silver Dragon Targets Organizations in Southeast Asia and Europe
Check Point Research published new findings on "Silver Dragon," a campaign targeting organizations across Southeast Asia and Europe. The report details infrastructure overlaps, delivery mechanisms, and post-compromise tooling used by the threat group, which Check Point assesses is operating with espionage objectives. This is relevant context alongside today's telecom-backbone APT reporting — multiple research teams are independently flagging China-nexus persistence operations across different geographies and sectors simultaneously.
Source: Check Point Research — English (first publication, not yet picked up by English-language press). No English-language coverage confirmed at time of publication.
Kali Linux 2026.1 Released with Eight New Tools and BackTrack Mode
Xakep.ru reports the release of Kali Linux 2026.1, which adds eight new security tools and introduces a "BackTrack mode" — a nostalgic throwback to the pre-Kali pentesting distribution. For red teams and pentesters, the new tool additions are worth reviewing for workflow updates; the BackTrack mode is mostly cosmetic but signals Offensive Security's effort to re-engage the community.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Google Scanning the Dark Web with AI Agents
Xakep.ru reports that Google is deploying Gemini-based AI agents to scan dark web marketplaces and forums for threat intelligence — automating the collection and analysis of criminal listings, leaked credentials, and exploit sales. If confirmed by Google, this would represent a significant escalation in automated threat intelligence collection by a major platform provider and could reshape how dark web data feeds into defensive operations.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If more AI-focused Python libraries (LangChain, Haystack, semantic-kernel) get poisoned in the same TeamPCP pattern, remediation playbooks will need to cover every model-routing library — not just LiteLLM — because a single compromised dependency can expose cloud credentials, model access, and CI/CD secrets simultaneously.
- If Apple ships an emergency out-of-cycle iOS update this week, it would confirm Coruna/Triangulation has entered a mass-deployment phase that threatens ordinary users as well as targeted individuals.
- If GlassWorm's blockchain-based C2 technique gets adopted by other malware families, traditional domain seizure and takedown operations could become structurally ineffective — watch for copycat implementations in commodity RATs that render DNS sinkholing less useful.
- If the InvenTree critical disclosure on April 8 drops with a working PoC the same day, incident response teams will face a compressed triage window and organizations that didn't harden during the two-week notice will be forced into emergency patching and isolation.
The Closer
An AI pipeline that executes whatever Python you POST to it, an espionage toolkit that graduated from hunting diplomats to hunting everyone, and a backup plugin whose encryption fails so predictably attackers can pre-wrap their payloads like birthday presents.
Somewhere, a mailcow admin is clicking a password reset link that points to a server in Moldova, and the Host header is laughing.
Read it. Act on it. Move on.
If someone you know runs Langflow, WordPress, or an iPhone they haven't restarted since February — forward this before they find out the hard way.