CVE-2026-3844 is an unauthenticated file upload vulnerability in the Breeze Cache plugin by Cloudways affecting all versions through 2.4.4, enabling remote code execution when the ‘Host Files Locally – Gravatars’ feature is enabled. Active exploitation has been reported across an estimated 400,000+ installations. A patched version (2.4.5) is available.
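
An inventory check for the affected version range, added here as an example (not code from Cloudways or from the original advisory): it walks a directory of WordPress installs, reads each plugin header, and reports Breeze copies older than 2.4.5. It assumes the plugin's header name begins with "Breeze" and the standard `wp-content/plugins` layout; the sample tree in `demo()` is constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (2, 4, 5)  # first patched release named in the advisory
# Matches "Plugin Name:" / "Version:" lines inside a PHP comment header.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_version(text):
    """Turn '2.4.4' or '2.4.4-beta' into a comparable 3-part tuple."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def read_header(php_file):
    """Return (name, version) from a WordPress plugin header, or None."""
    head = php_file.read_text(errors="replace")[:8192]  # headers sit at the top of the file
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value)  # keep the first occurrence
    if "plugin name" in fields and "version" in fields:
        return fields["plugin name"], fields["version"]
    return None

def find_vulnerable(root, name_prefix="breeze"):
    """List (plugin_dir, version) for matching plugins older than FIXED.
    name_prefix is an assumption about the plugin's header name."""
    hits = []
    for php in sorted(Path(root).glob("**/wp-content/plugins/*/*.php")):
        hdr = read_header(php)
        if hdr and hdr[0].lower().startswith(name_prefix) and parse_version(hdr[1]) < FIXED:
            hits.append((str(php.parent), hdr[1]))
    return hits

def demo():
    """Scan a constructed two-site tree: one install at 2.4.4, one at 2.4.5."""
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in (("site-a", "2.4.4"), ("site-b", "2.4.5")):
            d = Path(tmp, site, "wp-content", "plugins", "breeze")
            d.mkdir(parents=True)
            (d / "breeze.php").write_text(
                f"<?php\n/**\n * Plugin Name: Breeze\n * Version: {ver}\n */\n")
        return [(Path(p).parts[-4], v) for p, v in find_vulnerable(tmp)]

if __name__ == "__main__":
    for site, version in demo():
        print(f"{site}: Breeze {version} is below 2.4.5, update required")
```

The check reports installed versions only; it does not determine whether the ‘Host Files Locally – Gravatars’ feature is enabled on a given site.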