Patch Tuesday April 2026

Patch Tuesday April 2026 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

For even more information, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.

Microsoft Vulnerabilities

This Patch Tuesday brings 164 vulnerability fixes from Microsoft, significantly higher than typical monthly volumes, with eight rated critical and two zero-day vulnerabilities. The elevated number of patches, combined with the presence of zero-days and multiple critical issues, makes this a release that should be prioritized for immediate attention.

CVE-2026-33827 – Windows TCP/IP Remote Code Execution Vulnerability

“One malformed packet is all it takes—this flaw lets attackers turn network access into full system compromise without ever logging in.”

This critical vulnerability in the Windows TCP/IP stack is caused by a race condition in how shared resources are handled during concurrent execution. An unauthenticated attacker can exploit this flaw by sending specially crafted IPv6 packets to a target system with IPSec enabled, potentially achieving remote code execution. Despite requiring precise timing, the impact is severe, enabling full control over affected systems.
CVSS Score: 8.1
SEVERITY: Critical
THREAT: Remote Code Execution via race condition in TCP/IP stack
EXPLOITS:
There are currently no known public exploits or proof-of-concept code available, and the vulnerability has not been publicly disclosed prior to release. Exploitation is considered less likely due to the complexity of winning the race condition.
TECHNICAL SUMMARY:
The vulnerability arises from improper synchronization when handling shared resources within the Windows TCP/IP stack, specifically involving IPv6 and IPSec processing. Due to a race condition, multiple threads accessing the same resource may cause memory corruption or inconsistent system states. An attacker can exploit this by sending specially crafted IPv6 packets designed to trigger the race condition at the right moment. If successful, this can lead to arbitrary code execution in kernel context, giving the attacker complete control over the system.
EXPLOITABILITY:
Affects Windows systems with IPv6 and IPSec enabled.
Exploitation requires no authentication but does require precise timing to win the race condition.
BUSINESS IMPACT:
This vulnerability represents a high-impact threat because it allows attackers to remotely compromise systems without credentials or user interaction. Successful exploitation could lead to full system takeover, deployment of ransomware, lateral movement across networks, and disruption of critical services. Even with high complexity, the potential damage makes this a serious enterprise risk.
WORKAROUND:
If patching is not immediately possible:

• Disable IPv6 if not required
• Disable IPSec where feasible
• Restrict network exposure to trusted sources

URGENCY:
This is a critical remote code execution vulnerability that requires no authentication or user interaction. Even though exploitation is complex, the possibility of full system compromise from a single network packet significantly raises the stakes. Systems exposed to untrusted networks are particularly at risk, making rapid patch deployment essential to prevent potential large-scale attacks.

CVE-2026-33826 – Windows Active Directory Remote Code Execution Vulnerability

“A trusted domain user can become an unseen attacker—this flaw turns routine directory access into a launchpad for full system compromise.”

This vulnerability in Windows Active Directory is caused by improper input validation, allowing an authenticated attacker within the same domain to execute arbitrary code on a target system. By sending specially crafted RPC requests, an attacker can exploit the flaw to gain control over affected servers, making this a serious threat within enterprise environments where trust boundaries are critical.
CVSS Score: 8.0
SEVERITY: Critical
THREAT: Remote Code Execution via improper input validation in Active Directory RPC handling
EXPLOITS:
There are no known public exploits or proof-of-concept code at this time, and the vulnerability has not been publicly disclosed prior to release. However, exploitation is assessed as more likely due to low attack complexity.
TECHNICAL SUMMARY:
The vulnerability stems from insufficient validation of input data within Active Directory’s RPC handling mechanisms. An authenticated attacker in the same domain can send specially crafted RPC calls to a target server. Due to improper validation, malicious input may be processed in a way that leads to memory corruption or unintended execution paths. This can allow the attacker to execute arbitrary code in the context of the RPC service, potentially with elevated privileges depending on the service configuration.
EXPLOITABILITY:
Affects Windows systems running Active Directory services.
Requires low-privileged authenticated access within the same domain (adjacent network). Exploitation is straightforward due to low complexity.
BUSINESS IMPACT:
This vulnerability is particularly dangerous in enterprise environments because it allows attackers who have already gained a foothold in the network to escalate their attack rapidly. Compromising Active Directory infrastructure can lead to full domain takeover, unauthorized access to sensitive systems, and widespread disruption. It undermines the core trust model of enterprise identity management.
WORKAROUND:
If patching is not immediately possible:

• Restrict RPC access to trusted systems only
• Monitor and audit unusual RPC activity
• Apply strict network segmentation within the domain
  

URGENCY:
This vulnerability combines low attack complexity with high impact, making it especially dangerous in real-world scenarios. Once an attacker gains even minimal domain access, they can quickly exploit this flaw to move laterally and execute code on critical servers. Active Directory is a high-value target, and delaying patching increases the risk of widespread compromise.

CVE-2026-33824 – Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability

“This is the kind of flaw attackers wait for—silent, remote, and devastating.”

This critical vulnerability affects the Windows Internet Key Exchange (IKE) service, specifically IKEv2, where improper memory handling allows a double free condition. An attacker can exploit this flaw remotely by sending specially crafted network packets, leading to full remote code execution. With no authentication or user interaction required, this issue represents a severe risk to exposed systems, particularly those using VPN or IPsec services.
CVSS Score: 9.8
SEVERITY: Critical
THREAT: Remote Code Execution
EXPLOITS:
No public exploits or proof-of-concept (PoC) code have been observed. The vulnerability is not publicly disclosed and is currently assessed as less likely to be exploited, though its characteristics make it highly attractive for threat actors.
TECHNICAL SUMMARY:
The vulnerability is caused by a double free condition (CWE-415) in the Windows IKE service extensions. This occurs when the system incorrectly handles memory deallocation during processing of IKEv2 packets. An attacker can send specially crafted packets to trigger the double free, leading to memory corruption. This corruption can be leveraged to execute arbitrary code in the context of the system, potentially granting full control over the affected machine. Because the attack occurs over the network and requires no authentication, it significantly increases the attack surface.
EXPLOITABILITY:
Affects Windows systems with IKEv2 enabled.
Exploitation is performed remotely via specially crafted UDP packets sent to ports 500 and 4500.
BUSINESS IMPACT:
This vulnerability poses a serious threat to enterprise environments, especially those relying on VPN or IPsec for secure communications. Successful exploitation can result in complete system compromise, allowing attackers to steal sensitive data, disrupt operations, or move laterally across the network. The lack of required user interaction makes this especially dangerous for internet-facing systems.
WORKAROUND:
Block inbound traffic on UDP ports 500 and 4500 if IKE is not required.
If IKE is necessary, restrict access to these ports to trusted IP addresses only.
URGENCY:
This vulnerability exposes systems to unauthenticated remote code execution with no user interaction required. Its low attack complexity and full system impact make it a prime candidate for rapid weaponization. Internet-facing systems running IKEv2 services are particularly at risk, and delaying patch deployment increases exposure to potential widespread attacks.

CVE-2026-33115 – Microsoft Word Remote Code Execution Vulnerability

“A simple document preview can silently trigger full system compromise—this flaw turns everyday files into hidden attack weapons.”
This vulnerability in Microsoft Word is caused by a use-after-free memory flaw, allowing an attacker to execute arbitrary code on a local system. Despite being classified as a local attack vector, it can be triggered through malicious documents, including via the Preview Pane, making it highly dangerous in real-world scenarios where users interact with untrusted files.
CVSS Score: 8.4
SEVERITY: Critical
THREAT: Remote Code Execution via use-after-free memory corruption in Microsoft Word
EXPLOITS:
There are currently no known public exploits or proof-of-concept code available, and the vulnerability has not been publicly disclosed prior to release. Exploitation is considered less likely at this time.
TECHNICAL SUMMARY:
The vulnerability is due to improper memory management in Microsoft Word, specifically a use-after-free condition. This occurs when memory is freed but still referenced by the application. An attacker can craft a malicious Word document that manipulates memory allocation and deallocation patterns. When the document is opened—or even previewed—the application may access freed memory, leading to memory corruption. This can allow the attacker to execute arbitrary code in the context of the user running Word.
EXPLOITABILITY:
Affects Microsoft Word and related Office components.
No authentication required. Exploitation can occur via opening or previewing a malicious document.
BUSINESS IMPACT:
This vulnerability poses a significant risk because it leverages common user behavior—opening or previewing documents. Attackers can use phishing or file-sharing techniques to deliver malicious files, leading to endpoint compromise. Once exploited, attackers can install malware, steal sensitive data, or move laterally within the organization. The Preview Pane vector increases risk by reducing the need for explicit user action.
WORKAROUND:
If patching is not immediately possible:

• Disable the Preview Pane in Windows Explorer
• Avoid opening untrusted or unsolicited documents
• Use Protected View and application sandboxing features
  

URGENCY:
This is a critical vulnerability affecting a widely used application, with the added risk of exploitation through the Preview Pane. The ability to trigger code execution with minimal or no user interaction significantly increases exposure, especially in phishing scenarios. Organizations should prioritize patching endpoints to reduce the risk of widespread compromise.

CVE-2026-33114 – Microsoft Word Remote Code Execution Vulnerability

“A single untrusted pointer can turn a harmless document into a full system takeover—this flaw lets attackers weaponize everyday files.”

This vulnerability in Microsoft Word is caused by an untrusted pointer dereference, allowing an attacker to execute arbitrary code on a local system. Although classified as a local attack, it can be triggered through malicious documents, including via the Preview Pane, making it a serious threat in common user workflows involving document handling.
CVSS Score: 8.4
SEVERITY: Critical
THREAT: Remote Code Execution via untrusted pointer dereference in Microsoft Word
EXPLOITS:
No public exploits or proof-of-concept code are currently known, and the vulnerability has not been publicly disclosed prior to release. Exploitation is considered less likely at this stage.
TECHNICAL SUMMARY:
The vulnerability arises from improper handling of pointers in Microsoft Word. Specifically, the application may dereference a pointer that references untrusted or invalid memory. An attacker can craft a malicious document that manipulates pointer references during processing. When the document is opened or previewed, Word may attempt to access memory locations controlled or influenced by the attacker, leading to memory corruption. This can ultimately allow arbitrary code execution in the context of the user.
EXPLOITABILITY:
Affects Microsoft Word and related Office components.
No authentication required. Exploitation can occur via opening or previewing a specially crafted document.
BUSINESS IMPACT:
This vulnerability is dangerous because it leverages normal user behavior—interacting with documents. Attackers can distribute malicious files through phishing or shared drives, leading to endpoint compromise. The Preview Pane vector increases exposure by reducing the need for user interaction. Successful exploitation can result in data theft, malware deployment, and lateral movement within the organization.
WORKAROUND:
If patching is not immediately possible:

• Disable the Preview Pane in Windows Explorer
• Avoid opening files from untrusted sources
• Use Protected View and endpoint protection controls

URGENCY:
This vulnerability affects a widely used productivity application and can be triggered with minimal user interaction, including through the Preview Pane. The combination of high impact and ease of delivery through phishing campaigns increases the likelihood of exploitation in real-world scenarios, making timely patching critical.

CVE-2026-32190 – Microsoft Office Remote Code Execution Vulnerability

“This flaw turns everyday documents into silent weapons—triggering full system compromise without a single click.”

This critical vulnerability in Microsoft Office is caused by a use-after-free memory flaw that allows an attacker to execute arbitrary code on a local system. Despite requiring local execution, the risk remains high due to attack vectors such as the Preview Pane, which can automatically process malicious content. Successful exploitation can grant attackers complete control over affected systems, making this a serious threat in environments where Office files are frequently handled.
CVSS Score: 8.4
SEVERITY: Critical
THREAT: Remote Code Execution
EXPLOITS:
No public exploits or proof-of-concept (PoC) code have been identified. The vulnerability has not been publicly disclosed and is currently considered less likely to be exploited, though similar vulnerabilities have historically been weaponized quickly.
TECHNICAL SUMMARY:
This vulnerability is classified as a use-after-free issue (CWE-416), where Microsoft Office improperly manages memory after it has been freed. When a specially crafted file is processed, the application may continue to reference memory that has already been released. An attacker can manipulate this condition to corrupt memory and execute arbitrary code. Notably, the Preview Pane can act as an attack vector, meaning the vulnerability can be triggered without explicitly opening the file, increasing the risk of accidental exposure.
EXPLOITABILITY:
Affects supported versions of Microsoft Office prior to the patched release.
Exploitation occurs when a malicious file is opened or previewed locally, including via the Preview Pane.
BUSINESS IMPACT:
This vulnerability poses a significant threat to organizations relying on Microsoft Office for daily operations. Attackers can leverage malicious documents to gain full control of user systems, leading to data theft, ransomware deployment, or lateral movement within the network. The Preview Pane vector increases the likelihood of accidental compromise, even among cautious users.
WORKAROUND:
Disable the Preview Pane in email clients and file explorers where possible.
Avoid opening or previewing files from untrusted or unknown sources.
URGENCY:
This vulnerability enables high-impact code execution with no required user interaction in certain scenarios, such as Preview Pane rendering. Its ability to bypass typical user caution mechanisms makes it particularly dangerous in phishing campaigns and targeted attacks. Rapid deployment of patches is critical to prevent exploitation through common document workflows.

CVE-2026-32157 – Remote Desktop Client Remote Code Execution Vulnerability

“Connecting to the wrong server can be all it takes—this flaw lets attackers turn a trusted remote session into a full system takeover.”

This critical vulnerability in the Remote Desktop Client is caused by a use-after-free memory issue that can be exploited when a user connects to a malicious or compromised Remote Desktop server. The flaw allows an attacker to execute arbitrary code on the client machine over the network. Although user interaction is required, the attack leverages trusted workflows, making it highly effective in real-world scenarios.
CVSS Score: 8.8
SEVERITY: Critical
THREAT: Remote Code Execution
EXPLOITS:
No public exploits or proof-of-concept (PoC) code have been reported. The vulnerability is not publicly disclosed and is currently assessed as less likely to be exploited, though it presents strong potential for targeted attacks.
TECHNICAL SUMMARY:
This vulnerability stems from a use-after-free condition (CWE-416) in the Remote Desktop Client. When handling data from a Remote Desktop session, the client improperly references memory that has already been freed. If a user connects to a malicious RDP server controlled by an attacker, the server can send specially crafted data that triggers memory corruption. This can be leveraged to execute arbitrary code on the client system in the context of the logged-in user, potentially leading to full system compromise.
EXPLOITABILITY:
Affects vulnerable versions of the Remote Desktop Client.
Exploitation requires a user to initiate a connection to a malicious or compromised RDP server.
BUSINESS IMPACT:
This vulnerability is particularly dangerous in environments where Remote Desktop is widely used for administration or remote work. Attackers can weaponize trusted remote connections to gain control over endpoints, steal sensitive data, deploy malware, or pivot deeper into corporate networks. Because the attack relies on legitimate workflows, it can bypass traditional security awareness.
WORKAROUND:
Avoid connecting to untrusted or unknown Remote Desktop servers.
Restrict outbound RDP connections where possible and enforce trusted server lists.
URGENCY:
This vulnerability enables high-impact remote code execution through a commonly used enterprise tool. Its reliance on user-initiated connections makes it ideal for targeted attacks and social engineering campaigns. Systems that frequently connect to external or third-party RDP servers face increased exposure, and delaying patching leaves a critical entry point open to attackers.

CVE-2026-23666 – .NET Framework Denial of Service Vulnerability

“This flaw can let a remote attacker knock over a critical service without ever logging in, turning routine network access into a business disruption risk.”

A race condition in .NET Framework can let an unauthorized attacker trigger a denial of service over the network by abusing concurrent execution against a shared resource that is not properly synchronized. Microsoft lists this issue under .NET Framework and notes that it affects availability rather than confidentiality or integrity. The issue is not marked as publicly exploited, but proof-of-concept exploit maturity is present, which means defenders should not treat it as theoretical.
CVSS Score: 7.5
SEVERITY: Critical
THREAT: Denial of Service
THREAT: Remote unauthenticated denial of service. An attacker may be able to send crafted network traffic that triggers a race condition and causes the targeted application or service to hang, crash, or become unavailable. This is especially dangerous for exposed services or business systems that rely on .NET availability to keep operations running.
EXPLOITS: Microsoft’s accessible advisory data indicates the vulnerability is not publicly disclosed and not exploited at the time of release. However, the exploit code maturity is listed as Proof-of-Concept, which means exploit methods are considered plausible enough to raise risk. There is no confirmed zero-day exploitation in the MSRC data provided.
TECHNICAL SUMMARY:
This vulnerability is caused by improper synchronization during concurrent execution in .NET Framework. When multiple operations interact with a shared resource at the same time, the application may fail to handle the resulting exceptional condition safely. An attacker can exploit this weakness remotely over a network, without privileges and without user interaction, by sending requests or inputs that force the vulnerable code path into a race condition. The likely outcome is service instability, process failure, or application unavailability. While the issue does not appear to expose data or allow tampering, it can directly affect system uptime and reliability.
EXPLOITABILITY:
Affects systems running vulnerable versions of the .NET Framework. The issue is remotely reachable and does not require authentication or user interaction, which lowers the barrier to attack. Exploitation would involve triggering concurrent operations in a way that causes the vulnerable service or application to fail.
BUSINESS IMPACT:
This is the kind of weakness that can turn a stable business service into an outage target. Even without stealing data, an attacker may be able to interrupt customer-facing applications, internal business workflows, APIs, or backend processing jobs. For organizations that depend on .NET-based services for daily operations, repeated crashes or service hangs can lead to downtime, lost productivity, missed transactions, and incident response costs. The real danger is disruption: the business keeps running until a remote attacker decides it should not.
WORKAROUND:
If the patch cannot be applied immediately, reduce exposure by limiting access to internet-facing .NET services, restricting inbound traffic to trusted networks, and monitoring for unusual application crashes or repeated request patterns. Where possible, use load balancing, restart policies, and service isolation to reduce the impact of a successful denial-of-service attempt.
URGENCY:
This vulnerability deserves fast attention because it is remotely reachable, requires no authentication, and has proof-of-concept exploit maturity in the MSRC data. Even though Microsoft does not mark it as actively exploited, availability attacks are often attractive because they are simple, noisy, and immediately disruptive. Any organization running exposed or business-critical .NET services should prioritize this update before opportunistic attackers turn a race condition into an outage.

CVE-2026-33825 – Microsoft Defender Elevation of Privilege Vulnerability

“This flaw turns limited access into total control—what starts as a foothold can quickly become full system domination.”

This vulnerability in Microsoft Defender stems from insufficient granularity in access control, allowing an attacker with limited local privileges to escalate to SYSTEM-level access. By exploiting weaknesses in how permissions are enforced, an attacker can bypass intended restrictions and gain full control over the affected system. While it requires initial access, the impact is severe due to the level of privileges that can be obtained.
CVSS Score: 7.8
SEVERITY: Important
THREAT: Elevation of Privilege
EXPLOITS:
Proof-of-concept (PoC) exploit code is available, and the vulnerability has been publicly disclosed. While no active exploitation has been confirmed, the presence of PoC code increases the likelihood of real-world attacks.
TECHNICAL SUMMARY:
This vulnerability is classified under CWE-1220, indicating insufficient granularity of access control within Microsoft Defender. The flaw allows a local attacker with low privileges to exploit improper permission enforcement mechanisms. By leveraging this weakness, the attacker can execute code or actions with elevated privileges, ultimately achieving SYSTEM-level access. This type of vulnerability is particularly dangerous because it can be chained with other exploits to expand initial access into full system compromise.
EXPLOITABILITY:
Affects Microsoft Defender Antimalware Platform versions prior to 4.18.26050.3011 (last vulnerable version: 4.18.26020.6).
Exploitation requires local access with low privileges and no user interaction.
BUSINESS IMPACT:
This vulnerability significantly increases risk in environments where attackers have already gained a foothold. Once exploited, it allows full control over endpoints, enabling data exfiltration, disabling of security tools, and lateral movement across networks. Even environments with strong perimeter defenses are at risk if internal systems are compromised.
WORKAROUND:
Ensure Microsoft Defender updates are enabled and automatically applied.
Regularly verify that antimalware platform and signature updates are current.

CVE-2026-32201 – Microsoft SharePoint Server Spoofing Vulnerability

“This flaw lets attackers fake trust at scale—what looks legitimate may actually be a carefully crafted deception.”

This vulnerability in Microsoft SharePoint Server is caused by improper input validation, allowing attackers to spoof trusted content or interfaces over a network. By exploiting this flaw, an attacker can manipulate how information is presented to users, potentially tricking them into trusting malicious content. While the direct impact on data is limited, the ability to deceive users makes this a powerful tool for broader attacks.
CVSS Score: 6.5
SEVERITY: Important
THREAT: Spoofing
EXPLOITS:
Exploitation has been detected in the wild, and functional exploit techniques are known. Although not publicly disclosed in detail, attackers are actively leveraging this vulnerability.
TECHNICAL SUMMARY:
The vulnerability is classified under CWE-20, improper input validation. SharePoint fails to properly validate or sanitize certain inputs, allowing attackers to inject or manipulate data that is displayed to users. This can result in spoofed content, misleading UI elements, or falsified information appearing as legitimate within SharePoint environments. The flaw can be exploited remotely without authentication, making it accessible to external attackers.
EXPLOITABILITY:
Affects Microsoft SharePoint Server instances that have not been updated.
Exploitation is performed remotely over the network without requiring user interaction.
BUSINESS IMPACT:
This vulnerability can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments. It can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise. The presence of active exploitation significantly increases organizational risk.
WORKAROUND:
Apply strict input validation controls and monitor SharePoint activity for suspicious or unexpected content.
Limit exposure of SharePoint services to untrusted networks where possible.

CVE-2026-26133 – M365 Copilot Information Disclosure Vulnerability

“When AI assistants expose the wrong information, sensitive data can travel farther and faster than anyone expects.”

CVE-2026-26133 is an information disclosure vulnerability affecting Microsoft 365 Copilot. The issue occurs when Copilot improperly handles certain requests or contextual data, potentially allowing sensitive information to be exposed to unauthorized users. Because Copilot aggregates and processes large volumes of organizational data to generate responses, weaknesses in how data is filtered or validated could result in unintended disclosure of confidential information within an organization.

CVSS Score: 7.1
SEVERITY: High

THREAT:
This vulnerability could allow users to retrieve information they should not normally have access to through Copilot responses. Attackers may craft prompts or queries that cause Copilot to expose sensitive organizational data, internal documents, or restricted information. In environments where Copilot has broad access to corporate data sources, the impact could include exposure of intellectual property, confidential communications, or internal business records.

EXPLOITS:
There are no confirmed reports of active exploitation in the wild at the time of disclosure. However, vulnerabilities involving AI assistants and data exposure can be exploited through prompt manipulation or carefully crafted queries designed to bypass intended access controls. Security researchers may develop proof-of-concept techniques demonstrating how such information disclosure could occur.

TECHNICAL SUMMARY:
The vulnerability arises from improper handling or filtering of contextual data within Microsoft 365 Copilot. Copilot generates responses based on content retrieved from various Microsoft 365 services such as documents, emails, and collaboration platforms. If Copilot fails to correctly enforce access boundaries or sanitize contextual data used to generate responses, a user could receive information that originates from sources they should not be permitted to access. This results in unintended disclosure of sensitive organizational information.

EXPLOITABILITY:
Affected environments include Microsoft 365 tenants using Microsoft 365 Copilot capabilities.
Exploitation may involve a user issuing specially crafted prompts or queries designed to retrieve restricted information from Copilot’s contextual knowledge sources. No additional privileges beyond standard Copilot access may be required.

BUSINESS IMPACT:
Information disclosure vulnerabilities in AI-driven systems can have serious implications for organizations. Sensitive corporate data—such as financial information, internal communications, product plans, or customer records—could be unintentionally exposed to users who are not authorized to view it. Such exposure could lead to compliance violations, reputational damage, and potential legal consequences.

WORKAROUND:
If patching or mitigation updates cannot be immediately applied:

• Restrict Copilot access to sensitive repositories where possible.
• Review Microsoft 365 data access permissions and sharing policies.
• Monitor Copilot usage and responses for unusual or excessive data retrieval.
• Apply least-privilege access controls across Microsoft 365 workloads.

 

HPE AutoPass License Server

“A critical weakness in HPE’s AutoPass License Server allows attackers to completely bypass authentication and gain unrestricted access to licensing infrastructure.”

This update addresses CVE-2026-23600, a critical vulnerability in HPE AutoPass License Server (APLS) that allows remote authentication bypass. The flaw exists within the server’s authentication validation process, enabling attackers with network access to access protected services without valid credentials. Because APLS manages enterprise licensing and administrative functions, unauthorized access could allow attackers to manipulate licensing operations, alter configuration settings, or disrupt licensing services across enterprise systems.

CVE-2026-23600 — CVSS v3.1 Score: 10.0 (Critical). The vulnerability affects HPE AutoPass License Server versions prior to 9.19. The flaw can be exploited remotely and requires no privileges or user interaction, allowing attackers to fully bypass authentication controls and access restricted administrative capabilities. The issue creates a direct exposure of licensing infrastructure that could lead to service disruption or broader system compromise if exploited. HPE resolved the vulnerability in AutoPass License Server version 9.19.

 

Android – Qualcomm Graphics Component

“A low-level memory bug in Android can give attackers a path from local access to full device compromise.”

A security update for Android addresses CVE-2026-21385, a memory corruption vulnerability affecting memory allocation alignment handling within the Android platform. Improper memory management can allow a locally authenticated attacker to trigger corruption conditions that compromise the integrity of the system’s memory structures.

Successful exploitation could allow an attacker to escalate privileges and execute arbitrary code on the device. This could expose sensitive data, alter system operations, or cause system instability. The CVSS score is 7.8, which is High severity.

This vulnerability has been observed in real-world exploitation and is listed in the Known Exploited Vulnerabilities catalog. Android security updates correct the memory handling logic to prevent corruption during aligned memory allocation operations.

 

Cisco Secure Firewall

“When your firewall can be taken over, your entire network becomes exposed.”

Cisco Secure Firewall patched two critical vulnerabilities that allow attackers to execute arbitrary code and fully compromise affected systems. These issues impact core firewall functionality, putting network boundaries, traffic inspection, and security enforcement at immediate risk.

CVE-2026-20079 has a CVSS score of 10.0, which is Critical severity. CVE-2026-20131 has a CVSS score of 10.0, which is Critical severity. These vulnerabilities require urgent attention due to their maximum severity and the potential for complete system takeover.

CVE-2026-20131 is confirmed to be actively exploited in the wild, significantly increasing the urgency for remediation. The patch addresses unsafe input handling and strengthens system protections to prevent remote code execution and unauthorized control.

 

MongoDB Server

“One stream of malicious messages can drain server memory and take a database offline.”

MongoDB patched a denial-of-service vulnerability that allows unauthenticated attackers to crash a MongoDB server by exhausting system memory. The issue occurs when a server processes a series of specially crafted network messages that trigger asymmetric resource consumption. An attacker can repeatedly send these messages to rapidly consume available memory and force the database process to terminate.

The vulnerability affects MongoDB Server versions prior to 8.2.4, 8.0.18, and 7.0.29. Because the attack requires no authentication and can be triggered over the network, exposed database instances could be disrupted remotely. CVE-2026-25611 has a CVSS score of 7.5, which is High severity.

MongoDB addressed the issue by improving resource handling during message processing to prevent malicious requests from exhausting server memory.

 

Google Chrome Security Update

“A single malicious webpage can turn a browser bug into a full system foothold.”

Google released security updates for Chrome to address three vulnerabilities affecting browser memory safety and policy enforcement. These issues could allow attackers to exploit memory handling errors or bypass browser protections through specially crafted web content. If successfully exploited, attackers may be able to crash the browser, corrupt memory, or execute arbitrary code within the browser process.

CVE-2026-3536 has a CVSS score of 8.8, which is High severity. CVE-2026-3537 has a CVSS score of 6.5, which is Medium severity. CVE-2026-3538 has a CVSS score of 7.5, which is High severity. The vulnerabilities impact Chrome components responsible for memory management and security boundary enforcement when processing web content.

Google addressed the issues through updates to Chrome’s rendering and security controls. Users running outdated versions of Chrome remain exposed when visiting malicious or compromised websites designed to trigger these conditions.

 

Ivanti Endpoint Manager

“One missing check can turn your management system into a credential leak.”

Ivanti released a security update to fix an authentication bypass vulnerability in Endpoint Manager tracked as CVE-2026-1603. The issue affects Endpoint Manager versions prior to 2024 SU5 and allows a remote, unauthenticated attacker to bypass authentication controls and retrieve certain stored credential data from the system. Because Endpoint Manager manages endpoints across enterprise environments, exposure of credential data can create a pathway for broader network compromise.

CVE-2026-1603 has a CVSS score of 8.6, which is High severity. The vulnerability can be exploited remotely without authentication or user interaction, increasing the risk for exposed or internet-reachable management servers. The patch was released in the 2024 SU5 update.

Security agencies have confirmed real-world exploitation of this vulnerability. It has been added to a government-maintained catalog of actively exploited vulnerabilities, prompting urgent patching requirements for affected systems.

 

n8n

“If attackers can break the workflow sandbox, they can turn automation into remote control.”

The n8n automation platform released security updates addressing multiple critical vulnerabilities affecting workflow execution and sandbox protections. The issues include CVE-2026-27577, CVE-2026-27493, CVE-2026-27495, and CVE-2026-27497. These vulnerabilities impact how the platform evaluates expressions, processes form inputs, and isolates JavaScript execution within workflow components. Exploitation could allow attackers to bypass sandbox protections, inject malicious code, or execute commands directly on the n8n server.

CVE-2026-27577 has a CVSS score of 9.4, which is Critical severity. CVE-2026-27493 has a CVSS score of 9.5, which is Critical severity. CVE-2026-27495 has a CVSS score of 9.4, which is Critical severity. CVE-2026-27497 has a CVSS score of 9.4, which is Critical severity. Several of these vulnerabilities allow remote code execution through workflow features such as expression evaluation, form nodes, and task runners. Because n8n automation systems often integrate with internal services, APIs, and sensitive data flows, successful exploitation could allow attackers to take control of automation processes and execute commands on the underlying server.

 

Chromium – PowerVR Object Lifecycle

“A single malicious webpage can corrupt browser memory and open the door to code execution.”

Google released a security update for Chromium and Chrome to address an object lifecycle vulnerability in the PowerVR graphics component affecting Chrome on Android. The issue occurs when objects within the PowerVR graphics pipeline are improperly managed, allowing memory to be accessed after it should no longer be valid. A remote attacker can exploit this condition by luring a user to a crafted HTML page that triggers heap corruption inside the browser process.

CVE-2026-3537 has a CVSS score of 8.8, which is High severity. Successful exploitation may allow attackers to execute arbitrary code within the browser environment, potentially exposing sensitive data or enabling further compromise of the affected device. The vulnerability affects Google Chrome on Android versions prior to 145.0.7632.159, which includes the security fix for the issue.

There are currently no confirmed reports of active exploitation in the wild.

 

HPE Aruba Networking AOS-CX

“A network switch with a broken lock is not a switch — it is an open door into every system behind it.”

CVE-2026-23813 affects HPE Aruba Networking AOS-CX switches, specifically the web-based management interface. The CVSS score is 9.8, which is Critical severity. No real-world exploitation has been confirmed. An unauthenticated remote attacker can bypass authentication controls and reset the administrator password with no credentials required. Affected versions span four release branches: 10.17.0001 and below, 10.16.1020 and below, 10.13.1160 and below, and 10.10.1170 and below.

Full control of a core switch enables traffic interception, VLAN manipulation, port mirroring, and deep network pivoting. For server rooms, data centers, or OT environments, this is a single point of catastrophic failure. HPE has released patched firmware. Where immediate patching is not possible, restrict management interface access to trusted hosts and isolate management traffic.

 

SAP NetWeaver and FS-QUO

“Two hidden entry points—one through outdated logging code and another through unsafe data handling—could let attackers take control of core SAP systems.”

SAP’s March 2026 security updates resolve two critical vulnerabilities affecting enterprise SAP environments. The first issue, CVE-2019-17571, impacts SAP Quotation Management Insurance (FS-QUO). The vulnerability stems from the use of Apache Log4j 1.2, where unsafe deserialization in the SocketServer component can allow attackers to execute arbitrary code when malicious log data is processed. CVE-2019-17571 has a CVSS score of 9.8, which is Critical severity.

The second issue, CVE-2026-27685, affects SAP NetWeaver Enterprise Portal Administration. The vulnerability occurs when the application deserializes uploaded content without proper validation. A malicious payload could trigger code execution, denial-of-service conditions, or privilege escalation within the portal environment. CVE-2026-27685 has a CVSS score of 9.1, which is Critical severity.

SAP addressed these vulnerabilities as part of its monthly security patch cycle. No verified reports of real-world exploitation have been confirmed at the time of disclosure.

 

Adobe Acrobat and Reader

“A malicious PDF could quietly turn a document viewer into a launch point for system compromise.”

Adobe released security updates on March 10, 2026, addressing multiple vulnerabilities in Adobe Acrobat and Adobe Reader for Windows and macOS. The update resolves memory management issues and signature validation weaknesses that could allow attackers to execute arbitrary code or escalate privileges if a user opens a specially crafted PDF file.

Two vulnerabilities involve use-after-free memory conditions that could enable arbitrary code execution. CVE-2026-27220 has a CVSS score of 7.8, which is High severity. CVE-2026-27278 has a CVSS score of 7.8, which is High severity. A separate issue involving improper verification of cryptographic signatures could allow privilege escalation within the application. CVE-2026-27221 has a CVSS score of 5.5, which is Medium severity.

Adobe addressed these issues in updated versions of Acrobat DC, Acrobat Reader DC, and Acrobat 2024. Successful exploitation would typically require a user to open a malicious PDF file crafted by an attacker. At the time of release, there are no verified reports of real-world exploitation.

 

Chromium Security Update – Zero-Day

“Two browser bugs, already under active attack, could let a malicious webpage seize control of the browser.”

The latest Chromium security update resolves two high-severity vulnerabilities affecting the browser’s JavaScript engine and internal memory management. Both flaws can be triggered through specially crafted web content and could allow attackers to execute arbitrary code if a user visits a malicious website.

CVE-2026-3909 affects the V8 JavaScript engine and involves a type confusion condition that can lead to arbitrary code execution during JavaScript processing. CVE-2026-3909 has a CVSS score of 8.8, which is High severity. This vulnerability has been confirmed as actively exploited in the wild.

CVE-2026-3910 involves improper memory handling within Chromium components responsible for processing web content. Successful exploitation could cause memory corruption and allow attackers to execute arbitrary code in the browser context. CVE-2026-3910 has a CVSS score of 8.8, which is High severity. This vulnerability has also been confirmed as actively exploited in the wild.

Chromium developers released patches addressing both issues, and browser vendors that rely on Chromium are integrating the fixes through their latest security updates.

 

Google Gemini

“A weakness in an AI platform can quickly turn a helpful tool into a pathway for abuse.”

Google addressed CVE-2026-0628 affecting the Gemini platform. The vulnerability impacts how the system processes certain interactions and inputs within the service. If exploited, an attacker could manipulate application behavior and perform unintended actions within the platform environment. Because AI services like Gemini often integrate with multiple systems and process user-generated content, weaknesses in input handling can increase the risk of misuse or unauthorized activity.

CVE-2026-0628 has a CVSS score of 8.8, which is High severity. No exploitation has been verified. The security update strengthens protections around the affected functionality and reduces the likelihood that crafted inputs could manipulate the platform’s behavior.

 

Edge and Chromium Stable Channel Update 146.0.7680.71/72

“This Chromium update shuts down a wide spread of browser bugs before they turn into real compromise paths.”

Google’s March 10, 2026 Chromium stable channel update moves desktop builds to 146.0.7680.71 on Linux and 146.0.7680.71/72 on Windows and Mac, and it fixes 32 security issues. The most important coverage is in WebML, Web Speech, Agents, WebMCP, Extensions, TextEncoding, MediaStream, WebMIDI, and WindowDialog. The highest-risk item in the set is CVE-2026-3916, which has a CVSS score of 9.6, which is Critical severity. Multiple vulnerabilities—including CVE-2026-3909 and CVE-2026-3910—have CVSS scores of 8.8, which is High severity, and are confirmed to be under active exploitation. Additional High severity issues (CVSS 7.5–8.8) further expand the attack surface, while several Medium and Low severity vulnerabilities contribute to overall risk.

CVE-2026-0385 has a CVSS score of 5.0, which is Medium severity. CVE-2026-3925, CVE-2026-3927, CVE-2026-3928, CVE-2026-3935, CVE-2026-3940, CVE-2026-3941, and CVE-2026-3942 each have CVSS scores of 4.3, which is Medium severity. CVE-2026-3929 has a CVSS score of 3.1, which is Low severity. Several other vulnerabilities—including CVE-2026-3930, CVE-2026-3932, CVE-2026-3934, CVE-2026-3937, CVE-2026-3938, and CVE-2026-3939—have CVSS scores of 6.5, which is Medium severity.

The presence of actively exploited vulnerabilities significantly raises the urgency of this update. High and Critical issues can lead to heap corruption, memory access, or potential sandbox escape from malicious web content. The combination of critical, high, and actively targeted flaws makes this a high-risk exposure for any unpatched Chromium-based browser.

 

Splunk

“When attackers can manipulate a monitoring platform, they gain the power to hide in plain sight.”

Splunk released a security update addressing CVE-2026-20163 in Splunk Enterprise. The vulnerability affects how the platform processes certain user-controlled inputs. If exploited, an attacker could manipulate application behavior and perform unauthorized actions within the Splunk environment. Because Splunk commonly operates with elevated privileges and deep access to log and security data, a successful attack could allow adversaries to alter monitoring visibility, disrupt detection workflows, or mask malicious activity inside the organization’s logging infrastructure.

CVE-2026-20163 has a CVSS score of 8.0, which is High severity. The issue highlights the risk of leaving centralized logging and analytics platforms unpatched, as compromise of these systems can weaken an organization’s ability to detect and respond to threats.

 

Nginx UI

“Any unauthenticated user on the internet could walk away with your server’s keys, certificates, and credentials — all in a single request.”

CVE-2026-27944 affects Nginx UI, a web-based management interface for the Nginx web server. The CVSS score is 9.8, which is Critical severity. No real-world exploitation has been confirmed. The /api/backup endpoint is accessible without authentication, and the server returns the AES-256 encryption key and initialization vector in a plain HTTP response header, allowing an attacker to download and immediately decrypt a full system backup. Exposed data includes administrator credentials, active session tokens, SSL private keys, and the complete Nginx configuration.

For any organization with the management interface exposed to the internet, this vulnerability represents a full server compromise requiring zero credentials and zero skill. Stolen SSL private keys enable man-in-the-middle attacks against your own users. Exposed credentials hand attackers administrative control of the web server and everything it fronts. The fix is available in Nginx UI version 2.3.3. All earlier versions are affected and must be updated immediately.

 

Cisco IOS XR

“When core routing software is exposed, attackers don’t just get access—they get control of the network itself.”

Cisco addressed multiple high-impact vulnerabilities in IOS XR that could allow attackers to escalate privileges and execute arbitrary code on affected devices. These flaws impact core routing infrastructure, creating risk to availability, integrity, and control of network traffic.

CVE-2026-20040 has a CVSS score of 8.8, which is High severity. CVE-2026-20046 has a CVSS score of 8.8, which is High severity. These vulnerabilities can be exploited over the network and could enable attackers to gain elevated privileges or execute code, depending on the attack path and exposure of the affected services.

The patch strengthens input validation, hardens privilege boundaries, and eliminates the conditions that allow unauthorized code execution and escalation. There is no confirmed real-world exploitation at this time, but given the critical role of IOS XR in service provider and enterprise networks, the potential impact is severe.

 

Microsoft Authenticator

“If MFA can be weakened, account security quietly unravels.”

Microsoft addressed a vulnerability in Microsoft Authenticator affecting the integrity of the multi-factor authentication (MFA) verification process. The issue could allow improper validation of authentication challenges under certain conditions, weakening the assurance that MFA is meant to provide.

CVE-2026-26123 has a CVSS score of 5.5, which is Medium severity. While the flaw does not enable direct remote takeover on its own, it reduces the effectiveness of a key identity protection control, increasing the risk of unauthorized access when combined with other attack vectors.

The patch improves verification logic and ensures authentication responses are properly validated. There is no confirmed real-world exploitation at this time.

 

Zimbra Collaboration

“When email systems are exposed, attackers gain a direct line into the business.”

Zimbra Collaboration patched a high-severity vulnerability that allows attackers to gain unauthorized access to the platform, potentially exposing sensitive communications and administrative controls. The issue affects core collaboration services, increasing the risk of data compromise and account takeover.

CVE-2025-66376 has a CVSS score of 7.2, which is High severity. The vulnerability can be exploited remotely and poses a significant threat to organizations relying on Zimbra for email and collaboration workflows.

This vulnerability is actively exploited in the wild, making it an urgent priority for remediation. The patch strengthens access controls and closes the unauthorized access path to prevent further abuse.

 

Ubiquiti

“One max-score vulnerability is all it takes to turn a network into an open door.”

Ubiquiti has released a patch addressing two vulnerabilities that impact network security and device integrity. CVE-2026-22557 carries a CVSS score of 10.0, which is Critical severity. This represents the highest possible risk, where attackers could potentially gain full control over affected systems with little to no resistance. CVE-2026-22558 has a CVSS score of 7.7, which is High severity, introducing additional risk that could be used to support further compromise or disrupt operations.

There is no verified evidence of real-world exploitation or public proof-of-concept code for either vulnerability. Despite that, the presence of a maximum severity issue significantly raises the urgency, especially in exposed network environments where Ubiquiti devices are widely deployed.

 

Atlassian Bamboo Data Center

“If authentication can be sidestepped, your build pipeline is no longer secure.”

Atlassian Bamboo Data Center addressed a vulnerability that could allow attackers to bypass authentication controls and gain unauthorized access to the system. This issue affects core access mechanisms, potentially exposing build pipelines, credentials, and sensitive development workflows.

CVE-2026-21570 has a CVSS score of 8.6, which is High severity. The vulnerability can be exploited remotely without valid credentials, increasing the risk to exposed or improperly secured environments.

The patch enforces stricter authentication validation and removes the bypass condition to ensure only authorized users can access the platform. There is no confirmed real-world exploitation at this time.

 

Oracle WebLogic

“One exposed enterprise service can hand over your entire infrastructure.”

Oracle addressed CVE-2026-21992 in WebLogic Server, a critical vulnerability that allows remote code execution without authentication. The flaw affects core application server components and can be exploited over the network, giving attackers the ability to execute arbitrary code and fully compromise affected systems.

CVE-2026-21992 has a CVSS score of 9.8, which is Critical severity. There is no verified evidence of active exploitation or publicly available proof-of-concept code. The patch closes the remote execution path and strengthens input validation within affected services, reducing the risk of full system takeover.

 

Citrix

“Two gaps, one critical—this is the kind of exposure attackers wait for.”

Citrix has released a patch addressing two vulnerabilities that impact system security and access control. CVE-2026-3055 carries a CVSS score of 9.3, which is Critical severity. This issue presents a serious risk, potentially allowing attackers to compromise systems with minimal resistance. CVE-2026-4368 has a CVSS score of 7.7, which is High severity, and introduces additional exposure that could be leveraged to escalate attacks or disrupt services.

There is no verified evidence of real-world exploitation or public proof-of-concept code for either vulnerability at this time. Even without active exploitation, the severity—especially of the critical issue—demands immediate attention due to the high likelihood of weaponization.

 

Ubuntu

“This isn’t a minor issue—this is a clear path to serious system impact.”

Ubuntu has released a security update addressing CVE-2026-3888, a high-impact vulnerability that could compromise system integrity. The CVSS score is 7.8, which is High severity. This level of severity indicates a strong potential for attackers to exploit the issue to gain elevated access or disrupt system operations.

There is no verified evidence of real-world exploitation or public proof-of-concept code at this time. Despite that, the high severity rating signals meaningful risk, especially in exposed or unpatched environments, making timely remediation important.

 

Windows Error Reporting

“A silent reporting feature opened the door to system-level control.”

Microsoft addressed a high-severity vulnerability in Windows Error Reporting that could allow local attackers to escalate privileges. The issue enables an attacker with limited access to gain elevated permissions, potentially leading to full system compromise. CVE-2026-20817 has a CVSS score of 7.8, which is High severity.

Proof-of-concept code is publicly available, increasing the risk of exploitation in real-world environments. This makes timely patching critical, especially for systems where local access is possible or shared environments are in use.

 

Chromium – Multi-Vulnerability Security Patch

“A cluster of high-severity bugs can quietly turn a browser into a wide-open attack surface.”

This Chromium update addresses multiple vulnerabilities across core browser components, including memory handling and process isolation. Several issues are rated high severity, including CVE-2026-4442, CVE-2026-4459, CVE-2026-4673, CVE-2026-4674, CVE-2026-4675, CVE-2026-4677, CVE-2026-4679, and CVE-2026-4680, each with a CVSS score of 8.8, which is High severity. Additional issues include CVE-2026-32187 with a CVSS score of 4.2, which is Medium severity, and CVE-2026-4453 with a CVSS score of 4.3, which is Medium severity.

These vulnerabilities collectively impact browser stability, memory safety, and execution boundaries. While no verified exploitation or proof-of-concept activity is confirmed, the concentration of high severity issues significantly increases the risk profile for unpatched systems.

 

F5 BIG-IP

“One exposed endpoint can hand over the entire system.”

This patch addresses a critical remote code execution vulnerability in F5 BIG-IP tracked as CVE-2025-53521. The issue allows attackers to execute arbitrary code on affected systems, creating immediate risk of full system compromise, data exposure, and service disruption. The CVSS score is 9.8, which is Critical severity.

Active exploitation has been confirmed, significantly increasing the urgency for remediation. Systems exposed to untrusted networks are especially at risk, as attackers can leverage this vulnerability with little to no authentication. This patch closes the attack path and is essential for maintaining system integrity and availability.

 

BIND 9 DNS Service

“When DNS breaks, everything above it starts to fail.”

BIND 9 addressed multiple vulnerabilities affecting DNS query handling and service stability. These issues could allow attackers to disrupt DNS resolution or degrade service reliability through crafted requests. The vulnerabilities impact core DNS operations, increasing the risk of outages and degraded network performance.

CVE-2026-1519 has a CVSS score of 7.5, which is High severity. CVE-2026-3104 has a CVSS score of 7.5, which is High severity. CVE-2026-3119 has a CVSS score of 6.5, which is Medium severity. CVE-2026-3591 has a CVSS score of 5.4, which is Medium severity. There is no verified evidence of active exploitation or publicly available proof-of-concept code for these vulnerabilities. The patch improves how BIND processes DNS queries and handles malformed input, reducing the risk of service disruption and strengthening overall reliability.

 

Google Chrome Zero-Day Vulnerability

“When a browser bug is already being used in the wild, every unpatched user is a target.”

Google addressed CVE-2026-5281 in Chrome, a high-severity vulnerability affecting core browser components. The flaw can be triggered through malicious web content, potentially allowing attackers to execute code, escape security boundaries, or compromise user systems through normal browsing activity.

CVE-2026-5281 has a CVSS score of 8.8, which is High severity. Active exploitation has been observed, confirming that attackers are already leveraging this issue in real-world scenarios. The patch closes the vulnerability and strengthens protections around content handling to block further abuse.

 

Cisco Integrated Management Controller

“When network infrastructure is exposed, attackers don’t need a second chance.”

Cisco addressed CVE-2026-20093, a critical vulnerability affecting network devices that could allow remote code execution. The flaw exists in a network-facing component and can be exploited without authentication, enabling attackers to execute arbitrary code and potentially take full control of affected systems.

CVE-2026-20093 has a CVSS score of 9.8, which is Critical severity. There is no verified evidence of active exploitation or publicly available proof-of-concept code. The patch eliminates the remote execution vector and strengthens input validation to prevent unauthorized access and system compromise.

 

Fortinet Network Security Appliance

“When your security device is the target, the entire network is exposed.”

Fortinet addressed CVE-2026-35616, a critical vulnerability affecting its network security appliances. The flaw allows remote code execution through a network-facing component, potentially enabling attackers to take full control of affected systems without authentication. This puts enterprise perimeter defenses, traffic inspection, and internal network security at immediate risk.

CVE-2026-35616 has a CVSS score of 9.1, which is Critical severity. Active exploitation has been observed, confirming real-world attacks are already occurring. The patch eliminates the remote execution path and strengthens input validation to prevent unauthorized access and system compromise.

 

Next.js

“When a web framework fails at its core, every app built on it inherits the risk.”

Next.js addressed CVE-2025-55182, a critical vulnerability that allows remote code execution in affected applications. The flaw impacts core framework functionality and can be exploited through crafted requests, potentially allowing attackers to execute arbitrary code on servers running vulnerable Next.js applications.

CVE-2025-55182 has a CVSS score of 10.0, which is Critical severity. Active exploitation has been observed, confirming real-world attacks are already targeting this issue. The patch fixes the vulnerable request handling logic and strengthens validation to prevent unauthorized code execution.

 

Flowise

“When an AI workflow tool is exposed, attackers can turn automation into execution.”

Flowise addressed CVE-2025-59528, a critical vulnerability that allows remote code execution through improper handling of user-supplied input within its workflow engine. The issue can be exploited to execute arbitrary code on the host system, potentially leading to full system compromise and unauthorized access to connected data sources and services.

CVE-2025-59528 has a CVSS score of 10.0, which is Critical severity. Verified proof-of-concept code exists, increasing the likelihood of exploitation. The patch corrects input validation and execution controls within the workflow processing logic, preventing unauthorized code execution.

Google Chrome Release 146

“A browser release packed with high and critical bugs raises the stakes for every user session.”

Google Chrome Release 146 addresses multiple vulnerabilities across core browser components, including memory safety, rendering, and content processing. These issues could allow attackers to execute arbitrary code, crash the browser, or bypass security protections through malicious web content. The presence of multiple critical and high-severity vulnerabilities significantly increases the overall risk exposure.

CVE-2026-5288, CVE-2026-5289, and CVE-2026-5290 each have a CVSS score of 9.6, which is Critical severity. Numerous other vulnerabilities—including CVE-2026-5272, 5274, 5275, 5278, 5279, 5280, 5281, 5285, 5286, 5287, and 5292—have CVSS scores ranging from 7.5 to 8.8, which is High severity. Medium severity issues include CVE-2026-5273 (6.3), CVE-2026-5276 (6.5), CVE-2026-5283 (6.5), and CVE-2026-5291 (6.5).

Active exploitation has been confirmed for CVE-2026-5281, a use-after-free condition. This flaw can be triggered through malicious web content, allowing attackers to execute arbitrary code or compromise system integrity during normal browsing activity, increasing urgency for patching. No other vulnerabilities in this release show verified exploitation or public proof-of-concept code. The update strengthens memory handling, improves sandbox protections, and fixes unsafe processing of untrusted content.

List of CVEs included in this release:

CVE-2026-5288 — 9.6
CVE-2026-5289 — 9.6
CVE-2026-5290 — 9.6
CVE-2026-5272 — 8.8
CVE-2026-5274 — 8.8
CVE-2026-5275 — 8.8
CVE-2026-5278 — 8.8
CVE-2026-5279 — 8.8
CVE-2026-5280 — 8.8
CVE-2026-5281 — 8.8
CVE-2026-5285 — 8.8
CVE-2026-5286 — 8.8
CVE-2026-5287 — 8.8
CVE-2026-5292 — 8.8
CVE-2026-5282 — 8.1
CVE-2026-5277 — 7.5
CVE-2026-5284 — 7.5
CVE-2026-5276 — 6.5
CVE-2026-5283 — 6.5
CVE-2026-5291 — 6.5
CVE-2026-5273 — 6.3

 

Google Chrome Release 147 Security Update

“A large release with many unknown scores still hides real risk in plain sight.”

Chrome Release 147 includes a broad set of vulnerabilities, many of which currently do not have published CVSS base scores . These issues span multiple browser components, including V8, WebML, WebRTC, and rendering engines, potentially allowing attackers to trigger memory corruption, crashes, or unauthorized behavior through crafted web content.

Several vulnerabilities with confirmed scores include CVE-2026-5866, CVE-2026-5908, CVE-2026-5909, CVE-2026-5910, CVE-2026-5912, and CVE-2026-5914, each with a CVSS score of 8.8, which is High severity. CVE-2026-5907 and CVE-2026-5915 have CVSS scores of 8.1, which is High severity. Medium severity issues include CVE-2026-5905 (6.5), CVE-2026-5919 (6.5), and CVE-2026-5906, CVE-2026-5911, CVE-2026-5918 (4.3).

There is no verified evidence of active exploitation or publicly available proof-of-concept code for these vulnerabilities. The update focuses on improving memory safety, fixing logic errors, and strengthening input validation across browser subsystems.

• CVE-2026-5858 — Severity not listed.

• CVE-2026-5859 — Severity not listed.

• CVE-2026-5860 — Severity not listed.

• CVE-2026-5861 — Severity not listed.

• CVE-2026-5862 — Severity not listed.

• CVE-2026-5863 — Severity not listed.

• CVE-2026-5864 — Severity not listed.

• CVE-2026-5865 — Severity not listed.

• CVE-2026-5866 — 8.8 (High)

• CVE-2026-5867 — Severity not listed.

• CVE-2026-5868 — Severity not listed.

• CVE-2026-5869 — Severity not listed.

• CVE-2026-5870 — Severity not listed.

• CVE-2026-5871 — Severity not listed.

• CVE-2026-5872 — Severity not listed.

• CVE-2026-5873 — Severity not listed.

• CVE-2026-5874 — Severity not listed.

• CVE-2026-5875 — Severity not listed.

• CVE-2026-5876 — Severity not listed.

• CVE-2026-5877 — Severity not listed.

• CVE-2026-5878 — Severity not listed.

• CVE-2026-5879 — Severity not listed.

• CVE-2026-5880 — Severity not listed.

• CVE-2026-5881 — Severity not listed.

• CVE-2026-5882 — Severity not listed.

• CVE-2026-5883 — Severity not listed.

• CVE-2026-5884 — Severity not listed.

• CVE-2026-5885 — Severity not listed.

• CVE-2026-5886 — Severity not listed.

• CVE-2026-5887 — Severity not listed.

• CVE-2026-5888 — Severity not listed.

• CVE-2026-5889 — Severity not listed.

• CVE-2026-5890 — Severity not listed.

• CVE-2026-5891 — Severity not listed.

• CVE-2026-5892 — Severity not listed.

• CVE-2026-5893 — Severity not listed.

• CVE-2026-5894 — Severity not listed.

• CVE-2026-5895 — Severity not listed.

• CVE-2026-5896 — Severity not listed.

• CVE-2026-5897 — Severity not listed.

• CVE-2026-5898 — Severity not listed.

• CVE-2026-5899 — Severity not listed.

• CVE-2026-5900 — Severity not listed.

• CVE-2026-5901 — Severity not listed.

• CVE-2026-5902 — Severity not listed.

• CVE-2026-5903 — Severity not listed.

• CVE-2026-5904 — Severity not listed.

• CVE-2026-5905 — 6.5 (Medium)

• CVE-2026-5906 — 4.3 (Medium)

• CVE-2026-5907 — 8.1 (High)

• CVE-2026-5908 — 8.8 (High)

• CVE-2026-5909 — 8.8 (High)

• CVE-2026-5910 — 8.8 (High)

• CVE-2026-5911 — 4.3 (Medium)

• CVE-2026-5912 — 8.8 (High)

• CVE-2026-5913 — Severity not listed.

• CVE-2026-5914 — 8.8 (High)

• CVE-2026-5915 — 8.1 (High)

• CVE-2026-5918 — 4.3 (Medium)

• CVE-2026-5919 — 6.5 (Medium)

 

Apache ActiveMQ Broker

“When a messaging broker is exposed, attackers can move from messages to full system control.”

Apache addressed CVE-2026-34197 in ActiveMQ Broker, a high-severity vulnerability that can allow remote code execution through improper handling of incoming messages or requests. This flaw impacts core messaging functionality and could enable attackers to execute arbitrary code, potentially compromising the broker and connected systems.

CVE-2026-34197 has a CVSS score of 8.8, which is High severity. There is no verified evidence of active exploitation or publicly available proof-of-concept code. The patch strengthens input validation and message handling to prevent unauthorized code execution and protect messaging infrastructure.

 

Linux Kernel 

“Attackers could gain root access through this bug.”

Linux addressed CVE-2026-23226, a high-severity vulnerability in the kernel that allows privilege escalation. The issue stems from improper handling of system-level operations, enabling a local attacker to gain elevated permissions and potentially take full control of the system.

CVE-2026-23226 has a CVSS score of 8.8, which is High severity. There is no verified evidence of active exploitation or publicly available proof-of-concept code. The patch corrects the underlying logic and strengthens permission enforcement to prevent unauthorized privilege escalation.

 

Chromium April 2nd Release 

“When the browser layer cracks, every user session becomes a potential entry point.”

The Chromium April 2nd release addresses a wide range of vulnerabilities across core browser components, including memory safety, rendering, and content handling. These issues could allow attackers to execute code, crash the browser, or bypass security protections through malicious web content, directly impacting user systems during normal browsing.

CVE-2026-5272 has a CVSS score of 8.8, which is High severity. CVE-2026-5273 has a CVSS score of 6.3, which is Medium severity. CVE-2026-5274 has a CVSS score of 8.8, which is High severity. CVE-2026-5275 has a CVSS score of 8.8, which is High severity. CVE-2026-5276 has a CVSS score of 6.5, which is Medium severity. CVE-2026-5277 has a CVSS score of 7.5, which is High severity. CVE-2026-5279 has a CVSS score of 8.8, which is High severity. CVE-2026-5280 has a CVSS score of 8.8, which is High severity. CVE-2026-5281 has a CVSS score of 8.8, which is High severity. CVE-2026-5283 has a CVSS score of 6.5, which is Medium severity. CVE-2026-5284 has a CVSS score of 7.5, which is High severity. CVE-2026-5285 has a CVSS score of 8.8, which is High severity. CVE-2026-5286 has a CVSS score of 8.8, which is High severity. CVE-2026-5287 has a CVSS score of 8.8, which is High severity. CVE-2026-5289 has a CVSS score of 9.6, which is Critical severity. CVE-2026-5290 has a CVSS score of 9.6, which is Critical severity. CVE-2026-5291 has a CVSS score of 6.5, which is Medium severity. CVE-2026-5292 has a CVSS score of 8.8, which is High severity.

Active exploitation has been observed for CVE-2026-5281, confirming real-world attacks. No other vulnerabilities in this release show verified exploitation or public proof-of-concept code. The update focuses on strengthening memory safety, improving sandbox protections, and fixing unsafe handling of untrusted web content.

 

FreeScout

“A simple file upload bug turned into a zero-click server takeover risk for FreeScout deployments.”

A security update addresses two serious vulnerabilities in FreeScout, the open-source help desk and shared inbox platform. The first issue, CVE-2026-27636, allows an authenticated user to upload dangerous configuration files such as .htaccess due to incomplete file extension restrictions in the upload validation logic. On Apache servers with AllowOverride enabled, this can allow attackers to redefine how files are processed and ultimately execute arbitrary code on the server. The CVSS score is 8.8, which is High severity.

A second vulnerability, CVE-2026-28289, bypasses the original patch for the upload restriction flaw. By inserting an invisible zero-width space character before the filename, attackers can bypass the filename validation check and upload a malicious .htaccess file. Researchers demonstrated that this weakness can escalate into unauthenticated remote code execution, allowing attackers to execute commands on the server simply by sending a crafted email to a configured FreeScout mailbox. The CVSS score is 10.0, which is Critical severity.

FreeScout addressed these issues by strengthening file upload validation and sanitization logic in version 1.8.207, which prevents dangerous filenames and blocks the bypass technique that enabled remote code execution.

 

FreePBX tts Module

“A hidden database injection inside a voice feature can open the door to full system control.”

This patch addresses a security issue in the FreePBX Text-to-Speech (tts) module that allowed an authenticated administrator to perform SQL injection attacks through the FreePBX Administration Control Panel. The vulnerability affects FreePBX tts module versions prior to 16.0.5 and 17.0.5. Attackers with administrative access could manipulate database queries, potentially extracting sensitive data and executing commands on the underlying system. In some scenarios, this access could allow code execution as the asterisk service account and potentially escalate privileges to root, placing the entire telephony platform at risk.

The issue is tracked as CVE-2025-67736. The CVSS score is 8.6, which is High severity. The vulnerability allows network-based exploitation with low attack complexity, though it requires administrator privileges. The patch strengthens input validation and database query handling in the tts module to prevent malicious SQL commands from being executed.

No verified reports of active exploitation or zero-day attacks were confirmed.

 

Nagios XI

“A writable application file combined with a trusted sudo path created a direct route to root.”

A security update addresses CVE-2025-34288 in Nagios XI, a local privilege escalation vulnerability affecting the monitoring platform’s application environment. The issue occurs when a maintenance script that runs with elevated privileges loads a PHP include file that is writable by a lower-privileged application user. An attacker with access to the Nagios XI application account can modify that file and inject malicious code that executes when the privileged script runs.

Successful exploitation allows the attacker to execute commands with elevated permissions, potentially leading to full system compromise of the monitoring server. The CVSS score is 8.6, which is High severity.

The vendor released a security update that resolves the issue by correcting file ownership and permission handling so that lower-privileged users can no longer modify the included file used by the privileged maintenance process.

 

IceWarp

“One malicious header can hand attackers full control of your email server.”

A patch addresses CVE-2025-14500, a critical remote code execution vulnerability in the IceWarp collaboration and email platform. The issue stems from improper validation of the X-File-Operation HTTP header, which allows attackers to inject operating system commands. Because the vulnerable component executes the user-supplied input directly in a system call, a remote attacker can run arbitrary commands on the server.

The CVSS score is 9.8, which is Critical severity.

This vulnerability can be exploited remotely without authentication. Successful exploitation allows attackers to execute commands with SYSTEM or root-level privileges, potentially exposing email systems, stored files, conferencing services, and authentication data within affected environments. A vendor patch has been released and should be applied immediately to all exposed servers.

 

Viber for Android

“A privacy feature that exposes itself defeats the purpose.”

A patch addresses CVE-2025-13476 in the Viber messaging application for Android. The issue affects the Cloak proxy mode, which is designed to disguise proxy usage and help users bypass network censorship. Due to a flawed TLS handshake implementation, the app sends a static and predictable TLS ClientHello fingerprint. This lack of extension diversity allows Deep Packet Inspection (DPI) systems to easily identify Viber proxy traffic.

The CVSS score is 9.8, which is Critical severity.

Because the TLS fingerprint is rigid and easily recognized, network filtering systems can reliably detect and block Cloak-mode traffic. This undermines the feature’s purpose and may expose users attempting to bypass censorship or network restrictions. Updated versions of Viber modify the TLS behavior to prevent predictable fingerprinting.

 

AWS-LC

“When cryptographic validation breaks, attackers don’t need to crack encryption—they just walk around it.”

Amazon patched three vulnerabilities in AWS-LC, its open-source cryptographic library derived from BoringSSL. The update addresses validation bypass and timing side-channel weaknesses that could allow attackers to undermine cryptographic trust checks in applications that rely on the library.

Two vulnerabilities affect the PKCS7_verify() function. CVE-2026-3336 allows an unauthenticated user to bypass certificate chain validation when processing PKCS7 objects with multiple signers. CVE-2026-3338 allows signature verification bypass when PKCS7 objects include authenticated attributes. Both flaws could allow attackers to trick applications into trusting malicious or improperly validated signed content. CVE-2026-3336 has a CVSS score of 7.5, which is High severity. CVE-2026-3338 has a CVSS score of 7.5, which is High severity.

The third issue, CVE-2026-3337, introduces a timing side-channel in AES-CCM decryption that may reveal authentication tag validity through observable timing differences during decryption operations. CVE-2026-3337 has a CVSS score of 5.9, which is Medium severity.

These issues affect AWS-LC versions prior to 1.69.0 and related bindings such as aws-lc-sys. Amazon resolved all three vulnerabilities in AWS-LC version 1.69.0 and corresponding library updates.

 

AVideo Platform File Upload

“A media upload should store a video—not give an attacker a shell.”

AVideo patched a critical vulnerability that allows attackers to upload malicious files and execute code on the server. The issue stems from improper validation of uploaded media files. An attacker can bypass file restrictions and upload a crafted file that the server processes as executable code. Once executed, the attacker can gain control of the affected server environment.

CVE-2026-29058 has a CVSS score of 9.8, which is Critical severity. Because the vulnerability can be triggered remotely and does not require authentication in certain configurations, exposed AVideo platforms could be fully compromised through a malicious upload.

The patch strengthens file upload validation and execution handling to prevent malicious files from being processed as executable content.

 

FreeScout 

“A simple file upload bug turned into a zero-click server takeover risk for FreeScout deployments.”

A security update addresses two serious vulnerabilities in FreeScout, the open-source help desk and shared inbox platform. The first issue, CVE-2026-27636, allows an authenticated user to upload dangerous configuration files such as .htaccess due to incomplete file extension restrictions in the upload validation logic. On Apache servers with AllowOverride enabled, this can allow attackers to redefine how files are processed and ultimately execute arbitrary code on the server. The CVSS score is 8.8, which is High severity.

A second vulnerability, CVE-2026-28289, bypasses the original patch for the upload restriction flaw. By inserting an invisible zero-width space character before the filename, attackers can bypass the filename validation check and upload a malicious .htaccess file. Researchers demonstrated that this weakness can escalate into unauthenticated remote code execution, allowing attackers to execute commands on the server simply by sending a crafted email to a configured FreeScout mailbox. The CVSS score is 10.0, which is Critical severity.

FreeScout addressed these issues by strengthening file upload validation and sanitization logic in version 1.8.207, which prevents dangerous filenames and blocks the bypass technique that enabled remote code execution.

 

 

Wing FTP Server

“Even a medium-severity weakness becomes dangerous when attackers are already using it.”

Wing FTP Server addressed CVE-2025-47813, a vulnerability affecting how the server processes certain requests within its FTP service components. The weakness could allow attackers to manipulate server behavior and perform unauthorized actions through the service. Because FTP servers are often exposed to the internet and used for transferring sensitive files, exploitation could give attackers a foothold inside the network or access to stored data.

CVE-2025-47813 has a CVSS score of 4.3, which is Medium severity. Despite the moderate rating, the issue is actively exploited in the wild, increasing the real-world risk for organizations running vulnerable versions of Wing FTP Server. Systems that expose file transfer services to the internet face the greatest exposure until the patch is applied.

 

ExifTool for macOS Security Update for CVE-2026-3102

“A single crafted image file can become an entry point when metadata tools fail safely.”

A security update addresses CVE-2026-3102 affecting ExifTool for macOS, a widely used utility for reading and modifying image metadata. The vulnerability impacts how the application processes certain metadata structures within files. An attacker could craft a malicious file that triggers unintended behavior when processed by ExifTool, potentially allowing unauthorized actions during file analysis or automated processing tasks. Because ExifTool is commonly used in media pipelines, forensic workflows, and automated file processing environments, the risk increases where untrusted files are routinely handled.

CVE-2026-3102 has a CVSS score of 6.3, which is Medium severity. Proof-of-concept exploit code has been reported, demonstrating how the vulnerability could be triggered through specially crafted files if affected systems remain unpatched.

 

PostgreSQL — libpq

“A library trusted by every application talking to PostgreSQL can be turned into a crash-on-demand weapon from the network.”

CVE-2025-12818 affects the PostgreSQL libpq client library, used by virtually every application that connects to a PostgreSQL database. The CVSS score is 5.9, which is Medium severity. No real-world exploitation has been confirmed. An integer wraparound flaw in multiple libpq functions allows a network peer or malicious input source to cause the library to undersize a memory allocation, triggering an out-of-bounds write of up to hundreds of megabytes. The result is a segmentation fault, crashing the application using libpq. Affected versions include PostgreSQL 13 through 18 prior to the patched releases.

Because libpq is embedded in application code rather than the database server itself, this vulnerability affects any software that links against it, including web applications, reporting tools, middleware, and data pipelines. A crash triggered remotely causes application downtime and can disrupt business operations dependent on database connectivity. The fix is in PostgreSQL versions 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23. All applications using earlier libpq builds should be updated promptly.

 

Apache ZooKeeper

“When session trust breaks, the whole cluster is exposed.”

Apache ZooKeeper patched a vulnerability affecting session validation that could allow an attacker to bypass authentication controls under specific conditions. The issue stems from improper handling of session state, enabling unauthorized access to nodes and data within the distributed coordination service. This directly impacts data integrity and access control across clustered environments.

CVE-2026-24308 has a CVSS score of 7.5, which is High severity. The vulnerability can be exploited over the network without requiring user interaction, making it a serious risk for exposed ZooKeeper deployments. The patch strengthens session validation logic and enforces stricter authentication checks to prevent unauthorized session reuse or manipulation.

There is no confirmed real-world exploitation at this time. However, given ZooKeeper’s role in managing critical distributed systems, the exposure could lead to significant operational and security impact if left unpatched.

 

SGLang

“If your AI runtime can be tricked, your infrastructure becomes the payload.”

SGLang patched multiple critical vulnerabilities that allow remote code execution and sandbox escape within its runtime environment. These flaws enable attackers to craft inputs that break isolation controls, execute arbitrary code, and potentially take full control of the underlying system.

CVE-2026-3059 has a CVSS score of 9.8, which is Critical severity. CVE-2026-3060 has a CVSS score of 9.8, which is Critical severity. CVE-2026-3989 has a CVSS score of 7.8, which is High severity. Together, these issues create a highly exploitable attack chain, especially in environments where SGLang is exposed to external or untrusted inputs.

Proof-of-concept code is available for all three vulnerabilities, confirming that exploitation is practical and lowering the barrier for attackers. The patch strengthens sandbox enforcement, tightens execution boundaries, and improves input validation to prevent runtime compromise.

 

Apple WebKit

“A browser engine weakness can quietly expose every page you load.”

Apple addressed a vulnerability in WebKit involving improper memory handling that could lead to unintended behavior during web content processing. The issue could potentially allow malicious web content to impact application stability or bypass certain security controls under specific conditions. The flaw affects iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2.

CVE-2026-20643 has a CVSS score of 5.4, which is Medium severity. While the vulnerability does not enable direct system compromise on its own, it affects a core component used across browsers and applications, increasing exposure to web-based attack vectors.

The patch improves memory validation and strengthens safeguards in WebKit to prevent misuse during content rendering. There is no confirmed real-world exploitation at this time.

 

LangSmith

“When observability tools leak data, every model interaction becomes a liability.”

LangSmith patched a high-severity vulnerability that could allow unauthorized access to sensitive data within its observability and logging platform. The issue stems from insufficient access controls, potentially exposing prompts, responses, and associated metadata to unintended users.

CVE-2026-25750 has a CVSS score of 8.5, which is High severity. The vulnerability poses a significant risk to organizations relying on LangSmith for monitoring LLM applications, as it may lead to leakage of proprietary data, user inputs, or internal workflows.

The patch strengthens authentication and access control enforcement to ensure that only authorized users can access stored data. There is no confirmed real-world exploitation at this time.

 

Langflow

“One exposed endpoint is all it takes to hand over full control.”

Langflow addresses a critical vulnerability tracked as CVE-2026-33017 that enables remote code execution. The CVSS score is 9.3, which is Critical severity. This level of access allows attackers to execute arbitrary code, potentially taking full control of affected systems, accessing sensitive data, or disrupting operations.

Proof-of-concept code is available, increasing the likelihood of exploitation. While there is no confirmed real-world attack activity yet, the presence of a working PoC significantly lowers the barrier for threat actors and raises urgency for patching.

 

LangChain and LangGraph

“AI orchestration layers become a direct attack path when critical flaws go unpatched.”

LangChain and LangGraph released updates addressing three vulnerabilities impacting application logic and execution flow within AI-driven systems. These frameworks are often deeply embedded in modern applications, meaning weaknesses can quickly translate into real system compromise.

CVE-2025-68664 has a CVSS score of 9.3, which is Critical severity. This issue carries the highest risk and has verified proof-of-concept code, increasing the likelihood of exploitation. CVE-2026-34070 has a CVSS score of 7.5, which is High severity. CVE-2025-67644 has a CVSS score of 7.3, which is High severity. Both high-severity issues introduce meaningful risk but currently have no confirmed exploitation.

The patch strengthens execution boundaries and input handling across the frameworks, reducing the risk of unauthorized actions and system manipulation through AI workflows.

 

LibreChat

“A single weak point in a chat system can expose far more than just conversations.”

LibreChat has released a patch addressing CVE-2026-4276, a high severity vulnerability that could impact application security and data handling. The CVSS score is 7.5, which is High severity. This level of risk suggests attackers could exploit the issue to access sensitive data, manipulate application behavior, or disrupt service integrity.

There is no verified evidence of real-world exploitation or public proof-of-concept code. Even so, the high severity rating makes this a meaningful risk, particularly for exposed or internet-facing deployments.

 

RegPwn

“A high-impact gap like this can quietly open the door to system control.”

RegPwn has released a patch addressing CVE-2026-24291, a high severity vulnerability that could allow attackers to interfere with system operations or gain elevated access. The CVSS score is 7.8, which is High severity. This indicates a strong risk of exploitation leading to compromise of affected environments.

There is no verified evidence of real-world exploitation or public proof-of-concept code. Despite that, the severity level makes this a meaningful threat, especially in systems that are exposed or not regularly updated.

 

Wazuh

“With working exploit code out there, this isn’t theoretical—it’s actionable risk.”

Wazuh has released a patch addressing CVE-2026-25769, a critical vulnerability that exposes systems to severe compromise. The CVSS score is 9.1, which is Critical severity. This level of impact indicates attackers could gain deep control over affected environments, potentially leading to data exposure, system manipulation, or service disruption.

Proof-of-concept code is available, significantly increasing the likelihood of exploitation. While there is no confirmed real-world attack activity, the existence of working exploit code lowers the barrier for attackers and accelerates the risk timeline.

 

ConnectWise ScreenConnect

“When remote access tools break, attackers don’t knock—they log in.”

ConnectWise has released a patch addressing CVE-2026-3564, a critical vulnerability in ScreenConnect that could allow attackers to gain unauthorized access or control over remote systems. The CVSS score is 9.0, which is Critical severity. Given the nature of remote access software, exploitation could lead to full system compromise, lateral movement, and widespread operational impact.

There is no verified evidence of real-world exploitation or public proof-of-concept code at this time. However, the critical severity and exposure level make this a high-priority issue, especially for environments relying on ScreenConnect for remote administration.

 

TP-Link

“When core network devices weaken, everything behind them is exposed.”

This patch addresses five high severity vulnerabilities in TP-Link devices: CVE-2025-15517, CVE-2025-15518, CVE-2025-15519, CVE-2025-15605, and CVE-2025-62673. These issues impact network-facing components and could allow attackers to gain unauthorized access, alter configurations, or disrupt network operations. CVE-2025-15517 has a CVSS score of 8.6, which is High severity. CVE-2025-15518 has a CVSS score of 8.5, which is High severity. CVE-2025-15519 has a CVSS score of 8.5, which is High severity. CVE-2025-15605 has a CVSS score of 8.5, which is High severity. CVE-2025-62673 has a CVSS score of 8.6, which is High severity.

There is no verified evidence of active exploitation or publicly available proof-of-concept code for these vulnerabilities. However, given that TP-Link devices often sit at the edge of networks, these weaknesses present a serious risk if exploited, especially in environments with exposed management interfaces.

 

QNAP QVR Pro

“When surveillance breaks, visibility turns into exposure.”

This patch addresses CVE-2026-22898 in QNAP QVR Pro, a critical vulnerability that could allow unauthorized access or control over the surveillance management system. Successful exploitation could expose sensitive video data or disrupt monitoring operations. The CVSS score is 9.3, which is Critical severity.

There is no verified evidence of active exploitation or publicly available proof-of-concept code at this time. Despite this, the high severity and exposure of surveillance infrastructure make this a high-priority patch for affected environments.

 

Harbor

“A trusted registry can become the attacker’s entry point.”

This patch addresses CVE-2026-4404 in Harbor, a critical vulnerability that could allow attackers to compromise container registry environments. Successful exploitation may lead to unauthorized access, manipulation of stored images, or disruption of software supply chains. The CVSS score is 9.4, which is Critical severity.

There is no verified evidence of active exploitation or publicly available proof-of-concept code at this time. However, due to Harbor’s central role in managing and distributing container images, this vulnerability poses a serious risk to application integrity and deployment pipelines.

 

IDrive

“Backup systems are only safe if attackers can’t rewrite the rules.”

This patch addresses CVE-2026-1995 in IDrive, a high severity vulnerability that could allow attackers to compromise backup integrity or access stored data under certain conditions. The issue introduces risk to data confidentiality and reliability, especially in environments relying on automated or remote backup processes. The CVSS score is 7.8, which is High severity.

There is no verified evidence of active exploitation or publicly available proof-of-concept code at this time. However, given IDrive’s role in safeguarding critical data, this vulnerability could weaken recovery capabilities and expose sensitive information if not remediated.

 

Windchill and FlexPLM

“When product data systems are exposed, the entire supply chain is at risk.”

This patch addresses CVE-2026-4681 in PTC Windchill and FlexPLM, a critical vulnerability that could allow attackers to gain unauthorized access or manipulate product lifecycle management data. Exploitation could impact intellectual property, design integrity, and downstream manufacturing processes. The CVSS score is 9.3, which is Critical severity.

There is no verified evidence of active exploitation or publicly available proof-of-concept code at this time. However, due to the central role of these platforms in managing product data and workflows, the potential business impact is significant if left unpatched.

Hikvision Camera Firmware

“A silent entry point into surveillance systems can turn security into exposure overnight.”

Hikvision addressed CVE-2025-66176, a high-severity vulnerability impacting its camera firmware. The issue allows unauthorized access through improper authentication handling, potentially enabling attackers to bypass security controls and gain control over affected devices. This creates direct risk to video surveillance integrity, device configuration, and network exposure.

CVE-2025-66176 has a CVSS score of 8.8, which is High severity. There is no verified evidence of active exploitation or public proof-of-concept code at this time. The patch strengthens authentication mechanisms and closes the access gap that could allow unauthorized control.

 

Node.js HTTP Module

“A single crafted request can quietly knock a server offline.”

Node.js addressed CVE-2026-21710, a high-severity vulnerability in its HTTP handling that can lead to denial of service. The issue allows attackers to send specially crafted requests that exhaust server resources or disrupt normal processing, causing applications to become unresponsive. This directly impacts availability for services built on Node.js.

CVE-2026-21710 has a CVSS score of 7.5, which is High severity. There is no verified evidence of active exploitation or publicly available proof-of-concept code. The patch improves how the HTTP module processes incoming requests, preventing resource exhaustion and stabilizing server performance under malicious input.

 

NVIDIA Apex

“When a performance tool turns into a control point, the entire system is at risk.”

NVIDIA addressed CVE-2025-33244 in Apex, a critical vulnerability that allows privilege escalation within affected environments. The issue stems from improper handling of system-level operations, enabling attackers to gain elevated permissions and potentially take full control of the host system. This directly impacts environments relying on Apex for high-performance computing and AI workloads.

CVE-2025-33244 has a CVSS score of 9.0, which is Critical severity. There is no verified evidence of active exploitation or publicly available proof-of-concept code. The patch enforces stricter permission controls and corrects the underlying privilege handling flaw, reducing the risk of unauthorized system access.

 

Synology DiskStation Manager

“One exposed interface can give attackers full control of your storage.”

Synology addressed CVE-2026-32746 in DiskStation Manager (DSM), a critical vulnerability that allows remote code execution through improper handling of network-facing services. An attacker can exploit this issue to execute arbitrary code without authentication, putting stored data, system integrity, and connected services at immediate risk.

CVE-2026-32746 has a CVSS score of 9.8, which is Critical severity. Verified proof-of-concept code exists, increasing the likelihood of exploitation. The patch fixes the vulnerable service handling and strengthens input validation to block unauthorized code execution.

 

libpng Image Processing

“A corrupted image file shouldn’t be able to crash or control your system.”

libpng addressed multiple high-severity vulnerabilities affecting how PNG images are processed. CVE-2026-33416 and CVE-2026-33636 both stem from improper memory handling when parsing crafted image data. These issues could allow attackers to trigger crashes or potentially execute arbitrary code by supplying malicious PNG files, impacting applications that rely on libpng for image processing.

CVE-2026-33416 has a CVSS score of 7.5, which is High severity. CVE-2026-33636 has a CVSS score of 7.6, which is High severity. There is no verified evidence of active exploitation or publicly available proof-of-concept code for either vulnerability. The patch improves memory validation and bounds checking to prevent misuse during image parsing.

 

Veeam Backup & Replication Security

“If attackers can execute code inside the backup platform, they gain leverage over the systems meant to recover the business.”

Veeam released security updates addressing several vulnerabilities in Veeam Backup & Replication, including CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21669, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708. These vulnerabilities impact core backup server operations, repository controls, and privilege handling within the platform. Multiple issues allow authenticated domain users to perform remote code execution on the backup server, while others enable privilege escalation or the ability to manipulate files in backup repositories. Because backup infrastructure interacts closely with production systems and recovery data, compromise of this platform could disrupt disaster recovery capabilities and expose sensitive data.

CVE-2026-21666 has a CVSS score of 10.0, which is Critical severity. CVE-2026-21667 has a CVSS score of 9.9, which is Critical severity. CVE-2026-21668 has a CVSS score of 8.8, which is High severity. CVE-2026-21672 has a CVSS score of 8.8, which is High severity. CVE-2026-21708 has a CVSS score of 9.9, which is Critical severity. CVE-2026-21669 has a CVSS score of 9.9, which is Critical severity. CVE-2026-21671 has a CVSS score of 9.1, which is Critical severity. Several of these vulnerabilities enable authenticated users to execute code on backup servers or escalate privileges, which significantly increases the risk for environments where backup systems are integrated with domain credentials and administrative roles.

 

Marimo

“When a developer tool is actively exploited, every connected environment becomes a target.”

Marimo addressed CVE-2026-39987, a critical vulnerability that allows remote code execution within its platform. The issue impacts how user input or workflows are processed, enabling attackers to execute arbitrary code and potentially gain full control over the host system and associated environments.

CVE-2026-39987 has a CVSS score of 9.3, which is Critical severity. Active exploitation has been observed, confirming real-world attacks are already underway. The patch fixes the execution pathway and strengthens input validation to prevent further compromise.

SPEAKER NOTES

• “When a developer tool is actively exploited, every connected environment becomes a target.”
• The vulnerability allows remote code execution.
• Active exploitation increases urgency for patching.
• The fix secures execution paths and input handling.