CVE-2026-34197 (CVSS 8.8), an RCE in Apache ActiveMQ Classic that lurked for 13 years, was added to the CISA KEV catalog. Authenticated attackers can achieve remote code execution via the Jolokia API. Affects versions below 5.19.4 and 6.0.0–6.2.2.
NIST has changed NVD's operational policy. Full CVE enrichment is over — only CISA KEV, federal software, and EO 14028 critical software will be prioritized.
LLM safety is built from multiple layers: RLHF, Constitutional AI, system prompts, and input/output filters. A breakdown of how cloud providers differ, what abliterated vs uncensored actually means, and the default censorship levels baked into local LLMs.
Two announcements from Cloudflare Agents Week 2026 on April 14: Mesh connects AI agents to private networks, and the Enterprise MCP Reference Architecture governs tool access at organizational scale.
Microsoft's second-largest Patch Tuesday ever. SharePoint Server XSS zero-day (CVSS 6.5) confirmed in active exploitation and added to CISA KEV. Windows Defender BlueHammer LPE (CVSS 7.8) has a full public PoC. Also includes a wormable IKE RCE at CVSS 9.8.
CISA added 7 actively exploited vulnerabilities to the KEV catalog including FortiClient EMS SQL injection (CVSS 9.1). Federal deadline is April 16 for Fortinet, April 27 for the remaining six.
A CVSS 9.4 file upload vulnerability in ShowDoc, disclosed in 2020, was first observed being exploited in the wild by VulnCheck Canaries in April 2026. Over 2,000 exposed instances remain, primarily in China.
CVE-2026-40175: unrelated to the March supply-chain compromise. axios's config merge picked up tainted Object.prototype values and passed them through as HTTP headers without CRLF validation, chaining to SSRF. Fixed in 1.15.0.
UC Berkeley's RDI team demonstrated that major benchmarks including SWE-bench and WebArena can be manipulated to near-perfect scores without completing any tasks. They identified 7 vulnerability patterns and released BenchJack, an automated benchmark attack tool.
Adobe released a patch on April 11, 2026 for a Prototype Pollution RCE in Acrobat Reader that had been exploited since December 2025. CVSS 8.6, Priority 1. Apply within 72 hours.
A 32-bit integer overflow in macOS's XNU kernel makes every new TCP connection fail after 49.7 days of continuous uptime. Apple has not implemented the workaround that RFC 7323 defined over two decades ago.