A vulnerability in iTerm2 3.6.9 and earlier where simply displaying a malicious file with cat triggers local code execution. Caused by conductor impersonation in SSH Integration, fixed in 3.7.0.
The WordPress plugin Vertex Addons for Elementor (<= v1.6.4) has a broken authorization check in activate_required_plugins() that lets Subscriber-level users install and activate arbitrary plugins. CWE-862, CVSS 8.8.
CVE-2026-34197 (CVSS 8.8), an RCE in Apache ActiveMQ Classic that lurked for 13 years, was added to the CISA KEV catalog. Authenticated attackers can achieve remote code execution via the Jolokia API. Affects versions below 5.19.4 and 6.0.0–6.2.2.
NIST has changed NVD's operational policy. Full CVE enrichment is over — only CISA KEV, federal software, and EO 14028 critical software will be prioritized.
LLM safety stacks five layers — input filter, system prompt, RLHF, Constitutional AI, output filter — and each provider blocks at different layers. A breakdown of where abliterated vs uncensored models cut, and the default censorship level baked into local LLMs.
Two announcements from Cloudflare Agents Week 2026 on April 14: Mesh connects AI agents to private networks, and the Enterprise MCP Reference Architecture governs tool access at organizational scale.
Microsoft's second-largest Patch Tuesday ever. SharePoint Server XSS zero-day (CVSS 6.5) confirmed in active exploitation and added to CISA KEV. Windows Defender BlueHammer LPE (CVSS 7.8) has a full public PoC. Also includes a wormable IKE RCE at CVSS 9.8.
CISA added 7 actively exploited vulnerabilities to the KEV catalog including FortiClient EMS SQL injection (CVSS 9.1). Federal deadline is April 16 for Fortinet, April 27 for the remaining six.
A CVSS 9.4 file upload vulnerability in ShowDoc, disclosed in 2020, was first observed being exploited in the wild by VulnCheck Canaries in April 2026. Over 2,000 exposed instances remain, primarily in China.
CVE-2026-40175: unrelated to the March supply-chain compromise. axios's config merge picked up tainted Object.prototype values and passed them through as HTTP headers without CRLF validation, chaining to SSRF. Fixed in 1.15.0.
UC Berkeley's RDI team demonstrated that major benchmarks including SWE-bench and WebArena can be manipulated to near-perfect scores without completing any tasks. They identified 7 vulnerability patterns and released BenchJack, an automated benchmark attack tool.