#Vulnerability

April 2026 Patch Tuesday: 163 CVEs Patched, SharePoint Zero-Day Exploited in the Wild, BlueHammer PoC Published

Microsoft's second-largest Patch Tuesday ever. SharePoint Server XSS zero-day (CVSS 6.5) confirmed in active exploitation and added to CISA KEV. Windows Defender BlueHammer LPE (CVSS 7.8) has a full public PoC. Also includes a wormable IKE RCE at CVSS 9.8.

CISA KEV Adds 7 Fortinet, Microsoft, and Adobe Vulnerabilities (April 13)

CISA added 7 actively exploited vulnerabilities to the KEV catalog including FortiClient EMS SQL injection (CVSS 9.1). Federal deadline is April 16 for Fortinet, April 27 for the remaining six.

ShowDoc File Upload RCE (CVE-2025-0520) Sees First In-the-Wild Exploitation After 5 Years

A CVSS 9.4 file upload vulnerability in ShowDoc, disclosed in 2020, was first observed being exploited in the wild by VulnCheck Canaries in April 2026. Over 2,000 exposed instances remain, primarily in China.

Adobe Acrobat Reader Patches Actively Exploited Zero-Day (CVE-2026-34621 / APSB26-43)

Adobe released a patch on April 11, 2026 for a Prototype Pollution RCE in Acrobat Reader that had been exploited since December 2025. CVSS 8.6, Priority 1. Apply within 72 hours.

Adobe Reader Zero-Day Exploited via PDF for 4 Months, Unpatched RCE Still Active

An Adobe Reader/Acrobat zero-day actively exploited since November 2025. A two-bug chain achieves sandbox bypass and RCE, affecting all versions including the latest. No patch available.

UAT-10608 used React2Shell to steal credentials from 766 Next.js hosts

Cisco Talos tracked UAT-10608 exploiting CVE-2025-55182 (React2Shell) to compromise 766 Next.js hosts and automatically collect DB credentials, SSH keys, and AWS/Stripe/GitHub tokens.

OpenClaw's SSH sandbox can be escaped through a symlink, CVSS 8.8

A symlink validation bug in OpenClaw's SSH sandbox sync path lets an AI agent read or write arbitrary local files outside the sandbox. GHSA-fv94-qvg8-xqpw, CVSS 8.8.

Chrome 146's Dawn use-after-free is the fourth Chrome zero-day exploited in the wild in 2026

CVE-2026-5281, a UAF in Dawn, the WebGPU implementation used by Chrome, was confirmed in-the-wild. Update to Chrome 146.0.7680.177/178 immediately.

PolyShell flaw in Magento's REST API enables unauthenticated RCE

A Magento product-option API bug allows unauthenticated uploads of polyglot files that execute PHP code. In nginx 2.0.0-2.2.x environments it becomes full RCE; in other setups it can lead to XSS and account takeover.

TrustedSec reveals four techniques to authenticate Azure Entra ID sign-in logs without recording them

All four methods to avoid Azure Entra ID sign-in logs by exploiting SQL column overflow in RoPC flow have been disclosed. GraphGoblin issues access tokens valid with CVSS v4.0=8.7.

CyberStrikeAI compromised 600 FortiGates, Cloudflare shipped always-on WAF detection, RFC 9849 standardized ECH, and VMware Aria landed in KEV

Four infrastructure-security stories from early March 2026: AI attack tool CyberStrikeAI compromising 600 FortiGates, Cloudflare's split detection/blocking WAF architecture, standardization of TLS Encrypted Client Hello, and CISA's KEV addition for VMware Aria Operations.

Critical vulnerabilities in pnpm < 10.26: Update now

Two critical vulnerabilities (CVE-2025-69263, CVE-2025-69264) were discovered in pnpm 10.0.0–10.25. They allow lockfile integrity bypass and remote code execution, so immediate updates are required.