Adobe released a patch on April 11, 2026 for a Prototype Pollution RCE in Acrobat Reader that had been exploited since December 2025. CVSS 8.6, Priority 1. Apply within 72 hours.
An Adobe Reader/Acrobat zero-day has been actively exploited since November 2025. A two-bug chain achieves sandbox bypass and RCE, affecting all versions including the latest. No patch available.
Anthropic's unreleased Claude Mythos Preview discovered thousands of zero-day vulnerabilities, including a 27-year-old OpenBSD bug and a 16-year-old FFmpeg bug. Deemed too dangerous for public release, it ships exclusively through Project Glasswing to 12 founding partners.
Cisco Secure FMC's unauthenticated RCE flaw CVE-2026-20131 (CVSS 10.0) was added to CISA's KEV catalog after Interlock ransomware had been abusing it for 36 days before Cisco's public disclosure. Amazon Threat Intelligence later dissected the toolkit in detail.
Google released an emergency update for Chrome 146.0.7680.75 on March 13 to fix two CVSS 8.8 zero-days, both confirmed exploited in the wild. It was Chrome's third emergency patch of 2026.
In the same week, CISA's KEV catalog gained a Chromium CSS engine UAF, a Roundcube RCE that hid for over a decade, a BeyondTrust RCE abused by ransomware, and a Dagu RCE stemming from the lack of default authentication. All four require immediate patching.
A CVSS 10.0 vulnerability in Dell RecoverPoint for VMs was found to have been exploited by the China-linked threat group UNC6201 for more than a year and a half.