2026-04-14 22:16Z · CRIT

CVE-2026-27304 — ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27304

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. CVSSv3.1 9.3 (CRITICAL)

CWE-20 · Vendor: Coldfusion · Type: Vulnerability
CVSS v3.1: 9.3 · Score: 97

2026-04-14 22:00Z · INFO

v9.0.1-rc1

BloodHound releases · github.com

BloodHound v9.0.1-rc1 release candidate published with dependency updates and DAWGS library bump to 0.4.16. This is a routine maintenance release addressing identified vulnerabilities in upstream dependencies.

SRF: Application · Vendor: Specter Ops · Type: Tool · STG: Discovery · STG: Recon
Score: 25

2026-04-14 21:48Z · CRIT

Patch Tuesday - April 2026

Microsoft released 167 vulnerabilities in April 2026 Patch Tuesday, including a critical unauthenticated RCE in Windows IKE (CVE-2026-33824, CVSS 9.8) with pre-auth network exposure, a local privilege escalation in Microsoft Defender (CVE-2026-33825) with public disclosure, and a SharePoint spoofing zero-day (CVE-2026-32201) already exploited in the wild. The patch batch reflects a significant industry-wide surge in vulnerability reporting driven by expanding AI capabilities, with 80 browser vulnerabilities patched separately.

SRF: Application · SRF: OS · Tactic: TA0004 · Tactic: TA0001 · Vendor: Microsoft · Type: Vulnerability · Type: Advisory · STG: Privesc
CVSS v3.1: 9.8 · Score: 82

2026-04-14 21:16Z · HIGH

CVE-2026-34160 — Chamilo Chamilo_lms: In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34160

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP addresses, enabling unauthenticated Server-Side Request Forgery (SSRF). An attacker can exploit this to probe internal network CVSSv3.1 8.6 (HIGH)

CWE-306 · CWE-918 · Vendor: Chamilo · Type: Vulnerability
CVSS v3.1: 8.6 · Score: 93

2026-04-14 21:16Z · HIGH

CVE-2026-24893 — openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-24893

openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows an authenticated user with permission to add or modify hosts to execute arbitrary OS commands on the monitoring backend. The vulnerability arises because user-controlled host attributes (specifically the host address) are expanded into monitoring command templates without validatio CVSSv3.1 8.8 (HIGH)

CWE-20 · CWE-78 · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94

2026-04-14 18:17Z · HIGH

Hack the AI agent: Build agentic AI security skills with the GitHub Secure Code Game

GitHub Security · github.blog · CVE-2026-25253

GitHub released Season 4 of the Secure Code Game, a free interactive training platform focused on agentic AI security vulnerabilities. The game simulates a deliberately vulnerable AI assistant (ProdBot) across five progressive levels, teaching developers to identify and exploit real-world attack patterns including prompt injection, tool misuse, and sandbox escapes. The release addresses a critical gap: 83% of organizations plan agentic AI deployment but only 29% feel secure doing so.

Tactic: TA0005 · Tactic: TA0002 · SRF: AI · Type: Research · Type: Tool · STG: Defense Evasion · STG: Execution · Technique: T1566
Score: 72

2026-04-14 18:17Z · CRIT

CVE-2026-5752 — Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5752

Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal. CVSSv3.1 9.3 (CRITICAL)

Type: Vulnerability
CVSS v3.1: 9.3 · Score: 97

2026-04-14 18:17Z · HIGH

CVE-2026-34617 — Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Cross-Site Scripting (XSS)

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34617

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could result in privilege escalation. A low-privileged attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised we CVSSv3.1 8.7 (HIGH)

CWE-79 · Vendor: Adobe · Type: Vulnerability
CVSS v3.1: 8.7 · Score: 94

2026-04-14 18:17Z · CRIT

CVE-2026-34615 — Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34615

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. CVSSv3.1 9.3 (CRITICAL)

CWE-502 · Vendor: Adobe · Type: Vulnerability
CVSS v3.1: 9.3 · Score: 97

2026-04-14 18:17Z · HIGH

CVE-2026-33827 — Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33827

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an unauthorized attacker to execute code over a network. CVSSv3.1 8.1 (HIGH)

CWE-362 · Vendor: Concurrent · Type: Vulnerability
CVSS v3.1: 8.1 · Score: 91

2026-04-14 18:17Z · HIGH

CVE-2026-33826 — Windows: Improper input validation in Windows Active Directory allows an authorized attacker to execute code

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33826

Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network. CVSSv3.1 8.0 (HIGH)

CWE-20 · Type: Vulnerability
CVSS v3.1: 8.0 · Score: 90

2026-04-14 18:17Z · CRIT

CVE-2026-33824 — Double free in Windows IKE Extension allows an unauthorized attacker to execute code over

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33824

Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network. CVSSv3.1 9.8 (CRITICAL)

CWE-415 · Vendor: Double · Type: Vulnerability
CVSS v3.1: 9.8 · Score: 99

2026-04-14 18:17Z · HIGH

CVE-2026-33120 — Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33120

Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network. CVSSv3.1 8.8 (HIGH)

CWE-822 · Vendor: Untrusted · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94

2026-04-14 18:17Z · HIGH

CVE-2026-33115 — Use after free in Microsoft Office Word allows an unauthorized attacker to execute code

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33115

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH)

CWE-416 · Type: Vulnerability
CVSS v3.1: 8.4 · Score: 92

2026-04-14 18:17Z · HIGH

CVE-2026-33114 — Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33114

Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH)

CWE-822 · Vendor: Untrusted · Type: Vulnerability
CVSS v3.1: 8.4 · Score: 92

2026-04-14 18:17Z · HIGH

CVE-2026-32225 — Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32225

Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network. CVSSv3.1 8.8 (HIGH)

CWE-693 · Vendor: Protection · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94

2026-04-14 18:17Z · HIGH

CVE-2026-32221 — Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32221

Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH)

CWE-122 · Vendor: Heap · Type: Vulnerability
CVSS v3.1: 8.4 · Score: 92

2026-04-14 18:17Z · MED

CVE-2026-32202 — Microsoft Windows_10_1607: Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32202 · in the wild

Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network. CVSSv3.1 4.3 (MEDIUM) · EPSS 92nd percentile

CWE-693 · Vendor: Microsoft · Vendor: Protection · Type: Vulnerability · Status: itw exploited
CVSS v3.1: 4.3 · Score: 74

2026-04-14 18:17Z · HIGH

CVE-2026-32190 — Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32190

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH)

CWE-416 · Type: Vulnerability
CVSS v3.1: 8.4 · Score: 92

2026-04-14 18:17Z · HIGH

CVE-2026-32171 — Insufficiently protected credentials in Azure Logic Apps allows an authorized attacker to elevate privileges

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32171

Insufficiently protected credentials in Azure Logic Apps allows an authorized attacker to elevate privileges over a network. CVSSv3.1 8.8 (HIGH)

CWE-522 · Vendor: Insufficiently · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94

2026-04-14 18:17Z · HIGH

CVE-2026-32162 — Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32162

Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate privileges locally. CVSSv3.1 8.4 (HIGH)

CWE-349 · Vendor: Acceptance · Type: Vulnerability
CVSS v3.1: 8.4 · Score: 92

2026-04-14 18:17Z · HIGH

CVE-2026-32157 — Use after free in Remote Desktop Client allows an unauthorized attacker to execute code

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32157

Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network. CVSSv3.1 8.8 (HIGH)

CWE-416 · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94

2026-04-14 18:17Z · HIGH

CVE-2026-32091 — Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32091

Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally. CVSSv3.1 8.4 (HIGH)

CWE-416 · CWE-362 · Vendor: Concurrent · Type: Vulnerability
CVSS v3.1: 8.4 · Score: 92

2026-04-14 18:17Z · HIGH

CVE-2026-27928 — Windows: Improper input validation in Windows Hello allows an unauthorized attacker to bypass a security

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27928

Improper input validation in Windows Hello allows an unauthorized attacker to bypass a security feature over a network. CVSSv3.1 8.7 (HIGH)

CWE-20 · Type: Vulnerability
CVSS v3.1: 8.7 · Score: 94

2026-04-14 18:16Z · HIGH

CVE-2026-27912 — Microsoft Windows_server_2012: Improper authorization in Windows Kerberos allows an authorized attacker to elevate privileges over an

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27912

Improper authorization in Windows Kerberos allows an authorized attacker to elevate privileges over an adjacent network. CVSSv3.1 8.0 (HIGH)

CWE-285 · Vendor: Microsoft · Type: Vulnerability
CVSS v3.1: 8.0 · Score: 90