2026-04-14 18:16Z · HIGH

CVE-2026-27912 — Microsoft Windows_server_2012: Improper authorization in Windows Kerberos allows an authorized attacker to elevate privileges over an

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27912

Improper authorization in Windows Kerberos allows an authorized attacker to elevate privileges over an adjacent network. CVSSv3.1 8.0 (HIGH)

CWE-285 · Vendor: Microsoft · Type: Vulnerability
CVSS v3.1: 8.0 · Score: 90
2026-04-14 18:16Z · CRIT

CVE-2026-27303 — Adobe: Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27303

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. CVSSv3.1 9.6 (CRITICAL)

CWE-502 · Vendor: Adobe · Type: Vulnerability
CVSS v3.1: 9.6 · Score: 98
2026-04-14 18:16Z · CRIT

CVE-2026-27246 — Adobe: Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27246

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. CVSSv3.1 9.3 (CRITICAL)

CWE-79 · Vendor: Adobe · Type: Vulnerability
CVSS v3.1: 9.3 · Score: 97
2026-04-14 18:16Z · CRIT

CVE-2026-27245 — Adobe: Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27245

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed. CVSSv3.1 9.3 (CRITICAL)

CWE-79 · Vendor: Adobe · Type: Vulnerability
CVSS v3.1: 9.3 · Score: 97
2026-04-14 18:16Z · CRIT

CVE-2026-27243 — Adobe: Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27243

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed. CVSSv3.1 9.3 (CRITICAL)

CWE-79 · Vendor: Adobe · Type: Vulnerability
CVSS v3.1: 9.3 · Score: 97
2026-04-14 18:16Z · HIGH

CVE-2026-26178 — Microsoft Windows_10_1607: Integer size truncation in Windows Advanced Rasterization Platform (WARP) allows an unauthorized attacker to

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-26178

Integer size truncation in Windows Advanced Rasterization Platform (WARP) allows an unauthorized attacker to elevate privileges locally. CVSSv3.1 8.8 (HIGH)

CWE-190, CWE-681 · Vendor: Microsoft · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94
2026-04-14 18:16Z · HIGH

CVE-2026-26167 — Microsoft Windows_10_1607: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-26167

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. CVSSv3.1 8.8 (HIGH) · EPSS 14th percentile

CWE-416, CWE-362 · Vendor: Microsoft, Concurrent · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94
2026-04-14 18:16Z · CRIT

CVE-2026-26149 — Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-26149

Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to bypass a security feature over a network. CVSSv3.1 9.0 (CRITICAL)

CWE-150 · Type: Vulnerability
CVSS v3.1: 9.0 · Score: 95
2026-04-14 17:16Z · HIGH

CVE-2026-34622 — Acrobat: Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-34622

Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. CVSSv3.1 8.6 (HIGH)

CWE-1321 · Vendor: Acrobat · Type: Vulnerability
CVSS v3.1: 8.6 · Score: 93
2026-04-14 16:16Z · HIGH

CVE-2026-39815 — An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39815

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow an attacker to execute unauthorized code or commands via sending crafted HTTP requests. CVSSv3.1 8.8 (HIGH)

CWE-89 · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94
2026-04-14 16:16Z · CRIT

CVE-2026-39813 — A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39813

A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to escalate privileges via <insert attack vector here>. CVSSv3.1 9.8 (CRITICAL)

CWE-24 · Type: Vulnerability
CVSS v3.1: 9.8 · Score: 99
2026-04-14 16:16Z · CRIT

CVE-2026-39808 — An improper neutralization of special elements used in an OS command ('OS command injection')

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39808

An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to execute unauthorized code or commands via <insert attack vector here>. CVSSv3.1 9.8 (CRITICAL)

CWE-78 · Type: Vulnerability
CVSS v3.1: 9.8 · Score: 99
2026-04-14 16:16Z · HIGH

CVE-2026-38532 — Webkul Krayin_crm: A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-38532

A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request. CVSSv3.1 8.1 (HIGH)

CWE-639 · Vendor: Broken, Webkul · Type: Vulnerability
CVSS v3.1: 8.1 · Score: 91
2026-04-14 16:16Z · HIGH

CVE-2026-38530 — Webkul Krayin_crm: A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-38530

A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request. CVSSv3.1 8.1 (HIGH)

CWE-639 · Vendor: Broken, Webkul · Type: Vulnerability
CVSS v3.1: 8.1 · Score: 91
2026-04-14 16:16Z · HIGH

CVE-2026-38529 — Webkul Krayin_crm: A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-38529

A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request. CVSSv3.1 8.8 (HIGH)

CWE-269, CWE-639 · Vendor: Broken, Webkul · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94
2026-04-14 16:16Z · HIGH

CVE-2026-38527 — Server: A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-38527

A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request. CVSSv3.1 8.5 (HIGH)

CWE-918 · Type: Vulnerability
CVSS v3.1: 8.5 · Score: 93
2026-04-14 16:16Z · CRIT

CVE-2026-38526 — An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-38526

An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file. CVSSv3.1 9.9 (CRITICAL)

CWE-434 · Type: Vulnerability
CVSS v3.1: 9.9 · Score: 100
2026-04-14 16:16Z · HIGH

CVE-2026-22828 — A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4, FortiManager Cloud

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-22828

A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4, FortiManager Cloud 7.6.2 through 7.6.4 may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Successful exploitation would require a large amount of effort in preparation because of ASLR and network segmentation. CVSSv3.1 8.1 (HIGH)

CWE-122 · Type: Vulnerability
CVSS v3.1: 8.1 · Score: 91
2026-04-14 16:16Z · CRIT

CVE-2025-65135 — School: In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-65135

In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter. CVSSv3.1 9.8 (CRITICAL)

CWE-89 · Vendor: School · Type: Vulnerability
CVSS v3.1: 9.8 · Score: 99
2026-04-14 16:16Z · CRIT

CVE-2025-63939 — Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-63939

Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter. CVSSv3.1 9.8 (CRITICAL)

CWE-89 · Type: Vulnerability
CVSS v3.1: 9.8 · Score: 99
2026-04-14 14:16Z · CRIT

CVE-2026-31049 — Hostbill: An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31049

An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field. CVSSv3.1 9.8 (CRITICAL) · EPSS 55th percentile

CWE-1236 · Vendor: Hostbill · Type: Vulnerability
CVSS v3.1: 9.8 · Score: 99
2026-04-14 13:00Z · HIGH

Anthropic’s Claude Mythos Preview: The AI Cybersecurity Inflection Point

Bishop Fox Labs · bishopfox.com

Anthropic announced Claude Mythos Preview, a frontier AI model capable of autonomously discovering and chaining multiple vulnerabilities across major operating systems and browsers, including a 27-year-old flaw in OpenBSD. Access is restricted to ~50 organizations via Project Glasswing, a controlled industry initiative, but the capability signals that AI-driven vulnerability discovery at scale is now operationalized and will likely become more widely accessible.

SRF: Application, OS · TAC: TA0043 · Vendor: Anthropic · Type: Research, Threat Intel · STG: Discovery, Execution
Score: 78
2026-04-14 09:16Z · HIGH

CVE-2026-27668 — This could allow an authenticated User Administrator to escalate their own privileges and grant

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-27668

A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) (All versions < V5.8). User Administrators are allowed to administer groups they belong to. This could allow an authenticated User Administrator to escalate their own privileges and grant themselves access to any device group at any access level. CVSSv3.1 8.8 (HIGH)

CWE-266 · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94
2026-04-14 09:16Z · HIGH

CVE-2026-25654 — This could allow an authenticated remote attacker to bypass authorization checks, leading to the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-25654

A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3). Affected products do not properly validate user authorization when processing password reset requests. This could allow an authenticated remote attacker to bypass authorization checks, leading to the ability to reset the password of any arbitrary user account. CVSSv3.1 8.8 (HIGH)

CWE-639 · Type: Vulnerability
CVSS v3.1: 8.8 · Score: 94
2026-04-14 04:17Z · CRIT

CVE-2026-40313 — PraisonAI: In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40313

PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the .git/config file for persistence, and if any subsequent workflow step uploads artifacts (build outputs, logs, test results, etc.), CVSSv3.1 9.1 (CRITICAL)

CWE-829 · Vendor: Praisonai · Type: Vulnerability
CVSS v3.1: 9.1 · Score: 96