2026-04-07
2026-04-07 13:00Z
CRIT

API Authentication Bypass in FortiClient EMS 7.4.5-7.4.6–CVE-2026-35616

Bishop Fox Labs·bishopfox.comCVE-2026-35616in the wild

Bishop Fox researchers reverse-engineered CVE-2026-35616, a critical authentication bypass in FortiClient EMS 7.4.5-7.4.6 affecting the management plane for entire endpoint fleets. The vulnerability stems from two independent flaws: Django trusts user-controllable HTTP headers (X-SSL-CLIENT-VERIFY, X-SSL-CLIENT-CERT) as equivalent to Apache mod_ssl WSGI variables, and certificate chain validation performs only DN string matching with zero cryptographic signature verification. Fortinet confirmed active exploitation and released a hotfix that strips headers at the Apache layer; a permanent code-level fix is deferred to 7.4.7.

SRFApplicationTACTA0001SRFNetworkTACTA0006VNDFortinetTYPWriteupTYPVulnerabilitySTGInitial Access
9.8
CVSS v3.1
92
Edit Score
2026-04-07
2026-04-07 11:00Z
HIGH

What we learned about TEE security from auditing WhatsApp's Private Inference

Trail of Bits·blog.trailofbits.com

Trail of Bits published findings from a pre-launch security audit of WhatsApp's Private Inference system, which uses AMD SEV-SNP and Nvidia confidential GPUs to process encrypted messages with AI features. The audit identified 28 issues including 8 high-severity vulnerabilities—such as unmeasured configuration loading (LD_PRELOAD injection), unvalidated ACPI tables, incorrect firmware patch verification, and missing attestation freshness—all of which Meta has patched before launch. The research demonstrates that TEE deployments require rigorous validation of all inputs, cryptographic measurement of critical data, and comprehensive negative testing to prevent subtle implementation gaps from becoming exploitable.

TACTA0005TACTA0006SRFCloudTACTA0009SRFHardwareVNDMetaVNDAmdVNDNvidia
82
Edit Score
2026-04-07
2026-04-07 09:16Z
HIGH

CVE-2026-34197 — Input: Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-34197

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke the CVSSv3.1 8.8 (HIGH)

CWECWE 94CWECWE 20VNDInputTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-07
2026-04-07 07:16Z
HIGH

CVE-2026-5465 — Booking: The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-5465

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. CVSSv3.1 8.8 (HIGH)

CWECWE 639VNDBookingTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-07
2026-04-07 07:16Z
CRIT

CVE-2026-1114 — In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-1114

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalat CVSSv3.1 9.8 (CRITICAL)

CWECWE 284TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-04-07
2026-04-07 06:30Z
CRIT

EvilTokens: an AI-augmented Phishing-as-a-Service for automating BEC fraud – Part 2

Sekoia.io·sekoia.ioin the wild

Sekoia disclosed EvilTokens, an AI-augmented Phishing-as-a-Service (PhaaS) kit leveraging Microsoft device code phishing to harvest OAuth tokens and automate Business Email Compromise (BEC) fraud. The platform integrates LLM-driven analysis (Groq and OpenAI APIs) to automatically identify financial exposure in compromised mailboxes, generate tailored BEC attack scenarios, and draft convincing phishing emails—reducing manual effort and lowering the barrier to entry for threat actors. Since February 2026, EvilTokens has been actively sold via Telegram with structured affiliate programs, custom browsers for token management, and backend infrastructure supporting reconnaissance via Microsoft Graph API and persistence mechanisms.

SRFApplicationTACTA0001TACTA0006SRFIdentitySRFCloudTACTA0009VNDMicrosoftVNDOpenai
92
Edit Score
2026-04-07
2026-04-07 06:16Z
HIGH

CVE-2025-65115 — Code: Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-65115

Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Managem CVSSv3.1 8.8 (HIGH)

CWECWE 73VNDCodeTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
728 × 90 / responsive · programmatic ad slot
2026-04-07
2026-04-07 05:16Z
CRIT

CVE-2026-0740 — Ninja: The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-0740

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in v CVSSv3.1 9.8 (CRITICAL)

CWECWE 434VNDNinjaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-04-07
2026-04-07 04:17Z
HIGH

CVE-2026-20433 — Mediatek Mt2735_firmware: In Modem, there is a possible out of bounds write due to a missing

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-20433

In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01088681; Issue ID: MSV-4460. CVSSv3.1 8.8 (HIGH)

CWECWE 787VNDMediatekVNDModemTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-07
2026-04-07 04:17Z
HIGH

CVE-2026-20432 — Mediatek Mt2735_firmware: In Modem, there is a possible out of bounds write due to a missing

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-20432

In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01406170; Issue ID: MSV-4461. CVSSv3.1 8.0 (HIGH)

CWECWE 787VNDMediatekVNDModemTYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2026-04-07
2026-04-07 00:00Z
HIGH

Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do

Trend Micro Research·trendmicro.comin the wild

Threat actors exploited Anthropic's Claude Code npm packaging error to distribute trojanized archives via a fake GitHub repository (leaked-claude-code), delivering Vidar, GhostSocks, and PureLog Stealer malware. The campaign has been active since February 2026, cycling through 25+ software brands as lures, with 533+ confirmed downloads of the Claude Code payload as of April 7, 2026. The malware enables credential theft, cryptocurrency wallet exfiltration, session hijacking, and residential proxy abuse on Windows systems.

SRFApplicationTACTA0001TACTA0006TACTA0007SRFSupply ChainVNDAnthropicVNDGithubTYPResearch
72
Edit Score
2026-04-06
2026-04-06 22:16Z
HIGH

CVE-2026-5709 — Amazon Research_and_engineering_studio: Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-5709

Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment. CVSSv3.1 8.8 (HIGH)

CWECWE 78VNDAmazonTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-06
2026-04-06 22:16Z
HIGH

CVE-2026-5708 — Amazon Research_and_engineering_studio: Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-5708

Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to th CVSSv3.1 8.8 (HIGH)

CWECWE 915VNDAmazonTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-06
2026-04-06 22:16Z
HIGH

CVE-2026-5707 — Amazon Research_and_engineering_studio: Unsanitized input in an OS command in the virtual desktop session name handling in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-5707

Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment. CVSSv3.1 8.8 (HIGH)

CWECWE 78VNDAmazonTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-06
2026-04-06 22:16Z
HIGH

CVE-2026-5687 — This manipulation of the argument page causes stack-based buffer overflow.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-5687

A weakness has been identified in Tenda CX12L 16.03.53.12. This issue affects the function fromNatStaticSetting of the file /goform/NatStaticSetting. This manipulation of the argument page causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. CVSSv3.1 8.8 (HIGH)

CWECWE 121CWECWE 119TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-06
2026-04-06 22:16Z
HIGH

CVE-2026-5686 — The manipulation of the argument page results in stack-based buffer overflow.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-5686

A security flaw has been discovered in Tenda CX12L 16.03.53.12. This vulnerability affects the function fromRouteStatic of the file /goform/RouteStatic. The manipulation of the argument page results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. CVSSv3.1 8.8 (HIGH)

CWECWE 121CWECWE 119TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-06
2026-04-06 22:16Z
HIGH

CVE-2026-5685 — Tenda: The manipulation of the argument page leads to stack-based buffer overflow.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-5685

A vulnerability was identified in Tenda CX12L 16.03.53.12. This affects the function fromAddressNat of the file /goform/addressNat. The manipulation of the argument page leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used. CVSSv3.1 8.8 (HIGH)

CWECWE 121CWECWE 119VNDTendaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-06
2026-04-06 22:16Z
HIGH

CVE-2026-5684 — Tenda: Executing a manipulation of the argument page can lead to stack-based buffer overflow.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-5684

A vulnerability was determined in Tenda CX12L 16.03.53.12. Affected by this issue is the function fromwebExcptypemanFilter of the file /goform/webExcptypemanFilter. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack requires access to the local network. The exploit has been publicly disclosed and may be utilized. CVSSv3.1 8.0 (HIGH)

CWECWE 121CWECWE 119VNDTendaTYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2026-04-06
2026-04-06 22:16Z
CRIT

CVE-2026-35471 — Goshs Goshs: Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-35471

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3. CVSSv3.1 9.8 (CRITICAL)

CWECWE 22VNDGoshsVNDSimplehttpserverTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-04-06
2026-04-06 22:16Z
HIGH

CVE-2026-35442 — Directus: Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-35442

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This vulne CVSSv3.1 8.1 (HIGH)

CWECWE 863CWECWE 200VNDDirectusTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-04-06
2026-04-06 22:16Z
HIGH

CVE-2026-35408 — Directus: Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-35408

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window object of that page. An attacker can exploit this to intercept and redirect the OAuth authorization flow to an attacker-controll CVSSv3.1 8.7 (HIGH)

CWECWE 693CWECWE 346VNDDirectusTYPVulnerability
8.7
CVSS v3.1
94
Edit Score
2026-04-06
2026-04-06 22:00Z
HIGH

Milking the last drop of Intego - Time for Windows to get its LPE

Quarkslab·blog.quarkslab.com

Quarkslab disclosed a local privilege escalation vulnerability in Intego 3.0.0.1 for Windows affecting the Optimization module. The vulnerability stems from a time-of-check-time-of-use (TOCTOU) race condition where IavService.exe deletes files as SYSTEM without validating whether targets are symlinks or directories, allowing attackers to chain the deletion with the Config.msi rollback primitive to achieve SYSTEM code execution.

SRFOsTACTA0004VNDIntegoTYPWriteupTYPVulnerabilitySTGPrivescTECT1548TECT1036.006
78
Edit Score
2026-04-06
2026-04-06 21:49Z
INFO

v3.4.0.53

Mythic releases·github.com

Mythic v3.4.0.53 released with a Dockerfile tag bump to match the release version. This is a routine version bump with no disclosed security fixes, features, or breaking changes in the available metadata.

VNDMythicTYPTool
15
Edit Score
2026-04-06
2026-04-06 21:16Z
HIGH

CVE-2026-35395 — Wegia Wegia: Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-35395

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The id_memorando parameter is extracted from $_REQUEST without validation and directly interpolated into SQL queries, allowing any authenticated user to execute arbitrary SQL commands against the database. This vulnerability is fixed in 3.6.9. CVSSv3.1 8.8 (HIGH)

CWECWE 89VNDWegiaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-06
2026-04-06 21:16Z
HIGH

CVE-2026-35394 — Mobilenexthq Mobile_mcp: Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-35394

Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50. CVSSv3.1 8.3 (HIGH)

CWECWE 939VNDMobilenexthqVNDMobileTYPVulnerability
8.3
CVSS v3.1
92
Edit Score