PatchDayAlert
April 16, 2026
20 CVEs

Heads up: CVE-2026-34197 is a remote code execution bug in Apache ActiveMQ that attackers are already exploiting in the wild. No CVSS score published yet, but that barely matters when exploitation is confirmed. Behind it, you've got a stack of 19 more CVEs scoring 9.4 or higher, including a Chrome sandbox escape (CVE-2026-6296, CVSS 9.6), an Adobe Connect deserialization RCE (CVE-2026-27303, CVSS 9.6), and a NuGet Gallery supply chain bug (CVE-2026-39399, CVSS 9.6). Not a light day. Let's get into it.

Attackers can inject and run arbitrary code on your Apache ActiveMQ brokers due to an input validation bug. This one is already exploited in the wild, so treat it as a fire drill. No CVSS score has been published yet, but active exploitation makes the score academic.
Affects: Anyone running Apache ActiveMQ, especially internet-facing brokers
Patch immediately.
Update Apache ActiveMQ to the latest patched release immediately and audit broker access logs for signs of exploitation.

An unauthenticated SQL injection in the parking management page lets an attacker dump or modify the entire database. CVSS 9.8, no authentication required. If this app is exposed to any untrusted network, your data is at risk right now.
Affects: Anyone running SourceCodester Vehicle Parking Area Management System v1.0
Patch immediately.
Pull the app offline or restrict network access to it until a patched version is available, then apply the fix.

An attacker can get remote code execution on Slah CMS v1.5.0 and below by sending crafted input to the session() function in config.php. CVSS 9.8, and it takes no special privileges to pull off. If you're hosting anything on Slah CMS, an attacker can own the server.
Affects: Anyone running Slah CMS v1.5.0 or earlier
Patch immediately.
Upgrade Slah CMS above v1.5.0 immediately, or take the site offline until a fix is applied.

Upsonic 0.71.6 lets users create MCP tasks that run OS commands. The allowlist is supposed to block dangerous commands, but allowed entries like npm and npx accept flags that let an attacker run anything they want. CVSS 9.8. An attacker with task creation access gets full command execution as the Upsonic process.
Affects: Anyone running Upsonic versions before 0.72.0
Patch within 24 hours.
Upgrade Upsonic to 0.72.0 or later and review any existing MCP task definitions for suspicious command arguments.
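To make the allowlist point concrete, here is an added example; it is not Upsonic's code and does not reproduce its actual allowlist. It puts a name-only check (the shape that fails when an allowed program can itself run other code) beside a check that allowlists (program, subcommand) pairs plus a closed set of flags, and runs both over constructed sample tasks. The McpTask type, the helper names and the allowlist contents are assumptions made for the example.

```python
"""Allowlisting task commands: program name alone is not enough.

Added illustration, not Upsonic's code. The task type, helper names and
allowlist contents below are assumptions made for this example.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class McpTask:
    """Hypothetical task record: a label plus the command line a worker would run."""
    name: str
    command: str


def _split(command: str) -> list[str]:
    """Tokenise like a POSIX shell; unbalanced quotes yield an empty argv (rejected)."""
    try:
        return shlex.split(command)
    except ValueError:
        return []


# --- Weak policy: only argv[0] is checked. -----------------------------------
# Any listed program may be given arbitrary arguments, so a program that can
# execute other code on request (package runners, interpreters, build tools
# with script hooks) turns the allowlist into a no-op.
ALLOWED_PROGRAMS = frozenset({"npm", "npx", "git"})


def weak_is_allowed(task: McpTask) -> bool:
    argv = _split(task.command)
    return bool(argv) and argv[0] in ALLOWED_PROGRAMS


# --- Stricter policy: (program, subcommand) pairs plus a closed set of flags.
# No free positionals: dependencies come from the repo's package.json rather
# than from the task text, and every option must be spelled exactly as listed.
# npx and `npm exec` have no entry at all; their purpose is to run other code.
ALLOWED_INVOCATIONS: dict[tuple[str, str], frozenset[str]] = {
    ("npm", "install"): frozenset({"--ignore-scripts", "--no-audit", "--no-fund"}),
    ("npm", "ls"): frozenset({"--all", "--json"}),
    ("git", "status"): frozenset({"--short", "--porcelain"}),
}


def strict_is_allowed(task: McpTask) -> bool:
    argv = _split(task.command)
    if len(argv) < 2:
        return False
    program, subcommand, *rest = argv
    allowed_flags = ALLOWED_INVOCATIONS.get((program, subcommand))
    if allowed_flags is None:
        return False
    # Anything not spelled exactly as an allowlisted flag is rejected: extra
    # positionals, unknown options, `--flag=value` forms and the `--` terminator.
    return all(arg in allowed_flags for arg in rest)


# Constructed sample tasks (not real Upsonic task definitions).
SAMPLE_TASKS = [
    McpTask("install-deps", "npm install --ignore-scripts --no-audit"),
    McpTask("list-deps", "npm ls --json"),
    McpTask("runner", "npx arbitrary-package"),               # package runner: executes what it fetches
    McpTask("exec", "npm exec -- arbitrary-tool"),             # same capability via a subcommand
    McpTask("hooks", "npm install --foreground-scripts"),      # flag not on the list
    McpTask("assign", "npm install --ignore-scripts=false"),   # =value form is not the listed spelling
    McpTask("chain", "npm ls; arbitrary-tool"),                # metacharacters are literal tokens, still rejected
    McpTask("quote", "npm install 'unterminated"),             # malformed input is rejected, not guessed at
]


def evaluate(tasks=SAMPLE_TASKS) -> dict[str, tuple[bool, bool]]:
    """Map task name -> (weak verdict, strict verdict)."""
    return {t.name: (weak_is_allowed(t), strict_is_allowed(t)) for t in tasks}


if __name__ == "__main__":
    for name, (weak, strict) in evaluate().items():
        weak_s = "allow" if weak else "deny"
        strict_s = "allow" if strict else "deny"
        print(f"{name:14} weak={weak_s:5} strict={strict_s}")
```

Every sample except the two legitimate ones passes the name-only check and fails the strict one, which is the gap the advisory describes. The strict policy pairs naturally with executing argv directly (no shell), so that the `;` in the "chain" task is never interpreted even if it somehow got through.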
The goodoneuz/pay-uz Laravel package (v2.2.24 and below) exposes an unauthenticated endpoint that lets anyone overwrite PHP payment hook files with arbitrary code. Those files are then executed automatically during normal payment processing. CVSS 9.8. No credentials needed, no special conditions. This is a direct path to remote code execution on your Laravel app.
Affects: Laravel developers and operators using the goodoneuz/pay-uz package v2.2.24 or earlier
Patch immediately.
Update the pay-uz package above v2.2.24, or remove it entirely and block the /payment/api/editable/update route until a fix is confirmed.

Hostbill builds from late 2025 (v2025-11-24 and 2025-12-01) let a remote attacker execute arbitrary code and escalate privileges through the CSV registration field. CVSS 9.8. If your billing panel is internet-facing, an attacker can take over the system without any prior access.
Affects: Anyone running Hostbill versions 2025-11-24 or 2025-12-01
Patch immediately.
Update Hostbill to the latest release that fixes the CSV registration field handling.

A type confusion bug in transloadit uppy v0.25.6 lets an attacker access resources using an incompatible type. CVSS 9.8. Details are thin, but the score suggests it can be triggered remotely and the impact is severe.
Affects: Developers and operators using transloadit uppy v0.25.6
Patch within 24 hours.
Upgrade uppy to a version newer than v0.25.6 and review your deployment for any signs of unexpected behavior.

Unauthenticated SQL injection in the School Management System v1.0 by manikandan580 lets an attacker extract the entire database without logging in. CVSS 9.8. If this is on the internet, assume the data is compromised.
Affects: Anyone running the manikandan580 School Management System v1.0
Patch immediately.
Take the application offline or restrict access to trusted networks until a patched version is available.

OpenAI Codex CLI v0.23.0 and earlier automatically loads .env and .codex/config.toml files from the current directory without asking. An attacker who plants a malicious config in a repo can execute arbitrary commands the moment you run codex in that directory. CVSS 9.8. All it takes is cloning the wrong repo.
Affects: Developers using OpenAI Codex CLI v0.23.0 or earlier
Patch within 24 hours.
Upgrade Codex CLI above v0.23.0 and audit any recently cloned repos for unexpected .codex/config.toml or .env files.
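The audit step in the action line above, as an added example that is not OpenAI's code and knows nothing about how Codex parses these files: it walks a directory of checkouts, reports every .env and .codex/config.toml it finds, and flags the ones modified within a recent window so a fresh clone stands out from a config you have had for months. The scan root, the 30-day threshold, the helper names and the sample directory tree are assumptions constructed for the example.

```python
"""Find files a tool may auto-load from the working directory of a cloned repo.

Added example, not OpenAI's code. The scan root, age threshold and sample
tree are assumptions; the layout built by build_sample_tree() is constructed.
"""
from __future__ import annotations

import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Paths, relative to a checkout root, that the advisory says are loaded without prompting.
AUTOLOADED = (Path(".env"), Path(".codex") / "config.toml")
SECONDS_PER_DAY = 86400.0


@dataclass(frozen=True)
class Finding:
    repo: str        # directory holding the file, relative to the scan root
    path: str        # the auto-loaded file, relative to the scan root (POSIX form)
    age_days: float  # time since last modification
    size: int
    recent: bool     # modified within max_age_days: a fresh clone, worth a look first


def find_autoloaded_files(root: Path, max_age_days: float = 30.0,
                          now: float | None = None) -> list[Finding]:
    """Walk `root` and report each auto-loaded file, oldest-modified last per path order."""
    now = time.time() if now is None else now
    findings: list[Finding] = []
    for dirpath, dirnames, _ in os.walk(root):
        # .git never holds files the tool loads from the working tree; skip it.
        dirnames[:] = [d for d in dirnames if d != ".git"]
        here = Path(dirpath)
        for rel in AUTOLOADED:
            candidate = here / rel
            if not candidate.is_file():
                continue
            st = candidate.stat()
            age_days = (now - st.st_mtime) / SECONDS_PER_DAY
            findings.append(Finding(
                repo=here.relative_to(root).as_posix(),
                path=candidate.relative_to(root).as_posix(),
                age_days=age_days,
                size=st.st_size,
                recent=age_days <= max_age_days,
            ))
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree(base: Path, now: float) -> None:
    """Constructed sample layout (not real repositories):
    repo_a: a fresh clone carrying both auto-loaded files
    repo_b: a config.toml outside .codex, which is not auto-loaded and must be ignored
    repo_c: an .env last touched 90 days ago, reported but not flagged as recent
    """
    (base / "repo_a" / ".codex").mkdir(parents=True)
    (base / "repo_a" / ".env").write_text("API_TOKEN=placeholder-not-a-real-secret\n")
    (base / "repo_a" / ".codex" / "config.toml").write_text("# constructed sample config\n")
    (base / "repo_b").mkdir()
    (base / "repo_b" / "config.toml").write_text("# not loaded from this location\n")
    (base / "repo_c").mkdir()
    old_env = base / "repo_c" / ".env"
    old_env.write_text("UNUSED=1\n")
    old = now - 90 * SECONDS_PER_DAY
    os.utime(old_env, (old, old))


def run_demo(max_age_days: float = 30.0) -> list[Finding]:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        now = time.time()
        build_sample_tree(base, now)
        return find_autoloaded_files(base, max_age_days, now)


if __name__ == "__main__":
    for f in run_demo():
        label = "RECENT" if f.recent else "old"
        print(f"{label:6} {f.path} ({f.size} bytes, {f.age_days:.0f} days)")
```

Point `find_autoloaded_files` at the directory where you clone things (for example `~/src`) and review every RECENT hit before running the tool inside that checkout. The scan only reports presence and age; deciding whether a file's contents are legitimate is still a manual step.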
The Riaxe Product Customizer WordPress plugin (v2.1.2 and below) exposes an unauthenticated AJAX endpoint that lets anyone overwrite arbitrary WordPress options. No nonce check, no capability check, no allowlist. An attacker can flip on user registration, set the default role to administrator, and create an admin account. CVSS 9.8. Full site takeover with zero credentials.
Affects: WordPress site owners running Riaxe Product Customizer v2.1.2 or earlier
Patch immediately.
Deactivate and remove the Riaxe Product Customizer plugin until a patched version is released, then check your site for unauthorized admin accounts.

An unauthenticated attacker can hit Openfind MailGates or MailAudit with a crafted request that overflows a stack buffer, hijacks execution flow, and runs arbitrary code on your mail gateway. No credentials needed, no user interaction. CVSS 9.8, not yet exploited in the wild, but this is your email security appliance sitting on the network edge.
Affects: Anyone running Openfind MailGates or MailAudit appliances
Patch within 24 hours.
Apply the latest firmware or software update from Openfind immediately and verify the appliance is not directly exposed to the internet without additional access controls.

Gravity, the embeddable scripting language from Creolabs, has a heap buffer overflow in its VM execution path. An attacker who can feed a crafted script to your application can corrupt heap metadata and get arbitrary code execution. This only matters if your app evaluates untrusted Gravity scripts, but if it does, this is a full compromise.
Affects: Developers or teams running applications that embed the Gravity scripting engine (versions before 0.9.6)
Patch this week.
Upgrade Gravity to version 0.9.6 or later, and audit whether your application accepts untrusted script input.

Talend JobServer and Talend Runtime expose a JMX monitoring port that lets an unauthenticated attacker run arbitrary code remotely. CVSS 9.8. No credentials, no user interaction. If your JMX port is reachable from the network, you're one packet away from full compromise.
Affects: Anyone running Talend JobServer or Talend ESB Runtime with the JMX monitoring port enabled
Patch within 24 hours.
Apply the latest Talend patch, then confirm TLS client authentication is enforced on the JobServer JMX port. For Talend ESB Runtime, verify the JMX monitoring port is disabled if you're on a release older than R2024-07-RT.

An attacker with access to your UniFi Play network can enable SSH on UniFi Play PowerAmp and Audio Port devices and make unauthorized system changes. The access requirement is network-level, not physical, so anyone on the Play VLAN can exploit this. CVSS 9.8.
Affects: Anyone running UniFi Play PowerAmp (v1.0.35 or earlier) or UniFi Play Audio Port (v1.0.24 or earlier)
Patch this week.
Update UniFi Play PowerAmp to v1.0.38 or later and UniFi Play Audio Port to v1.1.9 or later.

Attackers on the UniFi Play network can inject OS commands into UniFi Play PowerAmp and Audio Port devices due to missing input validation. This is a full command injection, so exploitation gives the attacker shell access on the device. CVSS 9.8, requires network access to the Play VLAN.
Affects: Anyone running UniFi Play PowerAmp (v1.0.35 or earlier) or UniFi Play Audio Port (v1.0.24 or earlier)
Patch this week.
Update UniFi Play PowerAmp to v1.0.38 or later and UniFi Play Audio Port to v1.1.9 or later.

A path traversal bug in UniFi Play device firmware lets an attacker on the Play network write arbitrary files to the system, which can be chained into remote code execution. CVSS 9.8. The attacker needs network access to the Play VLAN but nothing else.
Affects: Anyone running UniFi Play PowerAmp (v1.0.35 or earlier) or UniFi Play Audio Port (v1.0.24 or earlier)
Patch this week.
Update UniFi Play PowerAmp to v1.0.38 or later and UniFi Play Audio Port to v1.1.9 or later.

A heap buffer overflow in Chrome's ANGLE graphics layer (the component that translates WebGL to native GPU calls) lets an attacker escape the browser sandbox via a crafted web page. CVSS 9.6. That's a critical severity rating from Chromium's own team. All it takes is visiting a malicious page.
Affects: Everyone running Google Chrome, Chromium, or any Chromium-based browser (Edge, Brave, etc.) on any platform
Patch immediately.
Update Chrome to 147.0.7727.101 or later immediately, and confirm auto-updates are working across your fleet.

Adobe Connect has a deserialization vulnerability that lets an attacker run arbitrary code as the current user with no user interaction required. CVSS 9.6 with a changed scope, meaning compromise can spread beyond the vulnerable component. This is a serious one for any org using Connect for meetings or training.
Affects: Anyone running Adobe Connect 2025.3, 12.10, or earlier
Patch within 24 hours.
Update Adobe Connect to the latest patched version from Adobe's security bulletin and verify the update on all Connect servers.

The NuGet Gallery backend doesn't properly validate .nuspec metadata in uploaded packages. An attacker can craft a malicious package that injects metadata into other packages and writes to arbitrary blobs in the storage container. This can lead to remote code execution or tampering with legitimate packages. CVSS 9.6.
Affects: Anyone running a self-hosted NuGet Gallery instance (nuget.org itself has been patched)
Patch within 24 hours.
Deploy the fix from commit 0e80f876 to your NuGet Gallery instance, then audit recently uploaded packages for suspicious .nuspec content.

The Simple Music Cloud Community System v1.0 has a SQL injection in /music/view_user.php. An attacker can dump your database, modify data, or potentially escalate to OS-level access depending on your DB configuration. CVSS 9.4. This is a low-effort, high-reward attack.
Affects: Anyone running SourceCodester Simple Music Cloud Community System v1.0
Patch this week.
Take the application offline or restrict access until a patched version is available, and audit your database for signs of unauthorized access.

That's your patch day digest. Reply to this email with questions, war stories, or broken-patch reports. They may end up in tomorrow's edition.