PatchDayAlert

April 15, 2026

20 CVEs

Two bugs are being exploited in the wild right now, and neither is the scariest thing on the list. CVE-2026-32201 is a SharePoint spoofing bug (CVSS 6.5) that attackers are already using, and an old Excel RCE (CVE-2009-0238) is back in active phishing campaigns. Meanwhile, Cisco dropped three separate CVSS 9.9 command injection bugs in ISE that let a read-only admin escalate to root, so if you run ISE, clear your afternoon.

CVE-2026-32201 MEDIUM EXPLOITED

Attackers are exploiting this one right now. A spoofing bug in SharePoint, caused by improper input validation, lets an unauthenticated attacker make the server misrepresent content or identity over the network. CVSS 6.5, but the fact that it's exploited in the wild bumps the real-world urgency.

Affects: Anyone running on-prem SharePoint Server 2016, 2019, or Subscription Edition

Patch within 24 hours. Apply the latest SharePoint security update from Microsoft's July patch cycle via Windows Update or WSUS.

CVE-2009-0238 EXPLOITED

An attacker can take full control of a system if a user opens a malicious Excel file containing a malformed object. This requires user interaction (opening the file), but it's exploited in the wild, so phishing campaigns are the likely delivery vector. No CVSS score is published, but remote code execution plus active exploitation makes this critical.

Affects: Anyone running Microsoft Office with Excel, especially older unpatched versions

Patch immediately. Apply all available Microsoft Office security updates and remind users not to open unexpected Excel attachments.

CVE-2026-20186 CRITICAL

An attacker with even Read Only Admin credentials on Cisco ISE can send a crafted HTTP request and get command execution on the underlying OS, then escalate to root. CVSS 9.9. On single-node deployments, a successful attack can also knock the ISE node offline, blocking new endpoint authentication until you restore it.

Affects: Network and security teams running Cisco Identity Services Engine (ISE)

Patch immediately. Upgrade Cisco ISE to the fixed release listed in Cisco's advisory and audit all accounts with Read Only Admin or higher privileges.

CVE-2026-20180 CRITICAL

Same pattern as CVE-2026-20186: an attacker with Read Only Admin credentials on Cisco ISE can execute arbitrary OS commands via a crafted HTTP request and escalate to root. CVSS 9.9. Single-node ISE deployments face a denial-of-service risk on top of the code execution.

Affects: Network and security teams running Cisco Identity Services Engine (ISE)

Patch immediately. Upgrade Cisco ISE to the fixed release per Cisco's advisory. If you're patching CVE-2026-20186 at the same time, confirm the fix covers both CVEs.

CVE-2026-20147 CRITICAL

Yet another command injection in Cisco ISE (and ISE-PIC this time). An attacker with valid admin credentials can run OS commands and escalate to root through a crafted HTTP request. CVSS 9.9. Exploitation on a single-node deployment can take the node down, leaving endpoints that still need to authenticate locked out.

Affects: Network and security teams running Cisco ISE or Cisco ISE-PIC

Patch immediately. Upgrade Cisco ISE and ISE-PIC to the patched versions listed in Cisco's advisory. Bundle this with your fixes for CVE-2026-20186 and CVE-2026-20180.

CVE-2026-39842 CRITICAL

Any user with the write:rules role in OpenRemote (not just superusers) can create JavaScript rules that run with full JVM access, giving them remote code execution as root. The Groovy sandbox filter exists in the code but is commented out, so even superuser-created Groovy rules are unsandboxed. CVSS 9.9. This also breaks multi-tenant isolation, meaning an attacker in one realm can access data across all realms.

Affects: Anyone self-hosting the OpenRemote IoT platform, version 1.21.0 or earlier

Patch immediately. Upgrade OpenRemote to version 1.22.0 and audit which users hold the write:rules role.

CVE-2026-35031 CRITICAL

The subtitle upload endpoint in Jellyfin doesn't validate the Format field, letting an attacker do path traversal to write arbitrary files. From there, the bug chains into arbitrary file reads, database extraction, privilege escalation, and remote code execution as root via ld.so.preload. CVSS 9.9. Exploitation requires an admin account or a user explicitly granted "Upload Subtitles" permission, so the blast radius depends on who you've given that permission to.

Affects: Anyone self-hosting the Jellyfin media server, any version before 10.11.7

Patch immediately. Upgrade Jellyfin to version 10.11.7 and review which non-admin users have the "Upload Subtitles" permission.

CVE-2026-38526 CRITICAL

An authenticated attacker can upload a malicious PHP file through the TinyMCE upload endpoint in Krayin CRM and get arbitrary code execution on the server. CVSS 9.9. Any user with access to the admin panel can pull this off.

Affects: Anyone running Webkul Krayin CRM v2.2.x

Patch immediately. Update Krayin CRM to the latest patched release and restrict access to the /admin/tinymce/upload endpoint until the update is confirmed.

CVE-2026-27681 CRITICAL

An authenticated user in SAP BPC (Business Planning and Consolidation) or SAP BW (Business Warehouse) can craft SQL statements that read, modify, or delete database data due to missing authorization checks. CVSS 9.9. This is full-blown SQL injection with high impact on confidentiality, integrity, and availability.

Affects: SAP teams running SAP Business Planning and Consolidation or SAP Business Warehouse

Patch immediately. Apply the relevant SAP Security Note from the latest SAP Patch Day and review database access logs for suspicious query patterns.

CVE-2026-4880 CRITICAL

The Barcode Scanner (+Mobile App) WordPress plugin leaks valid auth tokens through its barcodeScannerConfigs action, and an unauthenticated attacker can spoof the admin user ID to grab the admin's token. From there, they can call setUserMeta to set any user's wp_capabilities to administrator. No login required. CVSS 9.8. This is a full unauthenticated privilege escalation to WordPress admin.

Affects: WordPress site owners running the Barcode Scanner (+Mobile App) plugin version 1.11.0 or earlier

Patch immediately. Update the Barcode Scanner plugin to version 1.11.1 or later, then audit your WordPress user list for any unexpected admin accounts.

CVE-2026-20184 CRITICAL

An attacker could impersonate any Cisco Webex user, including admins, by sending a crafted SSO token to a service endpoint. The root cause is broken certificate validation in the SSO/Control Hub integration, so no credentials or user interaction are needed. CVSS 9.8, not yet exploited in the wild.

Affects: Anyone running Cisco Webex Services with SSO integrated through Control Hub

Patch within 24 hours. Apply the Cisco-published fix for Webex SSO certificate validation and verify your SSO trust chain is intact.

CVE-2026-31048 CRITICAL

Pyro v3.x deserializes pickle data from the network without sanitization. An attacker who can reach a Pyro endpoint can send a crafted pickle payload and get full remote code execution on the host. CVSS 9.8, not yet exploited in the wild.

Affects: Anyone running services built on Pyro v3.x (the Python remote objects library)

Patch immediately. Upgrade to a patched version of Pyro, or migrate to Pyro5, which does not use pickle by default. If you can't upgrade immediately, restrict network access to Pyro endpoints with firewall rules.

CVE-2026-3461 CRITICAL

The Visa Acceptance Solutions WordPress plugin (versions up to 2.1.0) lets an unauthenticated attacker log in as any user, including admins, just by supplying that user's billing email during guest checkout. There's no password check, no email verification, no token. CVSS 9.8, full site takeover.

Affects: WordPress site owners running the Visa Acceptance Solutions plugin version 2.1.0 or earlier

Patch immediately. Update the Visa Acceptance Solutions plugin past version 2.1.0. If no patch is available yet, deactivate the plugin until one ships.

CVE-2026-1555 CRITICAL

The WebStack WordPress theme (up to version 1.2024) has an image upload function that doesn't validate file types at all. An unauthenticated attacker can upload a PHP webshell and get remote code execution on your server. CVSS 9.8, no authentication required.

Affects: WordPress site owners using the WebStack theme version 1.2024 or earlier

Patch immediately. Update the WebStack theme to a version newer than 1.2024. If no fix exists yet, deactivate the theme and check your uploads directory for suspicious files.

CVE-2026-33824 CRITICAL

A double-free bug in the Windows IKE Extension (used by IPsec VPN) lets an unauthenticated attacker execute code over the network. No user interaction needed. CVSS 9.8, not yet exploited in the wild, but network-reachable RCE in a Windows kernel component is about as bad as it gets.

Affects: Windows sysadmins running any system with IKE/IPsec services enabled, especially VPN gateways and servers with IKEv1 or IKEv2 listeners exposed to the network

Patch immediately. Apply the relevant Microsoft security update via Windows Update or WSUS. If you can't patch immediately, restrict inbound UDP 500 and 4500 to trusted peers only.

CVE-2025-65135 CRITICAL

A time-based blind SQL injection exists in the admin date report page of School-management-system 1.0 via the fromdate POST parameter. An attacker can extract the entire database contents. CVSS 9.8, though this is a niche open-source student project, not enterprise software.

Affects: Anyone running manikandan580's School-management-system 1.0 in production

Monitor and patch. Stop exposing this application to untrusted networks. Check for a patched release or fork the code and add parameterized queries to between-date-reprtsdetails.php.

CVE-2025-63939 CRITICAL

SQL injection in the product search page of Grocery Store Management System 1.0 via the sitem_name POST parameter. An attacker can dump or modify your database without authentication. CVSS 9.8, but this is a small open-source demo project.

Affects: Anyone running anirudhkannan's Grocery Store Management System 1.0 in a reachable environment

Monitor and patch. Take the application offline or place it behind authentication. Fix the query in search_products_itname.php to use prepared statements.

CVE-2026-31283 CRITICAL

Totara LMS v19.1.5 and earlier has no rate limiting on the forgot-password API. An attacker can trigger password reset emails to any address at high volume, enabling email bombing that fills inboxes, gets your mail server blacklisted as a spam source, or is used for harassment. CVSS 9.8 feels over-scored for the actual impact, but it's still worth fixing.

Affects: Totara LMS admins running version 19.1.5 or earlier

Patch this week. Update Totara LMS to a version that includes rate limiting on the forgot-password endpoint. As a stopgap, add rate limiting at your reverse proxy or WAF for the password reset API path.

CVE-2026-31282 CRITICAL

Totara LMS v19.1.5 and earlier lets attackers reveal a hidden login form and then brute-force credentials because there's no rate limiting on login attempts. If your users have weak passwords, this is a direct path to account compromise. CVSS 9.8, not exploited in the wild yet.

Affects: Totara LMS admins running version 19.1.5 or earlier

Patch this week. Update Totara LMS to a patched version. In the meantime, enforce rate limiting on login endpoints at your WAF or reverse proxy, and make sure MFA is enabled for all accounts.
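The reverse-proxy stopgap recommended for both Totara bugs (CVE-2026-31283 and CVE-2026-31282), as an added nginx example that is not Totara's own configuration; the URIs, upstream address and certificate paths are placeholders you must replace with your deployment's actual forgot-password and login paths:

```nginx
# Added example, not Totara's configuration. Replace every PLACEHOLDER
# with the real value from your deployment.
http {
    upstream totara { server 127.0.0.1:8080; }   # placeholder backend

    # One token bucket per client IP for each endpoint. 10m of shared
    # memory tracks roughly 160k addresses. If nginx sits behind a load
    # balancer, key on the real client IP (realip module) instead, or
    # every client ends up sharing one bucket.
    limit_req_zone $binary_remote_addr zone=pwreset:10m rate=3r/m;
    limit_req_zone $binary_remote_addr zone=login:10m   rate=10r/m;
    limit_req_status 429;   # throttled clients get 429, not 503

    server {
        listen 443 ssl;
        server_name lms.example.com;                  # placeholder
        ssl_certificate     /PLACEHOLDER/fullchain.pem;
        ssl_certificate_key /PLACEHOLDER/privkey.pem;

        # Weak setting: the reset API proxied through with no limit.
        # location /PLACEHOLDER/forgot-password { proxy_pass http://totara; }

        # Hardened: 3 reset requests per minute per IP. burst=3 lets a
        # user who double-clicks still succeed; nodelay rejects the
        # excess at once instead of queueing it (CVE-2026-31283).
        location /PLACEHOLDER/forgot-password {
            limit_req zone=pwreset burst=3 nodelay;
            proxy_pass http://totara;
        }

        # Login attempts: 10 per minute per IP is generous for a person
        # and starves a brute-force script (CVE-2026-31282).
        location /PLACEHOLDER/login {
            limit_req zone=login burst=5 nodelay;
            proxy_pass http://totara;
        }

        location / { proxy_pass http://totara; }
    }
}
```

Watch the nginx error log for "limiting requests" entries after deploying; a steady stream of them against the reset path is your early signal that the email-bombing behaviour is being attempted.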

CVE-2026-39813 CRITICAL

A path traversal bug in FortiSandbox versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8 lets an attacker escalate privileges. Fortinet's advisory is light on details (the description literally says "insert attack vector here"), but a CVSS 9.8 path traversal on a security appliance is not something to sit on. Not yet exploited in the wild.

Affects: Anyone running Fortinet FortiSandbox 4.4.0 through 4.4.8 or 5.0.0 through 5.0.5

Patch within 24 hours. Upgrade FortiSandbox to 4.4.9+ or 5.0.6+ (check Fortinet's advisory for the exact fixed version). Restrict management access to trusted networks only.

That's your patch day digest. Reply to this email with questions, war stories, or broken-patch reports. They may end up in tomorrow's edition.
