Adobe Patches Reader Zero Day Exploited for Months
Adobe released emergency updates for CVE-2026-34621 after confirming exploitation in the wild for several months. The flaw can lead to arbitrary code execution when a victim opens a malicious PDF and affects Acrobat and Reader on Windows and macOS.
Source: SecurityWeek
Microsoft Patches SharePoint Zero Day and 168 Other New Vulnerabilities
Microsoft’s April Patch Tuesday fixed 169 vulnerabilities, including the actively exploited SharePoint flaw CVE-2026-32201. Its inclusion in the KEV catalog makes it a high-priority issue even though its severity score is lower than that of many other Patch Tuesday entries.
Source: The Hacker News
Cisco Patches Critical ISE and Webex Flaws Requiring Immediate Action
Cisco fixed critical vulnerabilities in Identity Services Engine and Webex Services that could enable code execution or unauthenticated user impersonation. For the Webex issue, customers need to take additional remediation steps and not rely only on Cisco’s backend update.
Source: SecurityWeek
Smart Slider 3 Pro Backdoor Distributed Through Official Update Channel
Attackers compromised Nextend’s update infrastructure and pushed a trojanized Smart Slider 3 Pro build to WordPress and Joomla sites. The malicious release added backdoors, hidden administrator access, and persistence, turning a routine update into a supply chain incident.
Source: Patchstack
CPUID Site Served Malware Through CPU-Z and HWMonitor Downloads
Attackers abused CPUID’s download infrastructure to redirect CPU-Z and HWMonitor users to trojanized files. Because the payload was delivered from the official site, the incident shows how trusted software portals remain a high-value supply chain target.
Source: BleepingComputer
Iran-Linked Actors Target Internet-Exposed Rockwell and Allen-Bradley PLCs
A joint US advisory said Iranian-affiliated actors are exploiting internet-facing operational technology, especially Rockwell Automation and Allen-Bradley PLCs. The activity has been tied to disruption and manipulation of industrial control environments, not just reconnaissance.
Source: CISA
Marimo Pre-Auth RCE Moved from Disclosure to Exploitation Within Hours
CVE-2026-39987 in marimo was exploited within hours of public disclosure and later used to deploy NKAbuse malware from Hugging Face infrastructure. The bug gives unauthenticated remote code execution through exposed notebook instances.
Source: Sysdig
Fortinet FortiClient EMS Zero Day Added to KEV After Active Exploitation
Fortinet rushed fixes for CVE-2026-35616 after exploitation was observed in the wild. The flaw affects FortiClient EMS and can lead to remote code execution without authentication, making exposed management servers an immediate risk.
Source: SecurityWeek
AI-Enabled Device Code Phishing Pushes OAuth Abuse at Scale
Microsoft observed an automated device code phishing campaign that uses dynamic code generation and workflow automation to improve success rates and extend abuse of the OAuth device flow. The campaign shows how attackers are turning a previously narrower technique into repeatable account takeover at scale.
Source: Microsoft Security Blog
Attackers Hunt High-Impact Node.js Maintainers After Axios Compromise
Research following the Axios incident points to a broader campaign targeting trusted Node.js and npm maintainers through tailored social engineering. The risk extends beyond one package because a compromised maintainer account can push malicious code into widely used dependencies and developer pipelines.
Source: Socket
AresISEC d.o.o. · Zagreb, Croatia · OIB: 49411602130 · info@aresisec.hr