Digest of CISA KEV Additions
CVEs TopVuln recorded for CISA KEV digest days 2026-04-01 – 2026-04-30 (calendar month 2026-04).
Official CISA alerts:
https://www.cisa.gov/news-events/alerts/2026/04/16/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.cisa.gov/news-events/alerts/2026/04/22/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.cisa.gov/news-events/alerts/2026/04/23/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.cisa.gov/news-events/alerts/2026/04/24/cisa-adds-four-known-exploited-vulnerabilities-catalog
https://www.cisa.gov/news-events/alerts/2026/04/28/cisa-adds-two-known-exploited-vulnerabilities-catalog
(TopVuln is not affiliated with CISA.)
#1 Apache ActiveMQ Improper Input Validation Vulnerability
CVE: CVE-2026-34197
CVSS: 8.8
Risk level: HIGH
Affected versions: cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*
Summary: Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection.
Remediation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploit info: No exploit-tagged NVD references in our cache; see the CISA KEV link below.
#2 Microsoft Defender Insufficient Granularity of Access Control Vulnerability
CVE: CVE-2026-33825
CVSS: N/A
Risk level: HIGH
Affected versions: Defender
Summary: Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.
Remediation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploit info: No exploit-tagged NVD references in our cache; see the CISA KEV link below.
#3 Marimo Remote Code Execution Vulnerability
CVE: CVE-2026-39987
CVSS: 9.3
Risk level: CRITICAL
Affected versions: All unpatched Marimo releases prior to the vendor's fixed update
Summary: This is a pre-authorization remote code execution vulnerability in Marimo software. It allows unauthenticated remote attackers to gain full shell access and execute arbitrary system commands on affected hosts. The vulnerability has a 9.8 CVSS v3 score and is listed in CISA KEV.
Remediation: Apply the vendor's security patch for this vulnerability as soon as possible. Block all public access to affected Marimo instances until patching is completed. Follow CISA BOD 22-01 guidance for mitigating known exploited vulnerabilities.
Exploit info: This exploit has been publicly disclosed, with references to this issue documented in trusted public vulnerability databases. You may check Exploit-DB or GitHub for potential exploit details.
#4 SimpleHelp Missing Authorization Vulnerability
CVE: CVE-2024-57726
CVSS: 9.9
Risk level: CRITICAL
Affected versions: SimpleHelp remote support software versions prior to the fixed vendor release
Summary: This critical vulnerability allows low-privileged authenticated technicians to create overprivileged API keys in SimpleHelp. Attackers can exploit the missing authorization control to escalate privileges to full server administrator access. This flaw is confirmed to be actively exploited and has publicly available exploit details.
Remediation: Immediately apply the latest security update from SimpleHelp to patch this vulnerability. If patches cannot be deployed immediately, restrict network access to SimpleHelp instances to only trusted IP addresses. Follow BOD 22-01 guidance for known exploited vulnerability mitigation.
Exploit info: This exploit has been publicly disclosed, with references to this issue documented in trusted public vulnerability databases. You may check Exploit-DB or GitHub for potential exploit details.
#5 SimpleHelp Path Traversal Vulnerability
CVE: CVE-2024-57728
CVSS: 7.2
Risk level: HIGH
Affected versions: cpe:2.3:a:simple-help:simplehelp:*:*:*:*:*:*:*:*
Summary: SimpleHelp contains a path traversal vulnerability that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.
Remediation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploit info: No exploit-tagged NVD references in our cache; see the CISA KEV link below.
#6 Samsung MagicINFO 9 Server Path Traversal Vulnerability
CVE: CVE-2024-7399
CVSS: 8.8
Risk level: HIGH
Affected versions: Samsung MagicINFO 9 Server versions before the vendor's security update
Summary: This high-severity path traversal flaw impacts Samsung MagicINFO 9 Server, a common digital signage content management platform. Attackers can exploit the vulnerability to write arbitrary files with system-level privileges on the affected server. This can lead to full remote code execution and complete system compromise. Public exploit code is available for this issue.
Remediation: Apply the official security patch released by Samsung for MagicINFO 9 Server as soon as possible. Limit external network access to MagicINFO instances to only trusted business IP ranges. Follow CISA KEV guidance to prioritize remediation of this known exploited flaw.
Exploit info: This exploit has been publicly disclosed, with references to this issue documented in trusted public vulnerability databases. You may check Exploit-DB or GitHub for potential exploit details.
#7 D-Link DIR-823X Command Injection Vulnerability
CVE: CVE-2025-29635
CVSS: 7.2
Risk level: HIGH
Affected versions: All D-Link DIR-823X wireless router firmware versions
Summary: This command injection vulnerability impacts the D-Link DIR-823X wireless router. An authenticated attacker can send a malicious POST request to the router's management interface to execute arbitrary system commands. The affected product is likely end-of-life and will not receive an official security patch from D-Link.
Remediation: Replace end-of-life D-Link DIR-823X devices with a currently supported router model. If replacement is not immediate, disable public internet access to the router's management interface and restrict access only to trusted local networks. Follow CISA guidance for EOL device risk mitigation.
Exploit info: This exploit has been publicly disclosed, with references to this issue documented in trusted public vulnerability databases. You may check Exploit-DB or GitHub for potential exploit details.
#8 ConnectWise ScreenConnect Path Traversal Vulnerability
CVE: CVE-2024-1708
CVSS: 8.4
Risk level: HIGH
Affected versions: ConnectWise ScreenConnect versions before 23.9.7, 22.9.10, 21.9.6
Summary: This flaw exists in ConnectWise ScreenConnect, a widely used enterprise remote access and IT support tool. A path traversal vulnerability allows unauthenticated remote attackers to access files outside of the intended restricted file system path. Successful exploitation can lead to remote code execution, unauthorized access to sensitive organizational data, and full system compromise.
Remediation: Administrators should immediately apply the official security patches released by ConnectWise for all affected ScreenConnect instances. If patching cannot be done immediately, block public exposure of ScreenConnect instances and restrict access to only trusted internal IP addresses. Monitor affected systems for suspicious or unauthorized activity to detect potential exploitation attempts.
Exploit info: This exploit has been recorded in CISA KEV (CISA Known Exploited Vulnerabilities catalog, dateAdded 2026-04-28). You may check Exploit-DB or GitHub for potential exploit details.
#9 Microsoft Windows Protection Mechanism Failure Vulnerability
CVE: CVE-2026-32202
CVSS: 4.3
Risk level: HIGH
Affected versions: cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
Summary: Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network.
Remediation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploit info: Not available in our cache.