April 2026 · Up to 3 high-risk CVEs per stream for this month.
General stream — our standard high-risk CVE mix from the covered month. CVEs in this section are ordered by threat for the month: severity (Critical before High), then CVSS, then EPSS.
CVE: CVE-2026-6349
CVSS: 10.0
Risk level: CRITICAL
Affected versions: All affected versions of HGiga iSherlock
Summary: HGiga iSherlock contains an unauthenticated local OS command injection vulnerability. Attackers can inject arbitrary malicious operating system commands that execute on the target server with the privileges of the running iSherlock process. Successful exploitation leads to full compromise of the affected system.
Remediation: Apply the latest official security patch from HGiga to affected iSherlock installations as soon as possible. Restrict local access to affected systems until patching is completed to reduce attack exposure.
Exploit info: No public exploit found yet.
CVE: CVE-2026-41679
CVSS: 10.0
Risk level: CRITICAL
Affected versions: Paperclip Node.js/React AI orchestrator prior to 2026.416.0
Summary: This critical flaw allows unauthenticated attackers to achieve full remote code execution on any network-accessible Paperclip instance running in default authenticated mode. The attack can be fully automated with only the target network address, requiring no credentials or user interaction. The vulnerability is patched in version 2026.416.0.
Remediation: Immediately upgrade Paperclip to version 2026.416.0 or newer. Restrict public network access to Paperclip instances to only trusted IP ranges until patching is completed.
Exploit info: No public exploit found yet.
CVE: CVE-2026-4370
CVSS: 10.0
Risk level: CRITICAL
Affected versions: Juju 3.2.0 - 3.6.19, Juju 4.0 - 4.0.4
Summary: This flaw allows unauthenticated attackers to join the Juju controller's Dqlite database cluster due to missing TLS client and server certificate validation. Attackers with network reachability to the Dqlite port can exploit this issue to gain full access. Successful exploitation results in complete read and write compromise of all Juju controller data.
Remediation: Upgrade Juju to version 3.6.20 or later for 3.x branches, and 4.0.5 or later for 4.x branches. Restrict network access to the Dqlite port to only trusted cluster nodes until patching is complete. Verify the integrity of your database after patching to rule out tampering.
Exploit info: No public exploit found yet.
Public-exploit stream — CVEs with CISA KEV / exploit signals from the covered month. CVEs in this section are ordered by threat for the month: severity (Critical before High), then CVSS, then EPSS.
CVE: CVE-2024-57726
CVSS: 9.9
EPSS: 49.2% probability · 97.8th percentile (via first.org)
Risk level: CRITICAL
Affected versions: SimpleHelp remote support software v5.5.7 and earlier
Summary: This vulnerability allows low-privilege technicians to create over-privileged API keys in SimpleHelp remote support software. The flaw enables attackers to escalate privileges to full server administrator access. It is listed in CISA KEV as a known exploited vulnerability.
Remediation: Immediately update SimpleHelp to the latest secure version released by the vendor. Restrict public network access to your SimpleHelp server until patching is completed. Audit existing API keys to remove any unauthorized entries after applying the patch.
Exploit info: This vulnerability is recorded in CISA KEV (the CISA Known Exploited Vulnerabilities catalog, dateAdded 2026-04-24). You may check Exploit-DB or GitHub for potential exploit details.
CVE: CVE-2026-39987
CVSS: 9.3
EPSS: 79.6% probability · 99.1th percentile (via first.org)
Risk level: CRITICAL
Affected versions: Marimo reactive Python notebook versions prior to 0.23.0
Summary: This is a critical pre-authentication remote code execution vulnerability in the open-source Marimo reactive Python notebook. The /terminal/ws WebSocket endpoint incorrectly skips required authentication validation, allowing unauthenticated remote attackers to obtain a full PTY shell on affected hosts. Attackers can leverage this flaw to execute arbitrary system commands with the privileges of the running Marimo process.
Remediation: Organizations running affected Marimo versions should immediately upgrade to version 0.23.0, which officially patches this authentication bypass vulnerability. If immediate patching is not possible, restrict network access to Marimo instances to only trusted, authorized IP addresses. Block all external unauthenticated access to the /terminal/ws endpoint until patching is fully completed.
Exploit info: This vulnerability is recorded in CISA KEV (the CISA Known Exploited Vulnerabilities catalog, dateAdded 2026-04-23). You may check Exploit-DB or GitHub for potential exploit details.
CVE: CVE-2024-7399
CVSS: 8.8
EPSS: 81.3% probability · 99.2th percentile (via first.org)
Risk level: HIGH
Affected versions: Samsung MagicINFO 9 Server versions before 21.1050
Summary: This flaw is a path traversal vulnerability in Samsung MagicINFO 9 Server that allows attackers to write arbitrary files with system-level privileges. Successful exploitation can lead to full remote code execution and complete system compromise. It is listed as a known exploited vulnerability in CISA KEV.
Remediation: Upgrade Samsung MagicINFO 9 Server to version 21.1050 or later immediately. Restrict network access to MagicINFO servers to only trusted authorized IP ranges until patching is complete. Scan for unauthorized files after patching to rule out prior compromise.
Exploit info: This vulnerability is recorded in CISA KEV (the CISA Known Exploited Vulnerabilities catalog, dateAdded 2026-04-24). You may check Exploit-DB or GitHub for potential exploit details.
IoT / OT / Automotive stream — embedded, industrial, and vehicle-related high-risk CVEs from the covered month. CVEs in this section are ordered by threat for the month: severity (Critical before High), then CVSS, then EPSS.
CVE: CVE-2019-6550
CVSS: 9.8
Risk level: CRITICAL
Affected versions: Advantech WebAccess/SCADA 8.3.5 and prior
Summary: Multiple stack-based buffer overflow vulnerabilities exist in widely used Advantech WebAccess/SCADA. The flaws are caused by insufficient validation of the length of untrusted user input. Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code on the affected system.
Remediation: Apply the latest official security patch from Advantech for WebAccess/SCADA. Restrict public network access to affected SCADA systems to only trusted management IP ranges. Monitor for unauthorized activity on unpatched devices until updates are applied.
Exploit info: No public exploit found yet.
CVE: CVE-2026-40620
CVSS: 9.3
Risk level: CRITICAL
Affected versions: All SenseLive X3050 industrial IoT gateway devices
Summary: This unauthenticated remote vulnerability impacts the embedded management service of SenseLive X3050 industrial IoT devices. Any attacker that can reach the device's management service over the network can gain full administrative access without any credentials. Successful exploitation allows attackers to modify critical configurations, alter operational modes, and fully control the device's core state.
Remediation: Apply the official vendor security patch or firmware update for this vulnerability as soon as it is released. Restrict management service access to trusted internal networks only and do not expose the management interface to the public internet. Disable any unused management services to reduce the device's attack surface.
Exploit info: No public exploit found yet.
CVE: CVE-2026-7242
CVSS: 8.9
Risk level: CRITICAL
Affected versions: Totolink A8000RU firmware 7.1cu.643_b20200521
Summary: This is an unauthenticated remote OS command injection vulnerability affecting Totolink A8000RU wireless routers. The flaw exists in the setOpenVpnClientCfg function of the device's CGI handler. Attackers can inject arbitrary commands via the enabled parameter in a crafted request to achieve full device compromise.
Remediation: Follow the same mitigation steps as for other command injection issues in the Totolink A8000RU. Restrict access to the device's web interface from public networks and monitor for official security patches. Apply any available firmware update immediately once it is released.
Exploit info: This exploit has been publicly disclosed, with references to this issue documented in trusted public vulnerability databases. You may check Exploit-DB or GitHub for potential exploit details.
Cloud Infrastructure stream — container and cluster-related high-risk CVEs from the covered month. CVEs in this section are ordered by threat for the month: severity (Critical before High), then CVSS, then EPSS.
CVE: CVE-2026-35469
CVSS: 8.7
Risk level: HIGH
Affected versions: spdystream versions 0.5.0 and below
Summary: This vulnerability impacts the open source Go spdystream library for multiplexing streams over SPDY connections. The SPDY/3 frame parser does not validate attacker-controlled frame counts and lengths before allocating memory, affecting three distinct code paths. A small compressed on-the-wire payload can decompress into extremely large attacker-controlled allocation sizes, leading to process out-of-memory crashes. A remote unauthenticated attacker can trigger this denial of service with a single crafted SPDY frame.
Remediation: Upgrade the spdystream library to version 0.5.1 or later, which fixes this issue. Audit application dependencies to confirm the patched version is pulled into your build and runtime environments. If immediate upgrade is not possible, restrict access to SPDY endpoints to only trusted peers.
Exploit info: No public exploit found yet.
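The defensive pattern the spdystream fix calls for, shown as an added example written for this digest (not spdystream's own code): every count and length a SPDY/3 name/value block declares is checked against a fixed cap and against the bytes actually present before any allocation is sized from it. The caps, the simplified block layout (decompression already done) and the sample bytes are assumptions constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
)

const maxPairs, maxField = 1024, 64 * 1024 // caps; assumptions for this example, not spdystream's own limits
var errBadLength = errors.New("declared count or length exceeds cap or remaining input")

// parseNameValueBlock decodes a decompressed SPDY/3 name/value block (32-bit
// pair count, then 32-bit length-prefixed names and values), checking every
// declared count or length against a cap AND the remaining bytes before allocating.
func parseNameValueBlock(block []byte) ([][2]string, error) {
	if len(block) < 4 {
		return nil, errBadLength
	}
	count, rest := binary.BigEndian.Uint32(block), block[4:]
	if count > maxPairs || uint64(count)*8 > uint64(len(rest)) { // two 4-byte prefixes per pair
		return nil, errBadLength
	}
	field := func() ([]byte, error) { // consume one length-prefixed field
		if len(rest) < 4 {
			return nil, errBadLength
		}
		n := binary.BigEndian.Uint32(rest)
		if n > maxField || uint64(n) > uint64(len(rest)-4) {
			return nil, errBadLength
		}
		f := rest[4 : 4+n]
		rest = rest[4+n:]
		return f, nil
	}
	pairs := make([][2]string, count) // count is bounded by now
	for i := range pairs {
		for j := range pairs[i] {
			f, err := field()
			if err != nil {
				return nil, err
			}
			pairs[i][j] = string(f)
		}
	}
	return pairs, nil
}

func main() { // constructed hostile block: 12 bytes that claim 0xFFFFFFFF pairs
	_, err := parseNameValueBlock(append([]byte{0xff, 0xff, 0xff, 0xff}, make([]byte, 8)...))
	println("hostile block rejected before any allocation:", err != nil)
}
```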
AI / LLM stream — model-stack and framework-related high-risk CVEs from the covered month. CVEs in this section are ordered by threat for the month: severity (Critical before High), then CVSS, then EPSS.
CVE: CVE-2026-42249
CVSS: 7.7
Risk level: HIGH
Affected versions: Ollama for Windows 0.12.10 to 0.17.5; other versions may also be vulnerable
Summary: This vulnerability exists in the update mechanism of Ollama for Windows, a popular open-source model-serving tool. It stems from improper validation of attacker-controlled HTTP response headers when constructing file paths for downloaded updates, allowing path traversal to write arbitrary files outside the intended update directory. When chained with CVE-2026-42248, it enables automatic persistent remote code execution without user awareness.
Remediation: Until an official patch is released, disable automatic updates for Ollama on Windows systems. Avoid running Ollama on untrusted public networks that expose update requests to interception. Regularly monitor the Windows Startup directory and system for unauthorized executables.
Exploit info: No public exploit found yet.
CVE: CVE-2026-42248
CVSS: 7.7
Risk level: HIGH
Affected versions: Ollama for Windows 0.12.10 to 0.17.5; other versions may also be vulnerable
Summary: This vulnerability affects the update workflow of Ollama for Windows. The platform's update verification routine unconditionally returns success, skipping all integrity and authenticity checks for downloaded update payloads. Any malicious executable supplied by an attacker during a man-in-the-middle update attack will be accepted and executed automatically due to Ollama's default silent automatic update behavior.
Remediation: Disable automatic updates for Ollama on Windows until an official patched version is released. Only manually download updates from the official Ollama GitHub repository if an update is required. Always verify the checksum of manually downloaded installation files before execution.
Exploit info: No public exploit found yet.
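The two defects above (CVE-2026-42249, a write path built from a server-supplied header, and CVE-2026-42248, a verifier that always reports success) beside their hardened form, as an added example written for this digest and not Ollama's own code. The update directory, the filename rule, and the use of a pinned SHA-256 digest as the out-of-band check are assumptions; the sample inputs are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"path/filepath"
	"regexp"
)

const updateDir = "updates" // stands in for the updater's own directory; a placeholder, not Ollama's real path

// Server-supplied names must be plain file names: no separators of either kind,
// no drive letters, no leading dot, bounded length.
var namePattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$`)

// safeUpdatePath derives a write path from a filename the server sent (for
// example in a response header) and refuses anything that could leave updateDir.
func safeUpdatePath(serverName string) (string, error) {
	if !namePattern.MatchString(serverName) {
		return "", fmt.Errorf("refusing server-supplied filename %q", serverName)
	}
	return filepath.Join(updateDir, serverName), nil
}

// verifyUpdate is what a verifier that returns success unconditionally should
// have been: hash the payload, compare in constant time against a digest obtained
// out of band (pinned here; a signed manifest would play the same role), fail closed.
func verifyUpdate(payload []byte, expectedHex string) error {
	want, err := hex.DecodeString(expectedHex)
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("expected digest malformed; refusing to install")
	}
	got := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return fmt.Errorf("payload digest mismatch; refusing to install")
	}
	return nil
}

func main() {
	// Constructed inputs: a traversal-style name, and a payload with a pinned digest.
	_, err := safeUpdatePath(`..\..\evil.exe`)
	fmt.Println("traversal-style name rejected:", err != nil)
	payload := []byte("constructed update payload")
	sum := sha256.Sum256(payload)
	fmt.Println("tampered payload rejected:", verifyUpdate(append(payload, '!'), hex.EncodeToString(sum[:])) != nil)
}
```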
This digest is for your personal use only. Please do not share or forward. Unauthorized distribution may result in account termination.