Take action on the latest cybersecurity events

Cybersecurity advisories and events as they happen, with a clear action you can take.

CISA Confirms Active Exploitation of Three Cisco Networking Vulnerabilities
published: yesterday
CISA has confirmed the active exploitation of three Cisco Catalyst SD-WAN Manager vulnerabilities (CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133) that allow attackers to overwrite system files, steal credentials, and access sensitive data. Federal agencies are required to patch these flaws by April 23, 2026, to mitigate risks of unauthorized system takeover.
Take action: If you use Cisco Catalyst SD-WAN Manager check your versions against the February advisory. CISA has confirmed these flaws are exploited, so start patching.
CISA Warns of Active Exploitation in Apache ActiveMQ Jolokia API Vulnerability
published: April 17, 2026
CISA added a high-severity Apache ActiveMQ vulnerability (CVE-2026-34197) to its KEV catalog due to active exploitation that allows attackers to run arbitrary OS commands via the Jolokia API. The flaw is particularly dangerous when chained with CVE-2024-32114, which enables unauthenticated remote code execution in certain versions.
Take action: If you're running Apache ActiveMQ, upgrade to version 5.19.4 or 6.2.3 ASAP. Atackers are actively exploiting this right now. While you're at it, make sure your ActiveMQ console is not exposed to the internet, change any default admin:admin credentials, and disable the Jolokia endpoint entirely if you don't need it.
Critical nginx-ui Vulnerability CVE-2026-33032 Under Active Exploitation
published: April 15, 2026
nginx-ui patched a critical authentication bypass (CVE-2026-33032) in its MCP integration that allows unauthenticated attackers to take over Nginx services and intercept traffic. The flaw is actively exploited in the wild and affects over 2,600 internet-exposed instances.
Take action: Make sure your nginx-ui instances are isolated from the internet and accessible from trusted networks only. Then update nginx-ui to version 2.3.4 or later to patch CVE-2026-33032, and change the IP whitelist default from allow-all to deny-all so only trusted addresses can reach the management interface.
ShowDoc Document Management Platform Targeted by Active RCE Exploitation
published: April 15, 2026
ShowDoc is facing active exploitation of a critical unauthenticated remote code execution vulnerability (CVE-2025-0520) caused by improper file upload validation. Attackers are using this flaw to deploy web shells and gain full control over unpatched servers.
Take action: If you're running ShowDoc, update it to version 2.8.7 or higher immediately. This flaw has been patched since 2020 but attackers are actively exploiting unpatched instances. Then check your image upload folders for any suspicious PHP files that shouldn't be there, and make sure ShowDoc is not exposed to the internet.
CPUID Website Compromised to Distribute STX RAT Malware via CPU-Z and HWMonitor
published: April 11, 2026
CPUID's official website was compromised to distribute the STX RAT infostealer through poisoned download links for popular tools like CPU-Z and HWMonitor. The attack used DLL sideloading and masquerading to bypass security defenses and target organizations across multiple global sectors.
Take action: If you downloaded CPU-Z, HWMonitor, or PerfMonitor between April 9–10, 2026, assume your system is compromised. Immediately change all your passwords (especially those saved in your browser), enable multi-factor authentication everywhere, and run a full security scan or reinstall your OS. Going forward, always verify software downloads by checking file signatures and hashes against the vendor's official published values before running any installer.
Marimo Python Notebook RCE Exploited Hours After Disclosure
published: April 10, 2026
Marimo patched a critical RCE vulnerability (CVE-2026-39987) that was exploited within 10 hours of disclosure to steal cloud credentials and SSH keys. The flaw allows unauthenticated attackers to gain full interactive shell access via a WebSocket authentication bypass.
Take action: If you're running Marimo notebooks, update to version 0.23.0 immediately and rotate any credentials (AWS keys, SSH keys, database passwords, API secrets) that were stored on or accessible from that system. If you can't update right away, block access to the /terminal/ws endpoint or put the notebook behind a reverse proxy with authentication and never expose notebook platforms directly to the internet.
Adobe Reader Zero-Day Exploited in Targeted Fingerprinting Campaign
published: April 10, 2026
A zero-day actively exploited vulnerability in Adobe Reader's JavaScript engine allows attackers to exfiltrate system data and potentially execute remote code via malicious PDF files.
Take action: If you use Adobe Reader, open it right now and disable JavaScript by going to Edit > Preferences > JavaScript and uncheck "Enable Acrobat JavaScript". This blocks the exploit's main attack path. Until Adobe releases a patch, don't open any PDF files from unknown or unexpected sources, and if you must view untrusted PDFs, use a browser-based viewer like Chrome or Edge instead of Adobe Reader. Always verify the source of PDF files before opening them.
Flowise AI Platform Targeted by Active Exploitation of Critical RCE Flaw
published: April 8, 2026
Flowise is facing active exploitation of CVE-2025-59528, a critical vulnerability that allows attackers to execute arbitrary JavaScript and take full control of AI workflow servers.
Take action: If you're running Flowise, this is urgent. Your tool is being attacked. Make sure Flowise is isolated from the internet unless absolutely necessary, and update to version 3.0.6 ASAP. Until you can update, restrict access to trusted IPs only. After isolating or patching (whichever comes first), rotate all API tokens and credential.
36 Malicious npm Packages Target Guardarian Infrastructure via Strapi Plugins
published: April 5, 2026
A coordinated supply chain attack involving 36 malicious npm packages targeted the cryptocurrency platform Guardarian to steal database credentials and wallet keys. The campaign exploited Redis and Docker vulnerabilities to deploy persistent, fileless backdoors on production Strapi CMS servers.
Take action: If you use Strapi, immediately audit your node_modules for any of these 36 malicious packages: legitimate Strapi plugins are always scoped under @strapi/, so any unscoped strapi-plugin-* package should be treated as suspicious and removed. If any were installed, assume full compromise: rotate all credentials, secrets, and keys, revoke database and API tokens, and investigate your environment for reverse shells or unauthorized cron jobs.
Fortinet Issues Emergency Hotfix for Actively Exploited FortiClient EMS Zero-Day
published: April 4, 2026
Fortinet has released emergency hotfix for an actively exploited critical zero-day vulnerability (CVE-2026-35616) in FortiClient EMS that allows unauthenticated attackers to bypass API security and run arbitrary commands.
Take action: If you use FortiClient EMS versions 7.4.5 or 7.4.6, apply Fortinet's emergency hotfix ASAP. It's being actively exploited andcan give attackers full control of your endpoint management server. While you're at it, check your EMS API logs for any signs of unauthorized access or unusual command execution that might indicate you've already been compromised.