Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7

Vercel confirms breach - attackers got in through Context.ai AI tool's Google Workspace OAuth, stole customer environment variables

Cloud development platform Vercel disclosed a security incident on April 19 after a threat actor claiming to be ShinyHunters posted stolen data for sale on a hacking forum. Vercel CEO Guillermo Rauch confirmed the initial access came through a breach at Context.ai, an enterprise AI platform one Vercel employee had signed up for using their Vercel enterprise account with 'Allow All' OAuth permissions. Attackers compromised Context.ai, stole the OAuth token, took over the employee's Google Workspace account, and pivoted into Vercel environments. Once inside, they accessed environment variables not marked as 'sensitive' - these are stored unencrypted at rest, unlike sensitive env vars which Vercel encrypts. The attacker posted 580 employee records (names, emails, account status, activity timestamps) as a teaser, plus screenshots of an internal Vercel Enterprise dashboard. They claim to also have access keys, source code, database data, and API keys, though Vercel characterizes impact as a 'limited subset' of customers. Mandiant is engaged. This is the cleanest real-world example to date of the AI supply chain risk pattern everyone has been warning about: a third-party AI tool with broad OAuth scopes becomes the initial access vector into your primary infrastructure.

Check
If you deploy apps on Vercel, rotate all environment variables immediately - especially any not marked 'sensitive'. Also audit every third-party AI/SaaS tool that has OAuth access to your Google Workspace or similar identity provider.
Affected
Any Vercel customer with environment variables not marked 'sensitive'. Vercel has directly contacted a 'limited subset' of customers whose credentials were compromised. If you weren't contacted, Vercel says it has no evidence of your data being accessed at this time. Separately: any organization using Context.ai with Google Workspace OAuth granted 'Allow All' permissions.
Fix
Rotate every Vercel environment variable and redeploy applications to pick up the new values. Mark any secret as 'sensitive' in Vercel's dashboard going forward - this encrypts at rest. In Google Workspace Admin, search for and revoke OAuth App ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Review Google Workspace audit logs between April 1-19 for unusual OAuth grants or token access. Audit every third-party tool connected to your Google Workspace - specifically those granted broad OAuth scopes - and remove any your team isn't actively using.

Critical protobuf.js RCE hits JavaScript ecosystem - 50M weekly npm downloads, PoC published (GHSA-xq3m-2v4x-88gg)

Security firm Endor Labs disclosed a critical remote code execution flaw in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers with nearly 50 million weekly downloads on npm. The bug lets attackers achieve RCE when an application loads a malicious protobuf schema. Root cause: protobuf.js builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor, but doesn't validate schema-derived identifiers like message names. An attacker can supply a crafted schema that injects arbitrary JavaScript into the generated function, which then runs when the app processes any message using that schema. This opens access to environment variables, credentials, databases, and internal systems - plus lateral movement within infrastructure. Developer machines are also at risk if they load and decode untrusted schemas locally. The flaw has a proof-of-concept exploit in Endor Labs' advisory and 'exploitation is straightforward' per the researchers, but no in-the-wild exploitation has been observed yet. No official CVE assigned - tracked as GHSA-xq3m-2v4x-88gg. Reported March 2 by Cristian Staicu, patched on GitHub March 11, npm patches released April 4 (8.x branch) and April 15 (7.x branch).

Check
Audit your JavaScript and Node.js codebases plus transitive dependencies for protobuf.js. If you run any service that deserializes protobuf messages, treat this as urgent.
Affected
protobuf.js versions 8.0.0 and earlier on the 8.x branch, and 7.5.4 and earlier on the 7.x branch. The library is used for inter-service communication, real-time applications, and structured data storage in databases and cloud environments. Any app that loads attacker-influenced protobuf schemas is at risk - this includes services accepting schemas from users, partners, or untrusted registries.
Fix
Upgrade to protobuf.js 8.0.1 (8.x branch) or 7.5.5 (7.x branch). Check your package.json and package-lock.json for both direct and transitive dependencies - protobuf.js is often pulled in by other packages. For defense-in-depth per Endor Labs' guidance: treat schema-loading as untrusted input, prefer precompiled or static schemas in production, and audit transitive dependencies that may still pin an older protobuf.js version even after you upgrade your direct dependency.

Microsoft April patches cause reboot loops on Windows Server 2025 and 2022 domain controllers - LSASS crash breaks authentication

Microsoft has confirmed that the April 2026 cumulative updates (KB5082063 for Windows Server 2025, KB5082142 for Windows Server 2022) are causing LSASS crashes that trigger reboot loops on non-Global Catalog domain controllers in environments using Privileged Access Management (PAM). Affected DCs restart repeatedly, preventing authentication and directory services from functioning, potentially rendering the entire domain unavailable. The issue also occurs when setting up new domain controllers or on existing ones processing authentication requests early in startup. A separate bug causes the April update to fail installation entirely on some Windows Server 2025 systems with error code 0x800F0983. A third issue forces some servers into BitLocker recovery mode due to Secure Boot changes bundled in the update. This is the third consecutive year April Patch Tuesday has broken Windows Server authentication - similar LSASS/domain controller issues hit in April 2024 and April 2025.

Check
If you run Active Directory and use Privileged Access Management (PAM), do NOT deploy the April 2026 updates to domain controllers without Microsoft mitigation guidance.
Affected
Non-Global Catalog (non-GC) domain controllers on Windows Server 2025 (KB5082063), Windows Server 2022 (KB5082142), Server 23H2, Server 2019, and Server 2016, specifically in environments using Privileged Access Management (PAM). Consumer Windows devices are not affected.
Fix
Hold deployment of the April 2026 cumulative update on affected domain controllers. Contact Microsoft Support for Business to access the official mitigation - it can be applied both before and after the April update. Microsoft is working on a permanent fix in a future Windows update. For BitLocker recovery issues: ensure you have recovery keys accessible before patching. Non-DC member servers and workstations should still be patched on schedule to close the zero-day vulnerabilities (SharePoint CVE-2026-32201, Defender CVE-2026-33825) covered in our April 15 report.

13-year-old Apache ActiveMQ code injection flaw actively exploited - CISA gives federal agencies until April 30 to patch (CVE-2026-34197)

A critical code injection flaw in Apache ActiveMQ Classic has been under active exploitation in the wild, and CISA added it to the Known Exploited Vulnerabilities catalog on April 16 with a federal patch deadline of April 30. The flaw, tracked as CVE-2026-34197 (CVSS 8.8), has been 'hiding in plain sight' for 13 years according to Horizon3.ai researcher Naveen Sunkavally. The vulnerability is in the Jolokia JMX-HTTP bridge exposed at /api/jolokia/. An attacker can send crafted HTTP requests with a malicious discovery URI that forces the broker to load a remote Spring XML configuration. Because Spring initializes beans before validation, attackers execute arbitrary OS commands via Runtime.exec() - effectively turning a messaging broker into a remote command runner. Fortinet FortiGuard Labs telemetry shows exploitation attempts peaking on April 14, 2026. SAFE Security reports threat actors actively scanning for exposed Jolokia management endpoints.

Check
Inventory every ActiveMQ instance in your environment. If you don't know whether you run ActiveMQ, check with your dev team - it's embedded in many enterprise messaging pipelines and IoT data flows.
Affected
Apache ActiveMQ Classic versions 5.x before 5.19.4, and 6.0.0 before 6.2.3. The vulnerable component is the Jolokia JMX-HTTP bridge exposed via the web console at /api/jolokia/. Any internet-exposed ActiveMQ broker with default Jolokia configuration is at risk.
Fix
Upgrade to Apache ActiveMQ 5.19.4 or 6.2.3. If you cannot patch immediately: block external access to the /api/jolokia/ endpoint at your firewall or reverse proxy, restrict the Jolokia policy to specific MBeans only (not the default org.apache.activemq:* wildcard), and require authentication for all management operations. Check your access logs for HTTP requests to /api/jolokia/ with suspicious URI parameters over the past 30 days - exploitation requires only one successful request.

NIST stops enriching most new CVEs - only KEV-listed and federal-used software will get full NVD data going forward

NIST has announced major changes to how the National Vulnerability Database processes new CVEs, driven by a 263% surge in submissions that the agency can no longer keep up with. As of April 15, 2026, NIST will only provide full enrichment (CVSS scoring, CWE mapping, CPE identification) for CVEs that meet specific criteria: vulnerabilities in the CISA KEV catalog, those in software used by the federal government, and a small set of other priority categories. Everything else remains listed in the NVD but without the detailed metadata that security teams rely on for automated patch prioritization. Dustin Childs at ZDI noted during Patch Tuesday coverage that AI-driven vulnerability discovery has tripled his own triage volume. The same pressure is hitting NIST. Practical impact: vulnerability management tools, automated scanners, and patch prioritization workflows that depend on NVD enrichment data will have blind spots for the majority of new CVEs. Private vulnerability intelligence feeds (VulnCheck, Tenable, Qualys) become more important for anyone who relied on NVD as the single source of truth.

Check
Review how your vulnerability management program depends on NVD data. If your scanner or SIEM pulls CVSS scores and CPE data directly from NVD, many new CVEs will return incomplete results.
Affected
Any organization relying primarily on NVD as a vulnerability intelligence source. Automated patch prioritization tools, SIEM integrations, asset management platforms, and compliance reporting that map CVEs to systems via CPE identifiers will have coverage gaps for non-KEV, non-federal-priority CVEs.
Fix
Layer additional vulnerability intelligence sources on top of NVD. Consider subscribing to VulnCheck KEV (expanded exploitation data), CISA KEV directly (smaller but authoritative), or commercial feeds from Tenable, Qualys, or Rapid7. For patch prioritization, weight exploitation evidence (KEV listing, public PoC, threat intel reports) more heavily than CVSS scores alone - since many new CVEs won't have CVSS scores at all. Review your vulnerability SLAs - 'patch all criticals within N days' policies need rewording if criticality can't be automatically determined from NVD.

Fortinet FortiSandbox unauthenticated RCE (CVE-2026-39808) has public PoC - day-after recovery from April 17

Day-after recovery: a PoC exploit for a critical vulnerability in Fortinet's FortiSandbox product has been publicly available since April 17. CVE-2026-39808 allows an unauthenticated attacker to execute arbitrary code on affected appliances via the web management interface. FortiSandbox is Fortinet's network-based malware analysis product used to inspect suspicious files before they reach endpoints. Because it sits in the malware analysis path, a compromised FortiSandbox gives attackers visibility into every suspicious file your environment has flagged, including real phishing attempts and incident samples. The PoC release doesn't indicate confirmed in-the-wild exploitation yet, but based on recent patterns the window between public PoC and mass scanning is typically measured in hours. CISA has not yet added this to KEV.

Check
If your organization uses Fortinet FortiSandbox, apply Fortinet's security update immediately. Treat as priority-1 even without confirmed in-the-wild exploitation.
Affected
Fortinet FortiSandbox appliances running unpatched firmware. Check Fortinet's PSIRT advisory for CVE-2026-39808 for exact affected firmware versions and upgrade paths for your model.
Fix
Apply Fortinet's security update from the official PSIRT advisory. If patching is delayed, restrict network access to the FortiSandbox management interface to trusted admin IPs only - do not expose the management interface to the internet. Review FortiSandbox access logs for unusual HTTP requests to the management interface over the past 30 days.

Nginx UI authentication bypass actively exploited - one unauthenticated request gives attackers full server takeover via MCP endpoint (CVE-2026-33032)

A CVSS 9.8 authentication bypass in nginx-ui, the popular open-source web management interface for Nginx servers, is being actively exploited in the wild. The flaw, codenamed MCPwn by Pluto Security, exists because the /mcp_message endpoint added for Model Context Protocol (AI integration) support only checks IP whitelisting - and the default whitelist is empty, meaning it allows all connections. One unauthenticated HTTP POST request lets an attacker invoke all MCP tools: rewrite Nginx config files, reload the server, intercept all traffic, and harvest admin credentials. Attackers chain it with CVE-2026-27944 (exposed encryption keys via the backup API) to extract the node_secret needed for full MCP access. Recorded Future flagged active exploitation and assigned a risk score of 94/100. Shodan shows 2,600 publicly exposed instances, mostly in China, the US, Indonesia, and Germany. Pluto Security's key lesson: AI integration endpoints expose the same capabilities as the core application but often skip its security controls.

Check
Check if you or any managed clients run nginx-ui (web-based Nginx management dashboard). If MCP support is enabled, this is urgent - you're likely exposed.
Affected
nginx-ui versions 2.3.5 and earlier with MCP support enabled. The tool has 11,000+ GitHub stars and 430,000 Docker pulls. Any instance reachable from the network is exploitable without credentials.
Fix
Update nginx-ui to version 2.3.6 immediately (2.3.4 was the first fix, 2.3.6 is current). If you can't patch: restrict network access to the nginx-ui management interface to trusted IPs only. Add authentication middleware to the /mcp_message endpoint. As defense-in-depth, audit all MCP-integrated tools in your environment - this class of flaw (AI integration endpoints skipping auth) will appear in other products.

Second Microsoft Defender zero-day PoC released - 'RedSun' grants SYSTEM privileges on fully-patched Windows including this week's April patches

Just days after Microsoft patched BlueHammer (CVE-2026-33825) in Tuesday's Patch Tuesday, the same researcher 'Chaotic Eclipse' (aka Nightmare-Eclipse) has released a second Microsoft Defender local privilege escalation zero-day called RedSun. The exploit works on fully-patched Windows 10, Windows 11, and Windows Server systems with Windows Defender enabled, even after installing this week's April updates. The flaw abuses Defender's cloud file rollback behavior: when Defender detects a file with a 'cloud tag' it tries to restore it to its original location without validating the target path. The exploit uses NTFS junctions and opportunistic locks to redirect the write to C:\Windows\System32, overwriting system files like TieringEngineService.exe to gain SYSTEM privileges. Huntress Labs is reporting all three recently-leaked Windows Defender zero-days (BlueHammer, RedSun, and UnDefend) are now being exploited in the wild. The researcher has threatened to drop more severe RCE exploits in protest of how Microsoft handled their disclosure process. No patch available for RedSun yet. Working PoC code is public on GitHub.

Check
Assume unprivileged-to-SYSTEM escalation is available to any attacker on your Windows endpoints until Microsoft patches RedSun. Defense-in-depth measures matter more than usual.
Affected
Windows 10, Windows 11, and Windows Server 2019 and later systems with Windows Defender enabled. The exploit works on fully-patched systems including the April 2026 Patch Tuesday updates. Any attacker with local unprivileged access (via phishing, drive-by download, or stolen credentials) can escalate to SYSTEM.
Fix
No patch available yet. Immediate mitigations: (1) Block execution of untrusted binaries from user-writable directories via AppLocker or Windows Defender Application Control - this prevents the initial foothold required for RedSun. (2) Monitor EDR for unexpected file writes to System32 and NTFS junction creation. (3) Apply the April Patch Tuesday updates anyway to close BlueHammer (CVE-2026-33825) and other critical flaws - RedSun is a separate issue. (4) Watch for Microsoft's out-of-band update or May Patch Tuesday fix.

Attacker bought 30+ WordPress plugins on Flippa, planted backdoor in August 2025, activated it 8 months later across hundreds of thousands of sites

One of the most methodical WordPress supply chain attacks ever: a buyer known only as 'Kris' purchased the entire Essential Plugin portfolio (30+ free WordPress plugins) on the Flippa marketplace for six figures. In August 2025, they injected a PHP deserialization backdoor in version 2.6.7, disguised as a compatibility check for WordPress 6.8.2. The malicious code sat dormant for eight months, building trust. On April 5-6, 2026, the attacker activated it - the C2 domain analytics.essentialplugin[.]com began distributing payloads to every site running the compromised plugins. The backdoor injected cloaked SEO spam into wp-config.php, visible only to Googlebot. WordPress.org permanently closed all 31 plugins on April 7 and pushed a forced auto-update - but the cleanup only removed the phone-home code, not the wp-config.php modifications, meaning compromised sites still served spam after the 'fix'. This happened the same week as the Smart Slider 3 supply chain attack we reported April 11 - two different supply chain attacks via the WordPress trusted update channel in one week.

Check
Check if any of your WordPress sites use plugins from the Essential Plugin / WP Online Support author. The full list of 31 affected plugins includes Starter Templates, Starter Templates for Starter Template, Blog Designer, Countdown Timer Ultimate, Starter Templates Manager, and many more.
Affected
WordPress sites running any of the 31 Essential Plugin plugins that were active before April 8, 2026. The backdoor was present since version 2.6.7 (August 2025). Affected plugins include: Starter Templates for starter template themes, Blog Designer for Post and Widget, Countdown Timer Ultimate, Album and Image Gallery Plus Lightbox, Audio Player with Playlist Ultimate, and 26+ others.
Fix
If any affected plugin was active on your site: (1) Check wp-config.php for injected code and clean it manually - the WordPress.org forced update did NOT fix this. (2) Search for and remove wp-comments-posts.php if present. (3) Scan all files for additional payloads. (4) Rotate all admin and database credentials. (5) Check for hidden admin accounts. The WordPress.org forced update to 2.6.9.1 disabled the phone-home mechanism but did not remediate existing compromise. Treat affected sites as fully compromised.

Cisco Webex SSO flaw lets unauthenticated attackers impersonate any user (CVE-2026-20184) - four critical bugs patched this week

Cisco has patched four critical vulnerabilities this week across Webex and Identity Services Engine (ISE). The standout flaw is CVE-2026-20184 in Cisco Webex Services with SSO integration via Control Hub - it allows an unauthenticated remote attacker to impersonate any user in the service due to incorrect certificate validation in the SSO flow. This is particularly dangerous for organizations using Webex with SAML and centralized identity management. Alongside it: CVE-2026-20180 and CVE-2026-20186 (both CVSS 9.9) affect Cisco ISE and ISE Passive Identity Connector, allowing authenticated attackers with even read-only admin credentials to execute arbitrary commands on the underlying OS and escalate to root. CVE-2026-20147 is a path traversal flaw in the same products. ISE versions before 3.2, plus 3.2, 3.3, 3.4, and 3.5 branches are all affected. No workarounds - only software updates fix these. In single-node ISE deployments, exploitation can also knock the node offline, blocking network access for unauthenticated endpoints.

Check
If you use Cisco Webex with SSO via Control Hub, treat CVE-2026-20184 as urgent - it's unauthenticated. If you run Cisco ISE for network access control, plan to patch this week.
Affected
Cisco Webex Services configured with SSO integration via Control Hub (CVE-2026-20184, unauthenticated impersonation). Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) versions prior to 3.2, plus 3.2, 3.3, 3.4, and 3.5 branches (CVE-2026-20180, CVE-2026-20186, CVE-2026-20147).
Fix
Apply Cisco's software updates from the April 15 advisories. For ISE, upgrade to the fixed release matching your branch - there are no workarounds. For Webex with SSO, the fix is included in Cisco's latest Control Hub release. If patching is delayed, restrict admin access to ISE management interfaces to trusted IPs only via network-level ACLs - this doesn't fix CVE-2026-20184 but reduces the risk from ISE credential theft to RCE chains. Review Cisco admin account hygiene: read-only credentials are enough to chain to root on unpatched ISE.