Researchers at Cyera disclosed a critical bug in Ollama, the open-source tool that runs large language models locally on laptops and servers. The flaw, called Bleeding Llama (CVE-2026-7482), lets anyone with network access send a malformed model file and read raw process memory back - which typically contains API keys, environment variables, system prompts, and other users' chat history. Ollama ships without authentication by default, so an estimated 300,000 instances are exposed on the internet. Ollama 0.17.1 fixes it. Separately, Striga disclosed two unpatched Ollama Windows desktop flaws (CVE-2026-42248 and CVE-2026-42249) that chain into persistent code execution at login.
Apache patched a double-free vulnerability in mod_http2 yesterday. CVE-2026-23918 (CVSS 8.8) lets a remote attacker crash the server immediately, with a path to remote code execution under specific memory-layout conditions. The bug is in the stream cleanup code in h2_mplx.c and is triggered by a crafted sequence of HTTP/2 frames including an early stream reset. mod_http2 ships in default Apache builds and HTTP/2 is widely enabled in production. The MPM prefork worker is not affected. Researchers warn practical RCE requires an info leak and probabilistic heap spray, but in lab conditions execution lands in minutes.
Google patched a critical flaw in Gemini CLI, the command-line tool developers use to interact with Gemini models from CI pipelines and dev workstations. CVSS 10.0. The bug let an attacker execute arbitrary code on the developer's machine by feeding crafted input to the CLI - specifically through the same pattern that compromised LiteLLM and several other AI tools recently. A separate but related set of flaws in Cursor, the AI-powered IDE, also enables code execution. The pattern across all these AI dev tools is the same: input validation gaps where attacker-controlled prompts or model output reach a shell or code execution path.
Update on the GitHub flaw covered yesterday: Wiz, who found the bug, published its full disclosure showing 88% of self-hosted GitHub Enterprise Servers were still unpatched at public disclosure on April 28. The bug let any user with push access to one repository run code on the GitHub server itself with a single 'git push'. On GitHub.com, the same bug exposed millions of public and private repositories belonging to other users sharing the same storage node. GitHub.com was patched within 75 minutes, but Enterprise Server installs need patching manually. Wiz found the bug using AI-augmented reverse engineering on closed-source GitHub binaries.
Researchers disclosed CVE-2026-3854, a critical GitHub Enterprise Server flaw that lets anyone with push access execute arbitrary commands on the GitHub server with a single git push. The bug is in how Enterprise Server handles repository hooks during push operations - a crafted commit message or filename bypasses the sanitization that normally prevents shell injection. GitHub patched it last week, but self-hosted instances need to apply the patch manually, and telemetry shows most haven't yet. Anyone with developer-level access to a vulnerable Enterprise Server can take over the entire instance, then pivot into every repository and CI/CD secret it hosts.
Forescout Vedere Labs disclosed BRIDGE:BREAK, a set of 22 new vulnerabilities in serial-to-IP converters from Lantronix and Silex that together expose roughly 20,000 devices visible on the open internet. Serial-to-IP converters bridge legacy serial-port equipment (older industrial PLCs, building-automation controllers, medical devices, laboratory instruments) to modern TCP/IP networks, so attackers compromising them can read and tamper with the raw serial traffic flowing to field equipment. Eight flaws affect Lantronix EDS3000PS and EDS5000 series; fourteen affect Silex SD330-AC. The categories span unauthenticated remote code execution (CVE-2026-32955, CVE-2026-32956, CVE-2026-32961, CVE-2025-67034 through 67038, CVE-2025-67041), authentication bypass (CVE-2026-32960, CVE-2025-67039), full device takeover (CVE-2026-32965, CVE-2025-70082, plus FSCT-2025-0021 with no CVE assigned), firmware tampering (CVE-2026-32958), arbitrary file upload (CVE-2026-32957), and information disclosure (CVE-2026-32959). The researchers describe a realistic kill chain where an attacker first pops an internet-facing edge device like an industrial router, then pivots through a compromised serial-to-IP converter to silently alter sensor readings or actuator commands flowing to field assets - data-integrity attacks that are invisible to most OT monitoring. Both vendors have released firmware updates.
Security firm Endor Labs disclosed a critical remote code execution flaw in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers with nearly 50 million weekly downloads on npm. The bug lets attackers achieve RCE when an application loads a malicious protobuf schema. Root cause: protobuf.js builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor, but doesn't validate schema-derived identifiers like message names. An attacker can supply a crafted schema that injects arbitrary JavaScript into the generated function, which then runs when the app processes any message using that schema. This opens access to environment variables, credentials, databases, and internal systems - plus lateral movement within infrastructure. Developer machines are also at risk if they load and decode untrusted schemas locally. The flaw has a proof-of-concept exploit in Endor Labs' advisory and 'exploitation is straightforward' per the researchers, but no in-the-wild exploitation has been observed yet. No official CVE assigned - tracked as GHSA-xq3m-2v4x-88gg. Reported March 2 by Cristian Staicu, patched on GitHub March 11, npm patches released April 4 (8.x branch) and April 15 (7.x branch).
Day-after recovery: a PoC exploit for a critical vulnerability in Fortinet's FortiSandbox product has been publicly available since April 17. CVE-2026-39808 allows an unauthenticated attacker to execute arbitrary code on affected appliances via the web management interface. FortiSandbox is Fortinet's network-based malware analysis product used to inspect suspicious files before they reach endpoints. Because it sits in the malware analysis path, a compromised FortiSandbox gives attackers visibility into every suspicious file your environment has flagged, including real phishing attempts and incident samples. The PoC release doesn't indicate confirmed in-the-wild exploitation yet, but based on recent patterns the window between public PoC and mass scanning is typically measured in hours. CISA has not yet added this to KEV.
Cisco has patched four critical vulnerabilities this week across Webex and Identity Services Engine (ISE). The standout flaw is CVE-2026-20184 in Cisco Webex Services with SSO integration via Control Hub - it allows an unauthenticated remote attacker to impersonate any user in the service due to incorrect certificate validation in the SSO flow. This is particularly dangerous for organizations using Webex with SAML and centralized identity management. Alongside it: CVE-2026-20180 and CVE-2026-20186 (both CVSS 9.9) affect Cisco ISE and ISE Passive Identity Connector, allowing authenticated attackers with even read-only admin credentials to execute arbitrary commands on the underlying OS and escalate to root. CVE-2026-20147 is a path traversal flaw in the same products. ISE versions before 3.2, plus 3.2, 3.3, 3.4, and 3.5 branches are all affected. No workarounds - only software updates fix these. In single-node ISE deployments, exploitation can also knock the node offline, blocking network access for unauthenticated endpoints.
Adobe has released an emergency security update (APSB26-43, priority-1) to patch CVE-2026-34621, the Adobe Reader zero-day we reported on April 10 that had been exploited since December 2025 via malicious PDF documents. The flaw has now been classified as a prototype pollution vulnerability leading to arbitrary code execution - more severe than the initial fingerprinting and data theft we described. Adobe confirmed it's worse than just information leakage: the underlying bug can achieve full RCE, not just the reconnaissance stage observed in early exploitation. CVSS was initially scored 9.6 but Adobe revised it down to 8.6 after changing the attack vector from Network to Local. EXPMON researcher Haifei Li, who first disclosed the flaw, was credited by Adobe. All users on Windows and macOS should update immediately - Adobe assigned this patch its highest priority rating.
TrustStrike Labs