Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7

Apple pushes emergency iOS patch for notification-storage flaw that let the FBI recover deleted Signal messages (CVE-2026-28950)

Apple released out-of-band iOS and iPadOS updates to fix a Notification Services flaw that kept notifications marked for deletion sitting in internal storage, where they could be pulled off the device later. The bug (CVE-2026-28950) landed after 404 Media reported that the FBI recovered Signal messages from a suspect's iPhone even after the user deleted them and even after Signal itself was uninstalled. The recovered text did not come from Signal's encrypted message store - it came from iPhone's internal notification buffer, which silently preserved incoming notification contents that the app and the OS both thought had been erased. Apple's advisory does not name the FBI case but describes exactly the data-persistence behavior 404 Media documented. Signal's team publicly thanked Apple for the fix. Beyond Signal users, this flaw matters for anyone who assumed that deleting a message or uninstalling an app wiped the underlying notification data from the phone - it did not. Forensic extraction of an unlocked iPhone could have surfaced any sensitive content ever pushed as a notification.

Check
Update any iPhone or iPad you manage (BYOD or corporate) to the patched build and audit MDM compliance reports for devices that have not yet installed the emergency update.
Affected
All iOS and iPadOS builds prior to iOS 26.4.2 / iPadOS 26.4.2, and prior to iOS 18.7.8 / iPadOS 18.7.8 for older devices on the 18.x train.
Fix
Install iOS 26.4.2 / iPadOS 26.4.2 (or iOS 18.7.8 / iPadOS 18.7.8 on supported older hardware). For Signal users who want belt-and-braces protection against any future notification-storage issue, change Signal Settings > Notifications > Notification content to 'Name Only' or 'No Name or Content' so message bodies never appear in the notification stream in the first place.

Over 1,300 SharePoint servers still exposed to ongoing spoofing attacks a week after Microsoft's patch (CVE-2026-32201)

Shadowserver data shows 1,300+ internet-exposed Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing flaw Microsoft confirmed as a zero-day and CISA added to its Known Exploited Vulnerabilities catalog the same day the fix dropped in April Patch Tuesday. Fewer than 200 systems have been patched since the update shipped last week. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. An unauthenticated attacker can perform network spoofing through improper input validation in a low-complexity attack that needs no user interaction, letting them view sensitive information and modify data, though not affect availability. Microsoft has not described the exploitation technique or attributed the attacks to a specific group, which is unusual for a zero-day and hints at an ongoing investigation. CISA ordered federal agencies to patch by April 28 under Binding Operational Directive 22-01, and given ongoing in-the-wild abuse, private-sector operators should treat that as their own deadline. SharePoint's habit of holding cached Office 365 tokens, SharePoint-signed refresh tokens, and IP on sensitive business processes makes any compromise a serious lateral-movement foothold, not a minor information disclosure.

Check
Inventory every on-premises SharePoint instance in your environment (including dev and staging that may be exposed to the internet) and verify that the April 2026 Patch Tuesday update for CVE-2026-32201 is installed.
Affected
SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition (the 'continuous update' on-premises edition) without the April 2026 security update.
Fix
Install the April 2026 Patch Tuesday security updates for each affected SharePoint version. If a server cannot be patched immediately, pull it off the public internet and put it behind a VPN or Zero Trust gateway, and monitor authentication logs for unexpected token-generation patterns. After patching, audit the last 10 days of SharePoint auth logs and any connected Office 365 federated token issuance for anomalies, since the patch will not retroactively invalidate tokens minted during exploitation.

Cohere's Terrarium AI code sandbox has a root-level escape with no patch coming (CVE-2026-5752, CVSS 9.3)

A critical sandbox-escape flaw in Cohere AI's open-source Terrarium project lets code running inside the sandbox break out and execute arbitrary commands as root on the host Node.js process. Terrarium is a Python sandbox built on Pyodide (a browser- and Node.js-compatible Python distribution running in WebAssembly) and deployed as a Docker container to safely run untrusted code submitted by users or generated by a large language model. That exact use case makes the blast radius real: any AI product using Terrarium to evaluate LLM-generated Python code is giving its models a direct path to root on the container and, from there, potentially on the host. The flaw (CVE-2026-5752, CVSS 9.3) stems from JavaScript prototype chain traversal in the Pyodide WebAssembly environment: sandboxed code can reach parent and global object prototypes to manipulate objects in the host, a technique SentinelOne describes as prototype pollution bypassing the intended security boundaries. Exploitation needs local access to the sandbox but no special privileges or user interaction. The project has been starred 312 times and forked 56 times. Because Cohere is no longer actively maintaining Terrarium, the flaw is unlikely to ever be patched. Security researcher Jeremy Brown reported the issue.

Check
Search your AI and data-engineering stack for any use of Cohere's Terrarium (direct or as a dependency or fork) and identify whether user-submitted or LLM-generated code is routed through it.
Affected
All versions of Cohere AI Terrarium and any fork that inherits the Pyodide prototype traversal issue. The project is unmaintained - no patched version will be published.
Fix
Stop accepting user- or LLM-submitted code into Terrarium sandboxes. CERT/CC advises disabling any feature that submits code to Terrarium, segmenting the network so a compromised container cannot reach other services, restricting container and orchestrator access to authorized personnel, and deploying a WAF to block exploitation patterns. The only durable fix is to migrate off Terrarium to a maintained sandbox (gVisor, Firecracker, or a commercially supported code-execution service) with per-request ephemeral VMs and strict egress controls.

Cohere's Terrarium AI sandbox breaks out to root on the host with no vendor patch in sight (CVE-2026-5752)

CERT Coordination Center disclosed CVE-2026-5752, a CVSS 9.3 sandbox escape in Cohere's open source Terrarium, a Python sandbox that runs on Pyodide (a WebAssembly Python distribution for Node.js) and is used to execute untrusted or LLM-generated code inside a Docker container. The flaw lets code running inside the Pyodide sandbox traverse the JavaScript prototype chain to reach the host Node.js Function constructor, compile arbitrary JavaScript in the host realm, and execute it as root inside the container. From that point attackers can read /etc/passwd and environment variables, reach other services on the container network, and attempt a further container escape. Critically, CERT/CC notes it was unable to coordinate a patch with Cohere, so no fix has shipped. Terrarium has 312 GitHub stars and 56 forks - a moderate audience, but anyone running it is a poster-child target for prompt-injection attacks that instruct the LLM to emit sandbox-breaking code. The underlying prototype-chain traversal pattern is the same technique seen in January's CVE-2026-22686 against the enclave-vm sandbox.

Check
If you run Terrarium anywhere in your stack (including behind an AI product that evaluates user-supplied Python) take it offline until you can wrap it in a second isolation layer or replace it with a hardened alternative.
Affected
All currently-available versions of Cohere Terrarium (github.com/cohere-ai/cohere-terrarium). The JavaScript prototype-chain traversal in Pyodide WebAssembly is exploitable by any code the sandbox accepts for execution - including code an LLM generates from a user prompt, which is the entire point of the product. CERT/CC confirmed there is no vendor patch as of the advisory.
Fix
Disable any feature that lets users (or an upstream LLM) submit arbitrary code to Terrarium. Wrap Terrarium deployments in a second isolation layer - gVisor or Firecracker microVMs for stronger kernel isolation, strict network egress policies, read-only root filesystems, and dropped Linux capabilities including CAP_SYS_ADMIN. Segment Terrarium containers so they cannot reach internal APIs, databases, or metadata services. Monitor for unexpected root-level process creation inside Terrarium containers and alert on any Node.js Function constructor invocation originating from sandbox code. For new AI-code-execution use cases, evaluate alternatives like the Deno-based approach with explicit permission flags or E2B's hardened cloud sandboxes.

12-year-old 'Pack2TheRoot' bug in PackageKit gives any local user root on default Ubuntu, Debian, Fedora, and RHEL/Cockpit installs (CVE-2026-41651)

Deutsche Telekom's Red Team disclosed CVE-2026-41651, a local privilege escalation in the PackageKit daemon that has shipped in default Linux installations since November 2014. Any unprivileged local user can invoke 'pkcon install' without a polkit prompt, install or remove arbitrary packages, and escalate to root. CVSS 8.8. Confirmed-vulnerable defaults include Ubuntu Desktop and Server LTS, Debian Trixie, Rocky Linux 10.1, and Fedora 43; any RHEL server running Cockpit is also exposed because Cockpit loads PackageKit on demand via D-Bus. PackageKit 1.3.5 fixes it. The researchers credited Anthropic's Claude Opus with helping guide the discovery.

Check
Inventory every Linux endpoint and server for PackageKit, patch to 1.3.5 today, and audit historical journalctl output for the assertion-failure IoC.
Affected
PackageKit versions 1.0.2 through 1.3.4 (every release between November 2014 and the April 22, 2026 fix). Default Ubuntu Desktop and Server LTS, Debian Trixie 13.4, Rocky Linux 10.1, Fedora 43. Plus any RHEL or CentOS server running Cockpit, which loads PackageKit on demand via D-Bus.
Fix
Update PackageKit to 1.3.5 across the fleet. Verify with 'dpkg -l | grep packagekit' or 'rpm -qa | grep packagekit'. A process-list grep is insufficient because PackageKit is D-Bus-activated. Hunt past exploitation via 'journalctl -u packagekit | grep emitted_finished' for assertion-failure crashes. Where patching is delayed, mask the systemd unit and disable Cockpit.

Cisco Catalyst SD-WAN Manager flaw added to CISA KEV with 4-day federal patch deadline - actively exploited (CVE-2026-20133)

CISA added a Cisco Catalyst SD-WAN Manager information disclosure flaw to its Known Exploited Vulnerabilities catalog on Monday, ordering federal agencies to patch by Friday, April 24 - an unusually aggressive 4-day deadline that reflects confirmed active exploitation. CVE-2026-20133 is an unauthenticated remote flaw in the SD-WAN Manager (formerly vManage) API, caused by insufficient file system access restrictions. An attacker can access the API and read sensitive information from the underlying operating system - including credentials that enable follow-on attacks. Cisco patched it in late February alongside two other SD-WAN Manager flaws (CVE-2026-20128 and CVE-2026-20122, both also added to KEV this week and confirmed exploited in the wild). Catalyst SD-WAN Manager is used to centrally manage up to 6,000 SD-WAN devices from one dashboard, making it a high-value target. Oddly, Cisco's PSIRT still says they have no evidence of public exploitation - contradicting CISA. CISA is treating its own intelligence as authoritative and has issued Emergency Directive 26-03 plus a Hunt & Hardening Guide for Cisco SD-WAN. Over the past several years CISA has tagged 91 Cisco vulnerabilities as exploited in the wild, six used by ransomware operations.

Check
If you run Cisco Catalyst SD-WAN Manager (or the old vManage), patch today. CISA's 4-day federal deadline is the clearest signal yet that exploitation is widespread.
Affected
Cisco Catalyst SD-WAN Manager (formerly vManage) running versions prior to the February 2026 security update. Three CVEs are in play: CVE-2026-20133 (unauthenticated information disclosure, just added to KEV), CVE-2026-20128 (recoverable password storage), and CVE-2026-20122 (incorrect privileged API use). All three are confirmed exploited in the wild.
Fix
Apply Cisco's February 2026 security update for Catalyst SD-WAN Manager which fixes all three CVEs. If patching is delayed beyond April 24, follow CISA's Hunt & Hardening Guidance for Cisco SD-WAN Devices - restrict API access to trusted admin IPs only and review API access logs for unusual file-system-related requests over the past 60 days. Rotate any credentials stored on the SD-WAN Manager, as CVE-2026-20128 exposes them in recoverable format.

6,400 exposed Apache ActiveMQ servers still vulnerable to actively exploited CVE-2026-34197 - ShadowServer data shows Asia most impacted

Day-after follow-up to our April 18 coverage: Shadowserver has published telemetry showing 6,400+ Apache ActiveMQ servers exposed online are still vulnerable to CVE-2026-34197, the 13-year-old code injection flaw CISA added to KEV last week with an April 30 federal patch deadline. Geographic breakdown: Asia leads with 2,925 vulnerable servers, North America follows at 1,409, Europe at 1,334. Horizon3's Naveen Sunkavally (who discovered the flaw using the Claude AI assistant as his research tool) is urging admins to treat this as high priority, noting ActiveMQ has been a repeated target for real-world attackers - CVE-2016-3088 and CVE-2023-46604 are both on KEV, with the latter used as a zero-day by the TellYouThePass ransomware gang. The Apache maintainers patched the flaw on March 30 in ActiveMQ Classic 6.2.3 and 5.19.4. Horizon3 recommends searching broker logs for suspicious connections using the internal VM transport protocol with the brokerConfig=xbean:http:// query parameter as an indicator of exploitation.

Check
If you haven't patched ActiveMQ since March 30, check now. ShadowServer data shows thousands of exposed servers are still unpatched two weeks after the advisory.
Affected
Apache ActiveMQ Classic versions 5.x before 5.19.4, and 6.0.0 before 6.2.3, with the Jolokia JMX-HTTP bridge exposed via the web console at /api/jolokia/. ShadowServer identifies 6,400+ internet-exposed vulnerable instances as of April 20.
Fix
Upgrade to ActiveMQ Classic 5.19.4 or 6.2.3. For retroactive detection, search broker logs for connections using the internal VM transport protocol combined with the brokerConfig=xbean:http:// parameter - this pattern indicates an exploitation attempt regardless of success. If an exploit signature is found, treat the broker host as potentially compromised and rotate all credentials that passed through it.

Google patches Antigravity IDE prompt injection RCE - and Claude GitHub Actions can be tricked by spoofed Git metadata

Two related stories show AI-powered developer tools becoming a fresh attack surface. First, Pillar Security disclosed a now-patched vulnerability in Google's agentic IDE Antigravity that allowed prompt injection to escape the Strict Mode sandbox and achieve arbitrary code execution. The flaw combined Antigravity's file-creation capability with insufficient input sanitization in its find_by_name tool: injecting the -X (exec-batch) flag via the Pattern parameter forced the underlying fd utility to execute arbitrary binaries against workspace files. An attacker could stage a malicious script then trigger it through a seemingly legitimate search - no user interaction needed once the prompt injection lands. The attack can be delivered via indirect prompt injection: a user pulls a harmless-looking file from an untrusted source containing hidden comments that instruct the AI agent to stage and trigger the exploit. Google patched on February 28. Second, Manifold Security researchers showed a Claude-powered GitHub Actions workflow (claude-code-action) can be tricked into approving and merging malicious pull requests by setting Git's user.name and user.email to match a trusted developer (in the demo: Andrej Karpathy). On first submission Claude flagged for manual review. On resubmission, Claude approved it - the AI overrode its own earlier judgment on retry. The common thread: AI agents cannot treat attacker-controllable metadata as a trust signal, and non-determinism across retries means you cannot build a security control on an AI that changes its mind.

Check
If your team uses AI coding agents (Antigravity, Cursor with autonomous modes, Claude Code, claude-code-action, or similar), audit what those agents can do without human approval - and tighten the boundaries.
Affected
Development teams using Google Antigravity before February 28 patch. Repositories using Claude's claude-code-action or similar AI code review automation, especially if author-identity metadata influences review decisions. Any AI-agent workflow that auto-approves or auto-merges based on perceived author trust. Codebases that pull external content into AI agent context (READMEs, docs, dependencies) without treating it as untrusted input.
Fix
For Antigravity, confirm you're on the patched February 28+ build. For claude-code-action and similar workflows, configure them to never auto-merge based on author identity signals - require human review for every merge to protected branches regardless of PR author. Treat Git author metadata as user-controllable and untrusted in any AI agent prompt context. For AI agents that might retry or re-evaluate the same decision, pin the first response rather than accepting an optimistic retry (don't let an agent 'change its mind' in favor of the attacker). Review every input channel your AI agents consume - PR descriptions, commit messages, external dependencies, documentation - and assume each can contain hidden instructions.

Cisco Catalyst SD-WAN Manager users have until today to patch three actively-exploited flaws as CISA adds eight to the KEV catalog

CISA added eight actively-exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on April 20, with federal agencies required to patch three Cisco Catalyst SD-WAN Manager flaws by today, April 23, and the remaining five by May 4. The Cisco trio (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) enable arbitrary file upload with vmanage user privileges, recovery of stored credentials for the DCA user, and unauthenticated disclosure of sensitive configuration data. Cisco confirmed exploitation of the first two in March 2026. The other five cover a wide blast radius: CVE-2025-32975 is a CVSS 10.0 authentication bypass in Quest KACE Systems Management Appliance letting attackers impersonate any user without credentials, exploited in the wild by unknown actors last month per Arctic Wolf. CVE-2023-27351 is the PaperCut NG/MF bypass that Microsoft's Lace Tempest chained into Cl0p and LockBit deployments back in 2023. CVE-2024-27199 is a path traversal in JetBrains TeamCity giving limited admin actions - its sibling CVE-2024-27198 is already on the KEV list. CVE-2025-48700 is a Zimbra XSS that the Ukrainian CERT attributes to UAC-0233/UAC-0250 for stealing mailbox contents, MFA backup codes, and application passwords. CVE-2025-2749 is a Kentico Xperience Staging Sync Server path traversal.

Check
Check your environment for any exposed or internal instances of Cisco Catalyst SD-WAN Manager, Quest KACE SMA, PaperCut NG/MF, JetBrains TeamCity, Zimbra Collaboration Suite, or Kentico Xperience and confirm patch status against the specific CVEs below.
Affected
Cisco Catalyst SD-WAN Manager (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133). Quest KACE SMA unpatched against CVE-2025-32975 (CVSS 10.0). PaperCut NG/MF against CVE-2023-27351. JetBrains TeamCity against CVE-2024-27199. Synacor Zimbra Collaboration Suite against CVE-2025-48700. Kentico Xperience against CVE-2025-2749.
Fix
Apply vendor-released patches for each product. Cisco SD-WAN Manager needs fixing by end of day April 23 to meet the CISA federal deadline - treat the same as a commercial deadline and patch today. The other five carry a May 4 CISA deadline. If you cannot patch immediately, remove affected products from direct internet exposure and monitor for the exploitation patterns each vendor describes. For Zimbra specifically, check mailbox audit logs for unusual TGZ archive creation and review MFA backup code usage.

BRIDGE:BREAK - 22 new flaws expose ~20,000 internet-facing Lantronix and Silex serial-to-IP converters to full takeover

Forescout Vedere Labs disclosed BRIDGE:BREAK, a set of 22 new vulnerabilities in serial-to-IP converters from Lantronix and Silex that together expose roughly 20,000 devices visible on the open internet. Serial-to-IP converters bridge legacy serial-port equipment (older industrial PLCs, building-automation controllers, medical devices, laboratory instruments) to modern TCP/IP networks, so attackers compromising them can read and tamper with the raw serial traffic flowing to field equipment. Eight flaws affect Lantronix EDS3000PS and EDS5000 series; fourteen affect Silex SD330-AC. The categories span unauthenticated remote code execution (CVE-2026-32955, CVE-2026-32956, CVE-2026-32961, CVE-2025-67034 through 67038, CVE-2025-67041), authentication bypass (CVE-2026-32960, CVE-2025-67039), full device takeover (CVE-2026-32965, CVE-2025-70082, plus FSCT-2025-0021 with no CVE assigned), firmware tampering (CVE-2026-32958), arbitrary file upload (CVE-2026-32957), and information disclosure (CVE-2026-32959). The researchers describe a realistic kill chain where an attacker first pops an internet-facing edge device like an industrial router, then pivots through a compromised serial-to-IP converter to silently alter sensor readings or actuator commands flowing to field assets - data-integrity attacks that are invisible to most OT monitoring. Both vendors have released firmware updates.

Check
Search your asset inventory and external-attack-surface data for any Lantronix EDS3000PS, EDS5000, or Silex SD330-AC devices, then confirm they are both patched and not directly internet-exposed.
Affected
Lantronix EDS3000PS Series and EDS5000 Series; Silex SD330-AC. Vulnerable firmware versions listed per device in the respective Lantronix and Silex advisories.
Fix
Apply the firmware updates Lantronix and Silex have released for each affected model (see vendor advisories for version-specific fixes). Replace default credentials, put these devices behind network segmentation, and remove all direct internet exposure - serial-to-IP converters have no business being reachable from the public internet. Add Shodan/Censys monitoring for your ASN to catch rogue or forgotten deployments. If you cannot patch immediately, take the devices offline rather than leave them on the internet.