A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows attackers to upload arbitrary files - including PHP web shells - without any authentication. Over 800,000 WordPress sites use Ninja Forms, and the File Uploads extension is one of its most popular premium add-ons. Successful exploitation gives an attacker full code execution on the web server. No user interaction required - just a crafted request to the file upload endpoint.
A high-severity Docker Engine flaw allows attackers to bypass authorization plugins with a single oversized HTTP request. CVE-2026-34040 (CVSS 8.8) stems from an incomplete fix for CVE-2024-41110 from July 2024 - the original patch missed requests over 1MB, which get forwarded to the Docker daemon without their body, so the AuthZ plugin sees nothing to block while the daemon processes the full malicious payload. The result: a privileged container with root access to the host filesystem, exposing AWS credentials, SSH keys, Kubernetes configs, and everything else on the machine. Critically, Cyera researchers demonstrated that AI coding agents running inside Docker sandboxes can be tricked via prompt injection into crafting the bypass request themselves - no human attacker needed.
A frustrated security researcher published working exploit code for an unpatched Windows local privilege escalation flaw after Microsoft's Security Response Center mishandled the disclosure. The researcher, posting as Chaotic Eclipse, dropped the proof-of-concept on GitHub on April 3 with the message "I was not bluffing Microsoft." Will Dormann of Tharsos confirmed the exploit works - it combines a TOCTOU race condition with path confusion to access the SAM database containing local account password hashes, enabling escalation to SYSTEM privileges. The exploit is confirmed working on Windows desktop but unreliable on Windows Server. The researcher deliberately included bugs in the PoC, but the underlying technique is now public and weaponizable.
If you patched FortiClient EMS for CVE-2026-21643 two weeks ago by upgrading to 7.4.5, you're now vulnerable to a new zero-day. CVE-2026-35616 is a CVSS 9.1 pre-authentication API access bypass affecting versions 7.4.5 and 7.4.6 - the exact versions customers upgraded to. Defused Cyber spotted exploitation in the wild starting March 31. Fortinet released an emergency weekend hotfix on Saturday, with watchTowr noting attackers deliberately timed this for the Easter holiday when security teams are at half strength.
Cisco Talos uncovered a large-scale automated campaign by threat cluster UAT-10608 that exploits React2Shell - a CVSS 10.0 pre-auth RCE flaw in React Server Components used by Next.js. One crafted HTTP request is all it takes to get code execution, no credentials needed. The attackers scan with Shodan and Censys, breach Next.js apps, then deploy the NEXUS Listener framework to harvest database credentials, SSH keys, AWS tokens, Stripe API keys, Kubernetes secrets, and GitHub tokens at scale. At least 766 hosts across multiple cloud providers were compromised within 24 hours.
Two flaws in Progress ShareFile's Storage Zones Controller can be chained for unauthenticated remote code execution - no credentials needed. An attacker first bypasses authentication via improper HTTP redirect handling, then uploads a malicious webshell through the file upload function. watchTowr published full technical details and a proof-of-concept. Around 30,000 instances are exposed online. File transfer solutions are a favorite ransomware target - Clop hit Accellion, GoAnywhere, MOVEit, and Cleo the same way.
Cisco patched a CVSS 9.8 authentication bypass in its Integrated Management Controller - the hardware-level management system built into Cisco UCS servers. An attacker sends one crafted HTTP request to the password change function and can reset any user's password, including Admin, without any credentials. Because IMC operates below the operating system on a dedicated baseboard controller with its own IP address, traditional endpoint security tools can't detect or stop it. The flaw affects dozens of Cisco product lines including APIC servers, Secure Firewall Management Center, and Cyber Vision appliances.
Google pushed an emergency Chrome update to fix a use-after-free bug in Dawn, the engine behind Chrome's WebGPU graphics standard. CVE-2026-5281 is already being exploited - an attacker who has compromised the browser's renderer process can use a crafted HTML page to execute arbitrary code, potentially escaping Chrome's sandbox. This is the fourth actively exploited Chrome zero-day in 2026, and the third targeting graphics or rendering subsystems. CISA added it to the KEV catalog with an April 15 deadline.
Check Point uncovered Operation TrueChaos - a Chinese-nexus espionage campaign that turned a video conferencing platform's update mechanism into a malware delivery system. The attackers compromised a central on-premises TrueConf server used by a government IT department, then swapped the legitimate client update with a weaponized package that deployed the Havoc post-exploitation framework. Every connected government agency pulled the poisoned update automatically, no individual endpoint compromise needed.
A CVSS 9.1 SQL injection flaw in Fortinet's FortiClient Endpoint Management Server is now being exploited in the wild - four days before anyone flagged it publicly. An attacker only needs one crafted HTTP request with a malicious Site header to execute arbitrary SQL against the backing PostgreSQL database, no credentials required. Roughly 1,000 to 2,400 FortiClient EMS instances are exposed to the internet, mostly in the US and Europe.
TrustStrike Labs