ScanForge Security Digest 2614-03

April 5, 2026200 items

77 critical53 high10 news

This week's threat landscape remains elevated with 77 critical vulnerabilities (CVSS 9.0+) requiring immediate attention, though no newly exploited zero-days were added to CISA's KEV catalog. Notable critical issues include sandbox bypass in PraisonAI, SQL injection in Kestra, and multiple memory safety vulnerabilities across Apple platforms that have already shipped patches. Supply chain threats continue to dominate the news cycle, with coordinated attacks on npm packages targeting database infrastructure and a credential harvesting campaign against maintainer accounts through social engineering. Organizations should prioritize patching Apple devices and updating Kestra deployments while strengthening access controls for open-source package maintainers. The surge in device code phishing (up 37x) and persistent focus on compromising development tools warrant heightened security awareness training across technical teams.

Critical

10.0 PraisonAI 5 CVEs

CVE-2026-34938, CVE-2026-34935, CVE-2026-34934, CVE-2026-34953, CVE-2026-34952

10.0 An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS CVE-2025-43300

10.0 An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. Thi CVE-2025-24201

10.0 A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18. CVE-2025-24085

9.9 Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (defau CVE-2026-34612

9.8 A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an CVE-2026-35616

9.8 llama.cpp is an inference of several LLM models in C/C++. Prior to version b8492, the RPC backend's CVE-2026-34159

9.8 An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag CVE-2026-30643

9.8 A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated CVE-2026-20160

9.8 A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) CVE-2026-20093

9.8 A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3 all CVE-2024-43028

9.8 There is an injection vulnerability in jeecg boot versions 3.0.0 to 3.5.3 due to lax character filte CVE-2024-40489

High Severity

8.9 A vulnerability has been found in Tenda A15 15.13.07.13. The impacted element is CVE-2026-4567

8.9 A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue CVE-2026-4252

8.8 The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion i CVE-2026-3666

8.8 PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSand CVE-2026-34955

8.8 OAuthenticator is software that allows OAuth2 identity providers to be plugged i CVE-2026-33175

8.8 Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT CVE-2015-10148

8.8 Storage credentials are hardcoded in the mobile app and device firmware. These c CVE-2025-10681

8.8 A vulnerability in the web-based management interface of Cisco IMC could allow a CVE-2026-20094

8.8 NVIDIA BioNeMo contains a vulnerability where a user could cause a deserializati CVE-2026-24164

8.8 Moby is an open source container framework. Prior to version 29.3.1, a security CVE-2026-34040

+31 more products affected

Security News

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants The Hacker News

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plu

Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS The Hacker News

Fortinet has released out-of-band patches for a critical security flaw impacting FortiClient EMS that it said has been e

Axios npm hack used fake Teams error fix to hijack maintainer account Bleeping Computer

The maintainers of the popular Axios HTTP client have published a detailed post-mortem describing how one of its develop

Device code phishing attacks surge 37x as new kits spread online Bleeping Computer

Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged mor

European Commission Confirms Data Breach Linked to Trivy Supply Chain Attack SecurityWeek

Hackers stole over 300GB of data from the Commission’s AWS environment, including personal information. The post Europea

Inconsistent Privacy Labels Don't Tell Users What They Are Getting Dark Reading

Data privacy labels are a great idea for mobile apps, but the current versions just aren't good enough.

LinkedIn secretely scans for 6,000+ Chrome extensions, collects data Bleeping Computer

A new report dubbed "BrowserGate" warns that Microsoft's LinkedIn is using hidden JavaScript scripts on its website to s

LinkedIn secretly scans for 6,000+ Chrome extensions, collects data Bleeping Computer

A new report dubbed "BrowserGate" warns that Microsoft's LinkedIn is using hidden JavaScript scripts on its website to s