ScanForge Security Digest 2615-02

April 12, 2026200 items

47 critical43 high10 news

This week saw a moderate vulnerability landscape with 47 critical CVEs identified but no new actively exploited vulnerabilities added to CISA's catalog. Notable critical issues include pre-authentication remote code execution in ChurchCRM's setup wizard, broken access control in Genealogy PHP application, and unauthenticated path traversal in FalkorDB Browser that enables arbitrary file writes and RCE. Organizations should prioritize patching these vulnerabilities immediately, particularly in internet-facing systems using these applications. In parallel, security teams should monitor ongoing developments in law enforcement's use of ad data for tracking and the Hims healthcare breach as indicators of broader privacy and authentication risks in their own environments.

Critical

10.0 ChurchCRM 4 CVEs

CVE-2026-39337, CVE-2026-39342, CVE-2026-39339, CVE-2026-35573

10.0 SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to CVE-2026-34208

10.0 FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvi CVE-2026-32871

9.9 Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnera CVE-2026-39355

9.8 FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload A CVE-2026-6057

9.8 MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org/marker/ CVE-2026-31272

9.8 megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition func CVE-2026-31271

9.8 Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface t CVE-2026-4631

9.8 The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injec CVE-2024-36058

9.8 changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login CVE-2026-35490

9.8 Memory-safety vulnerability in github.com/jackc/pgx/v5. 2 CVEs

CVE-2026-33816, CVE-2026-33815

9.8 An issue was discovered in the Wi-Fi driver in Samsung Mobil 2 CVEs

CVE-2025-52908, CVE-2025-52909

High Severity

8.9 ChurchCRM 12 CVEs CVE-2026-39328, CVE-2026-39334, CVE-2026-39330, CVE-2026-39329 +8

8.8 The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalat CVE-2026-5144

8.8 Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicep CVE-2026-39621

8.8 FTLDNS (pihole-FTL) provides an interactive API and also gen 2 CVEs CVE-2026-35520, CVE-2026-35519

8.8 Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote CVE-2026-30460

8.8 In Modem, there is a possible out of bounds write due to a missing bounds check. CVE-2026-20433

8.8 WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web g CVE-2026-35395

8.8 BentoML is a Python library for building online serving systems optimized for AI CVE-2026-35044

8.8 Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scri CVE-2026-33510

8.8 An issue was discovered in Biztalk360 before 11.5. Because of incorrect access c CVE-2025-59710

+17 more products affected

Security News

Over 20,000 crypto fraud victims identified in international crackdown Bleeping Computer

An international law enforcement action led by the U.K.'s National Crime Agency (NCA) has identified over 20,000 victims

Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data The Hacker News

Hungarian domestic intelligence, the national police in El Salvador, and several U.S. law enforcement and police de

ChatGPT rolls out new $100 Pro subscription to challenge Claude Bleeping Computer

OpenAI has rolled out a new Pro subscription that costs $100 and is in line with Claude's pricing, which also has a $100

Friday Squid Blogging: Squid Overfishing in the South Pacific Schneier on Security

Regulation is hard: The South Pacific Regional Fisheries Management Organization (SPRFMO) oversees fishing across roughl

Hims Breach Exposes the Most Sensitive Kinds of PHI Dark Reading

Threat actors breached the telehealth brand, and now they may know who's bald, overweight, and impotent. What could they

Your Next Breach Will Look Like Business as Usual Dark Reading

These are the fundamental detection model shifts cybersecurity teams need to make to keep up with the rising number of c

Nearly 4,000 US industrial devices exposed to Iranian cyberattacks Bleeping Computer

The attack surface targeted by Iranian-linked hackers in cyberattacks against U.S. critical infrastructure networks incl

FINRA Launches Financial Intelligence Fusion Center to Combat Cybersecurity and Fraud Threats Dark Reading

Exploits & Threats

[webapps] D-Link DIR-650IN - Authenticated Command Injection

[local] NetBT e-Fatura - Privilege Escalation

[webapps] Jumbo Website Manager - Remote Code Execution

[webapps] React Server 19.2.0 - Remote Code Execution

[local] ZSH 5.9 - RCE