ScanForge Security Digest 2616-01

April 15, 2026200 items

69 critical57 high10 news

This week presented a significant vulnerability landscape with 69 critical CVEs and 57 high-severity vulnerabilities identified, though no actively exploited zero-days were added to CISA's KEV list. Notable threats include a prototype pollution vulnerability in Axios affecting Node.js environments, a privilege escalation flaw in Azure Cloud Shell, and multiple memory safety issues in Firefox and compiler infrastructure that could enable code execution. Microsoft's extensive April 2026 Patch Tuesday update addresses privilege elevation vulnerabilities and includes new Remote Desktop protections, making immediate patching a priority for Windows environments. Organizations should prioritize patching Azure deployments and updating Axios libraries to version 1.15.0 or later, while Windows administrators should evaluate the latest Microsoft protections against malicious RDP files. The continued discovery of similar vulnerability patterns across major platforms underscores the need for proactive code review and compiler-level security checks in software development pipelines.

Critical

10.0 Out-of-bounds write vulnerability in the WEB module.Impact: Successful exploitation of this vulnerab CVE-2026-34865

10.0 Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library CVE-2026-40175

10.0 Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate p CVE-2026-32169

10.0 Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a CVE-2025-2857

9.8 Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. A CVE-2026-27143

9.8 Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging confi CVE-2026-35171

9.8 Improper neutralization of special elements used in a command ('command injection') in Microsoft Bin CVE-2026-32194

9.8 Improper neutralization of special elements used in an os command ('os command injection') in Micros CVE-2026-32191

9.8 `simple-git`, an interface for running git commands in any node.js application, has an issue in vers CVE-2026-28292

9.8 Use-after-free in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 146 and Th CVE-2025-14326

9.8 JIT miscompilation in the JavaScript Engine: JIT component. 2 CVEs

CVE-2025-14324, CVE-2025-13024

9.8 Use-after-free in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 146, Fire CVE-2025-14321

High Severity

8.9 A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191 CVE-2026-6156

8.9 A weakness has been identified in Totolink A7100RU 7.4cu.2313. The impacted elem CVE-2026-6155

8.9 A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. Th CVE-2026-6154

8.9 A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20 2 CVEs CVE-2026-6140, CVE-2026-6131

8.9 A vulnerability 4 CVEs CVE-2026-6139, CVE-2026-6116, CVE-2026-23818, CVE-2026-27664

8.9 A flaw 2 CVEs CVE-2026-6138, CVE-2026-6115

8.9 A vulnerability was determined in Totolink A7100RU 7.4cu.2313_b20191024. Affecte CVE-2026-6132

8.9 H3 is a minimal H(TTP) framework built for high performance and portability. Pri CVE-2026-23527

8.8 Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid para CVE-2019-25710

8.8 CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated CVE-2019-25697

+41 more products affected

Security News

Microsoft Bets $10 Billion to Boost Japan's AI, Cybersecurity Dark Reading

The deal aims to accelerate AI adoption, train workers, and develop cybersecurity partnerships — the latest move by a hy

Microsoft adds Windows protections for malicious Remote Desktop files Bleeping Computer

Microsoft has introduced new Windows protections to defend against phishing attacks that abuse Remote Desktop connection

Crypto-exchange Kraken extorted by hackers after insider breach Bleeping Computer

The Kraken cryptocurrency exchange announced that a cybercrime group is trying to extort the company by threatening to r

Patch Tuesday, April 2026 Edition Krebs on Security

Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating system

Privilege Elevation Dominates Massive Microsoft Patch Update Dark Reading

Elevation-of-privilege bugs accounted for more than half of the 165 vulnerabilities patched, with two zero-days in that

Over 100 Chrome Web Store extensions steal user accounts, data Bleeping Computer

More than 100 malicious extensions in the official Chrome Web Store are attempting to steal Google OAuth2 Bearer tokens,

EDR-Killer Ecosystem Expansion Requires Stronger BYOVD Defenses Dark Reading

Stopping EDR killers, which employ bring-your-own-vulnerable-driver (BYOVD) attack techniques, is difficult, but not imp

Microsoft Patches Exploited SharePoint Zero-Day and 160 Other Vulnerabilities SecurityWeek

Experts say this is the second-largest Microsoft Patch Tuesday ever based on CVE count. The post Microsoft Patches Explo