ScanForge Security Digest 2617-01

April 21, 2026200 items

25 critical90 high10 news

This week brought 25 critical vulnerabilities requiring immediate attention, including SQL injection flaws in OpenProject and privilege escalation risks in Percona PMM and Quest KACE systems, though no actively exploited zero-days were added to CISA's catalog. Notable threat activity includes Chinese APT groups targeting financial institutions in Asia and attackers increasingly leveraging identity-based attacks to bypass traditional security controls. Organizations should prioritize patching Quest KACE and OpenProject instances, conducting access reviews for privileged accounts, and reinforcing identity verification practices given the prevalence of credential-based compromise techniques. The 49 security articles this period highlight continued targeting of unpatched infrastructure, underscoring the importance of timely vulnerability remediation across all systems.

Critical

10.0 Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x CVE-2025-32975

9.9 OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the = CVE-2026-34717

9.9 An issue was discovered in Percona PMM before 3.7. Because an internal database user retains specifi CVE-2026-25212

9.8 SAIL 3 CVEs

CVE-2026-40494, CVE-2026-40493, CVE-2026-40492

9.8 SourceCodester Simple Music Cloud Community System 2 CVEs

CVE-2026-37340, CVE-2026-37339

9.8 A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSand CVE-2026-39813

9.8 A improper neutralization of special elements used in an os command ('os command injection') vulnera CVE-2026-39808

9.8 PraisonAI 3 CVEs

CVE-2026-40288, CVE-2026-40313, CVE-2026-40289

9.8 In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authen CVE-2026-0545

9.8 Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to acce CVE-2026-2699

9.4 A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability al CVE-2026-6644

9.4 protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 CVE-2026-41242

High Severity

8.9 Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file up CVE-2026-40487

8.8 The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress i CVE-2026-6518

8.8 Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and belo CVE-2026-35582

8.8 A improper neutralization of special elements used in an sql command ('sql injec CVE-2026-39815

8.8 Hydrosystem Control System does not enforce authorization for some directories. CVE-2026-34184

8.8 Improper Restriction of XML External Entity Reference vulnerability in RTI Conne CVE-2026-4374

8.8 qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated att CVE-2018-25208

8.8 Each RPCSEC_GSS data packet is validated by a routine which checks a signature i CVE-2026-4747

8.8 Improper Restriction of Operations within the Bounds of a Me 3 CVEs CVE-2026-33849, CVE-2026-33848, CVE-2026-33847

8.8 AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to CVE-2026-21853

+57 more products affected

Security News

Unsecured Perforce Servers Expose Sensitive Data From Major Orgs SecurityWeek

Things are improving, but a researcher has still identified over 1,500 Perforce P4 instances allowing attackers to read

CISA flags new SD-WAN flaw as actively exploited in attacks Bleeping Computer

CISA has given U.S. government agencies four days to secure their systems against another Catalyst SD-WAN Manager vulne

Progress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMaster SecurityWeek

The security defects could be exploited for remote code execution, OS command injection, and WAF detection bypass. The p

Chinese APT Targets Indian Banks, Korean Policy Circles Dark Reading

China is spying on India's financial sector, for some reason, and it's not putting much effort into it, judging by some

No Exploit Needed: How Attackers Walk Through the Front Door via Identity-Based Attacks The Hacker News

The cybersecurity industry has spent the last several years chasing sophisticated threats like zero-days, supply chain c

Organizations Warned of Exploited Cisco, Kentico, Zimbra Vulnerabilities SecurityWeek

CISA expanded the KEV catalog with eight flaws, but five of them have been flagged as exploited before. The post Organiz

Actively exploited Apache ActiveMQ flaw impacts 6,400 servers Bleeping Computer

Nonprofit security organization Shadowserver found that over 6,400 Apache ActiveMQ servers exposed online are vulnerable

Mexican Surveillance Company Schneier on Security

Grupo Seguritech is a Mexican surveillance company that is expanding into the US.