Welcome to this week’s vulnerability digest. As we close out the first full week of April, security teams are faced with a challenging landscape of critical zero-days, active exploitations, and severe architectural flaws. Whether you are a seasoned CISO presenting risk metrics to the board or a junior system administrator prioritizing your patching schedule, this briefing distills the noise into actionable intelligence.
Between April 6 and April 12, 2026, the global security community published 1,615 new vulnerabilities. Among these, several carry maximum CVSS scores and, more concerningly, a concentrated group is currently being exploited in the wild.
Here is the intelligence you need to secure your perimeter this week.
By the Numbers: The Week at a Glance
Triaging 1,615 vulnerabilities requires immediate context. Here is the severity breakdown for the past 7 days:
- Critical (CVSS 9.0–10.0): 130
- High (CVSS 7.0–8.9): 515
- Medium (CVSS 4.0–6.9): 530
- Low (CVSS 0.1–3.9): 44
- Unknown/Pending: 395
While the 130 Critical flaws represent significant potential risk, your immediate priority must be the vulnerabilities that threat actors are actively leveraging.
The CISA KEV Hotlist: Immediate Action Required
The Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog this week. If your infrastructure utilizes these platforms, drop everything and patch them immediately:
- Ivanti Endpoint Manager Mobile (CVE-2026-1340): This code injection vulnerability (CVSS 9.8) is under active exploitation, allowing attackers to achieve unauthenticated remote code execution (RCE). As Mobile Device Management (MDM) platforms hold the keys to enterprise fleets, this represents a severe organizational risk.
- Fortinet FortiClientEMS (CVE-2026-35616): Affecting versions 7.4.5 through 7.4.6, this improper access control vulnerability (CVSS 9.8) permits an unauthenticated attacker to execute unauthorized code or commands via crafted requests. If you rely on Fortinet for endpoint management, assume your instance is currently being targeted.
In the Wild: Active Exploitation
Beyond the CISA KEV list, our threat intelligence has flagged six additional vulnerabilities currently under active exploitation. This group is highly diverse, impacting everything from AI deployment tools to common web plugins:
- Flowise AI Interface (CVE-2025-59528): This maximum-severity (CVSS 10.0) RCE vulnerability exists in version 3.0.5 of Flowise, a UI used to build large language model flows. The CustomMCP node allows attackers to input configuration data that leads to full system compromise.
- Marimo Python Notebooks (CVE-2026-39987): Prior to version 0.23.0, the terminal WebSocket endpoint lacks authentication, leading to a critical (CVSS 9.3) pre-auth RCE.
- Tianxin Internet Behavior Management System (CVE-2021-4473): An unauthenticated command injection flaw (CVSS 9.8) in the Reporter component allows attackers to execute arbitrary commands.
- Weaver E-cology (CVE-2026-22679): Unauthenticated RCE (CVSS 9.3) in the devops/dubboApi/debug endpoint, affecting version 10.0.
- Ninja Forms WordPress Plugin (CVE-2026-0740): A missing file type validation flaw (CVSS 9.8) allows arbitrary file uploads, leading to complete website takeover.
- Adobe Acrobat Reader (CVE-2026-34621): A high-severity (CVSS 8.6) ‘Prototype Pollution’ vulnerability that could result in arbitrary code execution.
Multiple Maximum Severity Flaws
A CVSS score of 10.0 indicates a vulnerability that is trivial to exploit remotely, requires no authentication, and yields total control over the affected system. Keep a close eye on these maximum-severity disclosures:
- ChurchCRM (CVE-2026-39337): A critical pre-authentication RCE in the setup wizard allows attackers to compromise the system entirely.
- SandboxJS (CVE-2026-34208): A protection bypass allows malicious code to directly assign values to global objects, defeating the purpose of the sandbox.
- Dgraph (CVE-2026-34976): A severe oversight in the authorization middleware leaves the restoreTenant admin mutation completely unauthenticated.
- Sonos Era 300 (CVE-2026-4149): An out-of-bounds access vulnerability in the SMB response handler allows remote code execution on these smart speakers.
The Bottom Line
For the System Administrators and Engineers: You should prioritize patching security vulnerabilities in Ivanti Endpoint Manager and Fortinet FortiClientEMS. Next, sweep your public-facing web assets for the Ninja Forms plugin and ensure Adobe Acrobat Reader is updated across your fleet.
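The ordering above (KEV entries first, then other in-the-wild exploitation, then by CVSS) and the severity bands from the weekly breakdown can be applied mechanically to a vulnerability feed. The script below is an added example, not part of the digest; the records are constructed from the entries in this post, and the installed versions it is checked against are hypothetical.

```python
from dataclasses import dataclass

# Constructed records summarising entries from this digest; empty lo/hi means
# the range is unbounded on that side, hi_inclusive=False means "prior to hi".
@dataclass
class Vuln:
    cve: str
    product: str
    cvss: float
    in_kev: bool = False          # listed on the CISA KEV catalog
    exploited: bool = False       # reported exploited in the wild
    lo: str = ""                  # lowest affected version (inclusive)
    hi: str = ""                  # highest affected version
    hi_inclusive: bool = True     # False: fixed in hi, affected only below it

def vtuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def is_affected(installed: str, v: Vuln) -> bool:
    iv = vtuple(installed)
    if v.lo and iv < vtuple(v.lo):
        return False
    if v.hi:
        hv = vtuple(v.hi)
        if iv > hv or (iv == hv and not v.hi_inclusive):
            return False
    return True

def severity_band(cvss: float) -> str:
    # Bands as used in this digest's weekly breakdown.
    if cvss >= 9.0: return "Critical"
    if cvss >= 7.0: return "High"
    if cvss >= 4.0: return "Medium"
    if cvss >= 0.1: return "Low"
    return "Unknown/Pending"

def triage(vulns):
    # KEV first, then other active exploitation, then CVSS descending, then CVE id.
    return sorted(vulns, key=lambda v: (not v.in_kev, not v.exploited, -v.cvss, v.cve))

FEED = [
    Vuln("CVE-2026-1340", "Ivanti EPMM", 9.8, in_kev=True, exploited=True),
    Vuln("CVE-2026-35616", "Fortinet FortiClientEMS", 9.8, in_kev=True, exploited=True, lo="7.4.5", hi="7.4.6"),
    Vuln("CVE-2025-59528", "Flowise", 10.0, exploited=True, lo="3.0.5", hi="3.0.5"),
    Vuln("CVE-2026-39987", "Marimo", 9.3, exploited=True, hi="0.23.0", hi_inclusive=False),
    Vuln("CVE-2026-0740", "Ninja Forms", 9.8, exploited=True),
    Vuln("CVE-2026-34621", "Adobe Acrobat Reader", 8.6, exploited=True),
    Vuln("CVE-2026-39337", "ChurchCRM", 10.0),
]
```

Calling triage(FEED) yields the patch order recommended above, with the two KEV entries ahead of the CVSS 10.0 Flowise flaw and the unexploited ChurchCRM entry last.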
For the CISOs and Security Directors: The active exploitation of AI workflow tools like Flowise and Marimo highlights a rapidly accelerating trend. As development teams rush to deploy Large Language Models and AI agents, they are leaving the underlying infrastructure exposed. You must ensure that your AI development environments are subjected to the exact same stringent access controls and vulnerability management protocols as your production web servers.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.