The April 2026 Security Update Review
Monthly patch roundup focused on Adobe and Microsoft; particular priority given to an active Reader exploit and multiple elevation-of-privilege vulnerabilities in Windows components and SQL Server.
CTI status
As of:
Last pipeline run:
Source reliability
Information credibility
NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.
Monthly patch roundup focused on Adobe and Microsoft; particular priority given to an active Reader exploit and multiple elevation-of-privilege vulnerabilities in Windows components and SQL Server.
First documented exploitation of CVE-2026-12569 in Windchill demonstrates that threat actors are operationalizing PTC products as targets immediately after patches became available,German authorities have also previously warned about this vulnerability and a related CVE-2026-4681.
DirtyClone is the third variant in a series of Linux kernel flaws in the DirtyFrag family caused by incomplete flag propagation during packet cloning; each patch closed one code path while leaving others open.
Authenticated users with limited permissions can remove Admin accounts from an organization through a missing role hierarchy check in the bulk-delete API.
Turla continuously develops new .NET backdoors such as STOCKSTAY for targeted state-sponsored espionage against Ukraine and entities with Italy-related interests , signals escalating Russian-Ukrainian cyber-warfare with relevance to European critical infrastructure.
Russian state actors are conducting systematic social-engineering campaigns against messaging services, indicating operationalization of credential-harvesting as a geopolitical weapon.
Russian intelligence expands its Signal phishing campaign to specifically target backup recovery keys, which provide unlimited access to restored accounts and complete message history.
A double-free vulnerability in Windows IKEv2 enables unauthenticated remote code execution via crafted packets.
The vulnerability allows authenticated users to retrieve billing data from any organization without explicit authorization,a control loss over sensitive business data in the multi-organization model.
The vulnerability is already actively exploited for web shell deployment; it is the first PTC product vulnerability added to CISA's KEV catalog and signals rapid weaponization of newly disclosed flaws by threat actors.
May release covers 52 Adobe CVEs and numerous Microsoft patches with Adobe Commerce and Connect highest priority; no active wild exploitations reported.
The vulnerability allows authenticated users to inject arbitrary key-value pairs into webhook and SIEM payloads, undermining the reliability of security events and their interpretation in downstream systems.
An obsolete but still-signed Windows kernel driver can be abused as an attack vector in BYOVD scenarios to manipulate privileged processes like lsass.exe and extract credentials.
Node.js ignores CWE-427 risks on Windows systems through flawed module resolution logic that allows non-admin users to plant malicious modules under C:\node_modules, compromising installed applications.
HTML content in PDF rendering contexts can leak information about the rendering server via <img> tags with remote URLs or be exploited as an SSRF vector in the local network.
The vulnerability enables denial-of-service attacks against HMI and configuration functions via malformed network requests over exposed interfaces, causing critical downtime in production environments.
A vulnerability in PKCS#7 signature verification allows forged digital signatures to be accepted by failing to correctly bind the signer identity to the signature, affecting trust chains in Windows, Active Directory, and Office environments.
BSI warns of multiple vulnerabilities in widely deployed browsers with critical impact on code execution and denial-of-service capability.
BSI warns of multiple critical vulnerabilities in Microsoft Edge enabling remote code execution and security bypass; specific CVE numbers not provided.
The BSI warning indicates multiple patchable vulnerabilities, but without specific CVE numbers or exploit status this is a generic browser security notice without immediate escalation potential.
The Miasma campaign demonstrates a new escalation: attackers abuse compromised developer credentials to inject malware-laden packages via trusted npm registry and GitHub workflows, compromising downstream developers.
A popular Chrome extension with ten million installations was potentially compromised with a backdoor, pointing to an active supply-chain attack scenario.
BSI warning on multiple unspecified vulnerabilities in Chrome/Edge without concrete CVE numbers or exploitation details , typically aggregation of multiple CVEs from regular browser updates.
Authenticated attackers can exploit multiple vulnerabilities to manipulate critical password and management data or disclose sensitive information.
The Cisco SD-WAN vulnerability is already being actively exploited in the wild and enables attackers to gain root access to critical network devices.