Weekly Exploit Roundup

Generated 2026-04-21T08:00:15.584473+00:00 (UTC)

1. Patch Tuesday – April 2026
   Source: Rapid7 Cybersecurity Blog | Published: 2026-04-14T21:48:16+00:00 | Score: 29.011
   Microsoft is publishing 167 vulnerabilities on April 2026 Patch Tuesday . Microsoft is aware of exploitation in the wild for one of today’s vulnerabilities, and public disclosure for one other. Microsoft evaluates 19 of the vulnerabilities published today as more likely to see future exploitation. So far this month, Microsoft has provided patches to address 80 browser vulnerabilities, which are not included in the Patch Tuesday count above. Increasing volumes of vulnerabilities Regular Patch Tuesday watchers will know that these vulnerability totals are significantly higher than usual, especially the browser numbers. Late last week, Microsoft published patches to resolve more than 60 browser vulnerabilities in a single day, which is a new record in that very specific category. It might be tempting to imagine that this sudden spike was tied to the buzz around the announcement a week ago today of Project Glasswing , but this is not the case. Edge is based on the Chromium engine, and the
2. SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files
   Source: The Hacker News | Published: 2026-04-20T17:14:00+00:00 | Score: 26.16
   A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems.
   The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of command injection leading to the execution of arbitrary code.
   SGLang is a high-performance, open-source serving
3. Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever
   Source: Threat Intelligence | Published: 2026-04-16T14:00:00+00:00 | Score: 24.607
   Introduction Advances in AI model-powered exploitation have demonstrated that general-purpose AI models can excel at vulnerability discovery, even without being purpose-built for the task. Eventually, capabilities such as these will be integrated directly into the development cycle, and code will be more difficult to exploit than ever; however, this transition creates a critical window of risk. As we harden existing software with AI, threat actors will use it to discover and exploit novel vulnerabilities. Faced with this scenario, defenders have two critical tasks: hardening the software we use as rapidly as possible, and preparing to defend systems that have not yet been hardened. As noted in Wiz’s blog post, Claude Mythos: Preparing for a World Where AI Finds and Exploits Vulnerabilities Faster Than Ever , now is the time to strengthen playbooks, reduce exposure, and incorporate AI into security programs. The following blog provides an overview of the evolving attack lifecycle, how t
4. Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover
   Source: The Hacker News | Published: 2026-04-15T12:56:00+00:00 | Score: 24.461
   A recently disclosed critical security flaw impacting nginx-ui, an open-source, web-based Nginx management tool, has come under active exploitation in the wild.
   The vulnerability in question is CVE-2026-33032 (CVSS score: 9.8), an authentication bypass vulnerability that enables threat actors to seize control of the Nginx service. It has been codenamed MCPwn by Pluto Security.
   "
5. Metasploit Wrap-Up 04/17/2026
   Source: Rapid7 Cybersecurity Blog | Published: 2026-04-17T20:35:42+00:00 | Score: 23.018
   Happy Friday – Seven New Metasploit Modules We’re happy to announce that Metasploit Framework had a big week, landing seven new modules alongside various bug fixes and enhancements. This week’s highlights include RCE modules targeting AVideo, openDCIM, Selenium Grid/Selenoid, and ChurchCRM. On the post-exploitation side, Windows saw three new persistence techniques added as modules, targeting Telemetry scheduled tasks, PowerShell profiles, and Microsoft BITS. What a time to be alive as a Metasploit user! We wish you all a wonderful weekend and happy hacking. New module content (7) AVideo Unauthenticated SQL Injection Credential Dump Authors: Valentin Lobstein chocapikk@leakix.net and arkmarta Type: Auxiliary Pull request: #21075 contributed by Chocapikk Path: gather/avideo_catname_sqli AttackerKB reference: CVE-2026-28501 Description: Adds an auxiliary module for CVE-2026-28501, an unauthenticated SQL injection in AVideo <= 22.0, along with a new BenchmarkBasedBlind SQLi mixin class an
6. Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain
   Source: The Hacker News | Published: 2026-04-20T10:42:00+00:00 | Score: 16.966
   Cybersecurity researchers have discovered a critical "by design" weakness in the Model Context Protocol's (MCP) architecture that could pave the way for remote code execution and have a cascading effect on the artificial intelligence (AI) supply chain.
   "This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to
7. CVE-2026-33032: Nginx UI Missing MCP Authentication
   Source: Rapid7 Cybersecurity Blog | Published: 2026-04-16T19:44:49+00:00 | Score: 16.778
   Overview On March 30, 2026, a security advisory was published for a critical vulnerability affecting Nginx UI . Nginx UI is an open-source web interface to centralize the management of Nginx configurations and SSL certificates. The critical vulnerability, CVE-2026-33032 , was reported in early March by Pluto Security researcher Yotam Perkal and subsequently patched on March 15, 2026. That same day, Pluto Security published a technical blog post with some vulnerability details. CVE-2026-33032 is a missing authentication bug with a CVSS score of 9.8 ; as a result of missing authentication controls, an unauthenticated attacker who exploits CVE-2026-27944 to leak information can access a Model Context Protocol (MCP) server that can perform privileged operations on managed Nginx web servers. Systems are vulnerable in the default IP allowlist configuration, which allows any remote IP to access MCP functionality. Exploitation results in full attacker control of the managed Nginx service. Acco
8. Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation
   Source: The Hacker News | Published: 2026-04-17T03:22:00+00:00 | Score: 16.605
   A recently disclosed high-severity security flaw in Apache ActiveMQ Classic has come under active exploitation in the wild, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
   To that end, the agency has added the vulnerability, tracked as CVE-2026-34197 (CVSS score: 8.8), to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian
9. Project Glasswing and the Next Challenge for Defenders: Turning Faster Discovery into Faster Action
   Source: Rapid7 Cybersecurity Blog | Published: 2026-04-20T16:20:32+00:00 | Score: 16.034
   Anthropic’s Project Glasswing has sparked plenty of discussion about what AI might soon do for vulnerability discovery, but the more useful question for most security teams is how to prepare for, and more importantly seize the opportunity of, what comes next. As we wrote in our earlier blog, What Project Glasswing Means for Security Leaders , AI is becoming more capable of finding software flaws. The pressure that follows lands on the teams responsible for deciding what matters, validating risk, assigning ownership, and getting remediation moving across environments that were already hard to manage. We believe that the organizations that will benefit most from the next wave of AI will be the ones that understand their environment well enough to use these emerging AI models with intent, rather than layering them onto immature processes and hoping that speed alone will solve the backlog. What this moment means for security teams The number of publicly tracked software vulnerabilities has
10. Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
    Source: The Hacker News | Published: 2026-04-18T06:01:00+00:00 | Score: 15.898
    Threat actors are exploiting security flaws in TBK DVR and end‑of‑life (EoL) TP-Link Wi-Fi routers to deploy Mirai-botnet variants on compromised devices, according to findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42.
    The attack targeting TBK DVR devices has been found to exploit CVE-2024-3721 (CVSS score: 6.3), a medium-severity command injection vulnerability affecting

End of report.