CVE-2026-32201

Overview

Microsoft
Microsoft SharePoint Enterprise Server 2016

14 Apr 2026

Published

15 Apr 2026

Updated

CVSS v3.1

MEDIUM (6.5)

EPSS

1.19%

MITRE

KEV

Description

Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.

Statistics

9 Posts
5 Interactions

Last activity: 7 hours ago

Fediverse

Christoph Schmees @PC_Fluesterer

Microsoft Flickentag 2026-04: Fast Rekord!

Mit 165 oder 167 (je nach Zählung) geflickten Sicherheitslücken in Microsofts (MS) eigenen Produkten ist dieser der zweitgrößte Flickentag aller Zeiten. Wenn man die von Chromium geerbten Sicherheitslücken im Browser Edge hinzurechnet, kommt man auf 243 Sicherheitslücken. Puh. Von den 165 eigenen Sicherheitslücken stuft MS 8 als kritisch ein und 154 als wichtig. Fehlen noch drei? Ja, die sind nur als mittleres Risiko (moderat) eingestuft. Auch ein Flicken gegen die vorab veröffentlichte Sicherheitslücke im MS Defender ist enthalten.
Eine Sicherheitslücke, CVE-2026-32201 in MS Groupware SharePoint, wird bereits aktiv für

https://www.pc-fluesterer.info/wordpress/2026/04/15/microsoft-flickentag-2026-04-fast-rekord/

#Hintergrund #Warnung #exploits #Microsoft #office #unplugMicrosoft #UnplugTrump #windows #word

2
1
0
7h ago

CyberNetsecIO @netsecio

📰 Microsoft's Colossal April 2026 Patch Tuesday: 167 Flaws Patched, Two Zero-Days Under Fire

🚨 Microsoft's April Patch Tuesday is massive, fixing 167 flaws! Includes patches for an actively exploited SharePoint zero-day (CVE-2026-32201) & a public Defender EoP flaw (CVE-2026-33825). Patch NOW. #PatchTuesday #CyberSecurity #ZeroDay

🔗 https://cyber.netsecops.io/articles/microsoft-april-2026-patch-tuesday-fixes-167-flaws-including-two-zero-days/?utm_source=mastodon&utm_…

0
0
0
9h ago

Bluesky

Tech-News @technology-news.bsky.social

Microsoft fixes 169 vulnerabilities including exploited SharePoint CVE-2026-32201, prompting CISA remediation by April 28, 2026.

0
1
0
8h ago

Undercode Testing @undercode.bsky.social

Microsoft Confirms Actively Exploited SharePoint Zero-Day (CVE-2026-32201): Urgent Patch & Hardening Guide + Video Introduction: A critical zero-day spoofing vulnerability in Microsoft SharePoint Server, tracked as CVE-2026-32201, is being actively exploited in the wild. Microsoft confirmed the…

0
0
0
20h ago

ohhara @shiojiri.com

「この内 CVE-2026-32201 の脆弱性について、Microsoft 社では悪用の事実を確認済みと公表しており、今後被害が拡大するおそれがあるため、至急、セキュリティ更新プログラムを適用してください。」

0
0
0
18h ago

ohhara @shiojiri.com

マイクロソフト、4月の月例パッチで悪用確認のゼロデイ含む脆弱性167件を修正（CVE-2026-32201ほか） | Codebook｜Security News https://codebook.machinarecord.com/threatreport/silobreaker-cyber-alert/45289/

0
0
0
18h ago

キタきつね @kitafox.bsky.social

CISAが既知の悪用された脆弱性2件をカタログに追加 CISA Adds Two Known Exploited Vulnerabilities to Catalog #CISA (Apr 14) CVE-2009-0238 Microsoft Officeのリモートコード実行の脆弱性 CVE-2026-32201 Microsoft SharePoint Server の入力検証の不備 www.cisa.gov/news-events/...

0
1
0
23h ago

ohhara @shiojiri.com

CVE-2009-0238 Microsoft Office Remote Code Execution Vulnerability CVE-2026-32201 Microsoft SharePoint Server Improper Input Validation Vulnerability

0
0
0
20h ago

piggo @pigondrugs.bsky.social

~Talos~ Microsoft patched 165 flaws, including 8 criticals and an actively exploited SharePoint spoofing bug (CVE-2026-32201). - IOCs: CVE-2026-32201, CVE-2026-33824, CVE-2026-33827 - #PatchTuesday #ThreatIntel #Vulnerability

0
0
0
19h ago

CVE-2026-40175

Overview

axios
axios

10 Apr 2026

Published

14 Apr 2026

Updated

CVSS v3.1

CRITICAL (10.0)

EPSS

0.40%

MITRE

KEV

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.

Statistics

4 Posts
1 Interaction

Last activity: 12 hours ago

Bluesky

azu @azu.bsky.social

見てる: "Axios CVE-2026-40175: a critical bug that’s… not exploitable" https://www.aikido.dev/blog/axios-cve-2026-40175-a-critical-bug-thats-not-exploitable

1
0
0
12h ago

セキュリティ対策Lab @securitylab-jp.bsky.social

Axios、CVE-2026-40175を修正-AWSなどのクラウド環境侵害やRCEに発展し得る重大な脆弱性 rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews

0
0
0
23h ago

OpsMatters @opsmatters.com

The latest update for #AikidoSecurity includes "Axios CVE-2026-40175: a critical bug that's… not exploitable" and "Bug bounty isn't dead, but the old model is breaking". #Cybersecurity #AppSec #DevSecOps https://opsmtrs.com/48vGyRP

0
0
0
19h ago

Philippe Vynckier @pvynckier.bsky.social

Axios CVE-2026-40175: a critical bug that’s… not exploitable www.aikido.dev/blog/axios-c...

0
0
0
17h ago

CVE-2026-33032

Overview

0xJacky
nginx-ui

30 Mar 2026

Published

30 Mar 2026

Updated

CVSS v3.1

CRITICAL (9.8)

EPSS

0.06%

MITRE

KEV

Description

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.

Statistics

5 Posts

Last activity: 7 hours ago

Fediverse

CyberNetsecIO @netsecio

📰 Critical Auth Bypass in nginx-ui (CVE-2026-33032) Actively Exploited for Full Nginx Takeover

🚨 CRITICAL FLAW: nginx-ui is being actively exploited via an auth bypass (CVE-2026-33032, CVSS 9.8). Unauthenticated attackers can gain full RCE. Patch to version 2.3.4+ immediately! #nginx #CyberSecurity #Vulnerability

🔗 https://cyber.netsecops.io/articles/critical-nginx-ui-auth-bypass-cve-2026-33032-under-active-exploit/?utm_source=mastodon&utm_medium=social&utm_campaign=twitter_auto

0
0
0
9h ago

Patrick C Miller :donor: @patrickcmiller

Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover https://thehackernews.com/2026/04/critical-nginx-ui-vulnerability-cve.html

0
0
1
7h ago

Bluesky

Undercode Testing @undercode.bsky.social

MCPwn: The 27-Character Code That Hands Over Your Nginx Server to Anyone + Video Introduction The integration of AI agent protocols with critical infrastructure is creating a new and rapidly expanding attack surface. A critical vulnerability, CVE-2026-33032 (CVSS 9.8), is now being actively…

0
0
0
9h ago

Ninja Owl @ninjaowl.ai

Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover #cybersecurity #hacking #news #infosec #security #technology #privacy thehackernews.com/20...

0
0
0
9h ago

CVE-2025-0520

Overview

ShowDoc
ShowDoc

29 Apr 2025

Published

19 Nov 2025

Updated

CVSS v4.0

CRITICAL (9.4)

EPSS

2.03%

MITRE

KEV

Description

An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to remote code execution.This issue affects ShowDoc: before 2.8.7.

Statistics

5 Posts
1 Interaction

Last activity: 11 hours ago

Fediverse

Patrick C Miller :donor: @patrickcmiller

ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers https://thehackernews.com/2026/04/showdoc-rce-flaw-cve-2025-0520-actively.html

0
1
1
15h ago

Bluesky

キタきつね @kitafox.bsky.social

攻撃者はCVE-2025-0520の脆弱性を悪用し、パッチが適用されていないShowDocサーバーを標的にしている Attackers target unpatched ShowDoc servers via CVE-2025-0520 #SecurityAffairs (Apr 14) securityaffairs.com/190790/hacki...

0
0
0
23h ago

キタきつね @kitafox.bsky.social

ShowDocのRCE脆弱性CVE-2025-0520が、パッチ未適用サーバーで積極的に悪用されている ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers #HackerNews (Apr 14) thehackernews.com/2026/04/show...

0
0
0
23h ago

Commonwealth Sentinel Cyber Security @cwealthsentinel.bsky.social

Attackers target unpatched ShowDoc servers via CVE-2025-0520

0
0
0
11h ago

CVE-2026-4631

Overview

Red Hat
Red Hat Enterprise Linux 10
cockpit

07 Apr 2026

Published

10 Apr 2026

Updated

CVSS

Pending

EPSS

0.10%

MITRE

KEV

Description

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.

Statistics

2 Posts

Last activity: 9 hours ago

Fediverse

Phantasm @phnt

>CVE-2026-4631 [cockpit] Unauthenticated remote code execution due to SSH command-line argument injection

:comfythumbsup:

0
0
0
9h ago

Bluesky

キタきつね @kitafox.bsky.social

CVE-2026-4631: Cockpitにおける重大な9.8 RCE脆弱性により、認証なしでサーバーを乗っ取ることができる CVE-2026-4631: Critical 9.8 RCE Flaw in Cockpit Allows Unauthenticated Server Takeover #DailyCyberSecurity (Apr 14) securityonline.info/cockpit-rce-...

0
0
0
23h ago

CVE-2025-60710

Overview

Microsoft
Windows 11 Version 24H2

11 Nov 2025

Published

14 Apr 2026

Updated

CVSS v3.1

HIGH (7.8)

EPSS

18.24%

MITRE

KEV

Description

Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.

Statistics

2 Posts

Last activity: 6 hours ago

Fediverse

J4ck @jackryder

RE: https://infosec.exchange/@BleepingComputer/116409282041040406

CVE-2025-60710

https://nvd.nist.gov/vuln/detail/CVE-2025-60710

0
0
0
8h ago

Bluesky

Cybersecurity News Everyday @hendryadrian.bsky.social

CISA alerts U.S. agencies of a Windows Task Host vulnerability (CVE-2025-60710) allowing local privilege escalation to SYSTEM. Patch released in Nov 2025 for Windows 11 & Server 2025. #WindowsUpdate #PrivilegeEscalation #USA

0
0
0
6h ago

CVE-2026-33807

Overview

fastify
@fastify/express

15 Apr 2026

Published

15 Apr 2026

Updated

CVSS v3.1

CRITICAL (9.1)

EPSS

0.05%

MITRE

KEV

Description

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required. Upgrade to @fastify/express v4.0.5 or later.

Statistics

3 Posts

Last activity: 12 hours ago

Fediverse

Ulises Gascon @ulisesgascon

🚨 Critical-severity security fix in @fastify/express@4.0.5 just released!

Patches CVE-2026-33807 — middleware path doubling causes authentication bypass in child plugin scopes

https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c

0
0
1
13h ago

OffSequence @offseq

🔥 CRITICAL vuln: @fastify/express ≤4.0.4 (CVE-2026-33807) lets attackers bypass Express middleware (auth, rate limiting, more) via path handling bug. Upgrade to 4.0.5+ ASAP! https://radar.offseq.com/threat/cve-2026-33807-cwe-436-interpretation-conflict-in--e2fb5055 #OffSeq #CVE202633807 #NodeJS #AppSec

0
0
0
12h ago

CVE-2026-5281

Overview

Google
Chrome

01 Apr 2026

Published

02 Apr 2026

Updated

CVSS

Pending

EPSS

3.28%

MITRE

KEV

Description

Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Statistics

1 Post
7 Interactions

Last activity: 13 hours ago

Fediverse

N_{Dario Fadda} @nuke

Google Patches Actively Exploited Chrome Zero-Day CVE-2026-5281 — CISA Deadline Hits Today
#CyberSecurity
https://securebulletin.com/google-patches-actively-exploited-chrome-zero-day-cve-2026-5281-cisa-deadline-hits-today/

6
1
0
13h ago

CVE-2026-34621

Overview

Adobe
Acrobat Reader

11 Apr 2026

Published

14 Apr 2026

Updated

CVSS v3.1

HIGH (8.6)

EPSS

6.08%

MITRE

KEV

Description

Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Statistics

1 Post
5 Interactions

Last activity: 12 hours ago

Fediverse

N_{Dario Fadda} @nuke

Adobe Acrobat Zero-Day CVE-2026-34621: Four Months of Targeted Espionage via Prototype Pollution Exploit
#CyberSecurity
https://securebulletin.com/adobe-acrobat-zero-day-cve-2026-34621-four-months-of-targeted-espionage-via-prototype-pollution-exploit/

5
0
0
12h ago

CVE-2026-33825

Overview

Microsoft
Microsoft Defender Antimalware Platform

14 Apr 2026

Published

15 Apr 2026

Updated

CVSS v3.1

HIGH (7.8)

EPSS

0.04%

MITRE

KEV

Description

Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.

Statistics

2 Posts

Last activity: 9 hours ago

Fediverse

CyberNetsecIO @netsecio

📰 Microsoft's Colossal April 2026 Patch Tuesday: 167 Flaws Patched, Two Zero-Days Under Fire

🚨 Microsoft's April Patch Tuesday is massive, fixing 167 flaws! Includes patches for an actively exploited SharePoint zero-day (CVE-2026-32201) & a public Defender EoP flaw (CVE-2026-33825). Patch NOW. #PatchTuesday #CyberSecurity #ZeroDay

🔗 https://cyber.netsecops.io/articles/microsoft-april-2026-patch-tuesday-fixes-167-flaws-including-two-zero-days/?utm_source=mastodon&utm_…

0
0
0
9h ago

Bluesky

tamosan @tamosan.bsky.social

『「CVE-2026-33825」は、すでに情報が公開されており、今後悪用される可能性が高い』：【セキュリティニュース】MS、4月の月例パッチで脆弱性167件に対応 - 一部で悪用を確認（1ページ目 / 全2ページ）：Security NEXT https://www.security-next.com/183438

0
0
0
22h ago