> infrastructure security
for people who build things
Tracking vulnerabilities, supply chain attacks, and threat intelligence that matters to engineers running real infrastructure.
CVE-2026-21643: Pre-Auth SQL Injection in FortiClient EMS 7.4.4 Under Active Exploitation — CISA Deadline Tomorrow
Critical pre-authentication SQL injection in Fortinet FortiClient EMS 7.4.4 is being actively exploited. CISA KEV remediation deadline is April 16, 2026.
Composer Command Injection (CVE-2026-40261, CVE-2026-40176): Any Malicious Repository Can Execute Code on Your Build Machines
Two high-severity command injection flaws in PHP's Composer package manager allow arbitrary command execution via malicious repository metadata — no Perforce installation required for the worst one.
Microsoft April 2026 Patch Tuesday Fixes 167 Flaws Including Actively Exploited SharePoint Zero-Day
Microsoft's second-largest Patch Tuesday ever addresses 167 vulnerabilities, including an actively exploited SharePoint XSS flaw and a critical CVSS 9.8 Windows IKE remote code execution bug.
CVE-2026-31414: Linux Kernel Netfilter Conntrack Flaw Enables Container Escape Privilege Escalation
A use-after-free in Linux kernel netfilter connection tracking allows local privilege escalation from container workloads — patch your nodes now.
Red Hat OpenShift AI Dashboard Leaks Kubernetes Service Account Tokens (CVE-2026-5483)
A high-severity flaw in Red Hat OpenShift AI's odh-dashboard exposes Kubernetes Service Account tokens via a NodeJS endpoint, enabling unauthorized cluster access.
Anubis Ransomware Gang Claims 2TB Exfiltration from Signature Healthcare as Brockton Hospital Diverts Ambulances
Anubis RaaS group claims theft of 2TB of patient data from Signature Healthcare while Brockton Hospital diverts ambulances, cancels chemo, and operates on paper charts a week after the attack.
Marimo CVE-2026-39987: Pre-Auth RCE Exploited Within 10 Hours of Disclosure
A missing authentication check on Marimo's terminal WebSocket endpoint (CVE-2026-39987, CVSS 9.3) gave attackers a root shell with no credentials required — and they were actively exploiting it less than 10 hours after the advisory dropped.
Adobe Acrobat Reader Zero-Day CVE-2026-34621: Prototype Pollution RCE Exploited Since December
Adobe patches APSB26-43 after confirming CVE-2026-34621, a CVSS 9.6 prototype pollution flaw in Acrobat Reader actively exploited via malicious PDFs since at least December 2025.
CPUID Website Compromised to Deliver STX RAT via CPU-Z and HWMonitor Downloads
Attackers compromised CPUID's download infrastructure for ~19 hours, replacing CPU-Z and HWMonitor installers with trojanized builds that sideload STX RAT via a malicious CRYPTBASE.dll.
Self-Hosted and Unprotected: The AI Workflow Tool Security Crisis
Langflow, Flowise, n8n, ComfyUI — every major self-hosted AI workflow tool has shipped unauthenticated RCE vulnerabilities in 2026. This isn't a coincidence. It's a structural failure baked into how these tools were designed.
Smart Slider 3 Pro Update Infrastructure Compromised — Backdoored Build Pushed to 800K+ WordPress Sites
Attackers compromised Nextend's update servers to distribute a weaponized Smart Slider 3 Pro build containing a multi-layered RAT with credential exfiltration and persistent backdoors.
GPUBreach: GDDR6 Rowhammer Attack Achieves Root Shell, Bypasses IOMMU
University of Toronto researchers demonstrate full CPU privilege escalation from an unprivileged CUDA kernel via GDDR6 bit-flips, bypassing IOMMU — no patch exists yet.
Project Glasswing: Anthropic's Claude Mythos AI Autonomously Found Thousands of Zero-Days in Every Major OS and Browser
Anthropic's Claude Mythos Preview autonomously discovered thousands of unpatched zero-days across FreeBSD, Linux, OpenBSD, FFmpeg, and every major browser — including a sandbox escape that emailed a researcher.
Chrome 147 Patches 60 Security Flaws Including Two Critical WebML RCE Bugs
Google ships Chrome 147.0.7727.55 with fixes for 60 vulnerabilities—two critical heap buffer overflow and integer overflow flaws in the WebML component enable remote code execution via crafted HTML pages.
CISA AA26-097A: CyberAv3ngers Exploit Rockwell PLCs Across US Water, Energy, and Government Systems
Six US agencies issue joint advisory after Iranian-affiliated CyberAv3ngers compromise Rockwell Allen-Bradley PLCs in water, energy, and government sectors, manipulating SCADA displays and control logic.
CVE-2026-39860: Nix Package Manager Symlink Bug Gives Any User Root on Multi-User Installs
A critical symlink-following flaw in the Nix daemon lets unprivileged users overwrite arbitrary files as root during fixed-output derivation builds.
CVE-2026-32922: OpenClaw Privilege Escalation Lets Any Paired Device Achieve Full RCE
A missing scope validation in OpenClaw's device.token.rotate endpoint lets any device with operator.pairing scope mint admin tokens and execute arbitrary code on connected nodes.
CISA Adds Ivanti EPMM Zero-Days to KEV as Mass Exploitation Ramps Up
CISA adds CVE-2026-1340 to the Known Exploited Vulnerabilities catalog as attackers chain two Ivanti EPMM zero-days for unauthenticated RCE against mobile device management infrastructure.
North Korea's Contagious Interview Campaign Hits 1,700 Malicious Packages Across Five Ecosystems
DPRK-linked Contagious Interview operation now spans npm, PyPI, Go Modules, crates.io, and Packagist with 1,700+ poisoned packages delivering BeaverTail and InvisibleFerret malware.
APT28's FrostArmada Hijacked 18,000 SOHO Routers to Steal Microsoft 365 Credentials — FBI Disrupts Operation
Russia-linked APT28 compromised 18,000 MikroTik and TP-Link routers across 120 countries to hijack DNS and steal Microsoft 365 OAuth tokens. FBI disrupts the operation.