Top Most Interesting CVEs of April 2026

We've gathered the most interesting CVEs of April in our traditional roundup. Critical vulnerabilities under RCE were noted last month by Microsoft Azure and Bing, as well as Mozilla Firefox and Thunderbird.

⚠ Warning ⚠
All information presented below is for informational purposes only. The author is not responsible for any harm that may be caused by the information provided.

April 2026 was marked by a surge in critical vulnerabilities in popular systems and applications, including remote code execution vulnerabilities and data leaks. Security updates from Microsoft and Google drew particular attention, as well as serious issues in web servers and telecommunications equipment. Let's recap the fourth month of the year, here we go!

Vulnerability Overview

➡️ Three vulnerabilities in Microsoft Azure and Bing (authorization errors and SSRF)
➡️ Arbitrary file upload vulnerabilities in WordPress plugins
➡️ Out-of-bounds memory access in Google Chrome WebCodecs
➡️ Two memory safety vulnerabilities in Mozilla Firefox and Thunderbird
➡️ Vulnerabilities in Cisco Secure Firewall and related components
➡️ Vulnerabilities in the Linux kernel
➡️ Critical vulnerabilities in the Samsung Exynos JavaScript engine
➡️ Authentication bypass in the TP-Link Tapo C520WS configuration service
➡️ Buffer overflow in Tenda AC10 Httpd
➡️ SQL injection in SAP Business Planning and Consolidation and SAP Business Warehouse
➡️ Buffer overflow in OpenSSL when processing OCTET STRING in X.509 certificates

🟣 Three vulnerabilities in Microsoft Azure and Bing (authorization errors and SSRF)

CVE-2026-33105 / CVSS:4.0 — 9.3 CRITICAL
CVE-2026-32186 / CVSS:4.0 — 9.3 CRITICAL
CVE-2026-26135 / CVSS:4.0 — 8.7 HIGH

About the vulnerabilities:

In early April, Microsoft reported three vulnerabilities in its cloud and web services, two of which were rated as critical.

CVE-2026-33105 is an improper authorization vulnerability in Microsoft Azure Kubernetes Service (AKS) that allows unauthorized attackers to escalate privileges over the network.

CVE-2026-32186 is a server-side request forgery (SSRF) vulnerability in Microsoft Bing, also leading to privilege escalation.

CVE-2026-26135 is a similar SSRF in Azure Custom Locations Resource Provider (RP), but restricted to authorized users.

All three vulnerabilities involve a breach of service isolation and potential compromise of internal resources. These vulnerabilities can be used to attack internal APIs, databases, and other infrastructure components behind a firewall. It is important to note that CVE-2026-33105 and CVE-2026-32186 do not require prior authentication, which poses a particular danger to publicly accessible interfaces.

Exploitation and Consequences:

CVE-2026-33105: An attacker can send a specially crafted network request to AKS, bypassing authorization checks. This allows access to internal Kubernetes clusters, where resources—including secrets and configurations—can be created, modified, or deleted. Successful exploitation can lead to full cluster compromise, including the ability to execute arbitrary code in containers.

CVE-2026-32186: An attacker can force the Bing server to make an internal HTTP request to another resource on the local network or within a private cloud segment. This bypasses restrictions on accessing internal APIs and exposes information not accessible from outside. The vulnerability can be used to extract confidential data, attack neighboring services, or execute commands on the server.

CVE-2026-26135: An attacker with legitimate Azure access via an authorized client can use SSRF to send requests to internal resources that should not be accessible externally. This bypasses isolation between tenants and grants access to configurations, secrets, or other resources in isolated Azure segments. Consequences include data leakage and the potential for further lateral movement within the network.

Recommendations:

  1. Update all Microsoft Azure Kubernetes Service instances to a version that includes security patches. Check access logs and monitor suspicious API requests to Kubernetes clusters.

  2. For Microsoft Bing and Azure Custom Locations Resource Provider, enable additional server-side checks, such as URL validation in requests and the use of firewalls with outbound request restriction policies.

  3. Conduct an audit of all client applications accessing Azure RP and Bing for the use of internal resources and potential SSRF. Implement outbound HTTP request restrictions in configurations and enable anomaly monitoring for network traffic.

🟣 Arbitrary File Upload Vulnerabilities in WordPress Plugins

CVE-2026-3535 / CVSS:4.0 — 9.3 CRITICAL
CVE-2026-1830 / CVSS:4.0 — 9.3 CRITICAL
CVE-2026-0740 / CVSS:4.0 — 9.3 CRITICAL

About the vulnerabilities:

Three critical vulnerabilities related to the lack of file type validation in popular WordPress plugins have been discovered. All three CVEs allow an unauthenticated attacker to upload arbitrary files to the server, including PHP web shells, leading to arbitrary server-side code execution. The vulnerabilities affect functions accessible via AJAX requests or the REST API.

In CVE-2026-3535 and CVE-2026-0740, the issue stems from a lack of MIME type and extension validation, while CVE-2026-1830 exists due to insufficient authorization control and the possibility of bypassing restrictions via path traversal. These vulnerabilities are not included in CISA's KEV catalog but require attention due to their high CVSS scores and accessibility to attackers.

Exploitation and Impact:

CVE-2026-3535: In the DSGVO Google Web Fonts GDPR plugin version 1.1 and below, a vulnerability exists in the "DSGVOGWPdownloadGoogleFonts()" function. An attacker can send a specially crafted request with a forged URL that the plugin mistakenly accepts as a CSS file. As a result, the attacker can upload an arbitrary file (e.g., a web shell) to the server. The vulnerability is only active when using specific themes, which may limit its spread but does not eliminate the risk.

CVE-2026-1830: An attacker uses the Quick Playground plugin's REST API to obtain a synchronization code and then upload a PHP file via path traversal. This allows bypassing protections and placing a web shell in a directory accessible through the web interface.

CVE-2026-0740: A vulnerability was discovered in the Ninja Forms – File Uploads plugin before version 3.3.27, within the function “NF_FU_AJAX_Controllers_Uploads::handle_upload”. The plugin fails to validate the type of uploaded files, enabling an attacker to upload a malicious PHP file to the server. The vulnerability was partially patched in version 3.3.25, but a complete fix was only introduced in 3.3.27. This means web applications updated to 3.3.25 remain vulnerable.

Recommendations:

  1. Update all vulnerable plugins to patched versions: DSGVO Google Web Fonts GDPR — to 1.2, Quick Playground — to 1.3.2, Ninja Forms - File Uploads — to 3.3.27.

  2. Review the list of active themes on the site to avoid using themes vulnerable to CVE-2026-3535 (twentyfifteen, twentyseventeen, etc.), and switch to alternatives if necessary.

  3. Incorporate WordPress security best practices by implementing file upload restrictions: configure the web server (Apache/Nginx) to block requests for .php files in directories not intended for web content, and use security plugins like Wordfence or iThemes Security.

🟣 Out-of-Bounds Memory Access in Google Chrome WebCodecs

CVE-2026-5282 / CVSS:4.0 — 7.2 HIGH

About the vulnerability:

The vulnerability involves an out-of-bounds memory access error (CWE-125) in the WebCodecs module of Google Chrome. The issue occurs when processing user-supplied data via a specially crafted HTML document that can trigger improper memory access. All Google Chrome versions prior to 146.0.7680.178 are affected.

The WebCodecs module, responsible for handling compressed video and media streams, fails to properly validate buffer boundaries during encoding/decoding operations. This allows an attacker to read memory contents beyond the allocated buffer. Since the vulnerability can be triggered through a web page, the risk of exploitation is high, especially in environments with significant interaction with external resources.

Exploitation and Consequences:

The attacker creates a malicious HTML document containing a specifically crafted request to the WebCodecs API. A user opening this document in a vulnerable version of Chrome triggers data processing, causing the browser to attempt to read memory outside the allocated buffer.

This allows the attacker to access internal data of the browser process, including potentially sensitive information such as session tokens, cached data, and other memory elements. In the worst case, the memory leak can be used to construct a side-channel analysis attack leading to the execution of arbitrary code in the user's context.

Recommendations:

  1. Update Google Chrome to a version where the vulnerability has been patched.

  2. Restrict the web browser from running in a sandbox or use isolated profiles for opening untrusted web applications.

  3. Enable browser policies that prohibit automatic script execution on unsigned or suspicious sites, and also enable security modules such as Chrome Enterprise or extensions that block malicious scripts.

🟣 Two Memory Security Vulnerabilities in Mozilla Firefox and Thunderbird

CVE-2026-5734 / CVSS:4.0 — 9.3 CRITICAL
CVE-2026-5735 / CVSS:4.0 — 9.3 CRITICAL

About the Vulnerabilities:

Mozilla has released updates for Firefox and Thunderbird fixing two critical vulnerabilities related to memory management errors. CVE-2026-5734 affects Firefox ESR 140.9.0, Firefox 149.0.1, and corresponding Thunderbird versions, while CVE-2026-5735 affects only Firefox 149.0.1 and Thunderbird 149.0.1.

Both vulnerabilities are classified as CWE-787 (out-of-bounds write) and, in the case of CVE-2026-5734, additionally as CWE-120 (buffer overflow). The issue involves bugs that can lead to memory leaks or corruption, theoretically allowing an attacker to execute arbitrary code within the web browser process context.

Both vulnerable components are the web browser core and its rendering engine, making them particularly significant in the context of user data security. Mozilla noted that although there were no confirmations of active exploitation, the potential possibility of executing arbitrary code determines the extreme danger of these vulnerabilities. Both CVEs were fixed in versions 149.0.2 and 140.9.1.

Exploitation and consequences:

CVE-2026-5734: An attacker has the ability to create a web page containing a specially crafted script that, when loaded into a vulnerable version of Firefox or Thunderbird, causes a memory leak or its corruption. Upon successful exploitation, the attacker gains the ability to execute arbitrary code in the user's context, which can lead to data theft, installation of malicious software, or complete system compromise.

CVE-2026-5735: Similarly, an attacker uses a malicious web page to initiate a memory access error. Since the vulnerability affects only versions 149.0.1, it can be used to gain privileges or persistent access to the system. The consequences are the same - from data leakage to complete compromise.

Recommendations:

  1. Update Firefox and Thunderbird to version 149.0.2 or higher, including ESR branch 140.9.1.

  2. Check all client workstations, especially those using web browsers in automated scenarios or as part of email clients.

  3. Enable automatic software update policies and configure monitoring of installed application versions in a centralized management system.

🟣 Vulnerabilities in Cisco Secure Firewall and related components

CVE-2026-20093 / CVSS:4.0 — 9.3 CRITICAL
CVE-2026-20160 / CVSS:4.0 — 9.3 CRITICAL
CVE-2026-20094 / CVSS:4.0 — 8.7 HIGH

About vulnerabilities:

Cisco has disclosed three serious vulnerabilities in its management systems and interfaces, including Cisco Integrated Management Controller (IMC) and Cisco Smart Software Manager On-Prem (SSM On-Prem). All three vulnerabilities allow attackers, acting remotely, to gain control over the system, including executing arbitrary commands with superuser privileges.

CVE-2026-20093 is a vulnerability in the IMC password change function, where due to improper handling of HTTP requests, an attacker can bypass the authentication procedure and change passwords of arbitrary users, including the administrator.

CVE-2026-20160 is related to the unintentional exposure of an internal service in SSM On-Prem, allowing the execution of arbitrary commands with root superuser privileges.

CVE-2026-20094 is a vulnerability in the IMC web interface, where insufficient validation of user input leads to command injection.

Exploitation and Impact:

CVE-2026-20093: An attacker sends a specially crafted HTTP request to the vulnerable IMC, which allows bypassing the authentication mechanism. After a successful attack, the malicious actor gains the ability to change the administrator's password and obtain full control over the system.

CVE-2026-20160: An attacker interacts with an internal API that was unintentionally exposed, manipulating the request. This allows the execution of arbitrary commands with root user privileges, which can lead to full compromise of the host.

CVE-2026-20094: A potential malicious actor with an account having read-only permissions sends commands with a malicious payload to the IMC web interface. After processing the request, the system executes arbitrary commands as root, opening the path to full device takeover.

Recommendations:

  1. Check and update Cisco IMC and Cisco Smart Software Manager On-Prem to versions where the vulnerabilities have been fixed.

  2. Enable strict filtering and monitoring of HTTP traffic incoming to management interfaces, especially for requests related to password changes and API calls.

  3. Restrict access to the IMC and SSM On-Prem web interfaces by implementing multi-factor authentication and applying the principle of least privilege for users.

🟣 Linux Kernel Vulnerabilities

CVE-2026-23410 / CVSS:4.0 — 8.5 HIGH
CVE-2026-23427 / CVSS:4.0 — 8.7 HIGH
CVE-2026-23428 / CVSS:4.0 — 8.5 HIGH

About vulnerabilities:

Three significant vulnerabilities related to thread race conditions and incorrect use of dynamic memory (use-after-free) have been fixed in the Linux kernel. All of them affect components related to AppArmor and the SMB subsystem of the kernel, and can lead to denial of service or potential execution of arbitrary code with kernel privileges.

CVE-2026-23410 is a thread race condition in AppArmor that occurs when rawdata files are opened and a profile is deleted simultaneously. Since rawdata does not support reference counters, there is a window in which the pointer can become "dangling," leading to use-after-free.

CVE-2026-23427 and CVE-2026-23428 concern the kernel's SMB server (ksmbd), where incorrect management of pointers to freed memory occurs during the processing of complex requests and disconnection operations.

All three vulnerabilities were discovered during an internal audit and fixed as part of regular security updates. They affect a wide range of kernel versions, including current 6.x branches. Since the Linux kernel is used in a large number of server, embedded, and desktop systems, the risk of exploitation is high.

Exploitation and consequences:

CVE-2026-23410: An attacker has the ability to initiate a race between opening a rawdata file and deleting an AppArmor profile, leading to incorrect use of dynamic memory in the "aa_loaddata" structure. Exploitation can cause the kernel to crash or, in rare cases, execute arbitrary code. The vulnerability requires privileged rights to delete a profile, but when combined with other vulnerabilities, it can be used to escalate privileges.

CVE-2026-23427: An attacker sends a specially crafted SMB request with the "REPLAY_OPERATION" flag, which causes the "fp->conn" pointer to be overwritten with an already freed structure. Upon subsequent call to the "__ksmbd_close_fd()" function, incorrect management of pointers to freed memory occurs, which can cause the kernel to crash or execute arbitrary code. The vulnerability can be exploited through a network interface if the SMB server is accessible from outside.

CVE-2026-23428: A potential attacker sends a composite SMB request where a connection resource (SMB tree connect) is first disconnected, followed by an operation that uses the already freed 'share_conf' pointer. This leads to a use-after-free condition and potential kernel memory compromise. The vulnerability could be exploited to cause a kernel panic or, if successfully stabilized, to execute arbitrary code.

Recommendations:

  1. Update the Linux kernel to a version where the vulnerabilities have been patched. Use distribution-provided patches if upgrading to a new version is not feasible.

  2. Disable the SMB server (ksmbd) on systems where it is not used to minimize the attack surface. This is particularly relevant for servers that do not provide SMB access.

  3. Enable KASAN (Kernel Address Sanitizer) in test and production environments for early detection of similar memory leaks. It is also recommended to configure kernel monitoring for anomalies related to crashes or memory leaks.

🟣 Critical Vulnerabilities in Samsung Exynos JavaScript Engine

CVE-2026-25205 / CVSS:4.0 — 9.3 CRITICAL
CVE-2026-25207 / CVSS:4.0 — 9.3 CRITICAL
CVE-2026-25208 / CVSS:4.0 — 9.3 CRITICAL

About the vulnerabilities:

Three vulnerabilities have been discovered in the Escargot JavaScript engine used in Samsung Exynos processors, disclosed on April 13, 2026. All are related to buffer and data type handling in the script interpreter.

CVE-2026-25205 and CVE-2026-25207 are out-of-bounds write memory leaks caused by insufficient boundary checks during array manipulations. CVE-2026-25208 is an integer overflow that can lead to incorrect memory allocation and, consequently, a buffer overflow vulnerability.

All three vulnerabilities affect the same fixed commit in the Escargot repository (hash 97e8115ab1110bc502b4b5e4a0c689a71520d335), indicating their co-implementation and likely similar context of occurrence. Since Escargot is used in Exynos-based mobile devices, these vulnerabilities pose a risk to both user data and Android operating system integrity.

Exploitation and Consequences:

CVE-2026-25205 allows a potential attacker to perform arbitrary memory writes, which can be used to tamper with pointers or adjust data structures necessary for arbitrary code execution. An attacker can deliver a malicious script via a webpage or application using a web rendering interface. Consequences include the potential for privilege escalation and kernel compromise.

CVE-2026-25207 is similarly vulnerable to out-of-bounds writes, but with a focus on structures related to string handling. Exploitation can lead to process crashes or, with precise control, to arbitrary code execution under the user's context.

CVE-2026-25208, in turn, uses an integer overflow to manipulate buffer size, creating an opportunity to overwrite adjacent memory areas. This can be used to bypass protective mechanisms like ASLR and further exploit the vulnerability to gain control over code execution.

Recommendations:

  1. Update firmware on Samsung Exynos-based devices to a version that includes fixes for commit 97e8115ab1110bc502b4b5e4a0c689a71520d335.

  2. Conduct an audit of all applications and web interfaces using the Escargot JavaScript engine for potential susceptibility to attacks via malicious scripts.

  3. Configure system monitoring for abnormal crashes of processes related to JavaScript execution, as well as activities involving unauthorized memory access.

🟣 Authentication Bypass in TP-Link Tapo C520WS Configuration Service

CVE-2026-34121 / CVSS:4.0 — 8.7 HIGH

About the vulnerability:

An authentication bypass vulnerability was discovered in the HTTP handling of the DS (Device Service) of the TP-Link Tapo C520WS web interface. The cause is inconsistent parsing and authorization logic for JSON requests during authentication checks. As a result, an unauthenticated attacker can add an action to a request that does not require authorization by default and combine it with a request performing privileged configuration actions.

The vulnerability affects Tapo C520WS firmware up to version 1.2.4. Devices in this series are widely used in home and office networks for video surveillance. Since the DS service is responsible for managing camera settings, its vulnerability opens the possibility of changing the configuration without the owner's control.

Exploitation and consequences:

An attacker sends an HTTP request with a JSON body containing two actions: one that does not require authentication, and another that performs privileged changes to the configuration. Due to an error in the processing logic, the DS service ignores authentication checks for the second action. As a result, the attacker can change camera settings, including network connection parameters, video stream access, or even disable recording. Consequences include:

  • Unauthorized modification of device settings, including traffic redirection to external servers.

  • Potential disabling of security features such as encryption or auditing.

  • Possibility of using the camera as an entry point for attacks on the internal network.

Recommendations:

  1. Update TP-Link Tapo C520WS firmware to version 1.2.4 or higher, where the vulnerability has been patched.

  2. Configure the firewall and restrict access to the camera's web interface to only trusted IP addresses or via the internal network.

  3. Regularly check device log files for suspicious activity, especially changes to connection and access settings.

🟣 Stack-based Buffer Overflow in Tenda AC10 Httpd

CVE-2026-5550 / CVSS:4.0 — 8.7 HIGH

About the vulnerability:

A stack-based buffer overflow vulnerability was discovered in the Httpd web server used in the Tenda AC10 router version 16.03.10.10_multi_TDE01. The vulnerability occurs in the «fromSysToolChangePwd» function, which handles password change requests via the web interface. Improper validation of input data length allows a potential attacker to send a specially crafted HTTP request containing excessive data, leading to overflow of the local buffer on the stack.

The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). Since the function is called during web request processing, the attack can be initiated remotely without the need for authentication.

Exploitation and Consequences:

An attacker sends an HTTP request to the endpoint associated with password change, with an abnormally long value in the parameter expected by the "fromSysToolChangePwd" function. During request processing, the function copies data into a fixed-size buffer without properly checking the length, leading to a buffer overflow and overwriting adjacent stack structures, including the return pointer. An attacker can craft a payload to make the Httpd process execute arbitrary code. Consequences:

  • Obtaining remote access with the privileges of the user on whose behalf Httpd operates.

  • The ability to install hidden access (backdoor), change the router configuration, or redirect traffic.

  • Full control over the device, including disabling protection and hiding traces of the attack.

Recommendations:

  1. Update the firmware of the Tenda AC10 router to a version where the vulnerability is eliminated.

  2. Restrict access to the web interface of the router to only trusted IP addresses or via the local network.

  3. Regularly check the device's logging files for signs of unusual activity, especially in the section related to password changes.

🟣 SQL Code Injection in SAP Business Planning and Consolidation and SAP Business Warehouse

▶ CVE-2026-27681 / CVSS:4.0 — 9.4 CRITICAL

About the vulnerability:

The CVE-2026-27681 vulnerability is associated with insufficient authorization checks and improper handling of user input in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) modules. An authenticated attacker can create specially crafted SQL queries that will be executed in the context of the database used by these applications. The vulnerability affects all versions of SAP BPC and BW released before April 14, 2026.

Since SAP NetWeaver serves as the foundation for these modules, the vulnerability can be exploited in any environment where SAP NetWeaver is used as a platform. The danger is that an attacker can not only read confidential data but also modify or delete it, leading to a breach of the integrity, confidentiality, and availability of critical business data.

Exploitation and Consequences:

An attacker with legitimate access to the system sends a specially crafted request containing malicious SQL code through a vulnerable entry point in the SAP BPC or BW interface. The server accepts the request as valid because there is inadequate input validation and filtering. The SQL code executes in the database, allowing the attacker to extract data, alter existing records, or delete them. Consequences include:

  • Leakage of confidential information, including data from financial reports, personnel records, and customer databases.

  • Modification or falsification of data, which can disrupt corporate processes and lead to financial losses.

  • Denial of service if the attacker deletes key tables or compromises database integrity.

Recommendations:

  1. Update SAP Business Planning and Consolidation and SAP Business Warehouse to versions where this vulnerability has been patched.

  2. Configure minimal privileges for user accounts in the system to restrict access to critical functions and data.

  3. Implement additional server-side input validation layers, including parameterized SQL queries and special character filtering.

🟣 Buffer Overflow in OpenSSL When Processing OCTET STRING in X.509 Certificates

CVE-2026-31789 / CVSS:4.0 — 9.3 CRITICAL

About the vulnerability:

The vulnerability in OpenSSL is related to CWE-787 — improper management of buffer size. It occurs when excessively long OCTET STRING values are converted into a hexadecimal string, leading to a buffer overflow in dynamically allocated memory. The vulnerability affects 32-bit platforms and impacts several versions of OpenSSL: 3.0.0–3.0.20, 3.3.0–3.3.7, 3.4.0–3.4.5, 3.5.0–3.5.6, 3.6.0–3.6.2. The issue arises during the processing of X.509 certificate extensions, such as Subject Key Identifier (SKID) or Authority Key Identifier (AKID), if their values in OCTET STRING are too large.

When calculating the buffer size for the hexadecimal representation, the length of the input data is multiplied by 3, which on 32-bit systems can cause an overflow and result in a buffer smaller than required. This creates conditions for a heap-based buffer overflow. Exploitation is possible when outputting or logging the contents of an untrusted X.509 certificate, which is dangerous for services that handle trusted or untrusted certificates.

Exploitation and Consequences:

An attacker creates a specially crafted X.509 certificate with an excessively long OCTET STRING value in one of the extensions, for example, in SKID. When OpenSSL processes this certificate, it calculates the buffer size as the length of the input data multiplied by 3, which on a 32-bit platform can cause an overflow. As a result, a buffer smaller than required is allocated, and when attempting to write data into it, an overflow occurs. The consequences depend on the context of OpenSSL usage: in server applications, this could lead to a denial of service or compromise of the entire system.

Recommendations:

  1. Update OpenSSL to a version where the vulnerability is fixed, such as 3.0.21, 3.3.8, 3.4.6, 3.5.7, or 3.6.3, depending on the used branch.

  2. Avoid logging or outputting the contents of X.509 certificates obtained from untrusted sources. If such functionality is necessary, implement preliminary validation of certificate size and structure before processing.

  3. For 32-bit systems, where the vulnerability is most critical, it is recommended to migrate to 64-bit architectures, where overflow from multiplication by 3 will not lead to such consequences.

Comments

    Also read