Apr 7, 2026 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • 10 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Critical exposure

CVE-2026-27143 Arithmetic over induction variables in loops was not correctly checked for underflow or overflow.

  • CVSS 9.8

New critical Go (Golang) memory corruption (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2026-31789 OpenSSL Code Execution

  • CVSS 9.8
  • Remote code execution exposure

New critical OpenSSL code execution (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2026-3296 The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up t...

  • CVSS 9.8
  • Internet-facing CMS deployments affected

New critical disclosure (CVSS 9.8) — high severity with a short public awareness window before exploit material typically surfaces.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Nothing flagged in this category for this digest.


Exploit & PoC activity

Nothing flagged in this category for this digest.


Exploitation dynamics

Nothing flagged in this category for this digest.


New critical disclosures

CVE-2026-1346 CVSS 9.3

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Id...

CVE-2026-27143 CVSS 9.8

Arithmetic over induction variables in loops was not correctly checked for underflow or overflow.

CVE-2026-31789 CVSS 9.8

Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platf...

CVE-2026-3296 CVSS 9.8

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserializat...

CVE-2026-33439 CVSS 9.3

Open Access Management (OpenAM) is an access management solution.

CVE-2026-34078 CVSS 9.3

Flatpak is a Linux application sandboxing and distribution framework.

CVE-2026-39397 CVSS 9.4

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder.

SiYuan is a personal knowledge management system.

CVE-2026-39847 CVSS 9.1

Emmett is a full-stack Python web framework designed with simplicity.


cvelogic Threat Intelligence