Apr 14, 2026 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • Microsoft SharePoint Server: 2 CVEs added to CISA KEV today.
  • 10 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Critical active threat

CVE-2009-0238 Microsoft Office Remote Code Execution

  • Actively exploited (CISA KEV)
  • Listed on CISA KEV
  • Remote code execution exposure

Microsoft Office RCE is on CISA KEV — confirmed in-the-wild exploitation. Expect continued targeting while the issue remains on the catalog.

Critical exposure

CVE-2026-35031 Jellyfin is an open source self hosted media server.

  • CVSS 9.9

New critical Jellyfin Path Traversal (CVSS 9.9) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2026-33824 Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.

  • CVSS 9.8

New critical disclosure (CVSS 9.8) — high severity with a short public awareness window before exploit material typically surfaces.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Microsoft SharePoint Server Improper Input Validation

View KEV additions

Exploit & PoC activity

Nothing flagged in this category for this digest.

View new exploit links

Exploitation dynamics

Nothing flagged in this category for this digest.

See EPSS increases

New critical disclosures

CVE-2026-27246 CVSS 9.3

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability.

CVE-2026-27303 CVSS 9.6

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in a...

CVE-2026-27304 CVSS 9.3

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary...

CVE-2026-33824 CVSS 9.8

Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.

CVE-2026-34457 CVSS 9.1

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers.

CVE-2026-34615 CVSS 9.3

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in a...

CVE-2026-35031 CVSS 9.9

Jellyfin is an open source self hosted media server.

CVE-2026-35033 CVSS 9.3

Jellyfin is an open source self hosted media server.

CVE-2026-39399 CVSS 9.6

NuGet Gallery is a package repository that powers nuget.org.

CVE-2026-5752 CVSS 9.3

Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype...

View critical disclosures

cvelogic Threat Intelligence