This briefing covers critical threat activity from March 13-14, 2026, highlighting active exploitation of zero-day vulnerabilities, widespread malware distribution campaigns, and critical supply chain risks. Google patched two Chrome zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910) actively exploited in the wild, both added to CISA's Known Exploited Vulnerabilities catalog. These high-severity flaws in Skia and V8 components enable remote code execution through crafted HTML pages, representing immediate risk to Chrome users across all platforms.
The threat landscape shows significant activity from multiple malware families. The Mozi botnet continues aggressive IoT device targeting with 40+ active distribution URLs identified through abuse.ch telemetry. Social engineering attacks are evolving, with threat actors deploying the ClickFix technique in fake Temu cryptocurrency airdrops to deliver stealthy remote access trojans. Additionally, QuasarRAT and Amadey malware droppers remain actively distributed. A Starbucks data breach compromised employee accounts, indicating continued success of credential-based attacks against enterprise systems.
Several critical vulnerabilities demand immediate attention: four CVSS 9.8+ rated flaws affect widely-deployed systems including WordPress plugins, Python JWT libraries, telnetd in GNU inetutils, and the Locutus JavaScript library. WordPress ecosystem vulnerabilities are particularly concerning, with 15+ SQL injection and remote file inclusion flaws discovered across popular plugins. Organizations should prioritize patching Chrome immediately, review WordPress plugin inventories, and monitor for Mozi botnet activity targeting exposed IoT devices.
Two actively exploited Chrome zero-days patched by Google, both added to CISA KEV catalog
Out-of-bounds write vulnerability in Chrome's Skia component allowing remote code execution via crafted HTML. Affects Chrome, ChromeOS, Android, Flutter and other products. CVSS 8.8, actively exploited in the wild.
Memory buffer restriction vulnerability in Chromium V8 engine enabling arbitrary code execution in sandbox via crafted HTML. Impacts multiple Chromium-based browsers. CVSS 8.8, confirmed exploitation.
Emergency Chrome security updates released to address two high-severity vulnerabilities exploited as zero-days. Users should update immediately to version 146.0.7680.75 or later.
Four maximum-severity vulnerabilities requiring immediate patching across multiple platforms
Pix for WooCommerce plugin allows unauthenticated arbitrary file uploads due to missing capability checks and file type validation. CVSS 9.8 (Critical).
Telnetd in GNU inetutils through version 2.7 contains an out-of-bounds write in the LINEMODE SLC handler, which does not check whether its buffer is full before writing. CVSS 9.8 (Critical).
Locutus library's create_function passes unsanitized parameters to Function constructor enabling arbitrary code execution. CVSS 9.8 (Critical).
Telemetry aggregation API accepts user-controlled parameters interpolated directly into ClickHouse SQL queries without sanitization. CVSS 9.9 (Critical).
Centrifugo messaging server vulnerable to SSRF when using dynamic JWKS endpoint URLs with template variables. Unauthenticated attackers can craft malicious JWTs. CVSS 9.3 (Critical).
15+ SQL injection and remote file inclusion vulnerabilities discovered across popular WordPress plugins
Blind SQL injection vulnerabilities identified in 10+ WordPress plugins including UpsellWP (CVE-2026-32459), WOLF bulk-editor (CVE-2026-32458), WP EasyCart (CVE-2026-32422), Media Library Assistant (CVE-2026-32399), Booking Calendar (CVE-2026-32358), and others. CVSS 7.6-8.5.
Local file inclusion vulnerabilities in Medilazar Core (CVE-2026-32426) and Boldman (CVE-2026-32400) plugins enable attackers to include arbitrary PHP files. CVSS 7.5.
Code injection vulnerability in Advanced Woo Labels plugin allows remote code inclusion. Affects versions up to 2.36. CVSS 7.2 (High).
Appointment Booking Calendar plugin exposes non-user-bound public_nonce to unauthenticated users enabling unauthorized access to sensitive data. CVSS 7.5.
Mozi botnet activity, ClickFix social engineering, and RAT distribution through multiple vectors
Extensive Mozi botnet infrastructure identified with 40+ malicious URLs distributing ELF binaries for MIPS and ARM architectures. Targets include routers, IoT devices, and embedded systems across multiple IP ranges.
Social engineering campaign impersonating Temu cryptocurrency airdrop leverages ClickFix technique to trick victims into executing malware. Installs stealthy remote access backdoor for persistent access.
ClearFake malware distribution campaign operating through compromised domains using Google verification themes. 10+ active URLs identified distributing payloads through social engineering.
Amadey malware dropper actively distributing QuasarRAT payloads. Two URLs identified serving .exe and .msi installers. QuasarRAT provides full remote control capabilities.
Starbucks employee data breach and credential-based attack trends
Starbucks disclosed data breach affecting hundreds of employees after threat actors gained unauthorized access to Starbucks Partner Central accounts. Indicates successful credential-based attack or account takeover.
Authentication bypass, hard-coded credentials, and denial of service vulnerabilities
Flaw in libarchive RAR5 decompression logic causes processing stall when handling crafted archives. Denial of service condition. CVSS 7.5 (High).
Use of hard-coded credentials in Avantra allows unauthorized access to functionality not properly constrained by ACLs. Affects versions prior to 25.3.0. CVSS 7.2.
PyJWT does not validate the crit (Critical) Header Parameter as RFC 7515 requires: the library accepts tokens that mark unrecognized extensions as critical instead of rejecting them. CVSS 7.5.
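As an added defender-side example (not PyJWT's code or anything from the advisory), the check below applies the RFC 7515 section 4.1.11 rules for the crit header to a token's protected header before any signature verification; the make_header_only_token helper and the x-custom extension name are constructed for the demonstration.

```python
import base64
import json

# Header parameters registered by RFC 7515 / RFC 7519 that every JWS
# implementation already understands; "crit" may never list these.
STANDARD_HEADER_PARAMS = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t",
                          "x5t#S256", "typ", "cty", "crit"}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_crit_header(token: str, supported_extensions=frozenset()) -> bool:
    """Apply RFC 7515 section 4.1.11 to the token's protected header.

    Accept only if "crit" is absent, or is a non-empty array of unique strings
    that each name a non-standard header parameter which is present in the
    header and which this verifier explicitly supports. Anything else is
    rejected, which is the behaviour the advisory says PyJWT lacked.
    """
    try:
        header = json.loads(_b64url_decode(token.split(".")[0]))
    except ValueError:  # bad base64url or bad JSON
        return False
    if not isinstance(header, dict):
        return False
    if "crit" not in header:
        return True
    crit = header["crit"]
    if not isinstance(crit, list) or not crit or len(set(map(str, crit))) != len(crit):
        return False
    for name in crit:
        if not isinstance(name, str) or name in STANDARD_HEADER_PARAMS:
            return False
        if name not in header or name not in supported_extensions:
            return False
    return True

def make_header_only_token(header: dict) -> str:
    """Constructed, unsigned token: only the header segment is inspected here."""
    seg = base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip("=")
    return f"{seg}.e30."

# Constructed samples: a plain token, and one marking a (constructed) extension critical.
PLAIN_TOKEN = make_header_only_token({"alg": "HS256", "typ": "JWT"})
EXT_TOKEN = make_header_only_token({"alg": "HS256", "crit": ["x-custom"], "x-custom": True})
```

The same token is rejected or accepted depending only on whether the verifier declares support for the named extension, which is the contract crit exists to enforce.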
Ella Core 5G panics when processing malformed integrity-protected NGAP/NAS messages under 7 bytes. Attacker can crash process causing service disruption for all connections. CVSS 7.5.
Markdown viewer component renders Mermaid diagrams with insecure configuration allowing interactive event bindings. Enables XSS via innerHTML injection. CVSS 7.6.
Browser WebSocket connections bypass origin validation when gateway.auth.mode is trusted-proxy. Pages from untrusted origins can connect through trusted reverse proxies. CVSS 8.1.
Model Context Protocol OAuth callback endpoint stores tokens without verifying browser session, enabling token theft during OAuth flow. CVSS 7.6.
CairoSVG vulnerable to exponential denial of service via recursive <use> element amplification causing CPU exhaustion from small input. CVSS 7.5.
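To show how a small document becomes an exponential rendering job, here is an added pre-render check (not CairoSVG's own code) that counts the nodes produced by <use> expansion and refuses documents that exceed a budget or contain reference cycles; the make_amplifier helper and the 10,000-node limit are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

def expanded_node_count(svg_text, limit=10_000):
    """Nodes a renderer visits once every <use> is expanded; raises ValueError
    past `limit` or on a reference cycle. Memoised, so the check stays linear
    in document size even when the expanded tree is exponential."""
    root = ET.fromstring(svg_text)  # prefer defusedxml for untrusted XML
    by_id = {e.get("id"): e for e in root.iter() if e.get("id")}
    memo, in_progress = {}, set()

    def cost(elem):
        key = id(elem)
        if key in memo:
            return memo[key]
        if key in in_progress:
            raise ValueError("<use> reference cycle")
        in_progress.add(key)
        total = 1
        if elem.tag == SVG_NS + "use":
            # Resolve href / xlink:href of the form "#id" to a local element.
            ref = elem.get("href") or elem.get(XLINK_HREF) or ""
            target = by_id.get(ref[1:]) if ref.startswith("#") else None
            if target is not None:
                total += cost(target)  # the referenced subtree is rendered again here
        for child in elem:
            total += cost(child)
        in_progress.discard(key)
        memo[key] = total
        if total > limit:
            raise ValueError(f"<use> expansion exceeds {limit} nodes")
        return total

    return cost(root)

def is_safe_svg(svg_text, limit=10_000):
    try:
        return expanded_node_count(svg_text, limit) <= limit
    except (ValueError, ET.ParseError):
        return False

def make_amplifier(depth):
    # Constructed SVG: each level <use>s the previous one twice, so 2**depth growth.
    parts = ['<svg xmlns="http://www.w3.org/2000/svg"><defs><rect id="l0" width="1" height="1"/>']
    parts += [f'<g id="l{i}"><use href="#l{i-1}"/><use href="#l{i-1}"/></g>' for i in range(1, depth + 1)]
    parts.append(f'</defs><use href="#l{depth}"/></svg>')
    return "".join(parts)
```

A depth-20 amplifier is a few kilobytes of markup yet expands to millions of nodes, so the check rejects it long before a renderer would start work.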