Between March 20 and 21, 2026, the threat landscape was dominated by critical vulnerabilities across multiple platforms and by sustained malware distribution. CISA added five vulnerabilities to the Known Exploited Vulnerabilities catalog, including memory-corruption flaws in Apple products that allow writes to kernel memory, plus unauthenticated remote code execution in Laravel Livewire and Craft CMS. The National Vulnerability Database disclosed 30 further high- and critical-severity vulnerabilities, three of them rated CRITICAL (CVSSv3 9.x): an authorization bypass in gRPC-Go, remote code execution in the Kali Forms WordPress plugin, and unauthenticated WebSocket access to OCPP charging-station backends.
Malware distribution remained high, with 50 malicious URLs identified by abuse.ch, primarily delivering Mozi botnet variants, Mirai samples, and ACRStealer/ClearFake payloads. Mozi continues to target IoT devices across architectures (MIPS, ARM), while a phishing campaign built on fake Google verification pages distributed ACRStealer from a set of related domains. Separately, SmartLoader was distributed through compromised GitHub repositories, extending the supply-chain risk.
Organizations should patch Apple products immediately, update Laravel Livewire, Craft CMS and Kali Forms deployments while enforcing strict server-side input validation elsewhere, monitor for IoT compromise indicators, and treat archives fetched from GitHub repositories and Pages sites as untrusted until verified. The appearance of unauthenticated OCPP charging-station backends in the same window as actively exploited KEV entries signals elevated risk for critical infrastructure sectors.
Five CISA KEV entries and three critical NVD vulnerabilities demand urgent remediation across Apple ecosystems, web frameworks, and critical infrastructure
Buffer overflow vulnerability affecting Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS enables memory corruption through malicious web content. Widespread platform impact across Apple ecosystem requires immediate patching.
Classic buffer overflow in watchOS, iOS, iPadOS, macOS, visionOS, and tvOS allows a malicious application to cause an unexpected system termination or write to kernel memory, a primitive for privilege escalation.
Code injection vulnerability in Laravel Livewire enables unauthenticated attackers to achieve remote command execution in specific deployment scenarios. High risk for web applications using this framework.
Code injection vulnerability allows remote attackers to execute arbitrary code on Craft CMS installations without authentication requirements.
Critical authorization bypass in gRPC-Go versions prior to 1.79.3 caused by improper validation of the HTTP/2 :path pseudo-header. The routing logic leniently accepts requests whose :path omits the mandatory leading slash, so a request can reach a handler in a form that authentication or authorization checks written against the canonical "/Service/Method" path may not recognize.
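As an added illustration of the gRPC-Go issue above (example code written for this summary, not gRPC-Go's own code), the Go snippet below contrasts a routing model that repairs a missing leading slash before dispatch while the authorization policy still keys on the raw :path, with a strict variant that rejects the malformed :path outright. The protected method name, the policy map and the lenient model are assumptions chosen to show the class of bug; they are not taken from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// protectedMethods is a constructed authorization policy keyed on the canonical
// gRPC method name ("/" + service + "/" + method), the form an interceptor sees
// in grpc.UnaryServerInfo.FullMethod.
var protectedMethods = map[string]bool{
	"/admin.Service/DeleteUser": true,
}

// validPath enforces what RFC 9113 §8.3.1 requires of :path for a non-OPTIONS
// request: a non-empty value beginning with "/". A gRPC server should refuse
// the stream when this returns false instead of repairing the value.
func validPath(path string) bool {
	return strings.HasPrefix(path, "/")
}

// authorizeLenient models the flaw class (an assumed model, not gRPC-Go's
// actual code): the router repairs a missing leading slash before dispatch,
// but the policy is consulted with the raw :path. A request for
// "admin.Service/DeleteUser" is dispatched to the protected handler while the
// policy lookup misses, so it is treated as public.
func authorizeLenient(path string) (dispatched string, allowed bool) {
	dispatched = path
	if !validPath(dispatched) {
		dispatched = "/" + dispatched
	}
	if protectedMethods[path] {
		return dispatched, false // would require credentials
	}
	return dispatched, true
}

// authorizeStrict validates :path first, so the only value that reaches either
// the policy or the router is the canonical one the policy was written against.
func authorizeStrict(path string) (dispatched string, allowed bool, err error) {
	if !validPath(path) {
		return "", false, fmt.Errorf("malformed :path %q", path)
	}
	if protectedMethods[path] {
		return path, false, nil
	}
	return path, true, nil
}

// parseMethod splits a :path into service and method and rejects anything that
// is not exactly "/Service/Method" (no empty segments, no extra components).
func parseMethod(path string) (service, method string, err error) {
	if !validPath(path) {
		return "", "", errors.New("path must begin with /")
	}
	parts := strings.Split(path[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("malformed method path %q", path)
	}
	return parts[0], parts[1], nil
}

func main() {
	for _, p := range []string{"/admin.Service/DeleteUser", "admin.Service/DeleteUser"} {
		d, ok := authorizeLenient(p)
		fmt.Printf("lenient %-27q -> dispatched to %q, allowed without auth: %v\n", p, d, ok)
		_, ok, err := authorizeStrict(p)
		fmt.Printf("strict  %-27q -> allowed without auth: %v, err: %v\n", p, ok, err)
	}
	if s, m, err := parseMethod("/admin.Service/DeleteUser"); err == nil {
		fmt.Printf("service=%s method=%s\n", s, m)
	}
}
```

The practical check for any gRPC deployment is that authorization interceptors and the transport agree on one canonical method string, and that the transport refuses rather than normalizes anything else.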
WebSocket endpoints lack authentication mechanisms, enabling unauthorized charging station impersonation and data manipulation. Attackers can connect using known station identifiers to issue fraudulent commands affecting critical infrastructure.
Critical RCE vulnerability in Kali Forms plugin versions up to 2.4.9 via the form_process function. User-supplied keys are mapped directly into internal placeholder storage and later reach call_user_func, letting an attacker name an arbitrary PHP callable and execute code.
Improper locking vulnerability in watchOS, iOS, iPadOS, macOS, visionOS, and tvOS allows malicious applications to cause unexpected memory changes between processes, potentially leading to data corruption or information disclosure.
Multiple high-severity vulnerabilities across web applications, development tools, and infrastructure components pose significant risk
Same issue as CVE-2026-29796 in a different OCPP implementation: WebSocket endpoints allow station impersonation and backend data manipulation without authentication.
NLTK downloader versions 3.9.3 and prior fail to validate subdir and id attributes when processing remote XML indexes, enabling directory traversal attacks and arbitrary file access.
REST datasource query preview endpoint in Budibase versions 3.30.6+ makes unvalidated server-side HTTP requests to attacker-supplied URLs, enabling SSRF attacks against internal resources.
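The Budibase entry above is the standard SSRF shape: a server fetches a URL the user supplies. Below is an added Go example (written for this summary, not Budibase code) of the guard such a "preview" endpoint should run before issuing the request. The resolver is injectable so the check runs offline; in production it is net.LookupIP. The address ranges blocked and the redirect cap are policy assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// Resolver abstracts DNS so the check can be exercised offline; use
// net.LookupIP in production.
type Resolver func(host string) ([]net.IP, error)

// blockedIP reports whether an address must never be reached from the server
// side: loopback, RFC 1918 and ULA private ranges, link-local (which covers
// the 169.254.169.254 cloud metadata endpoint), unspecified and multicast.
// IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 are handled because the
// net.IP predicates unwrap them.
func blockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateOutboundURL is the check a "preview this REST datasource" endpoint
// should run before making a request on the user's behalf. It returns the
// addresses it validated so the caller can connect to one of them directly
// rather than re-resolving the name (which would reopen a DNS-rebinding gap).
func ValidateOutboundURL(raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("credentials embedded in URL not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return nil, fmt.Errorf("missing host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		ips, err = resolve(host)
		if err != nil {
			return nil, fmt.Errorf("resolving %q: %w", host, err)
		}
		if len(ips) == 0 {
			return nil, fmt.Errorf("%q resolved to no addresses", host)
		}
	}
	// Every address must be acceptable: a name that resolves to one public and
	// one internal address is the classic rebinding/split-horizon trick.
	for _, ip := range ips {
		if blockedIP(ip) {
			return nil, fmt.Errorf("%q resolves to disallowed address %s", host, ip)
		}
	}
	return ips, nil
}

// NewGuardedClient re-applies the policy on every redirect, since an allowed
// public host can answer 302 with a Location pointing at an internal one, and
// caps the redirect chain.
func NewGuardedClient(resolve Resolver) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return fmt.Errorf("too many redirects")
			}
			_, err := ValidateOutboundURL(req.URL.String(), resolve)
			return err
		},
	}
}
```

Two caveats a deployment must handle beyond this: the returned addresses are only useful if the HTTP transport actually dials them (a custom Transport.DialContext that ignores the hostname), and organizations typically extend the block list with their own ranges, for example 100.64.0.0/10, which net.IP.IsPrivate does not cover.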
Authenticated users with asset upload permissions can bypass SVG sanitization in Statamic versions prior to 5.73.14/6.7.0, injecting malicious JavaScript that executes when assets are viewed.
Allure 2 report generator prior to 2.38.0 vulnerable to arbitrary file read via path traversal when processing test results. Malicious result files can access sensitive server files.
Improper validation in barebox versions 2016.03.0-2025.09.3 and 2025.10.0-2026.03.1 allows attackers to bypass FIT image signature verification, potentially loading malicious bootloader code.
Incomplete fix for CVE-2026-32306 in OneUptime prior to 10.0.34. Column validation added to _aggregateBy method but not to three other query construction methods, enabling continued SQL injection attacks.
50 malicious URLs identified distributing Mozi botnet, Mirai variants, ACRStealer, and SmartLoader through compromised infrastructure and GitHub repositories
26 URLs identified distributing Mozi botnet malware targeting MIPS and ARM architectures. Infrastructure spans IP ranges in China, Taiwan, and Russia. Malware delivered via HTTP on non-standard ports (36861, 47528, 40554, etc.), typical of IoT exploitation campaigns.
20 URLs hosting fake Google verification pages distributing ACRStealer and ClearFake malware. Campaign uses sophisticated domain infrastructure across telemetryinterface.in.net, platformcontroller.in.net, diagnosticendpoint.in.net, managementresource.in.net, operationalgateway.in.net, and connectivitybuffer.in.net, indicating coordinated threat actor operation.
8 GitHub URLs distributing SmartLoader malware through ZIP archives hosted on arkaih.github.io, 69ir.github.io, VPS_BOT_X, starspring, OpenSem, and 2332245.github.io repositories. Supply chain attack vector targeting developers and automated build systems.
Multiple URLs (110.37.118.66, 110.37.114.50, 222.127.49.161, 222.142.93.65) distributing Mirai botnet variants alongside Mozi, targeting vulnerable routers and IoT devices with shell scripts and ELF binaries.
Single URL (158.94.208.7) distributing Windows executable dropped by Amadey malware framework, delivering GCleaner payload (fbf543 variant). Indicates active pay-per-install malware distribution network.
SQL injection, path traversal, SSRF, and authentication bypass vulnerabilities across web applications and development frameworks
SQL injection vulnerability in PbootCMS up to 3.2.12 via checkUsername function in Member Login component. Remote exploitation possible through Username parameter manipulation.
Unauthenticated file-serving endpoint /appearance/*filepath in SiYuan prior to 3.6.2 vulnerable to directory traversal due to improper path sanitization, enabling arbitrary file reads.
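The NLTK downloader (subdir/id attributes from a remote index), Allure (paths inside test result files) and SiYuan (the /appearance/*filepath wildcard) entries are one defect: an untrusted path fragment is joined under a root without checking that the result stays there. The Go example below is added for this summary and is not code from any of those projects; it shows the containment check on the cleaned, joined path plus the stricter single-component rule for values such as an index id. The indexEntry type, the ".zip" suffix and the root paths are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path escapes the allowed root")

// SafeJoin joins untrusted components under root and refuses any result that
// does not remain inside it. The test is done on the cleaned result with
// filepath.Rel, not by string-matching the input, so "..", "./..", nested
// "a/../../b" and platform separators are all handled uniformly. Note that
// filepath.Join does not restart at an absolute component, so "/etc/passwd"
// lands at <root>/etc/passwd rather than escaping. SafeJoin does not follow
// symlinks; if root may contain links pointing outside, run
// filepath.EvalSymlinks on the result and check it again.
func SafeJoin(root string, untrusted ...string) (string, error) {
	root = filepath.Clean(root)
	for _, part := range untrusted {
		if part == "" {
			return "", errors.New("empty path component")
		}
		if strings.ContainsRune(part, 0) {
			return "", errors.New("NUL byte in path component")
		}
	}
	joined := filepath.Join(append([]string{root}, untrusted...)...)
	rel, err := filepath.Rel(root, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

// SingleComponent is the stricter rule for values that should name exactly
// one file or directory (an index id, an asset name): no separators, no dot
// entries.
func SingleComponent(s string) error {
	if s == "" || s == "." || s == ".." || strings.ContainsAny(s, `/\`) {
		return fmt.Errorf("invalid path component %q", s)
	}
	return nil
}

// indexEntry mirrors the two attributes a downloader reads from a remote
// package index (constructed for this example after the NLTK case above):
// Subdir selects a directory under the data root, ID names the package.
type indexEntry struct {
	Subdir string
	ID     string
}

// PackagePath computes where an index entry may be written or read. Subdir
// may be nested but must be relative; ID must be a single component.
func PackagePath(root string, e indexEntry) (string, error) {
	if err := SingleComponent(e.ID); err != nil {
		return "", err
	}
	if filepath.IsAbs(e.Subdir) {
		return "", fmt.Errorf("subdir %q must be relative", e.Subdir)
	}
	var parts []string
	if e.Subdir != "" {
		parts = append(parts, e.Subdir)
	}
	parts = append(parts, e.ID+".zip")
	return SafeJoin(root, parts...)
}
```

For a wildcard route such as /appearance/*filepath the same SafeJoin(assetsRoot, wildcard) call is the whole fix; what matters is that the decision is made on the resolved path, never on the raw request string, and that URL decoding has already happened before the check.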
SiYuan kernel prior to 3.6.2 accepts unauthenticated WebSocket connections when auth keepalive query parameter present. Unchecked type assertions on attacker-controlled messages enable exploitation.
HAPI FHIR prior to 6.9.0 forwards request headers to the target of 30x redirects, potentially exposing authentication tokens and other sensitive data to unintended hosts.
NLTK WordNet Browser application in versions 3.9.3 and prior allows unauthenticated remote shutdown of local HTTP server, enabling denial of service attacks against research environments.
Unauthenticated DoS via JWE header tampering in SimpleJWT prior to 1.1.1 when PBES2 algorithms used. Applications calling JWE::decrypt() on attacker-controlled JWEs are affected.
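The entry above does not say which header field is tampered. The added Go example below targets p2c, the PBES2 PBKDF2 iteration count, which is the parameter that sets the cost of key derivation and the usual vector in this class of bug; treating it as the vector here is an assumption, not a statement about SimpleJWT's fix. The code is written for this summary, not taken from SimpleJWT, and the cap value is a policy assumption. It inspects only the protected header and refuses the token before any key derivation would run.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// MaxPBES2Iterations is a policy cap on the PBKDF2 iteration count a server
// is willing to run for a token it has not yet authenticated. The value is an
// assumption for this example; tune it to your hardware, but it must be small
// enough that a flood of tokens cannot pin the CPU.
const MaxPBES2Iterations int64 = 10000

var pbes2Algs = map[string]bool{
	"PBES2-HS256+A128KW": true,
	"PBES2-HS384+A192KW": true,
	"PBES2-HS512+A256KW": true,
}

// ProtectedHeader holds only the fields this check needs. P2C is a pointer so
// that a missing value is distinguishable from zero.
type ProtectedHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
	P2C *int64 `json:"p2c"`
	P2S string `json:"p2s"`
}

// InspectJWEHeader parses the protected header of a compact JWE and, for the
// PBES2 algorithms, enforces the iteration-count and salt rules before any
// key derivation is attempted. It never decrypts; a library's decrypt() should
// run an equivalent check first and refuse the token on error. The decoded
// header is returned for the caller's further policy checks (alg/enc lists).
func InspectJWEHeader(compact string, maxIter int64) (*ProtectedHeader, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("compact JWE must have 5 parts, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("protected header: %w", err)
	}
	var h ProtectedHeader
	if err := json.Unmarshal(raw, &h); err != nil {
		// A string or exponent-form p2c fails here, which is the right outcome.
		return nil, fmt.Errorf("protected header: %w", err)
	}
	if !pbes2Algs[h.Alg] {
		return &h, nil // not PBES2: p2c/p2s are not in play
	}
	if h.P2C == nil {
		return nil, errors.New("PBES2 header missing p2c")
	}
	// RFC 7518 §4.8.1.2 recommends a minimum of 1000; the upper bound is the
	// DoS control, since PBKDF2 cost is linear in p2c and the sender sets it.
	if *h.P2C < 1 || *h.P2C > maxIter {
		return nil, fmt.Errorf("p2c=%d outside allowed range 1..%d", *h.P2C, maxIter)
	}
	salt, err := base64.RawURLEncoding.DecodeString(h.P2S)
	if err != nil {
		return nil, fmt.Errorf("p2s: %w", err)
	}
	if len(salt) < 8 { // RFC 7518 §4.8.1.1: at least 8 octets
		return nil, fmt.Errorf("p2s salt too short: %d bytes", len(salt))
	}
	return &h, nil
}

// sampleJWE builds a compact serialization whose only meaningful part is the
// protected header; the other four segments are placeholders. Constructed
// input for this example, not a real token.
func sampleJWE(alg string, p2c int64, p2s string) string {
	hdr, _ := json.Marshal(map[string]any{
		"alg": alg, "enc": "A256GCM", "p2c": p2c, "p2s": p2s,
	})
	return base64.RawURLEncoding.EncodeToString(hdr) + ".a.b.c.d"
}
```

The same ordering applies to any JOSE library: every parameter that influences work factor (p2c for PBES2, and by extension algorithm choice) must be validated against server policy before the library spends the work, because nothing in the token is authenticated until after that work is done.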
Critical infrastructure and charging station systems lack fundamental authentication controls and rate limiting protections
WebSocket API lacks rate limiting on authentication requests, enabling brute-force attacks to gain unauthorized access and denial-of-service attacks suppressing legitimate charger telemetry.
WebSocket backend uses predictable charging station identifiers allowing multiple endpoints to connect with same session ID. Enables session hijacking or shadowing attacks where most recent connection takes control.
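The four OCPP findings in this report (unauthenticated WebSocket endpoints, missing rate limiting on authentication, and session takeover via predictable station identifiers) are all decided at the same point: the HTTP request that asks to be upgraded to a WebSocket. The Go example below is added for this summary and is not code from any OCPP backend; it gates that request with per-station HTTP Basic credentials (the mechanism the OCPP 1.6 security profiles prescribe, with the charge point identity as the username), a per-source-address failure limit, and refusal of a second connection for an identity that already holds a session. The URL layout /ocpp/<identity>, the limits and the credential store are assumptions; the WebSocket upgrade itself is left to the caller's library.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Gate holds the checks an OCPP-J backend should run on the upgrade request
// before any OCPP message is accepted. The state is in-memory; a clustered
// backend would keep sessions and failure counters in shared storage.
type Gate struct {
	mu       sync.Mutex
	creds    map[string][32]byte    // station identity -> sha256(password)
	sessions map[string]bool        // identities with a live socket
	failures map[string][]time.Time // source ip -> recent auth failures
	maxFails int
	window   time.Duration
	now      func() time.Time // injectable clock for tests
}

func NewGate(passwords map[string]string, maxFails int, window time.Duration) *Gate {
	g := &Gate{
		creds:    make(map[string][32]byte, len(passwords)),
		sessions: make(map[string]bool),
		failures: make(map[string][]time.Time),
		maxFails: maxFails,
		window:   window,
		now:      time.Now,
	}
	for id, pw := range passwords {
		g.creds[id] = sha256.Sum256([]byte(pw))
	}
	return g
}

// Check returns the HTTP status to answer with and, on 200, the authenticated
// station identity that now owns a session. 401 = bad or missing credentials,
// 429 = too many failures from this address, 409 = identity already connected.
func (g *Gate) Check(r *http.Request) (int, string) {
	ip, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		ip = r.RemoteAddr
	}
	g.mu.Lock()
	defer g.mu.Unlock()

	// Limit by source address, not by station identity: limiting by identity
	// would let an attacker lock a real charger out by failing as it.
	if g.recentFailures(ip) >= g.maxFails {
		return http.StatusTooManyRequests, ""
	}
	// The identity comes from the path (/ocpp/<ChargePointId>) and must match
	// the Basic-auth username, so one station's password cannot be used to
	// speak as another.
	station := strings.TrimPrefix(r.URL.Path, "/ocpp/")
	user, pass, ok := r.BasicAuth()
	if !ok || station == "" || user != station || !g.passwordOK(station, pass) {
		g.failures[ip] = append(g.failures[ip], g.now())
		return http.StatusUnauthorized, ""
	}
	if g.sessions[station] {
		return http.StatusConflict, ""
	}
	g.sessions[station] = true
	return http.StatusOK, station
}

// Release frees the identity when its socket closes.
func (g *Gate) Release(station string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	delete(g.sessions, station)
}

// passwordOK compares digests in constant time; an unknown identity is
// compared against a zero digest so timing does not reveal which exist.
func (g *Gate) passwordOK(station, pass string) bool {
	want, known := g.creds[station]
	got := sha256.Sum256([]byte(pass))
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1 && known
}

// recentFailures prunes entries older than the window and returns the count.
func (g *Gate) recentFailures(ip string) int {
	cutoff := g.now().Add(-g.window)
	kept := g.failures[ip][:0]
	for _, ts := range g.failures[ip] {
		if ts.After(cutoff) {
			kept = append(kept, ts)
		}
	}
	g.failures[ip] = kept
	return len(kept)
}
```

Refusing the second connection with 409 is the conservative choice. Chargers do reconnect after network drops, so a production backend needs to evict sessions whose socket has stopped answering pings before the legitimate reconnect arrives; what it must not do is the behaviour the finding describes, where the newest connection wins unconditionally and the attacker only needs the identifier.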
Multiple server-side template injection and code execution vulnerabilities identified across Python and PHP frameworks
Dynaconf prior to 3.2.13 vulnerable to SSTI via unsafe Jinja2 template evaluation in @Jinja resolver. When jinja2 package installed, configuration template expressions evaluated without sanitization.
Incomplete fix for previous vulnerability in eosphoros-ai db-gpt up to 0.7.5. SQL injection persists in /api/v1/editor/ endpoint despite earlier remediation attempts.
Buffer overflows, use-after-free, and DLL sideloading vulnerabilities enabling privilege escalation and arbitrary code execution
Use-after-free vulnerability in libfuse 3.18.0-3.18.2 io_uring subsystem allows local attackers to crash FUSE filesystem processes and potentially execute arbitrary code during io_uring thread creation failures.
ScreenToGif versions 2.42.1+ vulnerable to DLL sideloading via version.dll. When portable executable run from user-writable directory, loads malicious version.dll from application directory instead of System32.
Stack-based buffer overflow in GMT 6.6.0+ gmt_remote_dataset_id function (src/gmt_remote.c) triggered by specially crafted input during geographic data processing.
Effect TypeScript framework prior to 3.20.0 corrupts Node.js AsyncLocalStorage-dependent middleware when using RpcServer.toWebHandler in Next.js App Router, potentially leaking sensitive context data between requests.
Command injection and authentication bypass vulnerabilities in D-Link and Totolink consumer network devices
OS command injection vulnerability in D-Link DIR-820LW 2.03 ssdpcgi_main function (SSDP component). Remote exploitation possible with public exploit available.
OS command injection in Totolink WA300 5.2cu.7112_B20190227 via recvUpgradeNewFw function in /cgi-bin/cstecgi.cgi. Remote exploitation possible with publicly disclosed exploit.
Address bar spoofing, arbitrary file read, and XSS vulnerabilities requiring monitoring and remediation planning
Unauthenticated arbitrary file read in Feast Feature Server /read-document endpoint. Specially crafted HTTP POST requests bypass access restrictions to read sensitive server files.
Arc Search for Android prior to 1.12.7 can display different domain in address bar than actual content shown, enabling phishing attacks after user interaction with crafted web content.