The 24-hour period from March 27 to 28, 2026 shows significant vulnerability disclosure activity: 30 new CVEs were identified, including three critical-severity flaws (CVSS 9.6 to 9.8) requiring immediate attention. The most concerning are a stored XSS in Notesnook that escalates to remote code execution in the desktop app (CVE-2026-33976), a code-injection flaw in Handlebars template compilation (CVE-2026-33937), and unauthenticated exposure of internal services by Home Assistant apps running in host network mode (CVE-2026-34205). Separately, an F5 BIG-IP APM vulnerability was added to CISA's Known Exploited Vulnerabilities catalog, which indicates active exploitation in the wild.
Malware distribution infrastructure remains highly active, with 49 malicious URLs identified, primarily delivering ACRStealer/ClearFake campaigns and Mozi botnet variants. The ACRStealer campaign is notable for coordinated infrastructure across multiple domains that share one naming scheme (svc*, ext*, cl*, dev* subdomains). Mozi botnet activity continues to target IoT devices, particularly MIPS- and ARM-based routers, with payloads served from compromised hosts, predominantly on Chinese IP addresses. Multiple Amadey dropper URLs were also identified; the payloads they deliver were not specified.
Organizations should prioritize patching the three critical vulnerabilities (Notesnook, Handlebars, Home Assistant) and the actively exploited F5 BIG-IP APM flaw. Network defenders should block the identified malicious domains and IP addresses and hunt for the same svc*/ext*/cl*/dev* subdomain pattern on domains not yet listed, since the operator appears to provision infrastructure programmatically. IoT device owners should keep firmware current, replace weak or default Telnet credentials, and disable unnecessary external access given continued Mozi exploitation attempts.
Three critical-severity vulnerabilities were disclosed, two of them leading to remote code execution, affecting popular applications and frameworks
Stored XSS in the Notesnook Web Clipper (before 3.3.11 for web and desktop, before 3.3.17 for mobile) can escalate to remote code execution in the desktop application. Attacker-controlled attributes in clipped web content are preserved rather than stripped, so a crafted page saved by the victim later executes script inside the Electron-based desktop app, where it can be leveraged for code execution on the host.
Handlebars.compile() accepts pre-parsed AST objects as well as template strings, and the value of a NumberLiteral node is emitted directly into the generated JavaScript without validation (versions 4.0.0 through 4.7.8). An attacker who can supply the AST, rather than template text, can therefore inject arbitrary code that runs when the compiled template executes.
Home Assistant apps configured with host network mode expose unauthenticated endpoints, which are bound to the internal Docker bridge interface, to the local network on Linux hosts. This allows unauthorized access to internal services and potential privilege escalation from any machine on the same network segment.
An unspecified vulnerability in F5 BIG-IP APM enabling remote code execution is now under active exploitation. CISA has added it to the Known Exploited Vulnerabilities catalog, which mandates patching for federal agencies and is a strong signal that all organizations should do the same.
Multiple high-severity vulnerabilities disclosed affecting authentication flows, database security, and cryptographic implementations
Authentication flow hijacking vulnerability in Gematik Authenticator (before 4.16.0) allows attackers to authenticate as victim users through malicious deep links. Affects digital health application authentication in Germany.
KQL injection vulnerability in Azure Data Explorer MCP Server (versions up to 0.1.1) allows execution of arbitrary Kusto queries via the tool calls an AI assistant issues, so input that reaches the assistant can reach the database, potentially exposing sensitive contents.
WeGIA charitable institution web manager (before 3.6.7) is vulnerable to SQL injection due to unsafe use of extract($_REQUEST), which turns arbitrary request parameters into PHP variables, combined with direct concatenation of those unsanitized variables into SQL queries in deletar_tag.php.
WordPress Ultimate Member plugin (up to 2.11.2) exposes password reset links through the {usermeta:password_reset_link} template tag when it is processed in post content, enabling account takeover.
The Forge TLS implementation (before 1.4.0) fails to enforce the RFC 5280 basicConstraints requirement when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. An ordinary end-entity certificate with neither extension can therefore be accepted as an issuer, bypassing chain validation.
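The following is an added example, not node-forge's own verifier: it applies the RFC 5280 path-validation rule that every certificate used as an issuer must carry basicConstraints with cA=TRUE, and contrasts it with the lenient rule described above. The certificates are constructed JavaScript objects rather than parsed DER, and signature checks are omitted so the chain logic stays visible; all subject names are hypothetical.

```javascript
// Added example, not node-forge code. Certificates are plain objects with
// subject, issuer and optional basicConstraints / keyUsage fields.

// Lenient rule (the bug class described above): basicConstraints is consulted
// only when present, keyUsage only when present, and a certificate with
// neither extension is allowed to act as a CA.
function mayActAsCALenient(cert) {
  if (cert.basicConstraints) return cert.basicConstraints.cA === true;
  if (cert.keyUsage) return cert.keyUsage.includes('keyCertSign');
  return true; // both extensions absent: accepted as an issuer
}

// Strict rule (RFC 5280 section 6.1.4 (k)): an issuer must carry
// basicConstraints with cA=TRUE, and keyUsage, when present, must include
// keyCertSign.
function mayActAsCAStrict(cert) {
  if (!cert.basicConstraints || cert.basicConstraints.cA !== true) return false;
  if (cert.keyUsage && !cert.keyUsage.includes('keyCertSign')) return false;
  return true;
}

// chain is ordered leaf first, trust anchor last. Every certificate after the
// leaf is an issuer and must pass the CA check; the last one must be trusted.
function validateChain(chain, trustedSubjects, mayActAsCA) {
  if (chain.length === 0) return { ok: false, reason: 'empty chain' };
  for (let i = 0; i < chain.length - 1; i++) {
    const cert = chain[i];
    const issuer = chain[i + 1];
    if (cert.issuer !== issuer.subject) {
      return { ok: false, reason: `${cert.subject} not issued by ${issuer.subject}` };
    }
    if (!mayActAsCA(issuer)) {
      return { ok: false, reason: `${issuer.subject} is not permitted to issue certificates` };
    }
  }
  const anchor = chain[chain.length - 1];
  if (!trustedSubjects.has(anchor.subject)) {
    return { ok: false, reason: `${anchor.subject} is not a trust anchor` };
  }
  return { ok: true };
}

// Constructed data (hypothetical names, not real X.509 certificates). The
// attacker holds a legitimately issued end-entity certificate that carries
// neither basicConstraints nor keyUsage and signs a certificate for a victim
// hostname with its key.
const ROOT = { subject: 'Example Root CA', issuer: 'Example Root CA',
               basicConstraints: { cA: true }, keyUsage: ['keyCertSign', 'cRLSign'] };
const INTERMEDIATE = { subject: 'Example Issuing CA', issuer: 'Example Root CA',
                       basicConstraints: { cA: true }, keyUsage: ['keyCertSign'] };
const ATTACKER_LEAF = { subject: 'attacker.example.test', issuer: 'Example Issuing CA' };
const FORGED_LEAF = { subject: 'login.victim.example.test', issuer: 'attacker.example.test' };
const TRUSTED = new Set(['Example Root CA']);

const legitimateChain = [ATTACKER_LEAF, INTERMEDIATE, ROOT];
const forgedChain = [FORGED_LEAF, ATTACKER_LEAF, INTERMEDIATE, ROOT];

console.log('forged chain, lenient:', validateChain(forgedChain, TRUSTED, mayActAsCALenient));
console.log('forged chain, strict: ', validateChain(forgedChain, TRUSTED, mayActAsCAStrict));
```

The lenient verifier accepts the forged chain because the attacker's leaf has no extension that says it is not a CA; the strict verifier rejects it because nothing says it is one. Absence of an extension must never default to the more permissive interpretation.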
Large-scale ACRStealer and ClearFake malware distribution campaign identified with coordinated infrastructure across multiple domains using systematic subdomain patterns
39 malicious URLs were identified distributing ACRStealer and ClearFake malware through Google verification-themed lures. The infrastructure spans multiple domains (pendantwhip.in.net, altruistchimes.in.net, duralmanganese.in.net, dressingsix.in.net, canisterget.in.net, pleasedprism.in.net, sororatspot.in.net) with one systematic subdomain scheme (svc1-4, ext1-4, cl1-4, dev1-4). The consistent naming across domains points to a single operator provisioning infrastructure programmatically, which also makes the pattern itself a useful hunting signature.
Four malicious URLs on 166.1.89.46 hosting Amadey dropper payloads (fbf543 variant) across multiple directories (/vid/, /files/rdx/, /final/, /test/). Amadey is a modular malware loader commonly used to deliver additional payloads including stealers and ransomware.
Continued Mozi botnet activity targeting IoT devices, particularly MIPS and ARM-based routers with weak credentials
10 malicious URLs were identified distributing Mozi botnet payloads for MIPS and ARM architectures. Compromised hosts, predominantly on Chinese IP addresses (221.15.193.209, 110.37.43.128, 27.220.13.64, 222.142.210.224, 59.93.178.25, 60.18.62.126, 110.37.117.225, 219.157.58.236, 39.65.213.216, 118.232.137.101, 123.9.196.22, 36.84.113.27, 83.219.1.198), serve bin.sh installer scripts and architecture-specific binaries. Mozi propagates by brute-forcing weak Telnet credentials and exploiting known IoT vulnerabilities.
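As an added example covering the ACRStealer, Amadey and Mozi indicators above (not part of the advisory), the matcher below flags proxy or DNS log lines that touch the listed infrastructure and adds two hunting rules for the same subdomain scheme and installer name on hosts that are not yet listed. The log format, the sample lines, the domain someotherlure.in.net and the address 198.51.100.7 are constructed for the example.

```javascript
// Added example: indicator matching over constructed log lines. Listed domains
// and IPs come from the advisory text; everything else is made up for the demo.

const ACRSTEALER_DOMAINS = new Set([
  'pendantwhip.in.net', 'altruistchimes.in.net', 'duralmanganese.in.net',
  'dressingsix.in.net', 'canisterget.in.net', 'pleasedprism.in.net', 'sororatspot.in.net',
]);
const ACRSTEALER_LABEL = /^(svc|ext|cl|dev)[1-4]$/; // svc1-4, ext1-4, cl1-4, dev1-4
const AMADEY_HOSTS = new Set(['166.1.89.46']);
const MOZI_HOSTS = new Set([
  '221.15.193.209', '110.37.43.128', '27.220.13.64', '222.142.210.224', '59.93.178.25',
  '60.18.62.126', '110.37.117.225', '219.157.58.236', '39.65.213.216', '118.232.137.101',
  '123.9.196.22', '36.84.113.27', '83.219.1.198',
]);

// Returns a verdict string or null. Verdicts ending in "-pattern" are hunting
// hits on unlisted hosts: route them to an analyst rather than an auto-block.
function classify(host, path) {
  host = host.toLowerCase().replace(/\.$/, '');
  if (AMADEY_HOSTS.has(host)) return 'amadey';
  if (MOZI_HOSTS.has(host)) return 'mozi';
  const dot = host.indexOf('.');
  if (dot > 0) {
    const label = host.slice(0, dot);
    const parent = host.slice(dot + 1);
    if (ACRSTEALER_DOMAINS.has(parent)) return 'acrstealer';
    // Same svc/ext/cl/dev naming under a .in.net domain that is not yet listed.
    if (ACRSTEALER_LABEL.test(label) && parent.endsWith('.in.net')) return 'acrstealer-pattern';
  }
  // Mozi's installer script name requested from a host that is not yet listed.
  if (/\/bin\.sh$/.test(path)) return 'mozi-pattern';
  return null;
}

// One record per line: "<timestamp> <client_ip> <host> <path>" (constructed format).
function scanLog(text) {
  const hits = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const [ts, client, host, path = '/'] = line.split(/\s+/);
    const verdict = classify(host, path);
    if (verdict) hits.push({ ts, client, host, path, verdict });
  }
  return hits;
}

// Constructed sample log: internal clients (10.0.0.0/8) reaching out.
const SAMPLE_LOG = `
2026-03-28T01:02:03Z 10.0.0.5 svc2.pendantwhip.in.net /verify
2026-03-28T01:02:04Z 10.0.0.5 www.example.org /
2026-03-28T01:02:05Z 10.0.0.9 166.1.89.46 /files/rdx/
2026-03-28T01:02:06Z 10.0.0.12 221.15.193.209 /bin.sh
2026-03-28T01:02:07Z 10.0.0.12 198.51.100.7 /bin.sh
2026-03-28T01:02:08Z 10.0.0.5 dev3.someotherlure.in.net /
`;

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`${hit.ts} ${hit.client} -> ${hit.host}${hit.path} [${hit.verdict}]`);
}
```

Feeding real proxy logs through scanLog only requires adapting the split in the loop to the local format; the verdict split between exact indicator hits and "-pattern" hunting hits keeps the auto-block list limited to what the advisory actually names.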
Vulnerabilities in legacy UniFi controllers and several Totolink routers disclosed, expanding the attack surface for older network infrastructure
Two vulnerabilities in legacy UniFi Network Controller versions: AES-CBC encryption weakness enabling device-to-controller MITM attacks (CVE-2019-25651) and improper SSL certificate verification during SMTP connections (CVE-2019-25652). Affects controllers before 5.10.22/5.11.18 and multiple UAP/USW/USG firmware versions.
Multiple buffer overflow vulnerabilities in Totolink routers: LR350 9.3.5u.6369_B20220309 setWiFiGuestCfg function (CVE-2026-4976), AC15 15.03.05.19 formSetCfm function (CVE-2026-4975), and AC7 15.03.06.44 fromSetSysTime function (CVE-2026-4974). All remotely exploitable through crafted POST requests.
Multiple cryptographic vulnerabilities identified in widely-used libraries enabling signature forgery and certificate validation bypass
Three further vulnerabilities in the node-forge library (before 1.4.0): acceptance of non-canonical Ed25519 signatures (CVE-2026-33895), RSASSA-PKCS1-v1_5 signature forgery against low-exponent (e=3) keys caused by lenient padding parsing (CVE-2026-33894), and denial of service via an infinite loop in BigInteger.modInverse() (CVE-2026-33891). node-forge is widely used for TLS and PKI operations in Node.js and browser code, so dependents should upgrade.
Handlebars vulnerabilities in versions 4.0.0 through 4.7.8 include CLI precompiler code injection (CVE-2026-33941), partial resolution bypass (CVE-2026-33940), unregistered decorator handling (CVE-2026-33939), @partial-block mutation (CVE-2026-33938), and NumberLiteral AST injection (CVE-2026-33937). Together they affect both template compilation and runtime template processing, so upgrading is preferable to working around any single issue.
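The NumberLiteral injection described in the critical-vulnerability section and listed again here is easiest to understand from a code generator. The block below is an added example and is NOT Handlebars' compiler: it is a toy generator that uses the node shapes of the published Handlebars AST spec (Program, ContentStatement, MustacheStatement, NumberLiteral, StringLiteral, PathExpression) to show why interpolating NumberLiteral.value into generated JavaScript is a code injection when the AST comes from an untrusted source, together with a pre-compile guard (assertNumericLiterals, an added helper) that can be run on any AST before handing it to a compile() that accepts AST input. Both ASTs are constructed.

```javascript
// Added example: a toy template compiler, not Handlebars. Only enough of the
// AST is supported to show the NumberLiteral problem.

function emitExpression(node, strictNumbers) {
  switch (node.type) {
    case 'NumberLiteral':
      // The vulnerable step: the value is interpolated as source text. A parser
      // always produces a number here, but a hand-built AST can carry a string.
      if (strictNumbers && !(typeof node.value === 'number' && Number.isFinite(node.value))) {
        throw new TypeError(`NumberLiteral.value must be a finite number, got ${JSON.stringify(node.value)}`);
      }
      return String(node.value);
    case 'StringLiteral':
      return JSON.stringify(node.value); // quoted and escaped, so safe to embed
    case 'PathExpression':
      return `ctx[${JSON.stringify(node.original)}]`;
    default:
      throw new TypeError(`unsupported expression node ${node.type}`);
  }
}

// Turns a Program node into the body of a render function.
function generateSource(program, strictNumbers) {
  const pieces = program.body.map((stmt) => {
    if (stmt.type === 'ContentStatement') return JSON.stringify(stmt.value);
    if (stmt.type === 'MustacheStatement') return `String(${emitExpression(stmt.path, strictNumbers)})`;
    throw new TypeError(`unsupported statement node ${stmt.type}`);
  });
  return `return [${pieces.join(', ')}].join('');`;
}

// compile() accepts a pre-parsed AST, exactly the entry point that makes the
// AST an attack surface. strictNumbers=false reproduces the vulnerable behaviour.
function compile(program, { strictNumbers = true } = {}) {
  return new Function('ctx', generateSource(program, strictNumbers));
}

// Independent guard for when the compiler itself cannot be changed: walk the
// tree and reject any NumberLiteral whose value is not a finite number.
function assertNumericLiterals(node) {
  if (Array.isArray(node)) { node.forEach(assertNumericLiterals); return; }
  if (node === null || typeof node !== 'object') return;
  if (node.type === 'NumberLiteral' && !(typeof node.value === 'number' && Number.isFinite(node.value))) {
    throw new TypeError(`non-numeric NumberLiteral value: ${JSON.stringify(node.value)}`);
  }
  for (const key of Object.keys(node)) {
    if (key !== 'loc') assertNumericLiterals(node[key]);
  }
}

// Constructed ASTs. BENIGN_AST is what a parser produces for "Total: {{42}}";
// MALICIOUS_AST is what an attacker who controls the AST can submit. The
// payload is an expression so it stays syntactically valid where it lands.
const BENIGN_AST = { type: 'Program', body: [
  { type: 'ContentStatement', value: 'Total: ' },
  { type: 'MustacheStatement', path: { type: 'NumberLiteral', value: 42, original: '42' } },
] };
const MALICIOUS_AST = { type: 'Program', body: [
  { type: 'ContentStatement', value: 'Total: ' },
  { type: 'MustacheStatement', path: { type: 'NumberLiteral', value: '(ctx.pwned = 1)', original: '42' } },
] };

const ctx = {};
console.log(compile(MALICIOUS_AST, { strictNumbers: false })(ctx), ctx); // injected code ran
try { compile(MALICIOUS_AST); } catch (e) { console.log('strict compile rejected:', e.message); }
```

Any application that lets clients submit a Handlebars AST (for example, a JSON-serialised parse result) should treat it as code, not data: run a guard like assertNumericLiterals, or better, accept only template text and parse it server-side.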