The threat landscape during March 31 - April 1, 2026 reveals a concerning pattern of widespread vulnerability exploitation and active malware distribution campaigns. Critical vulnerabilities were identified across multiple platforms including personal knowledge management systems (SciYuan), healthcare interoperability frameworks (HAPI FHIR), and IoT devices. Twenty-nine CVEs were disclosed with CVSS scores ranging from 7.3 to 9.8, including five critical-severity vulnerabilities that enable remote code execution. Notably, CVE-2026-1579 affects the MAVLink drone communication protocol, presenting serious risks to unmanned aerial vehicle operations when message signing is disabled. The malware distribution landscape is dominated by Mozi botnet activity targeting IoT devices and multiple ClearFake/ACRStealer campaigns leveraging social engineering tactics. Fifty malicious URLs were identified distributing various malware families including Mozi, Mirai variants, Phorpiex, and Amadey. Organizations should prioritize patching critical RCE vulnerabilities in SciYuan and HAPI FHIR, implement network segmentation for IoT devices, and deploy URL filtering to block identified malicious infrastructure.
Five critical-severity vulnerabilities require immediate attention, enabling unauthenticated remote code execution across multiple platforms
A permissive CORS policy (Access-Control-Allow-Origin: * together with Access-Control-Allow-Private-Network: true) lets a malicious website reach the SciYuan desktop application's local API from the browser, enabling JavaScript injection and remote code execution. Affects versions prior to 3.6.2.
Stored XSS vulnerability in Attribute View mAsset field enables arbitrary HTML/JavaScript execution when victims view Gallery or Kanban views with Cover From Asset Field enabled. Version 3.6.2 remediates this issue.
The unauthenticated /loadIG endpoint in the FHIR Validator HTTP service makes outbound requests to attacker-controlled URLs (SSRF). Because the service decides which URLs are trusted with a startsWith() string comparison, credentials meant for a trusted server can be sent to an attacker-controlled URL and exfiltrated. Affects versions before 6.9.4.
MAVLink communication protocol lacks cryptographic authentication by default. When MAVLink 2.0 message signing is disabled, unauthenticated parties can send SERIAL_CONTROL messages providing interactive shell access to drone systems.
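The mitigation named above is MAVLink 2 message signing. As an added illustration (not code from this digest or from the MAVLink project), the following Python implements the spec's signing formula, sha256_48(secret_key | header | payload | CRC | link_id | timestamp), on the receiving side and drops any packet that is unsigned, tampered with, or replayed; the key, system/component IDs and the SERIAL_CONTROL payload are constructed placeholders, and the v2 trailing-zero payload truncation and the timestamp-window check of a full implementation are omitted.

```python
import hashlib
import hmac

STX_V2 = 0xFD
IFLAG_SIGNED = 0x01              # incompat_flags bit: signature block present
MSG_SERIAL_CONTROL = 126
CRC_EXTRA_SERIAL_CONTROL = 220   # per-message CRC seed from common.xml
SIG_LEN = 13                     # link_id(1) + timestamp(6) + sha256_48(6)

def x25_crc(data: bytes) -> int:
    """MAVLink X.25 checksum (CRC-16/MCRF4XX)."""
    crc = 0xFFFF
    for b in data:
        tmp = (b ^ (crc & 0xFF)) & 0xFF
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc

def build_frame(seq, sysid, compid, msgid, payload, crc_extra, signed):
    """MAVLink 2 header + payload + CRC; the CRC covers bytes after STX plus crc_extra."""
    flags = IFLAG_SIGNED if signed else 0
    header = bytes([STX_V2, len(payload), flags, 0, seq, sysid, compid]) + msgid.to_bytes(3, "little")
    crc = x25_crc(header[1:] + payload + bytes([crc_extra]))
    return header + payload + crc.to_bytes(2, "little")

def sign_frame(frame, key, link_id, timestamp):
    """Append the 13-byte signature block: link_id, 48-bit timestamp, sha256_48."""
    trailer = bytes([link_id]) + timestamp.to_bytes(6, "little")
    return frame + trailer + hashlib.sha256(key + frame + trailer).digest()[:6]

class SigningReceiver:
    """Accepts only correctly signed, strictly newer MAVLink 2 packets per stream."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_ts = {}        # (sysid, compid, link_id) -> last accepted timestamp

    def accept(self, packet: bytes) -> bool:
        if len(packet) < 12 or packet[0] != STX_V2:
            return False
        body_end = 10 + packet[1] + 2
        if not packet[2] & IFLAG_SIGNED or len(packet) != body_end + SIG_LEN:
            return False         # unsigned or malformed: drop, never act on it
        frame, trailer, sig = packet[:body_end], packet[body_end:body_end + 7], packet[body_end + 7:]
        expected = hashlib.sha256(self.key + frame + trailer).digest()[:6]
        if not hmac.compare_digest(sig, expected):
            return False         # wrong key or modified bytes
        stream = (packet[5], packet[6], trailer[0])
        ts = int.from_bytes(trailer[1:], "little")
        if ts <= self.last_ts.get(stream, -1):
            return False         # replayed or stale timestamp
        self.last_ts[stream] = ts
        return True
```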
GitHub Actions workflow uses untrusted user input from issue_comment.body directly in shell commands, enabling command injection and arbitrary code execution in CI/CD pipeline. Affects versions 0.3.1 and prior.
File import process vulnerability in Cast to TV Screen Mirroring v2.2.77 allows attackers to overwrite critical internal files, leading to arbitrary code execution or information exposure.
Multiple high-severity vulnerabilities affecting enterprise web applications, NAS devices, and NVIDIA products
Vulnerability in the cgi_addgroup_get_gro function across 20+ D-Link NAS models (DNS/DNR series) up to firmware 20260205. Rated CVSS 8.8, it enables unauthorized access to network storage devices.
Crafted block attribute values bypass server-side escaping when HTML entities are mixed with raw special characters. This enables XSS through malicious .sy document packages in versions before 3.6.2.
Admin plugin configuration endpoint (admin/save.json.php) lacks CSRF token validation. Combined with an explicit CORS policy allowing all origins, this enables unauthorized configuration changes in version 26.0 and prior.
Docker image ships with AllowOverride None, causing Apache to ignore .htaccess protections on uploaded documents in adm_my_files directory. Affects Admidio versions 5.0.0 to 5.0.7.
Multiple deserialization-of-untrusted-data vulnerabilities in NVIDIA BioNeMo (CVSS scores 8.8 and 7.8) enable code execution, DoS, information disclosure, and data tampering.
The fix for CVE-2021-23337 is incomplete: validation is applied to the variable option but not to options.imports key names, although both flow into the Function() constructor. This enables RCE when applications pass untrusted user input.
Extensive Mozi botnet activity targeting IoT devices with 35+ malicious URLs distributing ELF binaries for multiple architectures
35 unique URLs hosting Mozi malware targeting ARM, MIPS, and mixed architecture IoT devices. Binaries delivered via HTTP on high ports (30000-60000 range) from compromised Chinese IP addresses. Delivery pattern indicates automated scanning and exploitation of vulnerable devices.
10 URLs on IP 92.112.124.72 hosting Mirai variants for multiple architectures (mips, mipsel, arm, arm5, arm7, i686, x86_64, sparc, sh4). User-agent based delivery (ua-wget) indicates automated bot infection chain.
Coordinated phishing campaign using fake Google verification pages across multiple domains
15 URLs across three domain clusters (neurobloom.in.net, cyberhaven.in.net, datacrest.in.net) hosting ClearFake/ACRStealer malware. Domains use legitimate-sounding subdomain patterns (thought-api, nerve-center, ghost-shell, secure-vault) with /verification.google endpoints to trick users into downloading malicious payloads.
Multiple malware droppers distributing secondary payloads via HTTP
Six URLs on IP 178.16.54.109 distributing Phorpiex malware (1.exe through 6.exe). Phorpiex is known for spreading via removable drives and distributing additional malware families including ransomware and cryptominers.
URL hosting wugQXVn.exe identified as payload dropped by Amadey botnet (fbf543). Amadey specializes in reconnaissance, credential theft, and deploying additional malware stages.
Server-Side Request Forgery vulnerabilities affecting InvoiceShelf PDF generation across multiple modules
Three SSRF vulnerabilities in InvoiceShelf versions before 2.2.0 affecting Invoice, Payment receipt, and Estimate PDF generation. User-supplied HTML in Notes fields processed without validation, enabling internal network reconnaissance and data exfiltration.
SQL injection, path traversal, and authorization bypass vulnerabilities across various platforms
SQL injection in the /manage_user.php Parameter Handler (ID argument) in itsourcecode Payroll Management System 1.0. Rated CVSS 7.3, it enables unauthorized database access.
Two authorization bypass vulnerabilities in scitokens-cpp before 1.4.1: path-based scope validation uses a simple string-prefix comparison and does not normalize paths after authorization, so ".." traversal can reach resources outside the authorized scope.
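Both the FHIR Validator startsWith() URL check and the scitokens-cpp scope check above share one root cause: authorization by raw string prefix. The Python below is an added illustration (not code from either project) that places the naive prefix checks beside hardened versions which compare the parsed origin and normalize the path before comparing on segment boundaries; the trusted base URL, scope path and sample inputs are constructed placeholders.

```python
import posixpath
from urllib.parse import urlsplit, unquote

TRUSTED_BASE = "https://fhir.example.org"   # constructed: server allowed to receive credentials
SCOPE_PATH = "/store/project-a"             # constructed: path a token is authorized for

def _path_within(path: str, root: str) -> bool:
    """True if path, after normalization, is root itself or lies below it."""
    if not path.startswith("/"):
        return False
    norm = posixpath.normpath(path)          # collapses "..", ".", and "//" before comparing
    root = posixpath.normpath(root)
    prefix = root if root.endswith("/") else root + "/"
    return norm == root or norm.startswith(prefix)

def naive_url_trusted(url: str) -> bool:
    """Flaw pattern: any URL sharing the trusted prefix is treated as trusted."""
    return url.startswith(TRUSTED_BASE)

def strict_url_trusted(url: str) -> bool:
    """Compare scheme, host and port of the parsed URL, then the decoded path."""
    base, cand = urlsplit(TRUSTED_BASE), urlsplit(url)
    if (cand.scheme, cand.hostname, cand.port) != (base.scheme, base.hostname, base.port):
        return False                          # rejects host-suffix and user@host tricks
    return _path_within(unquote(cand.path) or "/", unquote(base.path) or "/")

def naive_path_in_scope(path: str) -> bool:
    """Flaw pattern: prefix match without normalization or segment boundary."""
    return path.startswith(SCOPE_PATH)

def strict_path_in_scope(path: str) -> bool:
    return _path_within(path, SCOPE_PATH)

if __name__ == "__main__":
    for url in ("https://fhir.example.org/loadIG", "https://fhir.example.org.evil.net/loadIG"):
        print(url, naive_url_trusted(url), strict_url_trusted(url))
    for path in ("/store/project-a/report.json", "/store/project-a/../project-b/secret"):
        print(path, naive_path_in_scope(path), strict_path_in_scope(path))
```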
File inclusion vulnerability in SourceCodester Leave Application System 1.0 via page parameter manipulation. Remote exploitation possible with public exploit available.