During the period of April 14-20, 2026, the threat landscape demonstrated significant malicious activity across multiple vectors. The most critical concern is the widespread distribution of SmartLoader malware through compromised GitHub repositories, with over 30 malicious ZIP files hosted on legitimate infrastructure. CISA added three vulnerabilities to the Known Exploited Vulnerabilities catalog, including critical flaws in Apache ActiveMQ and Microsoft SharePoint Server that enable code injection and spoofing attacks.
The National Vulnerability Database published 29 new CVEs during this period, with seven rated CRITICAL severity. Notable vulnerabilities include multiple expression injection bypasses in Thymeleaf (CVE-2026-40477, CVE-2026-40478), NoSQL injection flaws in FastGPT authentication (CVE-2026-40351), and command injection in radare2 (CVE-2026-40527). The abuse.ch data reveals ongoing Mozi botnet activity targeting IoT devices, alongside a sophisticated ClearFake campaign using subdomain infrastructure for malware delivery.
Organizations should prioritize patching the KEV-listed vulnerabilities immediately, monitor (and where policy allows, block) ZIP downloads from github.com and raw.githubusercontent.com that match the themed SmartLoader repository names, and hunt for SmartLoader indicators in proxy and endpoint telemetry. The continued presence of a legacy Microsoft Office vulnerability (CVE-2009-0238) in the KEV catalog underscores persistent exploitation of older attack vectors.
CISA KEV additions and critical-severity CVEs pose immediate exploitation risk
Apache ActiveMQ contains an improper input validation vulnerability enabling code injection. Now listed in CISA KEV catalog, indicating active exploitation.
Two critical vulnerabilities in the Thymeleaf template engine (CVE-2026-40477 and CVE-2026-40478, versions ≤3.1.3) bypass its expression injection protections, enabling arbitrary code execution in Java web applications that evaluate attacker-influenced template expressions.
Unauthenticated attackers can bypass the FastGPT login (CVE-2026-40351) by submitting MongoDB query operators (for example a $ne or $regex document) in the password field, which is passed into the query without runtime type validation (CVSS 9.8).
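How that bypass works, as an added example that is not FastGPT's code: a Mongo-style matcher standing in for find() (assumed to support only $eq, $ne and $regex, with a constructed user collection) and the login written first the vulnerable way, then with a type check and $eq pinning.

```python
"""Mongo-style operator injection against a login filter, beside the hardened form.

Added example, not FastGPT's code: the matcher is a tiny stand-in for MongoDB's
find(), the collection and field names are constructed, and only $eq, $ne and
$regex are implemented (assumptions, not the project's real schema).
"""
import re

# Constructed user collection; password values stand in for stored hashes.
USERS = [
    {"username": "admin", "password": "hunter2-hash"},
    {"username": "alice", "password": "s3cret-hash"},
]


def _match_field(value, cond):
    """Compare one stored value against a literal or a {$op: arg} document."""
    if not isinstance(cond, dict):
        return value == cond                      # plain equality
    for op, arg in cond.items():
        if op == "$eq":
            ok = value == arg
        elif op == "$ne":
            ok = value != arg
        elif op == "$regex":
            ok = isinstance(value, str) and re.search(arg, value) is not None
        else:
            raise ValueError(f"unsupported operator {op}")
        if not ok:
            return False
    return True


def find_one(collection, query):
    """Return the first document matching every field in `query`, like find_one()."""
    for doc in collection:
        if all(_match_field(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def login_vulnerable(body):
    """The flawed pattern: JSON body values go straight into the query, so a
    client can send {"password": {"$ne": ""}} instead of a string."""
    return find_one(USERS, {"username": body["username"], "password": body["password"]})


def login_hardened(body):
    """Reject anything that is not a plain string before it can reach the query,
    and pin each comparison with $eq so an operator document is never interpreted."""
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    return find_one(USERS, {"username": {"$eq": username}, "password": {"$eq": password}})
```

The $regex variant matters beyond the bypass: with one request per character it turns the same flaw into an oracle for extracting the stored password hash, which is why the fix is a type check at the boundary rather than a blocklist of operator names.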
Hot Chocolate GraphQL server does not limit query nesting depth, allowing attackers to crash the service with deeply nested documents (CVSS 9.1).
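A depth gate of the kind that prevents this, as an added example rather than Hot Chocolate's own implementation (which is C#): it counts selection-set nesting in the raw document text while skipping strings and comments, so an oversized document is rejected before it reaches the parser or executor. The limit of 10 is an assumed policy value.

```python
"""Selection-set depth limit for an incoming GraphQL document.

Added example, not Hot Chocolate's implementation. It counts nesting of `{ }`
in the raw document while skipping string literals, block strings and
comments, which is enough to reject a deeply nested document before it is
parsed or executed; the default limit of 10 is an assumed policy value.
"""

def selection_depth(document: str) -> int:
    """Maximum nesting depth of braces outside strings and comments."""
    depth = max_depth = 0
    i, n = 0, len(document)
    while i < n:
        ch = document[i]
        if ch == "#":                                   # comment runs to end of line
            while i < n and document[i] != "\n":
                i += 1
        elif document.startswith('"""', i):             # block string
            end = document.find('"""', i + 3)
            i = n if end < 0 else end + 3
        elif ch == '"':                                 # ordinary string, honour escapes
            i += 1
            while i < n and document[i] != '"':
                i += 2 if document[i] == "\\" else 1
            i += 1
        else:
            if ch == "{":
                depth += 1
                max_depth = max(max_depth, depth)
            elif ch == "}":
                depth -= 1
            i += 1
    return max_depth


def within_depth_limit(document: str, limit: int = 10) -> bool:
    """Gate to run before handing the document to the executor."""
    return selection_depth(document) <= limit


def nested_document(levels: int) -> str:
    """Constructed attack document with `levels` nested selection sets."""
    return "{ a " * levels + "}" * levels
```

A textual count is deliberately cheap: the point of the check is to refuse work before any recursive descent happens, and a full parser would itself be the recursion the attacker is targeting.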
Three critical vulnerabilities in SAIL library: TGA RLE decoder bounds check bypass (CVE-2026-40494), PSD buffer allocation mismatch (CVE-2026-40493), and XWD byte-swap confusion (CVE-2026-40492). All rated CVSS 9.8.
ChurchCRM backup restore extracts archive contents without validating file extensions, so an archive containing a PHP file restored into a web-accessible directory yields remote code execution (CVSS 9.1).
Improper input validation in Microsoft SharePoint Server allows unauthorized network-based spoofing attacks. Added to CISA KEV catalog.
The 17-year-old Microsoft Office Excel vulnerability CVE-2009-0238 is still being actively exploited via malformed objects in crafted files; its persistence in the KEV catalog indicates ongoing campaigns.
Massive SmartLoader malware distribution operation abusing GitHub infrastructure with 30+ malicious repositories
Over 30 malicious ZIP files identified on GitHub/raw.githubusercontent.com domains hosting SmartLoader malware. Attackers abuse legitimate GitHub infrastructure with themed repository names (Arduino Projects, Cursor IDE Setup, OpenAI SDK, Venus Blood, etc.) to evade detection.
Multiple ClearFake malware distribution domains identified using subdomain patterns (green-leaf1, flow-control6, signal-box5, deep-soil3, high-stem4, wild-root2, pure-seed5) on firs-tachycardia.in.net and artichf1atly.in.net infrastructure.
Active Mozi botnet infrastructure identified targeting IoT devices, with multiple IP addresses serving ELF binaries for MIPS and ARM architectures. Indicators include IP ranges in China, Indonesia, and South Africa.
Multiple IPs distributing Mirai botnet variants via HTTP, targeting ARM and MIPS IoT devices; overlap with the Mozi infrastructure suggests coordinated botnet operations.
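Turning the GitHub and ClearFake indicators above into a log check, as an added example that is not part of the report's feeds: the proxy lines are constructed, the themed repository names and the two ClearFake apex domains are the ones listed above, and the subdomain regex (two lowercase words joined by a hyphen plus one digit) is inferred from the listed labels.

```python
"""Flag the SmartLoader and ClearFake indicators described above in proxy logs.

Added example, not from the report's source feeds: the log lines are
constructed, the themed repository names and ClearFake apex domains are the
ones listed in the report, and the subdomain pattern is inferred from the
listed labels (assumption).
"""
import re
from urllib.parse import urlparse

SMARTLOADER_THEMES = ["Arduino Projects", "Cursor IDE Setup", "OpenAI SDK", "Venus Blood"]
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}
CLEARFAKE_APEX = {"firs-tachycardia.in.net", "artichf1atly.in.net"}
CLEARFAKE_SUB = re.compile(r"^[a-z]+-[a-z]+\d$")     # green-leaf1, flow-control6, ...

# "Cursor IDE Setup" -> matches Cursor-IDE-Setup, cursor_ide_setup, etc.
THEME_PATTERNS = [re.compile(r"[-_ ]".join(map(re.escape, t.split())), re.I)
                  for t in SMARTLOADER_THEMES]


def classify_host(host: str):
    """Label a hostname against the ClearFake infrastructure, or None."""
    host = host.lower().rstrip(".")
    for apex in CLEARFAKE_APEX:
        if host == apex:
            return "clearfake-apex"
        if host.endswith("." + apex):
            sub = host[: -len(apex) - 1]
            return "clearfake-subdomain" if CLEARFAKE_SUB.match(sub) else "clearfake-other-subdomain"
    return None


def classify_url(url: str):
    """Return an indicator label for a requested URL, or None if it is unremarkable."""
    parsed = urlparse(url)
    host, path = (parsed.hostname or "").lower(), parsed.path
    if host in GITHUB_HOSTS:
        if not path.lower().endswith(".zip"):
            return None
        themed = any(rx.search(path) for rx in THEME_PATTERNS)
        return "smartloader-themed-zip" if themed else "github-zip-download"
    return classify_host(host)


# Constructed proxy log: timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = """\
2026-04-16T09:12:01Z 10.0.4.21 GET https://raw.githubusercontent.com/someuser/Cursor-IDE-Setup/main/Cursor_IDE_Setup.zip 200
2026-04-16T09:12:44Z 10.0.4.21 GET https://green-leaf1.firs-tachycardia.in.net/update.js 200
2026-04-16T09:13:10Z 10.0.7.5 GET https://raw.githubusercontent.com/python/cpython/main/README.rst 200
2026-04-16T09:14:00Z 10.0.7.9 GET https://signal-box5.artichf1atly.in.net/ 404
2026-04-16T09:15:30Z 10.0.7.9 GET https://github.com/someorg/tool/archive/refs/heads/main.zip 302
"""


def scan_proxy_log(text: str):
    """Return (timestamp, client, url, label) for every line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        label = classify_url(fields[3])
        if label:
            hits.append((fields[0], fields[1], fields[3], label))
    return hits
```

Any ZIP pulled from GitHub is reported at a lower tier so the themed-name match can be escalated while ordinary archive downloads from the same domains remain visible; blocking the domains outright is rarely an option, which is why the path-level match is the useful one here.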
High-severity vulnerabilities enabling privilege escalation, command injection, and authentication bypass
NovumOS contains two critical syscall vulnerabilities: Syscall 12 (JumpToUser) allows arbitrary kernel address execution, and Syscall 15 (MemoryMapRange) enables mapping of kernel memory regions without validation.
Crafted ELF binaries can embed malicious r2 commands in DWARF parameter names (CVE-2026-40527), which execute when the binary is analyzed with radare2's afsv/afsvj commands. Enables local privilege escalation via reverse engineering tools, so untrusted samples should be analyzed in an isolated environment.
Emissary workflow engine vulnerable to command injection via unsanitized temporary file paths interpolated into shell commands. Affects distributed processing workflows.
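The flaw class in the Emissary item, shown as an added example that is not Emissary's code (Emissary is Java): a temp-file path interpolated into a string command, beside the two forms that are not injectable. The external tool is stood in by the Python interpreter echoing its first argument so the effect of the metacharacters is visible, and a POSIX /bin/sh is assumed for the shell=True calls.

```python
"""A temporary-file path interpolated into a shell command (the Emissary flaw
class) beside two forms that are not injectable.

Added example, not Emissary's code. The external tool is stood in by the
Python interpreter printing its first argument; a POSIX /bin/sh is assumed
for shell=True, and the attacker-influenced filename is constructed.
"""
import shlex
import subprocess
import sys

# Stand-in "tool": prints argv[1] exactly as it received it.
TOOL = [sys.executable, "-c", "import sys; print(sys.argv[1])"]
TOOL_CMD = " ".join(shlex.quote(arg) for arg in TOOL)


def run_vulnerable(path: str) -> str:
    """String-built command: everything in `path` is re-parsed by the shell."""
    cmd = f"{TOOL_CMD} {path}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(path: str) -> str:
    """Still shell=True, but shlex.quote turns the path into one shell word."""
    cmd = f"{TOOL_CMD} {shlex.quote(path)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(path: str) -> str:
    """No shell at all: the path is a single argv element and is never parsed."""
    return subprocess.run(TOOL + [path], capture_output=True, text=True).stdout


def attacker_controlled_path(workdir: str = "/tmp/emissary") -> str:
    """Constructed filename of the kind an attacker can influence (assumption:
    the temp name is derived from attacker-supplied input such as an upload name)."""
    return f"{workdir}/job-1.dat; echo INJECTED"
```

The argv form is the one to reach for: quoting fixes this particular sink, but the next developer who appends `2>&1 | sort` to the string is back to parsing attacker data with a shell.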
CMP Coming Soon plugin allows authenticated users with minimal privileges to upload arbitrary files and achieve RCE via cmp_theme_update_install AJAX action due to insufficient permission checks.
Several web applications affected by privilege escalation: Movary user management bypass (CVE-2026-40350), FastGPT password change NoSQL injection (CVE-2026-40352), wger gym config permission bypass (CVE-2026-40474), and Postiz file upload validation bypass (CVE-2026-40487).
New security research and tooling capabilities published for incident response operations
Comprehensive guide documenting standardized investigation steps for digital forensics and incident response operations, from initial alert triage through final reporting.
New API endpoint enabling automated mapping of domain exposure and attack surface enumeration through single API calls for security reconnaissance.
Cost-effective IOC enrichment solution for security teams providing multi-source threat intelligence aggregation at reduced pricing compared to commercial alternatives.
Technical implementation guide for building Splunk custom search commands integrating DFIR Platform API for real-time IOC enrichment within SPL queries. Includes Python code, packaging instructions, and example queries.
Secondary tier vulnerabilities requiring attention and remediation planning
ChurchCRM family record deletion via GET without CSRF protection (CVE-2026-40581), Gramps Web API Zip Slip vulnerability (CVE-2026-40258), KodExplorer path traversal (CVE-2026-6568), and Movary SSRF via Jellyfin endpoint (CVE-2026-40348).
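Both the ChurchCRM restore flaw (no extension validation, described earlier) and the Gramps Web Zip Slip entry above are failures of the same routine: extracting an archive into a directory. As an added example that reproduces neither project's code, here is a restore that rejects both classes of entry, run against a constructed in-memory archive; the allowed-extension set is an assumption about what a legitimate backup contains.

```python
"""Backup/archive restore hardened against the two flaws above: Zip Slip
(entry paths that escape the destination) and script uploads (entries with
an extension such as .php landing under a web root).

Added example; the archive is built in memory and neither ChurchCRM's nor
Gramps Web's code is reproduced. ALLOWED_EXT is an assumption about what a
legitimate backup contains.
"""
import io
import os
import posixpath
import tempfile
import zipfile

ALLOWED_EXT = {".sql", ".json", ".csv", ".txt", ".png", ".jpg"}


def build_sample_backup() -> bytes:
    """Constructed archive mixing legitimate entries with the attack entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("backup/people.sql", "INSERT INTO person VALUES (1, 'A');")
        z.writestr("backup/photo.png", b"\x89PNG")
        z.writestr("backup/shell.php", "<?php system($_GET['c']); ?>")      # RCE if restored under the web root
        z.writestr("backup/x.PHP", "<?php ?>")                                # case variant of the same thing
        z.writestr("../../var/www/html/evil.php", "<?php ?>")                 # Zip Slip traversal
    return buf.getvalue()


def classify_entries(zip_bytes: bytes, dest: str):
    """Split entries into (accepted, rejected) where rejected is [(name, reason)]."""
    dest_real = os.path.realpath(dest)
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if name.endswith("/"):
                continue                                  # directories are created on demand
            if posixpath.isabs(name) or "\\" in name or "\0" in name:
                rejected.append((name, "absolute or malformed path"))
                continue
            # Resolve where the entry would land and require it to stay inside dest.
            target = os.path.realpath(os.path.join(dest_real, *name.split("/")))
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append((name, "path traversal"))
                continue
            ext = posixpath.splitext(name)[1].lower()
            if ext not in ALLOWED_EXT:
                rejected.append((name, f"extension {ext or '(none)'} not allowed"))
                continue
            accepted.append(name)
    return accepted, rejected


def safe_restore(zip_bytes: bytes, dest: str):
    """Write only the accepted entries; return (accepted, rejected)."""
    accepted, rejected = classify_entries(zip_bytes, dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for name in accepted:
            target = os.path.join(dest, *name.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with z.open(name) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return accepted, rejected


def demo():
    """Restore the constructed archive into a scratch directory and report what landed."""
    dest = tempfile.mkdtemp()
    accepted, rejected = safe_restore(build_sample_backup(), dest)
    written = sorted(os.path.relpath(os.path.join(root, f), dest)
                     for root, _, files in os.walk(dest) for f in files)
    return accepted, [name for name, _ in rejected], written
```

The containment check uses the resolved real path rather than a string prefix test, so a `..` component, an absolute name, or a symlink already present in the destination all fail the same way. The extension allow-list is lowercased before comparison, which is what the `.PHP` entry is there to exercise; restoring outside the web root entirely is the stronger fix and the allow-list is defence in depth.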
SecureDrop Client vulnerable to code execution if server is compromised due to improper filename sanitization. Affects journalist workstation security model.
DNN CMS allows authenticated users to upload malicious SVG files containing scripts, affecting both authenticated and unauthenticated users when accessed.
Multiple H3C Magic router models (B1, B0) affected by remote buffer overflow vulnerabilities in SetAPWifiorLedInfoById and Edit_BasicSSID functions (CVE-2026-6563, CVE-2026-6560). CVSS 8.8.
Multiple applications affected: SQL injection in muucmf search function (CVE-2026-6562), hard-coded credentials in LightPicture API (CVE-2026-6574), and improper authentication in KodExplorer fileGet endpoint (CVE-2026-6569).
Easy Appointments plugin exposes sensitive appointment data via unauthenticated REST API endpoint due to misconfigured permission callback (CVSS 7.5).