Weekly Threat Roundup: 10 Critical CVEs & Two Major Breaches (Apr 20-26)

This Week at a Glance

This week saw 10 critical-severity vulnerabilities disclosed, including unauthenticated RCE in Paperclip and Microsoft Bing. CISA added 12 exploited flaws to its KEV catalog with federal deadlines through May 2026. Carnival and Udemy reported major data breaches, while the Qilin ransomware group claimed three new victims.

Top Vulnerabilities

• CVE-2026-41679 (CVSS 10.0): Unauthenticated remote code execution in Paperclip, a Node.js AI agent orchestration platform. Full advisory
• CVE-2026-33819 (CVSS 10.0): Unauthenticated RCE via deserialization in Microsoft Bing. Full advisory
• CVE-2026-35431 (CVSS 10.0): SSRF in Microsoft Entra ID Entitlement Management enabling spoofing. Full advisory
• CVE-2026-40911 (CVSS 10.0): Unauthenticated XSS in WWBN AVideo’s WebSocket server allowing takeover. Full advisory
• CVE-2026-40906 (CVSS 9.9): SQL injection in ElectricSQL’s /v1/shape API that can destroy databases. Full advisory
• CVE-2026-21515 (CVSS 9.9): Sensitive information exposure in Azure IoT Central enabling privilege escalation. Full advisory
• CVE-2026-40470 (CVSS 9.9): XSS in hackage-server and hackage.haskell.org hijacking user sessions. Full advisory
• CVE-2026-32613 (CVSS 9.9): RCE via unrestricted Java classes in Spinnaker Echo. Full advisory
• CVE-2026-41228 (CVSS 9.9): RCE via path traversal in Froxlor API. Full advisory
• CVE-2026-6911 (CVSS 9.8): Missing JWT signature validation in AWS Ops Wheel allowing admin access. Full advisory

Data Breaches

• Carnival: 7.5 million loyalty program accounts exposed. Full report
• Udemy: 1.4 million records leaked, including emails and payout data. Full report

Threat Intelligence

• CISA KEV: Added 12 exploited flaws with deadlines in April and May 2026 for federal agencies. Details and additional flaws
• Vercel Breach: OAuth supply chain attack through Context.ai tool. Full report
• FIRESTARTER Malware: Targets Cisco ASA/Firepower devices; survived patching on a federal device. Report and survival detail
• Qilin Ransomware: Claimed attacks on Travel Expert, Chelten House, and Buckley Powder (undisclosed records). Travel Expert, Chelten House, Buckley Powder

Key Takeaway

The FIRESTARTER malware surviving a security patch on a federal Cisco Firepower device signals that attackers are increasingly targeting firmware-level persistence. Security teams should verify patching effectiveness with independent scanning tools rather than relying solely on vendor updates for network appliances.