Vulnerability Report - April 2026
Introduction
This vulnerability report has been generated with the help of AI, using the VulnMCP tooling on top of Vulnerability-Lookup, with contributions from the platform’s community.
It highlights the most frequently mentioned vulnerabilities for April 2026, based on data aggregated from Vulnerability-Lookup, the CISA Known Exploited Vulnerabilities catalog, the CIRCL KEV catalog, the ENISA EUVD feed, and contributor comments and bundles. Sightings come from MISP, Exploit-DB, Bluesky, Mastodon, Telegram, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.
The Month at a Glance
April 2026 was dominated by a Linux kernel crypto subsystem flaw, CVE-2026-31431 (“Copy Fail”), an algif_aead in-place operation regression that drew 279 sightings – by far the highest activity of the month. Local privilege escalation against shared multi-user Linux hosts and container infrastructure (including Microsoft WSL) was confirmed in the wild, and CISA added the entry to its KEV catalog on May 1.
Edge-security appliances and developer tooling shaped the rest of the top ranking. Fortinet FortiClient EMS (improper access control, CVSS 9.1) was added to both the CISA and CIRCL KEV catalogs on April 6, and a related FortiClient EMS SQLi – CVE-2026-21643 – was KEV-listed on April 13. Adobe Acrobat Reader prototype-pollution CVE-2026-34621 and GitHub Enterprise Server git-push option injection CVE-2026-3854 both crossed 140 sightings, while Apache ActiveMQ CVE-2026-34197 (Jolokia/Spring code injection) followed closely.
A burst of “AI-stack” exposure also marked the month: marimo (pre-auth RCE via an unauthenticated terminal WebSocket) was added to KEV on April 23, and Meta React Server Components CVE-2025-55182 (KEV since December 2025, known ransomware use) continued to rack up sightings as scanning persisted.
The end of the month brought a critical hosting-stack incident: WebPros cPanel & WHM CVE-2026-41940, an authentication bypass in the login flow (CVSS 9.8), was disclosed on April 28-29 and added to CISA KEV on April 30 with a 3-day remediation deadline.
The CISA Known Exploited Vulnerabilities catalog added 30 entries during April. Highlights:
- CVE-2026-41940: WebPros cPanel & WHM authentication bypass
- CVE-2026-39987: marimo pre-auth RCE
- CVE-2026-34197: Apache ActiveMQ code injection via Jolokia
- CVE-2026-35616: Fortinet FortiClient EMS improper access control
- CVE-2026-34621: Adobe Acrobat & Reader prototype pollution
- CVE-2026-1340: Ivanti Endpoint Manager Mobile (EPMM) RCE
- CVE-2026-32201: Microsoft SharePoint Server spoofing
- CVE-2026-3502: TrueConf Client update integrity bypass
- CVE-2026-5281: Google Chrome / Dawn use-after-free
CISA also re-anchored attention on long-standing exploited issues – ConnectWise ScreenConnect (CVE-2024-1708), SimpleHelp (CVE-2024-57726, CVE-2024-57728), Samsung MagicINFO (CVE-2024-7399), JetBrains TeamCity (CVE-2024-27199), PaperCut NG (CVE-2023-27351), Microsoft Exchange (CVE-2023-21529) and even legacy Microsoft Office issues from 2009/2012 (CVE-2009-0238, CVE-2012-1854).
The CIRCL Known Exploited Vulnerabilities catalog added one entry: CVE-2026-35616 (Fortinet FortiClient EMS), confirmed via incident-response evidence. The ENISA EUVD KEV catalog had no new entries in April.
Contributor activity in April focused on operational mitigations for the Linux kernel “Copy Fail” issue, with practical SELinux, systemd RestrictAddressFamilies, and initcall_blacklist recipes shared by community members.
Top 10 vulnerabilities of the Month
| Vulnerability | Sighting Count | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-31431 | 279 | Linux | Kernel (algif_aead) | High (confidence: 0.9482) |
| CVE-2026-34621 | 147 | Adobe | Acrobat Reader | High (confidence: 0.997) |
| CVE-2026-35616 | 142 | Fortinet | FortiClient EMS | Critical (confidence: 0.9572) |
| CVE-2026-3854 | 142 | GitHub | Enterprise Server | Critical (confidence: 0.8704) |
| CVE-2026-34197 | 138 | Apache | ActiveMQ | Critical (confidence: 0.6661) |
| CVE-2025-55182 | 111 | Meta | React Server Components | Critical (confidence: 0.9934) |
| CVE-2026-5281 | 104 | Chrome (Dawn) | High (confidence: 0.9874) | |
| CVE-2026-39987 | 96 | marimo-team | marimo | Critical (confidence: 0.9856) |
| CVE-2026-41940 | 92 | WebPros | cPanel & WHM | Critical (confidence: 0.8211) |
| CVE-2026-32201 | 91 | Microsoft | SharePoint Server | High (confidence: 0.5863) |
Known Exploited Vulnerabilities
New entries have been added to major Known Exploited Vulnerabilities catalogs.
CISA
More KEV entries from the CISA Catalog.
CIRCL
| Vulnerability ID | Date Added | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-35616 | 2026-04-06 | Fortinet | FortiClient EMS | Critical (confidence: 0.9572) |
More KEV entries from the CIRCL Catalog.
ENISA (EUVD)
No new entry in April.
More KEV entries from the ENISA Catalog.
Insights from Contributors
Community members focused on operational mitigations for the Linux kernel “Copy Fail” issue, sharing concrete defensive recipes:
- Quick remediation for CVE-2026-31431 (algif_aead “Copy Fail”) – unloading the
algif_aeadkernel module, blacklisting viamodprobe.d, andinitcall_blacklist=algif_aead_initfor kernels with the module compiled in. - Microsoft WSL is also vulnerable to CVE-2026-31431 – pointer to the Microsoft WSL issue tracker confirming impact on Windows hosts running WSL.
- Deny alg_socket to Containers with SELinux to Mitigate CVE-2026-31431 – end-to-end SELinux deny-rule walk-through plus
systemd-run -p RestrictAddressFamilies=~AF_ALGandSystemCallArchitectures=nativemitigations for non-container services.
The recurring theme across these contributions: AF_ALG / algif_aead is rarely needed by user workloads, so disabling it at the kernel, container-runtime, or systemd-unit boundary is a pragmatic mitigation while distributions roll out the corrected kernel patches.
Thank you
Thank you to all the contributors and our diverse sources!
If you want to contribute to the next report, you can create your account.
Feedback and Support
If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Funding
The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.
The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.