⚠️ CISA added 6 flaws to its KEV list after active exploitation.

A Fortinet bug (9.1) allows unauthenticated remote code execution, while an Exchange flaw is being used to deploy Medusa ransomware.

Federal agencies must patch by April 27.

🔗 Read → https://thehackernews.com/2026/04/cisa-adds-6-known-exploited-flaws-in.html

🚨 A ShowDoc flaw (CVSS 9.4) is now under active exploitation.

CVE-2025-0520 lets attackers upload web shells via unauthenticated file upload → full server control. First attacks seen via a U.S. honeypot; ~2,000 instances remain exposed, mostly in China.

🔗 Details → https://thehackernews.com/2026/04/showdoc-rce-flaw-cve-2025-0520-actively.html

🛑 108 Chrome extensions with 20,000 installs were tied to one backend stealing user data.

They captured Google accounts, hijacked Telegram sessions, and injected scripts into every page—while posing as games and utilities.

🔗Read → https://thehackernews.com/2026/04/108-malicious-chrome-extensions-steal.html

Android trojan Mirax is spreading via Meta ads, hitting 220K+ accounts with fake streaming apps.

It gives attackers full device control and turns phones into proxy nodes to mask fraud using real IPs.

🔗 How RAT + proxy is reshaping mobile attacks → https://thehackernews.com/2026/04/mirax-android-rat-turns-devices-into.html

MFA protects login. Not the session.

As Alicia Townsend explains, session cookies become the real credential after authentication. If stolen, attackers get access with no password, no MFA, no alerts.

🔗 How session hijacking bypasses MFA → https://thehackernews.com/expert-insights/2026/04/session-cookie-theft-you-showed-your-id.html

Effective DDoS testing requires more than generating traffic.

It requires:
🔶 Precise attack modeling
🔶 Deep understanding of mitigation layers
🔶 Controlled execution against production-like environments

Otherwise, you’re measuring system behavior—not resilience to real world attacks.

Here’s how the main DDoS testing approaches stack up in 2026: https://thn.news/ddos-automation-testing

Security alerts rose 52%, but critical risk jumped ~400%.

OX Security shows AI-driven development is scaling high-impact flaws faster than teams can fix them, while business context now outweighs CVSS in real risk.

🔗 Read → https://thehackernews.com/2026/04/analysis-of-216m-security-findings.html

🔥 Google put Rust in Pixel 10’s modem DNS parser, cutting off a major class of memory bugs.

DNS powers core cellular functions, and unsafe parsing has enabled exploits like buffer overflows. This move reduces attack surface at one of the most exposed layers.

🔗 Read → https://thehackernews.com/2026/04/google-adds-rust-based-dns-parser-into.html

2026 Gartner® Magic Quadrant™ for Third-Party Risk Management Tools for Assurance Leaders

As organizations grow increasingly reliant on third parties and their technologies, the range of associated risks expands as well. Third-party risk is a slippery slope, which is why it’s even more important to have a trusted solution that best supports your team.

✨ Optro has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Third-Party Risk Management for Assurance Leaders!

Download your complimentary copy for unbiased recommendations and in-depth analyses of TPRM software: https://thn.news/2026-tprm-magic-quadrant

⚡ U.K. moves to jail tech execs over failure to remove non-consensual intimate images.

New bill amendments also criminalize incest porn and adults roleplaying as children, expanding platform liability.

🔗 What the law changes for platforms and execs → https://thehackernews.com/2026/04/weekly-recap-fiber-optic-spying-windows.html#:~:text=U.K.%20Government%20Threatens%20Tech%20Execs%20with%20Jail%20Time

A new ad fraud campaign used AI-written news to enter Google Discover and trick users.

Pushpaganda drove 240M ad requests in a week by forcing notification opt-ins, then pushing scam alerts and redirecting to ad sites.

🔗 Read → https://thehackernews.com/2026/04/ai-driven-pushpaganda-scam-exploits.html

⚠️ ALERT - Composer disclosed two command injection flaws (CVE-2026-40176 and CVE-2026-40261) with up to CVSS 8.8 severity.

Malicious composer.json or crafted source refs can execute arbitrary commands—even without Perforce installed. Affects multiple 2.x versions; patches released and metadata disabled as a precaution.

🔗 Read → https://thehackernews.com/2026/04/new-php-composer-flaws-enable-arbitrary.html

🔥 OpenAI launched GPT-5.4-Cyber, a model built for security teams to find and fix bugs faster.

3,000+ vulnerabilities already fixed using its Codex Security tools, with access expanding to thousands of defenders.

But the same AI can be misused to find exploits.

🔗 Read → https://thehackernews.com/2026/04/openai-launches-gpt-54-cyber-with.html

⚡ Microsoft patched 169 vulnerabilities, including an actively exploited SharePoint zero-day.

It lets attackers spoof trusted content. 93 flaws are privilege escalation, and a critical IKEv2 bug (CVSS 9.8) enables remote code execution with no user action.

🔗 Full Patch Tuesday risks and fixes → https://thehackernews.com/2026/04/microsoft-issues-patches-for-sharepoint.html