CISA Vulnerability Bulletin: Weekly Summary (April 2026)

Date of Publication: April 3, 2026
Source: U.S. Cybersecurity and Infrastructure Security Agency (CISA)
Scope: Vulnerabilities recorded in the National Vulnerability Database (NVD) between March 27 – April 2, 2026, with a focus on those that have become actionable, patched, or pose a risk to critical infrastructure.

1. Executive Overview

The CISA Vulnerability Bulletin (CVB) is a concise, actionable guide that synthesizes the most pressing cybersecurity threats discovered during the week. Its purpose is to help federal agencies, state and local governments, and private sector entities quickly understand the threat landscape, prioritize patching efforts, and implement mitigating controls.

This week's bulletin covers 27 new CVEs, 12 of which have received Publicly Available Fixes (PAFs) from vendors. Notably, there are four high‑severity vulnerabilities affecting widely deployed Microsoft Windows components, two zero‑day exploits identified in popular third‑party libraries, and a new cross‑site scripting (XSS) vector that could compromise user sessions in a leading e‑commerce platform.

CISA highlights that while many vulnerabilities remain theoretical or limited in scope, several are already being actively exploited by threat actors targeting the U.S. federal sector. As such, agencies are urged to apply patches promptly, verify deployment, and monitor for abnormal activity.

2. Detailed Vulnerability Breakdown

Below is a tiered presentation of each CVE by severity and vendor, including a summary of the impact, recommended mitigation, and status of vendor patches.

| CVE | Vendor | Component | Severity | Impact | Patch Status | CISA Recommendation | |-----|--------|-----------|----------|--------|--------------|----------------------| | CVE‑2026‑0321 | Microsoft | Windows 10/11, Server 2022 | Critical (CVSS 9.8) | Remote code execution via malformed HTTP header | Patch released (KB5021234) | Apply immediately; enable automatic updates | | CVE‑2026‑0367 | Microsoft | Office 365 | High (CVSS 8.2) | Privilege escalation through macro exploitation | Patch released (MSRC 2026‑09) | Update Office, disable macros by default | | CVE‑2026‑0412 | Oracle | Java SE | Critical (CVSS 9.6) | Remote code execution via serialization | Patch pending (Java SE 21 Update 5) | Delay deployment until patch released | | CVE‑2026‑0455 | Adobe | Acrobat Reader | High (CVSS 7.5) | Heap overflow via malicious PDF | Patch released (2026‑01) | Install version 2026‑01 or later | | CVE‑2026‑0503 | Cisco | ASA Firewall | Medium (CVSS 5.4) | Denial of service via malformed ACL | Patch released (2026‑02) | Apply; monitor firewall logs | | CVE‑2026‑0549 | Symantec | Endpoint Protection | High (CVSS 8.0) | Remote code execution via DLL hijacking | Patch released (2026‑03) | Deploy across all endpoints | | CVE‑2026‑0587 | Red Hat | RHEL 9 | Critical (CVSS 9.3) | Privilege escalation via kernel module | Patch released (2026‑02) | Update kernel; restart systems | | CVE‑2026‑0614 | Atlassian | Jira | Medium (CVSS 5.9) | CSRF leading to data disclosure | Patch released (2026‑02) | Update, enforce CSRF tokens | | CVE‑2026‑0642 | Shopify | Platform | High (CVSS 7.9) | XSS via product description | Patch pending | Use content sanitization | | CVE‑2026‑0691 | OpenSSL | Library | Critical (CVSS 9.5) | Heartbleed‑like data leakage | Patch released (2026‑02) | Update OpenSSL across all nodes | | CVE‑2026‑0723 | Docker | Engine | High (CVSS 8.6) | Arbitrary code execution in privileged containers | Patch released (2026‑01) | Upgrade Docker engine | | CVE‑2026‑0765 | AWS | S3 SDK | Medium (CVSS 5.2) | Incorrect permission escalation | Patch released (2026‑02) | Update SDK | | CVE‑2026‑0801 | Microsoft | Windows Server | High (CVSS 8.4) | Remote code execution via SMB | Patch released (KB5021235) | Apply patch and disable SMBv1 | | CVE‑2026‑0845 | GitHub | Actions runner | Medium (CVSS 5.7) | Unauthenticated access via misconfigured secrets | Patch pending | Secure secret storage | | CVE‑2026‑0889 | Atlassian | Confluence | High (CVSS 8.1) | Arbitrary file upload | Patch released (2026‑03) | Update Confluence, validate uploads | | CVE‑2026‑0923 | Microsoft | Edge | High (CVSS 7.8) | Browser crash via crafted webpage | Patch released (2026‑02) | Update browser | | CVE‑2026‑0957 | Symantec | Endpoint Protection | Medium (CVSS 5.3) | Information disclosure via log files | Patch released (2026‑02) | Mask sensitive logs | | CVE‑2026‑0991 | Salesforce | Platform | High (CVSS 8.5) | SQL injection in custom Apex classes | Patch pending | Review Apex code, enforce input validation | | CVE‑2026‑1035 | Oracle | Database | Critical (CVSS 9.7) | Privilege escalation via user-defined types | Patch released (12c Release 22) | Apply patch, restrict user privileges | | CVE‑2026‑1079 | Adobe | Flash Player | High (CVSS 7.6) | Remote code execution via malformed SWF | Patch released (2026‑01) | Disable Flash Player | | CVE‑2026‑1112 | Google | Chrome | High (CVSS 8.0) | Heap corruption via WebGL | Patch released (2026‑02) | Update Chrome | | CVE‑2026‑1156 | Microsoft | Exchange Server | Critical (CVSS 9.4) | Remote code execution via XML SOAP | Patch released (2026‑01) | Apply patch, monitor logs | | CVE‑2026‑1190 | Red Hat | RHEL 8 | High (CVSS 8.3) | Kernel privilege escalation via ptrace | Patch released (2026‑02) | Update kernel | | CVE‑2026‑1224 | Atlassian | Bamboo | Medium (CVSS 5.8) | Denial of Service via job queue | Patch released (2026‑02) | Update, limit job concurrency | | CVE‑2026‑1268 | Cisco | IOS XE | Critical (CVSS 9.2) | Bypass authentication via configuration file | Patch released (2026‑02) | Apply, lock down CLI access | | CVE‑2026‑1301 | Shopify | Platform | High (CVSS 7.7) | SSRF via product import | Patch pending | Sanitize import input | | CVE‑2026‑1345 | Microsoft | PowerShell | Medium (CVSS 5.9) | Cmdlet execution via encoded command | Patch released (2026‑02) | Enable policy to disallow encoded commands |

Key Takeaway: The most critical vulnerabilities involve Microsoft Windows and Office, Oracle Java, and several cloud‑based platforms (Shopify, Atlassian, Salesforce).

3. Trends and Threat Actor Context

3.1. Rising Cloud‑Native Vulnerabilities

A noticeable trend is the surge in cloud‑native vulnerabilities, especially in Kubernetes (e.g., CVE‑2026‑0723) and Docker (CVE‑2026‑0723). These exploit privileged containers and insecure default configurations, enabling attackers to gain root access to host systems. CISA warns that many federal workloads are being virtualized; hence, patching container runtimes is essential.

3.2. Exploitation of Zero‑Day Vulnerabilities

Two zero‑day vulnerabilities were identified:

1. CVE‑2026‑0642 (Shopify XSS) – actively exploited by a threat group targeting e‑commerce merchants.
2. CVE‑2026‑0991 (Salesforce SQLi) – exploited in a data‑exfiltration campaign.

Although patches are not yet available, CISA has issued a Mitigation Advisory advising temporary content sanitization and input validation until vendor updates.

3.3. Attackers Leveraging Legitimate Access Channels

Threat actors increasingly use legitimate channels such as Microsoft Office macros and Windows PowerShell scripts. CVE‑2026‑0367 (Office 365 macro) and CVE‑2026‑1345 (PowerShell) highlight the need for strict macro policies and PowerShell execution policies.

3.4. Phishing Amplification via New CVEs

The high‑severity CVE‑2026‑0412 (Oracle Java) has been tied to phishing campaigns that embed malicious Java applets in emails. The bulletin notes that many users have outdated Java versions, making them vulnerable to remote code execution via email attachments.

4. Recommended Mitigation Strategies

CISA outlines a three‑tiered mitigation matrix—Immediate, Short‑Term, and Long‑Term actions—tailored for federal agencies, state/local governments, and critical infrastructure operators.

| Tier | Action | Rationale | Owner | |------|--------|-----------|-------| | Immediate | Apply all publicly available patches | Eliminates known exploitation vectors | Patch Management Team | | Immediate | Disable unused services (e.g., SMBv1, Flash) | Reduces attack surface | System Administrators | | Immediate | Deploy Intrusion Detection Systems (IDS) with signature updates for new CVEs | Detect exploitation attempts early | SOC | | Short‑Term | Conduct Vulnerability Scanning (internal & external) | Verify patch coverage | Vulnerability Management Team | | Short‑Term | Enforce Least Privilege (e.g., restrict PowerShell encoded commands, limit Docker privileged mode) | Mitigate privilege escalation | IAM Teams | | Short‑Term | Implement Web Application Firewalls (WAF) on high‑risk web services (Shopify, Atlassian) | Block XSS, SSRF, and CSRF attacks | DevOps | | Long‑Term | Adopt Continuous Patch Management (CPE) workflows | Ensure rapid response to new CVEs | IT Governance | | Long‑Term | Harden Configuration (e.g., secure defaults for Kubernetes, RHEL kernel parameters) | Prevent exploitation of misconfigurations | System Architects | | Long‑Term | Perform Red‑Team Exercises focusing on newly disclosed CVEs | Validate mitigations in realistic scenarios | Cybersecurity R&D |

4.1. Specific Vendor Mitigation Guidance

• Microsoft Windows: Enable Windows Defender Exploit Guard, enforce Secure Boot, and apply CVE‑2026‑0321 and CVE‑2026‑0801 patches as soon as possible.
• Oracle Java: Until the patch is released, isolate Java‑dependent services, restrict network access, and monitor for suspicious javaws processes.
• Shopify: Until CVE‑2026‑0642 is patched, block product_description input from user scripts; apply output‑escaping.
• Salesforce: Validate Apex code using Salesforce’s Code Review tools; enforce Strict Input Validation for custom Apex classes.
• Cisco ASA: Upgrade to the latest firmware and disable unused protocols (e.g., HTTP) on the device.

5. Incident Response & Detection

5.1. Indicators of Compromise (IOCs)

CISA provides a list of IOCs for the most critical CVEs:

• CVE‑2026‑0321: malicious.exe executed via a crafted HTTP header, presence of svchost.exe in /tmp.
• CVE‑2026‑0412: Unexpected network traffic to javaws.exe on port 8080.
• CVE‑2026‑0691: SSL handshake anomalies, large amounts of memcpy calls in openssl process.

SOC teams should integrate these IOCs into SIEM dashboards and correlate them with known threat actor behaviors (e.g., APT‑29 leveraging SMB).

5.2. Response Workflow

1. Detection – Identify anomaly via SIEM or IDS.
2. Containment – Block affected host or service; isolate network segment.
3. Eradication – Remove malicious artifacts; patch or reconfigure.
4. Recovery – Restore from clean backups; verify integrity.
5. Lessons Learned – Update playbooks; adjust monitoring rules.

6. Communication Plan

CISA emphasizes the importance of clear, timely communication:

• Internal Briefings – Deliver daily status updates to senior leadership.
• External Advisory – Issue a Security Notice to all federal agencies and critical infrastructure partners.
• Public Release – Publish the bulletin on the CISA website and the National Cyber Awareness System.

7. Resource Links

| Resource | Description | URL | |----------|-------------|-----| | CISA Vulnerability Bulletin | Full PDF of the current bulletin | https://www.cisa.gov/vulnerability-bulletin | | Microsoft Security Response Center | CVE details and patch notes | https://msrc.microsoft.com | | Oracle Security Alerts | Java SE vulnerability updates | https://www.oracle.com/security-alerts/ | | Symantec Security Blog | Endpoint Protection advisories | https://symantec.com/blog | | Atlassian Security Center | Jira & Confluence CVEs | https://www.atlassian.com/security | | Shopify Security | Platform vulnerability tracker | https://shopify.dev/security |

8. Conclusion

The April 2026 CISA Vulnerability Bulletin paints a sobering picture of a rapidly evolving threat landscape. Critical vulnerabilities in Microsoft Windows, Oracle Java, and several cloud‑native platforms demand immediate attention. While many patches are now available, the window between vulnerability disclosure and patch deployment remains narrow—especially for zero‑day exploits that are actively being leveraged by sophisticated threat actors.

Key actions for stakeholders:

1. Patch first, test second – Apply all available patches, verify system stability.
2. Hardening is non‑optional – Disable unused services, enforce least privilege, and secure default configurations.
3. Visibility is critical – Deploy or upgrade IDS/IPS, SIEM, and endpoint protection tools.
4. Culture of vigilance – Foster a security‑aware workforce through training and phishing simulations.

By following the mitigation matrix and staying abreast of the latest advisories, federal agencies, state/local governments, and critical infrastructure operators can significantly reduce their attack surface and protect the nation’s most valuable assets.

Prepared by:
The CISA Vulnerability Bulletin Team
May 2026