
The Most Important Vulnerabilities from April 20-25, 2026

Late April was packed for security teams.

Between April 20 and April 25, 2026, we saw critical vulnerabilities hit cloud platforms, browsers, infrastructure tools, backend frameworks, sandbox environments, and operating systems. Some required immediate patching. Others were hosted-service issues where customers needed to review exposure and permissions rather than install updates.

What stood out wasn't a single headline-grabbing zero-day. It was how many different layers of modern infrastructure were affected at once.

From backup tools to browsers to cloud platforms, here's what mattered most.

1. Rclone: unauthenticated remote code execution risks

Two critical vulnerabilities were disclosed in Rclone's Remote Control interface. Rclone is widely used for backups, cloud migrations, automation workflows, NAS systems, media servers, and self-hosted infrastructure, making these especially important to act on quickly.

CVE-2026-41176

This affects versions 1.45.0 through 1.73.4. The vulnerable options/set endpoint allows runtime configuration changes. Attackers could disable authorization protections for administrative functions by setting rc.NoAuth=true, potentially exposing sensitive operational controls.

CVE-2026-41179

This affects versions 1.48.0 through 1.73.4. The vulnerable operations/fsinfo endpoint accepts attacker-controlled input. Because Rclone supports inline backend definitions, attackers can create malicious backends. For WebDAV backends, bearer_token_command may execute local commands during initialization, making this the more dangerous of the two issues with a direct path to remote code execution.

Fix: Upgrade to Rclone 1.73.5 or later. The biggest risk is exposed RC deployments without proper authentication.
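A small triage helper for the two advisories above, added here as an example (not rclone project code): it maps an installed rclone version onto the affected ranges stated in the advisories, and flags RC requests that match the two patterns (an options/set call touching rc.NoAuth, and an operations/fsinfo call handed an inline WebDAV backend carrying bearer_token_command). The JSON "log" is constructed for illustration and does not reproduce rclone's own log format.

```python
import json
from typing import Dict, List, Tuple

# Affected version ranges (inclusive) as stated in the two advisories above.
AFFECTED = {
    "CVE-2026-41176": ((1, 45, 0), (1, 73, 4)),  # options/set -> rc.NoAuth
    "CVE-2026-41179": ((1, 48, 0), (1, 73, 4)),  # operations/fsinfo inline backend
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v1.73.4' or '1.73.4' into a comparable 3-tuple."""
    parts = v.strip().lstrip("v").split(".")
    parts += ["0"] * (3 - len(parts))
    return tuple(int(p) for p in parts[:3])

def affected_cves(version: str) -> List[str]:
    """Advisory IDs whose affected range contains this rclone version."""
    v = parse_version(version)
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= v <= hi]

def flag_rc_request(entry: Dict) -> List[str]:
    """Match one RC request (endpoint path + decoded JSON params) against the
    options/set + rc.NoAuth pattern (CVE-2026-41176) and the operations/fsinfo
    + inline WebDAV backend with bearer_token_command pattern (CVE-2026-41179)."""
    path, params = entry.get("path", ""), entry.get("params", {})
    hits = []
    if path == "options/set" and "NoAuth" in params.get("rc", {}):
        hits.append("CVE-2026-41176")
    fs = str(params.get("fs", ""))
    if path == "operations/fsinfo" and fs.startswith(":webdav") and "bearer_token_command" in fs:
        hits.append("CVE-2026-41179")
    return hits

# Constructed sample: RC requests as a reverse proxy in front of rclone might
# record them (one JSON object per line; not rclone's own log format).
SAMPLE_LOG = [
    '{"path": "core/version", "params": {}}',
    '{"path": "options/set", "params": {"rc": {"NoAuth": true}}}',
    '{"path": "operations/fsinfo", "params": {"fs": ":webdav,url=http://127.0.0.1:8080,bearer_token_command=PLACEHOLDER:", "remote": ""}}',
    '{"path": "operations/fsinfo", "params": {"fs": "backup:", "remote": "docs"}}',
]

def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line_number, matched_advisories) for each suspicious request."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = flag_rc_request(json.loads(line))
        if hits:
            findings.append((n, hits))
    return findings
```

Run `affected_cves("1.73.4")` against the output of `rclone version` to see which advisories apply, and `scan_log(...)` over your own proxy records to spot the two request patterns.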

2. ASP.NET Core cryptographic signature flaw

CVE-2026-40372

Microsoft disclosed a critical issue in ASP.NET Core involving improper verification of cryptographic signatures. This could allow an attacker to elevate privileges over a network. Microsoft rated it 9.1 critical.

Affected versions: Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6. Fixed in version 10.0.7. This is particularly important for applications using authentication workflows, session protection, or token validation.

3. Terrarium sandbox escape

CVE-2026-5752

Terrarium disclosed a critical sandbox escape vulnerability. The flaw allows arbitrary code execution with root privileges through JavaScript prototype chain traversal. CISA rated it 9.3 critical.

This is especially dangerous for environments that rely on sandboxing to safely execute untrusted JavaScript. Once that boundary breaks, attackers may gain direct access to the host.

4. Google Chrome fixes 19 vulnerabilities

Google Chrome released major updates across platforms:

  • 147.0.7727.116/117 for Windows and macOS
  • 147.0.7727.116 for Linux
  • 147.0.7727.111 for Android
  • 148.0.7778.47 for iOS

Google fixed 19 vulnerabilities in total. Publicly disclosed issues included:

Google said none were actively exploited, but browser patching should still move quickly.

5. Mozilla Firefox and Thunderbird updates

Mozilla released multiple advisories on April 21 covering Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. See Mozilla's security advisories for full details.

Browsers and email clients remain one of the easiest entry points for attackers because they sit directly in front of users.

6. Microsoft Purview SSRF issue

CVE-2026-26150

Microsoft Purview was impacted by a server-side request forgery vulnerability. The issue could allow an unauthorized attacker to elevate privileges over a network. This appears to be a hosted-service issue, meaning Microsoft handles remediation on the backend. Organizations should still review permissions and monitor logs.

7. Microsoft Partner Center privilege escalation

CVE-2026-24303

Microsoft Partner Center was affected by improper access control. Microsoft rated this issue 9.6 critical. The flaw could allow an authorized attacker to elevate privileges over a network. This also appears to be service-side, so customers should focus on access reviews and account monitoring.

8. Oracle April Critical Patch Update

Oracle released its April 2026 Critical Patch Update, patching hundreds of vulnerabilities across MySQL, Fusion Middleware, Oracle Communications, E-Business Suite, and other enterprise platforms. Oracle systems are often deeply tied to business-critical infrastructure, which makes delayed patching risky.

We published a detailed breakdown of where risk is concentrated in this release, what to prioritize, and how to sequence patching across Oracle's product families: Oracle Critical Patch Update Advisory, April 2026: What Security Teams Should Actually Prioritize.

9. Operating system updates

Apple pushed updates across iOS, iPadOS, macOS, and watchOS addressing security vulnerabilities affecting both consumer and enterprise devices.

Microsoft Windows continued rolling out fixes tied to recent vulnerabilities and platform hardening. Organizations should ensure endpoints remain fully updated.

Enterprise Linux teams should also review vendor advisories from Red Hat, Canonical, and SUSE. Kernel updates and package fixes often arrive quietly but can still address serious vulnerabilities.

What stood out this period

A few patterns kept appearing across these disclosures.

Infrastructure tools are becoming bigger targets. Rclone looks harmless until attackers find exposed management interfaces. Tools designed for convenience often lack the security hardening that production-grade systems receive.

Trust failures remain dangerous. Terrarium and ASP.NET Core both highlight what happens when trust boundaries fail - whether that is a sandbox that cannot contain code execution or a cryptographic verification step that can be bypassed.

Endpoints still matter. Chrome, Firefox, Thunderbird, and operating systems remain frequent targets because they sit directly in front of users. Browser patches should not sit in a backlog.

Cloud security remains a shared responsibility. Purview and Partner Center show that even when vendors patch their own infrastructure, customers still need visibility into access patterns and privilege use.

What security teams should prioritize first

Focus effort in this order:

  1. Internet-facing Rclone deployments - patch immediately, or disable any RC interface that runs without authentication
  2. ASP.NET Core applications using affected DataProtection packages
  3. Terrarium environments running untrusted JavaScript
  4. Browser patch rollouts (Chrome and Firefox/Thunderbird)
  5. Operating system updates across endpoints and servers
  6. Oracle systems - see our full Oracle CPU breakdown for prioritization guidance
  7. Cloud admin reviews for Purview and Partner Center access patterns

Sources:

  • CVE-2026-41176
  • CVE-2026-41179
  • CVE-2026-40372
  • CVE-2026-5752
  • CVE-2026-6919
  • CVE-2026-6920
  • CVE-2026-6921
  • Mozilla Security Advisories
  • CVE-2026-26150
  • CVE-2026-24303