April 2026 CVE Landscape Reveals 37 High‑Impact Vulnerabilities Across 23 Vendors, 31 Actively Exploited
What Happened – Recorded Future’s Insikt Group identified 37 high‑impact CVEs in April 2026, 31 of which appear in CISA’s Known Exploited Vulnerabilities (KEV) catalog. Microsoft accounts for ~22 % of the exposure; the remainder spans security, collaboration, server, and remote‑support products.
Why It Matters for TPRM –
- A surge of actively‑exploited flaws raises the risk profile of third‑party software used across enterprises.
- Many of the vulnerable products are core to business operations (e.g., Microsoft Exchange, Windows Server, remote‑support tools).
- Failure to remediate these CVEs can lead to credential theft, ransomware, or data exfiltration via supply‑chain pathways.
Who Is Affected – Enterprises relying on Microsoft Office/Exchange/Windows Server, Adobe Acrobat, remote‑support platforms (ConnectWise, SimpleHelp), CI/CD tools (JetBrains TeamCity), network appliances (D‑Link, Samsung), and other SaaS/managed‑service vendors.
Recommended Actions –
- Prioritize patching of the 31 KEV‑listed CVEs within 48 hours where feasible.
- Validate that vendors have applied mitigations or provided compensating controls.
- Leverage Recorded Future’s Nuclei templates for the newly disclosed Nginx UI and Marimo authentication bugs.
- Update third‑party risk registers to reflect elevated exposure scores.
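The four actions above form one workflow: take the list of CVEs affecting third-party assets, check each against CISA's KEV catalog, put the KEV-listed ones on the 48-hour clock, and feed the resulting per-vendor exposure back into the risk register. The script below is an added example that implements that workflow in Python; it is not code from Recorded Future, CISA, or the brief. The KEV field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) follow CISA's published JSON feed, but the vendors, products, asset names and CVE IDs are constructed placeholders and do not correspond to the CVEs in this report. The 48-hour SLA is the one recommended above; CISA's own `dueDate` is kept as a backstop so a deadline never lands later than the catalog requires.

```python
"""Triage a third-party software inventory against the CISA KEV catalog.

Added example: not Recorded Future's, CISA's, or any vendor's code.
"""
from __future__ import annotations

import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# real feed; the vendors, products and CVE IDs are invented for this example and
# are not real vulnerabilities.
SAMPLE_KEV_JSON = json.dumps({
    "catalogVersion": "example",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-9999-0001", "vendorProject": "ExampleVendorA",
         "product": "Mail Server", "dateAdded": "2026-04-02",
         "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-9999-0002", "vendorProject": "ExampleVendorB",
         "product": "Remote Support", "dateAdded": "2026-04-10",
         "dueDate": "2026-05-01", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-9999-0003", "vendorProject": "ExampleVendorA",
         "product": "Office Suite", "dateAdded": "2026-04-15",
         "dueDate": "2026-05-06", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: CVEs a scanner or vendor advisory reports per asset.
# CVE-9999-0004 is deliberately absent from the KEV sample (not actively exploited).
SAMPLE_INVENTORY = [
    {"asset": "mail-01", "vendor": "ExampleVendorA", "cves": ["CVE-9999-0001"]},
    {"asset": "support-gw", "vendor": "ExampleVendorB",
     "cves": ["CVE-9999-0002", "CVE-9999-0004"]},
    {"asset": "desktop-fleet", "vendor": "ExampleVendorA", "cves": ["CVE-9999-0003"]},
]


def load_kev(raw_json: str) -> dict[str, dict]:
    """Index KEV entries by CVE ID for constant-time lookup."""
    feed = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def triage(inventory: list[dict], kev: dict[str, dict],
           now: datetime, sla_hours: int = 48) -> list[dict]:
    """Return one row per (asset, CVE), highest priority first.

    KEV-listed CVEs get priority P1 and a patch_by deadline of now + sla_hours,
    capped at CISA's dueDate. Everything else is P2 on the normal patch cycle.
    Within P1, CVEs with known ransomware use sort first.
    """
    rows = []
    for item in inventory:
        for cve in item["cves"]:
            entry = kev.get(cve)
            row = {"asset": item["asset"], "vendor": item["vendor"], "cve": cve}
            if entry is None:
                row.update(priority="P2", ransomware=False, patch_by=None)
            else:
                due = datetime.fromisoformat(entry["dueDate"]).replace(tzinfo=timezone.utc)
                row.update(
                    priority="P1",
                    ransomware=entry.get("knownRansomwareCampaignUse") == "Known",
                    patch_by=min(now + timedelta(hours=sla_hours), due),
                )
            rows.append(row)
    rows.sort(key=lambda r: (r["priority"], not r["ransomware"], r["cve"]))
    return rows


def kev_exposure_by_vendor(rows: list[dict]) -> dict[str, float]:
    """Share of KEV-listed findings per vendor, for the risk register."""
    counts = Counter(r["vendor"] for r in rows if r["priority"] == "P1")
    total = sum(counts.values())
    return {v: round(c / total, 3) for v, c in counts.items()} if total else {}


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    now = datetime(2026, 4, 20, 12, 0, tzinfo=timezone.utc)
    for r in triage(SAMPLE_INVENTORY, kev, now):
        print(f"{r['priority']} {r['cve']:<14} {r['asset']:<14} "
              f"ransomware={r['ransomware']!s:<5} patch_by={r['patch_by']}")
    print("KEV exposure share by vendor:", kev_exposure_by_vendor(triage(SAMPLE_INVENTORY, kev, now)))
```

In production the KEV feed would be fetched from CISA rather than embedded, and the inventory would come from the vulnerability scanner or the vendor-attestation step in the second action above; the triage and exposure logic stay the same.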
Technical Notes – The vulnerabilities include remote code execution (RCE), authentication bypass, and privilege‑escalation flaws. Several have public PoCs; six are only observable via honeypot data. No CVE‑specific CVSS scores are listed, but all received a “Very Critical” Recorded Future Risk Score (≥ 99).
Source: Recorded Future – April 2026 CVE Landscape