Thu, Apr 02 · 03:16 PM CDT · CVE-2026-32871
10.0/10 · Must read/watch · NVD · vuln
Summary
FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_
CVE: CVE-2026-32871
Severity: CRITICAL
Type: UPDATED
Published: Thu, Apr 02 · 03:16 PM CDT
Modified: Fri, Apr 10 · 03:58 PM CDT
Tue, Apr 07 · 06:16 PM CDT · CVE-2026-39337
10.0/10 · Must read/watch · NVD · vuln
Summary
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The "$dbPassword
CVE: CVE-2026-39337
Severity: CRITICAL
Type: UPDATED
Published: Tue, Apr 07 · 06:16 PM CDT
Modified: Fri, Apr 10 · 08:57 PM CDT
Tue, Apr 07 · 07:16 PM CDT · CVE-2026-39355
9.9/10 · Must read/watch · NVD · vuln
Summary
Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users’ team workspaces and unrestricted acces
CVE: CVE-2026-39355
Severity: CRITICAL
Type: UPDATED
Published: Tue, Apr 07 · 07:16 PM CDT
Modified: Fri, Apr 10 · 07:03 PM CDT
Tue, Apr 07 · 03:17 PM CDT · CVE-2026-20889
9.8/10 · Must read/watch · NVD · vuln
Summary
A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
CVE: CVE-2026-20889
Severity: CRITICAL
Type: UPDATED
Published: Tue, Apr 07 · 03:17 PM CDT
Modified: Fri, Apr 10 · 08:51 PM CDT
Tue, Apr 07 · 03:17 PM CDT · CVE-2026-20911
9.8/10 · Must read/watch · NVD · vuln
Summary
A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
CVE: CVE-2026-20911
Severity: CRITICAL
Type: UPDATED
Published: Tue, Apr 07 · 03:17 PM CDT
Modified: Fri, Apr 10 · 08:50 PM CDT
Tue, Apr 07 · 03:17 PM CDT · CVE-2026-21413
9.8/10 · Must read/watch · NVD · vuln
Summary
A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
CVE: CVE-2026-21413
Severity: CRITICAL
Type: UPDATED
Published: Tue, Apr 07 · 03:17 PM CDT
Modified: Fri, Apr 10 · 08:51 PM CDT
Mon, Apr 06 · 03:17 PM CDT · CVE-2026-31151
9.8/10 · Must read/watch · NVD · vuln
Summary
An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application's resources.
CVE: CVE-2026-31151
Severity: CRITICAL
Type: UPDATED
Published: Mon, Apr 06 · 03:17 PM CDT
Modified: Fri, Apr 10 · 06:02 PM CDT
Mon, Apr 06 · 06:16 PM CDT · CVE-2026-35047
9.8/10 · Must read/watch · NVD · vuln
Summary
Brave CMS is an open-source CMS. Prior to 2.0.6, an Unrestricted File Upload vulnerability in the CKEditor endpoint allows attackers to upload arbitrary files, including executable scripts. This may lead to Remote Code Execution (RCE) on the server, potentially resulting in full system compromise, data exfiltration, or
CVE: CVE-2026-35047
Severity: CRITICAL
Type: UPDATED
Published: Mon, Apr 06 · 06:16 PM CDT
Modified: Fri, Apr 10 · 06:30 PM CDT
Tue, Apr 07 · 05:16 PM CDT · CVE-2026-4631
9.8/10 · Must read/watch · NVD · vuln
Summary
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands,
CVE: CVE-2026-4631
Severity: CRITICAL
Type: UPDATED
Published: Tue, Apr 07 · 05:16 PM CDT
Modified: Fri, Apr 10 · 09:16 PM CDT
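The Cockpit entry describes two distinct sinks for an unvalidated hostname: a shell string (command chaining) and an argv slot that ssh parses as an option. The following is an added illustration, not Cockpit's code and not derived from the advisory; the regexes, option list and helper names are this example's own assumptions. It shows why shell quoting alone is not a fix: a quoted `-oProxyCommand=...` is still an option once ssh receives it, so the destination must be validated against an allow-list that cannot begin with `-`.

```python
import re
import shlex

# Constructed allow-lists for this example (not Cockpit's policy). A host is a
# DNS name or IPv4 literal: first character alphanumeric, so it can never be
# "-" and therefore can never be parsed as an ssh option. IPv6 literals are
# deliberately out of scope here.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def ssh_command_shell_unsafe(user: str, host: str) -> str:
    """Weak form 1: a shell string. host = 'h; id' chains a second command."""
    return f"ssh -l {user} {host}"


def ssh_command_shell_quoted(user: str, host: str) -> str:
    """Quoting stops command chaining but NOT option injection: shlex.quote
    leaves '-oProxyCommand=id' bare because every character in it is shell-safe."""
    return f"ssh -l {shlex.quote(user)} {shlex.quote(host)}"


def ssh_argv_unsafe(user: str, host: str) -> list:
    """Weak form 2: no shell at all, but the host occupies its own argv slot,
    so a value starting with '-' is read by ssh as an option."""
    return ["ssh", "-l", user, host]


def validate_user(user: str) -> str:
    if not USER_RE.fullmatch(user):
        raise ValueError(f"rejected username: {user!r}")
    return user


def validate_host(host: str) -> str:
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return host


def ssh_argv_safe(user: str, host: str) -> list:
    """Hardened form: validate both inputs, keep our own options ahead of the
    destination, and hand ssh a single argv list (never a shell string)."""
    user = validate_user(user)
    host = validate_host(host)
    return ["ssh", "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=yes",
            f"{user}@{host}"]


def is_accepted(user: str, host: str) -> bool:
    """True if the hardened builder would run ssh for this user/host pair."""
    try:
        ssh_argv_safe(user, host)
        return True
    except ValueError:
        return False


def destination_is_option(argv: list) -> bool:
    """Detection helper for the weak argv form: the last element should be a
    destination, never something ssh would parse as an option."""
    return argv[-1].startswith("-")


if __name__ == "__main__":
    # Constructed attacker-controlled inputs.
    print(ssh_command_shell_unsafe("alice", "host.example; id"))
    print(ssh_command_shell_quoted("alice", "-oProxyCommand=id"))
    print(ssh_argv_unsafe("alice", "-oProxyCommand=id"))
    print(ssh_argv_safe("alice", "host.example"))
    print(is_accepted("alice", "-oProxyCommand=id"))
```

The ordering in `ssh_argv_safe` matters as much as the regex: all fixed options are emitted before the user-controlled destination, so even a future relaxation of `HOST_RE` cannot let a value be interpreted as an option that precedes them.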
Wed, Oct 04 · 12:15 PM CDT · CVE-2023-44208
9.1/10 · Must read/watch · NVD · vuln
Summary
Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40713, Acronis True Image OEM (Windows) before build 42575.
CVE: CVE-2023-44208
Severity: CRITICAL
Type: UPDATED
Published: Wed, Oct 04 · 12:15 PM CDT
Modified: Fri, Apr 10 · 02:16 PM CDT
Tue, Sep 09 · 02:15 PM CDT · CVE-2025-54236
9.1/10 · Must read/watch · NVD · vuln
Summary
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue doe
CVE: CVE-2025-54236
Severity: CRITICAL
Type: UPDATED
Published: Tue, Sep 09 · 02:15 PM CDT
Modified: Thu, Apr 09 · 01:00 AM CDT
Tue, Apr 07 · 10:16 PM CDT · CVE-2026-28386
9.1/10 · Must read/watch · NVD · vuln
Summary
Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application if the
CVE: CVE-2026-28386
Severity: CRITICAL
Type: UPDATED
Published: Tue, Apr 07 · 10:16 PM CDT
Modified: Fri, Apr 10 · 09:16 PM CDT
Fri, Mar 20 · 11:16 PM CDT · CVE-2026-33186
9.1/10 · Must read/watch · NVD · vuln
Summary
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g.,
CVE: CVE-2026-33186
Severity: CRITICAL
Type: UPDATED
Published: Fri, Mar 20 · 11:16 PM CDT
Modified: Fri, Apr 10 · 08:49 PM CDT
Tue, Apr 07 · 06:16 PM CDT · CVE-2026-35573
9.1/10 · Must read/watch · NVD · vuln
Summary
ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess configuration files. The vulnerability exists i
CVE: CVE-2026-35573
Severity: CRITICAL
Type: UPDATED
Published: Tue, Apr 07 · 06:16 PM CDT
Modified: Fri, Apr 10 · 08:59 PM CDT
Tue, Apr 07 · 06:16 PM CDT · CVE-2026-39339
9.1/10 · Must read/watch · NVD · vuln
Summary
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL,
CVE: CVE-2026-39339
Severity: CRITICAL
Type: UPDATED
Published: Tue, Apr 07 · 06:16 PM CDT
Modified: Fri, Apr 10 · 08:59 PM CDT
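Two entries on this page are the same bug class seen from opposite sides: the gRPC-Go router accepted a `:path` without the mandatory leading slash, so a path-keyed policy never matched it, and the ChurchCRM middleware granted the public exemption to any URL containing the substring "api/public". The block below is an added example illustrating both, written in Python rather than Go or PHP; it is not code from either project. The prefix table, the `admin.Service` policy and all function names are this example's assumptions.

```python
from urllib.parse import urlsplit

# Constructed policy: only these path prefixes are reachable without a session.
PUBLIC_PREFIXES = ("/api/public/",)


def is_public_substring(url: str) -> bool:
    """Weak form: "api/public" anywhere in the URL counts as public, so
    /api/admin/users?next=api/public is treated as needing no session."""
    return "api/public" in url


def canonical_path(url: str):
    """Return the request path in the one form the router will also see, or
    None when it is not absolute or contains segments (empty, ".", "..",
    backslash, percent-escapes) that this check and the router might read
    differently. None means deny."""
    path = urlsplit(url).path            # query and fragment are never routing input
    if not path.startswith("/"):         # a relative path is not a route (gRPC-Go lesson)
        return None
    if "\\" in path or "%" in path:
        return None
    segments = path.split("/")[1:]
    if any(seg in ("", ".", "..") for seg in segments):
        return None
    return "/" + "/".join(segments)


def is_public_strict(url: str) -> bool:
    """Hardened form: exemption only for a canonical path with an exact prefix."""
    path = canonical_path(url)
    return path is not None and path.startswith(PUBLIC_PREFIXES)


def parse_grpc_path_lenient(path: str):
    """Weak form: tolerate a missing leading slash, so "pkg.Svc/Method"
    reaches the same handler as "/pkg.Svc/Method"."""
    parts = path.lstrip("/").split("/")
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]


def parse_grpc_path_strict(path: str):
    """gRPC method paths are exactly "/<package.Service>/<Method>"."""
    if not path.startswith("/"):
        return None
    parts = path[1:].split("/")
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]


def grpc_request_allowed(path: str, caller_is_admin: bool, parser) -> bool:
    """Path-keyed policy: anything under "/admin.Service/" needs an admin
    caller; any other well-formed route is allowed. With the lenient parser,
    "admin.Service/Reset" slips past because the policy prefix never matches
    yet the router still dispatches it."""
    if path.startswith("/admin.Service/") and not caller_is_admin:
        return False
    return parser(path) is not None


if __name__ == "__main__":
    for url in ("/api/public/login", "/api/admin/users?next=api/public",
                "api/public/login", "/api/private/../public/login"):
        print(f"{url!r:45} substring={is_public_substring(url)!s:5} strict={is_public_strict(url)}")
    for parser in (parse_grpc_path_lenient, parse_grpc_path_strict):
        print(parser.__name__, grpc_request_allowed("admin.Service/Reset", False, parser))
```

The common fix in both halves is the same: compute one canonical representation of the path, refuse anything that cannot be canonicalised, and make the authorisation decision and the routing decision on that same value.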
Tue, Apr 07 · 07:16 PM CDT · CVE-2026-39351
9.1/10 · Must read/watch · NVD · vuln
Summary
Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted DocType access via its API.
CVE: CVE-2026-39351
Severity: CRITICAL
Type: UPDATED
Published: Tue, Apr 07 · 07:16 PM CDT
Modified: Fri, Apr 10 · 07:30 PM CDT
Tue, Apr 07 · 06:16 PM CDT · CVE-2026-39328
8.9/10 · Worth your time · NVD · vuln
Summary
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. Due
CVE: CVE-2026-39328
Severity: HIGH
Type: UPDATED
Published: Tue, Apr 07 · 06:16 PM CDT
Modified: Fri, Apr 10 · 08:56 PM CDT
Thu, Dec 18 · 04:15 PM CST · CVE-2025-68278
8.8/10 · Worth your time · NVD · vuln
Summary
Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cli version 2.0.4, and @t
CVE: CVE-2025-68278
Severity: HIGH
Type: UPDATED
Published: Thu, Dec 18 · 04:15 PM CST
Modified: Fri, Apr 10 · 05:34 PM CDT
Tue, Sep 30 · 03:15 PM CDT · CVE-2025-7779
8.8/10 · Worth your time · NVD · vuln
Summary
Local privilege escalation due to insecure XPC service configuration. The following products are affected: Acronis True Image (macOS) before build 42389, Acronis True Image for SanDisk (macOS) before build 42198, Acronis True Image for Western Digital (macOS) before build 42197, Acronis True Image OEM (macOS) before bu
CVE: CVE-2025-7779
Severity: HIGH
Type: UPDATED
Published: Tue, Sep 30 · 03:15 PM CDT
Modified: Fri, Apr 10 · 02:16 PM CDT
Tue, Apr 07 · 04:17 AM CDT · CVE-2026-20433
8.8/10 · Worth your time · NVD · vuln
Summary
In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY0108868
CVE: CVE-2026-20433
Severity: HIGH
Type: UPDATED
Published: Tue, Apr 07 · 04:17 AM CDT
Modified: Fri, Apr 10 · 07:56 PM CDT
Tue, Feb 03 · 07:16 AM CST · CVE-2026-22550
8.8/10 · Worth your time · NVD · vuln
Summary
OS command injection vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. A crafted request from a logged-in user may lead to an arbitrary OS command execution.
CVE: CVE-2026-22550
Severity: HIGH
Type: UPDATED
Published: Tue, Feb 03 · 07:16 AM CST
Modified: Fri, Apr 10 · 02:35 PM CDT
Tue, Mar 31 · 10:16 PM CDT · CVE-2026-34406
8.8/10 · Worth your time · NVD · vuln
Summary
APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint (POST /api/auth/edituser/ ) allows any user who can reach that endpoint and submit crafted permission t
CVE: CVE-2026-34406
Severity: HIGH
Type: UPDATED
Published: Tue, Mar 31 · 10:16 PM CDT
Modified: Fri, Apr 10 · 03:43 PM CDT
Mon, Apr 06 · 06:16 PM CDT · CVE-2026-35044
8.8/10 · Worth your time · NVD · vuln
Summary
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-pr
CVE: CVE-2026-35044
Severity: HIGH
Type: UPDATED
Published: Mon, Apr 06 · 06:16 PM CDT
Modified: Fri, Apr 10 · 06:31 PM CDT
Tue, Apr 07 · 06:16 PM CDT · CVE-2026-39319
8.8/10 · Worth your time · NVD · vuln
Summary
ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL statements through the iCurrentFundraiser PH
CVE: CVE-2026-39319
Severity: HIGH
Type: UPDATED
Published: Tue, Apr 07 · 06:16 PM CDT
Modified: Fri, Apr 10 · 08:57 PM CDT
Tue, Apr 07 · 06:16 PM CDT · CVE-2026-39326
8.8/10 · Worth your time · NVD · vuln
Summary
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description parameters and thus extract and
CVE: CVE-2026-39326
Severity: HIGH
Type: UPDATED
Published: Tue, Apr 07 · 06:16 PM CDT
Modified: Fri, Apr 10 · 08:58 PM CDT
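The last two ChurchCRM entries are both SQL injection, and the FundRaiserEditor one is explicitly second order: the injected value is stored safely first and only becomes SQL when a later page reads it back and concatenates it. The block below is an added example of that pattern using SQLite from the Python standard library; it is not ChurchCRM's code and makes no claim about its schema. The table layout, the seeded password hash and the report queries are constructed for the example.

```python
import sqlite3

# Constructed schema and seed data.
SCHEMA = """
CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
CREATE TABLE fundraiser (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE donation (id INTEGER PRIMARY KEY, fundraiser_title TEXT,
                       donor TEXT, amount INTEGER);
INSERT INTO user (name, password_hash) VALUES ('admin', '$2y$10$constructedhashvalue');
INSERT INTO fundraiser (title) VALUES ('Spring Gala');
INSERT INTO donation (fundraiser_title, donor, amount) VALUES ('Spring Gala', 'J. Smith', 100);
"""

# A title that a low-privilege user can save. It is harmless when stored and
# only becomes SQL when some later statement splices it in as text.
PAYLOAD_TITLE = "x' UNION SELECT password_hash FROM user -- "


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_fundraiser(conn: sqlite3.Connection, title: str) -> int:
    """First-order sink, correctly parameterised: the payload is stored verbatim."""
    cur = conn.execute("INSERT INTO fundraiser (title) VALUES (?)", (title,))
    return cur.lastrowid


def donor_report_unsafe(conn: sqlite3.Connection, fundraiser_id: int) -> list:
    """Second-order sink: trusts the stored title because it "came from the
    database" and formats it into a new statement."""
    (title,) = conn.execute("SELECT title FROM fundraiser WHERE id = ?",
                            (fundraiser_id,)).fetchone()
    sql = "SELECT donor FROM donation WHERE fundraiser_title = '%s'" % title
    return [row[0] for row in conn.execute(sql)]


def donor_report_safe(conn: sqlite3.Connection, fundraiser_id: int) -> list:
    """Same report with the stored value bound as a parameter."""
    (title,) = conn.execute("SELECT title FROM fundraiser WHERE id = ?",
                            (fundraiser_id,)).fetchone()
    rows = conn.execute("SELECT donor FROM donation WHERE fundraiser_title = ?",
                        (title,))
    return [row[0] for row in rows]


def demo():
    """Return (honest report, what the unsafe report leaks, safe report)."""
    conn = connect()
    honest = donor_report_unsafe(conn, 1)          # works fine on honest data
    fid = create_fundraiser(conn, PAYLOAD_TITLE)   # stored without error
    leaked = donor_report_unsafe(conn, fid)        # now returns password hashes
    safe = donor_report_safe(conn, fid)            # no matching donations
    return honest, leaked, safe


if __name__ == "__main__":
    honest, leaked, safe = demo()
    print("honest report :", honest)
    print("unsafe report :", leaked)
    print("safe report   :", safe)
```

The point of the example is the order of events: the editor that accepts the title can be perfectly parameterised and the bug still exists, because the trust boundary is crossed at the read side. Every value that originates from a user is untrusted on every later use, not only on the request that first carried it.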