📰 DAILY THREAT BRIEFING
Tuesday, April 28, 2026
12 News Items
HN · BleepingComputer · Krebs · Dark Reading · SANS · THN Intel · Unit 42 · Security.com

📰 Cybersecurity News Headlines

Top stories from leading cybersecurity publications as of April 28, 2026.

  1. Robinhood account creation flaw abused to send phishing emails
    — Bleeping Computer

    Online trading platform Robinhood's account creation process was exploited by threat actors to inject phishing messages into legitimate emai…
  2. GlassWorm malware attacks return via 73 OpenVSX "sleeper" extensions
    — Bleeping Computer

    A new wave of the Glassworm campaign is targeting the OpenVSX ecosystem with 73 "sleeper" extensions that turn malicious after an update. [.…
  3. UNC6692 Combines Social Engineering, Malware, Cloud Abuse
    — Dark Reading

    A newly discovered threat actor is using Microsoft Teams, AWS S3 buckets, and custom "Snow" malware in a multipronged campaign.
  4. Canada arrests three for operating “SMS blaster” device in Toronto
    — Bleeping Computer

    Canadian authorities have arrested three men for operating an "SMS blaster" device that pretends to be a cellular tower to send phishing tex…
  5. Unpatched 'PhantomRPC' Flaw in Windows Enables Privilege Escalation
    — Dark Reading

    A researcher discovered five different exploit paths that stem from an architectural weakness in how Windows' Remote Procedure Call (RPC) me…
  6. Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack
    — The Hacker News

    Checkmarx has disclosed that its ongoing investigation tied to the supply chain security incident has revealed that a cybercriminal group pu…
  7. TeamPCP Supply Chain Campaign: Update 008 – 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns, (Mon, Apr 27th)
    — SANS ISC

    This update succeeds TeamPCP Supply Chain Campaign Update 007, published April 8, 2026, which left …
  8. ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & More
    — The Hacker News

    Everything is dumb again. This week feels broken in a very familiar way. Old tricks are back. New tools are doing shady crap. Supply chains …
  9. 20-Year-Old Malware Rewrites History of Cyber Sabotage
    — Dark Reading

    Researchers have uncovered a malware framework dubbed "fast16" that predates Stuxnet by five years.
  10. Mythos Changed the Math on Vulnerability Discovery. Most Teams Aren't Ready for the Remediation Side
    — The Hacker News

    Anthropic’s Claude Mythos Preview has dominated security discussions since its April 7 announcement. Early reporting describes a powerful …
  11. The npm Threat Landscape: Attack Surface and Mitigations
    — Unit 42

    Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more. The…
  12. TGR-STA-1030: New Activity in Central and South America
    — Unit 42

    Unit 42 research reports that TGR-STA-1030 remains an active threat, particularly in Central and South America.

🪲 NVD — Last 20 Scored Vulnerabilities

Latest scored CVEs from the National Vulnerability Database (5812 in last 30 days).
Critical: 1 · High: 5 · Medium: 14 · Low: 0.

  1. CVE-2026-7200
    — CVSS 4.3 (MEDIUM)

    A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file /index.php?page=types. Executing a manipulation of the argument ID can lea…
  2. CVE-2026-7199
    — CVSS 7.3 (HIGH)

    A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=delete_product. Performing a manipulation of…
  3. CVE-2026-7196
    — CVSS 6.3 (MEDIUM)

    A security vulnerability has been detected in CodeAstro Online Classroom 1.0. Affected is an unknown function of the file /guestdetails. Such manipulation of the argument deleteid leads to SQL injection. The attack may b…
  4. CVE-2026-41372
    — CVSS 5.8 (MEDIUM)

    OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to…
  5. CVE-2026-41371
    — CVSS 8.5 (HIGH)

    OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate target sessions, archive …
  6. CVE-2026-41370
    — CVSS 6.5 (MEDIUM)

    OpenClaw before 2026.3.31 contains a path traversal vulnerability in ACP dispatch that allows attackers to read arbitrary files by manipulating inbound channel attachment paths. Remote attackers can bypass attachment-cac…
  7. CVE-2026-41369
    — CVSS 6.5 (MEDIUM)

    OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by …
  8. CVE-2026-41368
    — CVSS 6.5 (MEDIUM)

    OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using $ENV in jq programs t…
  9. CVE-2026-41367
    — CVSS 5.0 (MEDIUM)

    OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component actions from blocked contex…
  10. CVE-2026-41366
    — CVSS 5.5 (MEDIUM)

    OpenClaw before 2026.3.31 contains a local roots self-whitelisting vulnerability in appendLocalMediaParentRoots that allows model-initiated arbitrary host file read. Attackers can exploit improper media parent directory …
  11. CVE-2026-41365
    — CVSS 5.4 (MEDIUM)

    OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attackers can retrieve thread messages that should be filtered by sender allowlists, bypassing …
  12. CVE-2026-41364
    — CVSS 8.1 (HIGH)

    OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files. Attackers can exploit this by uploading tar archives containing symlin…
  13. CVE-2026-41363
    — CVSS 5.3 (MEDIUM)

    OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper path …
  14. CVE-2026-41362
    — CVSS 4.3 (MEDIUM)

    OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one au…
  15. CVE-2026-40977
    — CVSS 4.7 (MEDIUM)

    When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.

    Affected: Spring …

  16. CVE-2026-40976
    — CVSS 9.1 (CRITICAL)

    In certain circumstances, Spring Boot's default web security is ineffective, allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring …
  17. CVE-2026-40975
    — CVSS 4.8 (MEDIUM)

    Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable rang…
  18. CVE-2026-40974
    — CVSS 5.0 (MEDIUM)

    Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.

    Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3…

  19. CVE-2026-40973
    — CVSS 7.0 (HIGH)

    A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across applic…
  20. CVE-2026-40972
    — CVSS 7.5 (HIGH)

    An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the…

Source: NVD CVE API 2.0


Generated by CryptXNet.ai Threat Intelligence Platform · April 28, 2026 · Sources: The Hacker News, Bleeping Computer, Krebs on Security, Dark Reading, SANS ISC, THN Threat Intel, Unit 42, Security.com