Security news.
Today's security news is dominated by Microsoft's April Patch Tuesday, addressing a significant number of vulnerabilities including actively exploited zero-days. Several data breaches have also been reported, impacting major companies and their customers, alongside warnings about the increasing sophistication of AI-driven threats and malicious applications.
Microsoft Patches Exploited SharePoint Zero-Day and 160+ Vulnerabilities
Microsoft's April Patch Tuesday is one of its largest ever, fixing 167 flaws, including two zero-days actively exploited in the wild (CVE-2026-32201 in SharePoint and another undisclosed).
CISA Adds Two Known Exploited Vulnerabilities to KEV Catalog
CISA has added CVE-2009-0238 (Microsoft Office RCE) and CVE-2026-32201 (Microsoft SharePoint Server Improper Input Validation) to its Known Exploited Vulnerabilities Catalog, urging immediate patching.
Adobe Patches 55 Vulnerabilities Across 11 Products
Adobe has released security updates for 11 products, addressing 55 vulnerabilities, with critical ColdFusion flaws identified as high-risk for exploitation.
McGraw-Hill Confirms Data Breach Following Extortion Threat
Education company McGraw-Hill confirmed a data breach due to a Salesforce misconfiguration, leading to unauthorized access to internal data.
Fake Ledger Live App on Apple’s App Store Stole $9.5M in Crypto
A malicious Ledger Live app for macOS, distributed via Apple's App Store, has reportedly stolen approximately $9.5 million in cryptocurrency from 50 victims.
New PHP Composer Flaws Enable Arbitrary Command Execution
Two high-severity command injection vulnerabilities (CVE-2026-40176, CVE-2026-40177) have been disclosed in Composer, the PHP package manager, allowing arbitrary command execution.
Europe’s Largest Gym Chain Basic-Fit Says Data Breach Impacts 1 Million Members
Basic-Fit, a major European gym chain, reported a data breach impacting 1 million members, with stolen data including names, dates of birth, and bank account details.
AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware
A new ad fraud scheme leverages AI-generated content and SEO poisoning to push deceptive news stories into Google Discover, tricking users into enabling notifications for scareware and scams.