// CVE Tracker
Critical vulnerabilities currently doing the rounds, sorted by CVSS score.
Critical: 2 | High: 2 | Total active: 4 | Patched: 4
CVE-2026-2699
Progress ShareFile Storage Zones Controller Authentication Bypass
A critical authentication bypass vulnerability in Progress ShareFile Storage Zones Controller (SZC) arises from execution-after-redirect behaviour (CWE-698) in the /ConfigService/Admin.aspx administrative endpoint: the handler redirects unauthenticated callers to the login page but keeps executing the privileged logic behind it. An unauthenticated remote attacker can therefore reach restricted administrative functions without supplying valid credentials. When chained with CVE-2026-2701 (arbitrary file upload), this vulnerability yields fully unauthenticated remote code execution. Progress released a fix in SZC version 5.12.4 on 10 March 2026; any controller below that version should be treated as vulnerable. watchTowr Labs published full technical details on 2 April, significantly lowering the exploitation barrier. Approximately 30,000 SZC instances are internet-exposed.
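The bug class above, execution after redirect, is easy to miss in review because the redirect itself is present and a browser dutifully follows it. The following is an added illustration in a framework-free handler model; it is not Progress ShareFile code, and the handler, route and login-page names are made up. In ASP.NET the classic equivalent is calling Response.Redirect with endResponse set to false (or simply not returning after it), but the exact SZC root cause is not described here and is not claimed by this example.

```python
"""Execution-after-redirect (CWE-698): the redirect is sent, but the
privileged code after it still runs. Added example, not SZC code."""
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    authenticated: bool = False


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""
    actions: list = field(default_factory=list)  # privileged side effects


def render_admin_console(req: Request, resp: Response) -> None:
    """Stand-in for the admin page: emits config and performs a privileged action."""
    resp.body += "<h1>Admin console</h1>"
    resp.body += "<pre>storage_zone_secret=REDACTED</pre>"  # constructed placeholder
    resp.actions.append("wrote admin settings")


def vulnerable_admin_handler(req: Request) -> Response:
    """Issues a redirect to the login page but does not stop executing.

    The server answers 302 AND carries the full admin body, and the side
    effect has already happened server-side. A client that ignores the
    Location header (curl without -L) reads the admin page as-is.
    """
    resp = Response()
    if not req.authenticated:
        resp.status = 302
        resp.headers["Location"] = "/Login.aspx"  # hypothetical path
        # missing `return resp` here is the entire bug
    render_admin_console(req, resp)
    return resp


def fixed_admin_handler(req: Request) -> Response:
    """Same handler with the redirect made terminal."""
    resp = Response()
    if not req.authenticated:
        resp.status = 302
        resp.headers["Location"] = "/Login.aspx"  # hypothetical path
        return resp  # nothing after the redirect runs
    render_admin_console(req, resp)
    return resp


def admin_leaked(resp: Response) -> bool:
    """What an attacker checks: did the 'redirect' still carry admin content
    or trigger an admin-only side effect?"""
    return "Admin console" in resp.body or bool(resp.actions)


if __name__ == "__main__":
    anon = Request(path="/ConfigService/Admin.aspx")
    for name, handler in [("vulnerable", vulnerable_admin_handler),
                          ("fixed", fixed_admin_handler)]:
        r = handler(anon)
        print(f"{name}: status={r.status} leaked_admin={admin_leaked(r)}")
```

The practical test for any admin page is the one in admin_leaked: request it unauthenticated with redirects disabled and inspect the body of the 3xx response, not just the status code.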
CVE-2026-35616
Fortinet FortiClient EMS Pre-Authentication API Bypass and Privilege Escalation
A critical improper access control vulnerability (CWE-284) in Fortinet FortiClient Endpoint Management Server allows an unauthenticated remote attacker to bypass API authentication and execute arbitrary code or commands on the server via crafted HTTP requests. Carrying a CVSS score of 9.1, this flaw affects the management plane responsible for deploying and enforcing endpoint security policy, ZTNA, and VPN access controls across managed fleets, so a compromised EMS is a pivot onto every endpoint it manages. Active exploitation was confirmed by multiple researchers beginning 31 March 2026, and CISA added CVE-2026-35616 to its KEV catalogue on 6 April with a federal remediation deadline of 9 April, a three-day window and one of the shortest timelines CISA issues.
CVE-2026-2701
Progress ShareFile Storage Zones Controller Arbitrary File Upload to Webroot
An arbitrary file upload vulnerability in Progress ShareFile Storage Zones Controller allows an attacker with administrative session access to upload and extract archive content into the IIS web root, enabling placement of malicious ASPX web shells that execute with the web server's privileges. On its own this requires an administrative session; chained with the authentication bypass in CVE-2026-2699, it can be exploited without any authentication, yielding full remote code execution on the server. The full attack chain was publicly documented by watchTowr Labs on 2 April 2026 following coordinated disclosure, and Progress has issued a fix in version 5.12.4.
CVE-2026-5281
Google Chrome Dawn Use-After-Free (WebGPU) Under Active Exploitation
A high-severity use-after-free vulnerability in Dawn, Chromium's open-source WebGPU implementation, allows a remote attacker who has already compromised the renderer process to escalate to arbitrary code execution via a crafted HTML page. It is therefore a second-stage bug: on its own it does not give initial entry, but paired with a renderer bug it completes an exploit chain. Google confirmed active exploitation in the wild. CISA added CVE-2026-5281 to its Known Exploited Vulnerabilities catalogue on 1 April 2026, requiring federal agencies to patch by 15 April. This is the fifth Chrome zero-day exploited in attacks in 2026, following a sustained research focus on Chrome's graphics stack.
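Two of the entries above carry CISA KEV due dates, and the Fortinet one has an unusually short window. The following added example (not part of this tracker) ranks a tracked CVE list against a KEV-format feed by remaining days to the due date. The feed excerpt is constructed by hand in the layout of the CISA KEV JSON (cveID, vendorProject, product, dateAdded, dueDate) using only the dates stated in the entries above; pull the live catalogue yourself before relying on it.

```python
"""Rank tracked CVEs by KEV remediation deadline. Added example; the feed
excerpt below is constructed, not a download of the real catalogue."""
import json
from datetime import date

# Constructed excerpt in the CISA KEV JSON field layout; dates match the entries above.
KEV_EXCERPT = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2026-35616", "vendorProject": "Fortinet",
         "product": "FortiClient EMS", "dateAdded": "2026-04-06",
         "dueDate": "2026-04-09"},
        {"cveID": "CVE-2026-5281", "vendorProject": "Google",
         "product": "Chromium (Dawn)", "dateAdded": "2026-04-01",
         "dueDate": "2026-04-15"},
    ],
})

# The four IDs on this page.
TRACKED = ["CVE-2026-2699", "CVE-2026-35616", "CVE-2026-2701", "CVE-2026-5281"]

NOT_IN_KEV = 10**6  # sort key that pushes non-KEV entries to the bottom


def load_kev(raw: str) -> dict:
    """Index a KEV-format document by CVE ID."""
    doc = json.loads(raw)
    return {v["cveID"]: v for v in doc["vulnerabilities"]}


def triage(tracked, kev, today: date):
    """One row per tracked CVE: KEV membership, days left to the due date,
    and the length of the window CISA granted. Sorted most urgent first."""
    rows = []
    for cve in tracked:
        entry = kev.get(cve)
        if entry is None:
            rows.append({"cve": cve, "kev": False, "days_left": None,
                         "overdue": False})
            continue
        due = date.fromisoformat(entry["dueDate"])
        added = date.fromisoformat(entry["dateAdded"])
        days_left = (due - today).days
        rows.append({"cve": cve, "kev": True, "days_left": days_left,
                     "overdue": days_left < 0,
                     "window_days": (due - added).days,
                     "vendor": entry["vendorProject"],
                     "product": entry["product"]})
    # KEV entries first, then by fewest days left; non-KEV keep list order.
    rows.sort(key=lambda r: (not r["kev"],
                             NOT_IN_KEV if r["days_left"] is None else r["days_left"]))
    return rows


if __name__ == "__main__":
    for row in triage(TRACKED, load_kev(KEV_EXCERPT), date(2026, 4, 7)):
        print(row)
```

A negative days_left means the federal deadline has already passed; the window_days field makes the three-day Fortinet window stand out against the more typical two-week one for the Chrome bug.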
Note: CVE data is curated manually from NVD, vendor advisories, and security research. CVSS scores reflect NVD base scores at time of entry and may be revised later. Always verify against the official vendor advisory before acting on an entry.