[{"data":1,"prerenderedAt":187},["ShallowReactive",2],{"publication-daily-threat-publications-2026-04-16":3},{"pub_id":4,"headline":5,"summary":6,"pub_date":7,"total_articles":8,"articles":9},"pub-2026-04-16","Microsoft Patches Actively Exploited SharePoint Zero-Day in Massive Update, as Critical Flaws in Nginx-UI and Axios Emerge","This cybersecurity brief for April 16, 2026, covers a massive Microsoft Patch Tuesday that addressed 165 flaws, including an actively exploited SharePoint zero-day (CVE-2026-32201). Concurrently, NIST announced a major overhaul of its NVD program, no longer enriching all CVEs due to overwhelming volume. Critical, actively exploited vulnerabilities were also disclosed in the popular Nginx-UI tool (CVE-2026-33032) and the Axios JavaScript library (CVE-2026-40175), posing significant risks of server takeover and cloud compromise. Ransomware and data breach activity remains high, with incidents reported at Autovista, Bank3, and Booking.com, alongside new threat campaigns targeting finance professionals via the Obsidian app.","2026-04-16",11,[10,33,53,76,95,109,125,140,151,162,172],{"id":11,"slug":12,"headline":13,"title":14,"severity":15,"excerpt":16,"tags":17,"categories":23,"createdAt":27,"updatedAt":28,"readingTime":29,"isUpdate":30,"updateSummary":31,"updateContent":32},"3cd01b25-763c-4751-9e03-c09468631770","booking-com-notifies-customers-of-reservation-data-breach","Booking.com Warns Customers of Data Breach Exposing Reservation Details and Personal Info","Booking.com Notifies Customers of Data Breach Affecting Reservation Details","medium","Online travel giant Booking.com has confirmed a data breach, notifying an undisclosed number of customers that their personal and reservation data were accessed by unauthorized parties. The compromised information includes names, contact details, addresses, and specific booking details, including any notes shared with accommodation providers. 
The company has stated that financial data and customer accounts were not compromised. In response, Booking.com has reset the PINs for all affected reservations. While the company claims the issue is 'fully contained,' this incident exposes customers to a significant risk of highly convincing and targeted phishing attacks, as criminals can use the detailed booking information to craft credible scams.",[18,19,20,21,22],"phishing","travel industry","supply chain","PII","Booking.com",[24,25,26],"Data Breach","Phishing","Supply Chain Attack","2026-04-13T15:00:00.000Z","2026-04-16T12:00:00.000Z",5,true,"New details emerge on Booking.com breach, revealing 'ClickFix' phishing and malware used to compromise hotel partners and access customer data.","Further investigation into the Booking.com data breach reveals that attackers leveraged a sophisticated phishing technique known as 'ClickFix'. This method involved tricking hotel employees into installing malicious software, disguised as a legitimate tool, onto their systems. Once installed, the malware allowed threat actors to harvest credentials for the hotel's management systems, including the Booking.com partner portal. 
This enabled the unauthorized access and scraping of customer reservation data, confirming a supply chain attack vector where smaller partners were targeted to breach the larger platform's data.",{"id":34,"slug":35,"headline":36,"title":37,"severity":38,"excerpt":39,"tags":40,"categories":46,"createdAt":27,"updatedAt":50,"readingTime":29,"isUpdate":30,"updateSummary":51,"updateContent":52},"a8930b97-ec58-4968-be2b-bcbf8da0be8e","three-ransomware-gangs-behind-40-percent-of-march-attacks","Ransomware Market Consolidation: Qilin, Akira, and DragonForce Dominate March 2026 Attacks","Check Point Report: Three Ransomware Gangs Account for 40% of All Attacks in March 2026","informational","The ransomware ecosystem is showing significant consolidation, with a new report from Check Point revealing that just three groups—Qilin, Akira, and DragonForce—were responsible for 40% of all publicly claimed attacks in March 2026. Qilin led the pack, accounting for 20% of incidents, followed by Akira at 12% and DragonForce at 8%. This concentration of power in a few highly active Ransomware-as-a-Service (RaaS) and 'cartel' operations highlights a trend towards more organized and impactful threat groups, even as the total number of active gangs remains high. The report underscores the continued focus on high-value sectors like business services and manufacturing.",[41,42,43,44,45],"RaaS","ransomware trends","market consolidation","threat report","Check Point",[47,48,49],"Ransomware","Threat Intelligence","Threat Actor","2026-04-16T00:00:00.000Z","Q1 2026 ransomware activity stabilized at high levels, establishing a 'new normal'. 'The Gentlemen' surged as a top threat, and construction sector attacks increased significantly.","A new report from GuidePoint Security covering Q1 2026 indicates ransomware activity has stabilized at the high levels of 2025, establishing an 'elevated new normal'. 
While Qilin's activity dipped by 25% from Q4 2025, a new group, 'The Gentlemen', surged to become the second most prolific with 182 victims. Akira's activity also declined. The construction sector saw a 44% year-over-year increase in attacks, highlighting evolving targeting trends and the persistent, high-volume threat.",{"id":54,"slug":55,"headline":56,"title":57,"severity":58,"excerpt":59,"tags":60,"categories":68,"createdAt":70,"updatedAt":28,"readingTime":71,"cves":72,"cvssScore":73,"isUpdate":30,"updateSummary":74,"updateContent":75},"786211ee-9f9e-4398-8ddc-1e50f0196008","critical-nginx-ui-auth-bypass-cve-2026-33032-under-active-exploit","Critical Auth Bypass in nginx-ui (CVE-2026-33032) Actively Exploited for Full Nginx Takeover","Critical Authentication Bypass Vulnerability (CVE-2026-33032) in nginx-ui Under Active Exploit","critical","A critical authentication bypass vulnerability (CVSS 9.8), tracked as CVE-2026-33032, in the open-source nginx-ui management tool is being actively exploited in the wild. The flaw, codenamed 'MCPwn,' allows an unauthenticated attacker to gain complete control of the underlying Nginx service by sending requests to an improperly secured API endpoint. Successful exploitation enables attackers to modify Nginx configurations, intercept traffic, and achieve remote code execution. Users are urged to update to version 2.3.4 or later immediately.",[61,62,63,64,65,66,67],"Vulnerability","nginx","nginx-ui","CVE-2026-33032","Authentication Bypass","RCE","Zero-Day",[61,69],"Cyberattack","2026-04-15T15:00:00.000Z",4,[64],9.8,"New details confirm active exploitation by Recorded Future, with over 2,600 exposed instances globally. An additional mitigation strategy has also been identified.","The vulnerability, CVE-2026-33032, is confirmed to be actively exploited by threat intelligence firm Recorded Future. 
Scans reveal over 2,600 publicly accessible and potentially vulnerable nginx-ui instances, primarily in China, the US, Indonesia, Germany, and Hong Kong. An additional interim mitigation involves disabling the MCP functionality within nginx-ui if not in use, which removes the vulnerable endpoint. Security teams should also monitor for specific cyber observables, including requests to '/mcp_message' and unauthorized changes to Nginx configuration files.",{"id":77,"slug":78,"headline":79,"title":80,"severity":38,"excerpt":81,"tags":82,"categories":90,"createdAt":93,"updatedAt":93,"readingTime":71,"isUpdate":94},"658c4890-f861-4cf2-a7c4-5c71923c5404","nist-overhauls-nvd-program-citing-overwhelming-vulnerability-volume","NIST Overhauls NVD, Will No Longer Enrich All CVEs Amidst 'Unsustainable' Surge in Reports","NIST Announces Major Shift in NVD Program, Prioritizing CVE Enrichment for Critical and Exploited Vulnerabilities","The U.S. National Institute of Standards and Technology (NIST) has announced a significant policy change for its National Vulnerability Database (NVD). Citing an unsustainable surge in vulnerability submissions, NIST will no longer provide detailed analysis for every CVE. Instead, it will prioritize enriching vulnerabilities listed in CISA's KEV catalog and those affecting U.S. federal government software. 
This move will create a large backlog of 'Not Scheduled' CVEs without CVSS scores or product information, forcing security teams to re-evaluate their vulnerability management programs.",[83,84,85,86,87,88,89],"NIST","NVD","CVE","Vulnerability Management","Risk Assessment","CISA KEV","Policy",[91,61,92],"Policy and Compliance","Security Operations","2026-04-16T15:00:00.000Z",false,{"id":96,"slug":97,"headline":98,"title":99,"severity":100,"excerpt":101,"tags":102,"categories":107,"createdAt":93,"updatedAt":93,"readingTime":108,"isUpdate":94},"43d4fd3a-7bf2-44eb-8f6a-ec5c4c39a804","automotive-data-firm-autovista-hit-by-ransomware-disrupting-services","Autovista Ransomware Attack Disrupts Automotive Data Services Across Europe and Australia","Automotive Data Firm Autovista Confirms Ransomware Attack Causing Service Disruptions","high","Autovista, a leading automotive data and analytics firm owned by J.D. Power, has confirmed it was hit by a ransomware attack. The incident, announced on April 15, 2026, has caused significant disruption to its client-facing applications across Europe and Australia. 
The company has engaged external cybersecurity experts to investigate the breach and restore services, but has not yet provided a timeline for recovery or identified the threat actor responsible.",[47,103,104,69,105,106],"Autovista","Automotive","Service Disruption","JD Power",[47,69,24],3,{"id":110,"slug":111,"headline":112,"title":113,"severity":100,"excerpt":114,"tags":115,"categories":124,"createdAt":93,"updatedAt":93,"readingTime":29,"isUpdate":94},"60d8cd91-252c-467e-9805-758cf2b1856b","obsidian-plugin-abused-in-campaign-to-deploy-phantom-pulse-rat","Obsidian Plugin Abused in Social Engineering Campaign to Deliver New PHANTOMPULSE RAT","Novel Campaign Abuses Obsidian Note-Taking App to Target Finance and Crypto Professionals with PHANTOMPULSE RAT","A sophisticated social engineering campaign, dubbed REF6598, is targeting finance and cryptocurrency professionals by abusing the popular note-taking app, Obsidian. Attackers lure victims into a shared cloud vault and trick them into enabling a malicious community plugin. This action executes a payload that deploys a new, cross-platform Remote Access Trojan (RAT) called PHANTOMPULSE. 
The malware uses the Ethereum blockchain for a resilient C2 infrastructure, highlighting a novel evolution in threat actor TTPs.",[116,117,118,119,120,121,122,123],"Malware","RAT","PHANTOMPULSE","Obsidian","Social Engineering","Cryptocurrency","Finance","REF6598",[116,49,25],{"id":126,"slug":127,"headline":128,"title":129,"severity":58,"excerpt":130,"tags":131,"categories":137,"createdAt":93,"updatedAt":93,"readingTime":71,"cves":138,"cvssScore":139,"isUpdate":94},"94a05075-6b04-425f-a5a4-5395d0592fd7","critical-axios-library-vulnerability-cve-2026-40175-allows-rce","Critical Flaw in Axios Library Puts Countless Web Apps at Risk of RCE","Critical SSRF Vulnerability in Axios Library (CVE-2026-40175) Allows for Remote Code Execution","A critical Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-40175, has been discovered in Axios, one of the most popular JavaScript libraries for making HTTP requests. The flaw, rated CVSS 10.0, can be exploited by an unauthenticated remote attacker to achieve remote code execution (RCE) and potentially compromise entire cloud environments. A public proof-of-concept is available, making this a critical supply chain risk that requires immediate attention from developers.",[132,133,66,61,26,134,135,136],"Axios","SSRF","Cloud Security","CVE-2026-40175","JavaScript",[61,26,134],[135],10,{"id":141,"slug":142,"headline":143,"title":144,"severity":100,"excerpt":145,"tags":146,"categories":150,"createdAt":93,"updatedAt":93,"readingTime":71,"isUpdate":94},"890a0b41-44d5-4364-ae08-0ed134b45cfe","bank3-discloses-data-breach-after-qilin-ransomware-claim","Bank3 Discloses Data Breach, Exposing Customer SSNs and Financial Data","Bank3 Notifies Customers of Data Breach After Qilin Ransomware Group's Claims","Bank3, a Tennessee-based community bank, has started notifying customers of a data breach that exposed highly sensitive personal and financial information, including Social Security numbers and financial account details. 
The notification follows claims made in late 2025 by the Qilin ransomware group, which alleged it had stolen 149 GB of data, representing the bank's 'entire data set.' The breach occurred between July and August 2025.",[24,47,147,148,122,149],"Qilin","Bank3","SSN",[24,47,49],{"id":152,"slug":153,"headline":154,"title":155,"severity":100,"excerpt":156,"tags":157,"categories":161,"createdAt":93,"updatedAt":93,"readingTime":71,"isUpdate":94},"af8f885b-5f2b-488c-900f-2c919b1d15fd","shinyhunters-hacking-group-claims-amtrak-breach-threatens-leak","ShinyHunters Claims Amtrak Breach, Threatens to Leak 9.4M Records","ShinyHunters Hacking Group Claims Breach of Amtrak, Threatens to Leak 9.4 Million Records","The notorious hacking group ShinyHunters has claimed responsibility for a major data breach at Amtrak, the U.S. national railroad operator. The group posted the claim on its dark web forum, alleging the theft of 9.4 million records containing both customer PII and internal corporate data. ShinyHunters asserts the breach was achieved by compromising Amtrak's Salesforce systems, consistent with the group's recent tactics of targeting third-party service employees.",[158,24,159,160,26,49],"ShinyHunters","Amtrak","Salesforce",[24,49,26],{"id":163,"slug":164,"headline":165,"title":166,"severity":15,"excerpt":167,"tags":168,"categories":171,"createdAt":93,"updatedAt":93,"readingTime":108,"isUpdate":94},"51317af1-1d94-4d1a-a236-3b58996c7128","rci-hospitality-discloses-data-breach-exposing-contractor-information","RCI Hospitality Data Breach Exposes Sensitive Information of Contractors","RCI Hospitality Discloses Data Breach Resulting from IDOR Vulnerability","RCI Hospitality Holdings, a major operator of nightclubs and sports bars, has reported a data breach that exposed the personal information of its independent contractors. The breach was caused by an Insecure Direct Object Reference (IDOR) vulnerability on one of its web servers. 
The exposed data includes names, Social Security numbers, and driver's license numbers. The company has since secured the server and is notifying affected individuals.",[24,169,61,21,149,170],"IDOR","RCI Hospitality",[24,61],{"id":173,"slug":174,"headline":175,"title":176,"severity":58,"excerpt":177,"tags":178,"categories":183,"createdAt":93,"updatedAt":93,"readingTime":71,"cves":185,"cvssScore":186,"isUpdate":94},"18bfca1b-348d-4280-b9ac-225bbe0ad91e","fortinet-patches-critical-vulnerabilities-in-fortisandbox","Fortinet Patches Critical Authentication Bypass and RCE Flaws in FortiSandbox","Fortinet Addresses Critical Vulnerabilities (CVE-2026-39813, CVE-2026-39808) in FortiSandbox","Fortinet has released patches for two critical vulnerabilities in its FortiSandbox product, a key component for advanced threat detection. The flaws, CVE-2026-39813 (auth bypass) and CVE-2026-39808 (command injection), are both rated CVSS 9.1 and can be exploited by an unauthenticated remote attacker. A compromised FortiSandbox could allow malicious files to be marked as safe or act as a pivot point into the network, making immediate patching essential.",[179,180,61,66,65,181,182],"Fortinet","FortiSandbox","CVE-2026-39813","CVE-2026-39808",[61,184],"Patch Management",[181,182],9.1,1776358297981]
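The nginx-ui item above lists two observables worth watching while CVE-2026-33032 is being exploited: requests to '/mcp_message' and unexpected changes to Nginx configuration files. The following is an added example of how a responder might check both, not code from the nginx-ui project or from Recorded Future. It assumes the front proxy writes the default "combined" access-log format and that the endpoint path is exactly '/mcp_message' as the brief states; the log lines and configuration files are constructed here for demonstration.

```python
"""Hunt for CVE-2026-33032 observables: MCP endpoint hits and Nginx config drift.

Added illustrative code, not part of nginx-ui. Assumptions: combined access-log
format; the vulnerable endpoint path is '/mcp_message' (from the brief). All
sample data below is constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# combined format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Path prefix reported as an observable; assumed to be the exact endpoint.
SUSPICIOUS_PREFIXES = ("/mcp_message",)

# Constructed access-log sample: two MCP requests from one source, two benign lines.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2026:10:02:11 +0000] "POST /mcp_message HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.3 - - [15/Apr/2026:10:02:14 +0000] "GET /api/env HTTP/1.1" 401 95 "-" "curl/8.4.0"
203.0.113.7 - - [15/Apr/2026:10:02:19 +0000] "POST /mcp_message?x=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.10 - - [15/Apr/2026:10:03:00 +0000] "GET /dashboard HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
"""


def find_mcp_requests(lines):
    """Return (ip, time, method, path, status) for every request to the MCP endpoint.

    Query strings are stripped before matching so '/mcp_message?x=1' is not missed.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if path.startswith(SUSPICIOUS_PREFIXES):
            hits.append((m.group("ip"), m.group("time"), m.group("method"),
                         path, int(m.group("status"))))
    return hits


def snapshot(conf_dir):
    """SHA-256 of every *.conf under conf_dir (recursive), keyed by POSIX relative path."""
    root = Path(conf_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.conf")) if p.is_file()}


def diff_snapshots(baseline, current):
    """Compare two snapshots; any entry here is a config change to account for."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo_config_drift():
    """Constructed demo: baseline a temp conf tree, simulate a hostile edit, report drift."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "conf.d").mkdir()
        site = root / "conf.d" / "site.conf"
        site.write_text("server { listen 80; root /var/www; }\n")
        (root / "nginx.conf").write_text("events {}\nhttp { include conf.d/*.conf; }\n")
        baseline = snapshot(root)
        # Simulated unauthorized change: traffic redirected and a new server block dropped in.
        site.write_text("server { listen 80; proxy_pass http://203.0.113.7; }\n")
        (root / "conf.d" / "evil.conf").write_text("server { listen 8443; }\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for hit in find_mcp_requests(SAMPLE_LOG.splitlines()):
        print("MCP request:", hit)
    print("config drift:", demo_config_drift())
```

In practice, take the configuration baseline from a known-good state (a clean deploy or version control), run the log scan against the proxy in front of nginx-ui rather than nginx-ui's own logs, and treat any 200 on '/mcp_message' from an unrecognized source as a trigger for the config comparison.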
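The RCI Hospitality notice above attributes the exposure to an Insecure Direct Object Reference, that is, a record lookup keyed on a client-supplied ID with no check that the caller is entitled to that record. The following is an added example contrasting the vulnerable pattern with an object-level authorization check and an indirect, session-bound reference; it is not RCI's software, and the record store, user names and field names are constructed.

```python
"""IDOR: the vulnerable lookup beside two hardened forms.

Added illustrative code, not from any real application. The contractor records,
users and the per-process key are constructed for the demo.
"""
import hashlib
import hmac
import secrets

# Constructed data: records keyed by the sequential ID a URL like /contractor/101 would carry.
CONTRACTORS = {
    101: {"owner": "alice", "name": "Alice A.", "ssn": "***-**-1111", "dl": "A1234567"},
    102: {"owner": "bob",   "name": "Bob B.",   "ssn": "***-**-2222", "dl": "B7654321"},
}


class Forbidden(Exception):
    """Raised for any reference the current session may not use."""


def get_contractor_insecure(session_user, contractor_id):
    """Vulnerable: trusts the client-supplied ID and never consults session_user.

    Any authenticated (or, if the route is unauthenticated, any) caller can walk
    101, 102, ... and read every record.
    """
    return CONTRACTORS[contractor_id]


def get_contractor_secure(session_user, contractor_id, is_admin=False):
    """Hardened: enforce the ownership rule on the object itself, not just the route.

    Missing and foreign records fail identically so the endpoint cannot be used
    to enumerate which IDs exist.
    """
    rec = CONTRACTORS.get(contractor_id)
    if rec is None or (rec["owner"] != session_user and not is_admin):
        raise Forbidden("no such record for this session")
    return rec


# Second layer: hand out opaque, user-bound handles instead of raw row IDs.
SECRET = secrets.token_bytes(32)  # constructed per-process key; use a managed secret in production


def issue_reference(session_user, contractor_id):
    """Mint an indirect reference that only resolves for the user it was issued to."""
    msg = f"{session_user}:{contractor_id}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"{contractor_id}.{tag}"


def resolve_reference(session_user, ref):
    """Verify the handle against the session before any lookup, then apply the object check."""
    try:
        raw_id, _tag = ref.split(".", 1)
        contractor_id = int(raw_id)
    except ValueError:
        raise Forbidden("malformed reference")
    expected = issue_reference(session_user, contractor_id)
    if not hmac.compare_digest(expected, ref):
        raise Forbidden("reference not valid for this session")
    return get_contractor_secure(session_user, contractor_id)


if __name__ == "__main__":
    print("insecure, alice reads bob:", get_contractor_insecure("alice", 102)["name"])
    ref = issue_reference("alice", 101)
    print("alice resolves own handle:", resolve_reference("alice", ref)["name"])
    try:
        resolve_reference("bob", ref)
    except Forbidden as e:
        print("bob reusing alice's handle:", e)
```

The ownership check in get_contractor_secure is the fix that actually closes the IDOR; the indirect reference is defense in depth that also removes the sequential-ID enumeration surface. Apply the check in the data-access layer so every route that reaches the record inherits it, rather than re-implementing it per endpoint.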