Security News Bulletin - April 2026


Insecure Deserialization in TYPO3 extension “Mailqueue”

CVE-2026-1323

Published: 2026-03-17 
Updated: 2026-03-17

Vendor: TYPO3
Product: Extension "Mailqueue"

Attack Tags: Insecure Deserialization, Remote Code Execution, Arbitrary Code Execution, Object Injection, TYPO3 CMS Vulnerability

Severity: Medium (CVSS 5.2)

What Is CVE-2026-1323?

CVE-2026-1323 is an insecure deserialization vulnerability affecting a TYPO3 extension. The extension fails to define the allowed classes used when deserializing transport failure metadata, so an attacker who can place crafted serialized data in the spool can have arbitrary objects instantiated, which may lead to code execution. Note that an active exploit requires write access to the directory configured at $GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_filepath'].

This deserialization flaw poses a Remote Code Execution (RCE) risk, requiring urgent patching of the affected TYPO3 extension.

Affected Versions

  • Versions before 0.4.5
  • Versions from 0.5.0 before 0.5.2

Observed Attack Activity

There is currently no observed active exploitation.

Indicators of Compromise:

  • Unexpected PHP serialized files appearing in the mail spool directory (transport_spool_filepath)
  • Serialized data containing suspicious class names or gadget chain indicators
  • Unusual process spawning from PHP/web server processes
  • Web server errors related to deserialization failures or unexpected object types
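The first two indicators above come down to one question: does the spool contain serialized objects of classes that the extension never writes? As an added example (not code from TYPO3 or the Mailqueue extension), the Python script below parses the class headers of PHP serialized data and flags every class outside an allow-list, the same allow-list discipline that PHP's own unserialize() supports through its allowed_classes option. The spool path, the allow-list entries and the two sample files are constructed assumptions; the real allow-list has to be taken from the extension's own envelope and metadata classes.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Header of a PHP serialized object, as it appears at the top level or nested
# after a ';', '{' or '}' inside arrays and property lists:
#   O:<len>:"<ClassName>":<nprops>:{...}   ordinary object
#   C:<len>:"<ClassName>":<len>:{...}      class implementing Serializable
PHP_OBJECT_HEADER = re.compile(rb'(?:^|[;{}])([OC]):(\d+):"([^"]*)":')


def find_object_classes(blob: bytes) -> List[str]:
    """Return every class name referenced by an object header, in order of
    appearance. Duplicates are kept so repeated use of one class stays visible.
    A header whose declared length disagrees with the name is reported as
    malformed rather than skipped. Text inside string values that merely looks
    like a header can cause a false positive; the allow-list absorbs that."""
    classes: List[str] = []
    for m in PHP_OBJECT_HEADER.finditer(blob):
        declared_len = int(m.group(2))
        name = m.group(3).decode("latin-1")
        if len(m.group(3)) != declared_len:
            classes.append(f"<malformed:{name}>")
        else:
            classes.append(name)
    return classes


def scan_blobs(blobs: Dict[str, bytes], allowed_classes: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag (filename, class) pairs whose class is not on the allow-list.
    An empty allow-list means no serialized objects are expected at all."""
    allowed = set(allowed_classes)
    return [(name, cls) for name, blob in blobs.items()
            for cls in find_object_classes(blob) if cls not in allowed]


def scan_spool(spool_dir: str, allowed_classes: Iterable[str]) -> List[Tuple[str, str]]:
    """Read every regular file in the configured spool directory and scan it."""
    blobs: Dict[str, bytes] = {}
    for entry in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, entry)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                blobs[entry] = fh.read()
    return scan_blobs(blobs, allowed_classes)


# Constructed sample spool contents (not real TYPO3 or Mailqueue data). The class
# names are placeholders chosen for this example.
ALLOWED_CLASSES = ["App\\Mail\\Envelope"]
SAMPLE_SPOOL = {
    "msg-0001.message": b'O:17:"App\\Mail\\Envelope":1:{s:4:"body";s:5:"hello";}',
    "msg-0002.message": b'O:17:"App\\Mail\\Envelope":1:{s:4:"body";O:18:"Example\\NotAllowed":0:{}}',
}

if __name__ == "__main__":
    # Point scan_spool() at the directory from transport_spool_filepath instead
    # of the in-memory sample to run this against a live installation.
    for filename, cls in scan_blobs(SAMPLE_SPOOL, ALLOWED_CLASSES):
        print(f"{filename}: unexpected class {cls}")
```

Run it from cron or a file-integrity job against the configured spool path; any finding is worth a look because nothing legitimate should be writing foreign object headers there, and a malformed header is as suspicious as an unknown class.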

Additional Resources 

  1. Official CVE Record — CVE.org 
    https://www.cve.org/CVERecord?id=CVE-2026-1323
  2. SentinelOne 
    https://www.sentinelone.com/vulnerability-database/cve-2026-1323/
  3. TYPO3 Security Advisories 
    https://typo3.org/security/advisory/typo3-ext-sa-2026-005

Payment Bypass Vulnerability in WordPress Plugin

CVE-2026-4987

Published: 2026-03-28 
Updated: 2026-03-28

Product: SureForms – Contact Form, Payment Form & Other Custom Form Builder

Attack Tags: Improper Input Validation, Payment Manipulation, Unauthenticated Remote Exploit

Severity: High (CVSS 7.5)

What Is CVE-2026-4987?

This vulnerability is a payment amount bypass issue caused by improper input validation.

The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0.
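To make the validation failure concrete, here is an added Python model of the two designs; it is not the SureForms plugin's code. The weak variant checks the configured price only when the client-chosen form_id resolves to a form, so an id that resolves to nothing skips validation entirely. The hardened variant refuses unknown or non-positive ids and takes the amount and currency from server-side configuration. FormConfig, the form identifier 42 and the price are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict


@dataclass(frozen=True)
class FormConfig:
    form_id: int
    amount: Decimal   # price configured by the site owner
    currency: str


@dataclass(frozen=True)
class PaymentIntent:
    form_id: int
    amount: Decimal
    currency: str


class PaymentError(ValueError):
    pass


def create_payment_intent_weak(forms: Dict[int, FormConfig], form_id: int,
                               client_amount: Decimal, currency: str) -> PaymentIntent:
    """Weak design (constructed illustration): the configured price is only
    checked when the client-chosen form_id resolves to a form, so an id that
    resolves to nothing skips validation and the client amount is charged."""
    config = forms.get(form_id)
    if config is not None and client_amount < config.amount:
        raise PaymentError("amount below configured price")
    return PaymentIntent(form_id, client_amount, currency)


def create_payment_intent_hardened(forms: Dict[int, FormConfig], form_id: int,
                                   client_amount: Decimal, currency: str) -> PaymentIntent:
    """Hardened design: the form must exist, and the amount and currency placed
    on the intent come from server-side configuration. The client values are
    cross-checked only so that a stale or tampered form is rejected loudly."""
    if not isinstance(form_id, int) or isinstance(form_id, bool) or form_id <= 0:
        raise PaymentError(f"invalid form_id {form_id!r}")
    config = forms.get(form_id)
    if config is None:
        raise PaymentError(f"unknown form_id {form_id}")
    if currency != config.currency or client_amount != config.amount:
        raise PaymentError("client-supplied amount/currency does not match configuration")
    return PaymentIntent(config.form_id, config.amount, config.currency)


# Constructed form configuration for the example.
FORMS: Dict[int, FormConfig] = {
    42: FormConfig(form_id=42, amount=Decimal("49.00"), currency="USD"),
}

if __name__ == "__main__":
    print(create_payment_intent_weak(FORMS, 0, Decimal("0.01"), "USD"))
    try:
        create_payment_intent_hardened(FORMS, 0, Decimal("0.01"), "USD")
    except PaymentError as exc:
        print("hardened:", exc)
```

The design point is that the client never decides which validation applies: an identifier the server cannot resolve is an error, not a reason to skip the check, and the amount that reaches the payment provider is always the configured one.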

Affected Versions

  • All versions up to and including 2.5.2

Observed Attack Activity 

There is currently no confirmed large-scale exploitation or active attack activity reported.

Risk factors that raise the likelihood of exploitation:

  • Public disclosure with full technical details
  • Simple exploitation method (parameter tampering)
  • Low attack complexity and no authentication required
  • Direct financial impact (payment bypass)

Additional Resources

  1. Official CVE Record — CVE.org 
    https://www.cve.org/CVERecord?id=CVE-2026-4987
  2. WordPress Security Bulletin 
    https://freshysites.com/resources/wordpress-security-bulletin-sureforms-contact-form-payment-form-other-custom-form-builder-cve-2026-4987
  3. Wordfence.com 
    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/sureforms/sureforms-252-unauthenticated-payment-amount-validation-bypass-via-form-id

TYPO3 MFA Authentication Bypass Vulnerability

CVE-2026-4208 

Released: March 17, 2026 
Last Updated: March 24, 2026 

Vendor: TYPO3

Attack Tags: Authentication Bypass, MFA Bypass, TYPO3 Extension, Access Control 

Severity: High (CVSS ~7.7)

What Is CVE-2026-4208?

CVE-2026-4208 is a high-severity authentication bypass vulnerability in a TYPO3 CMS extension called “E-Mail MFA Provider.”

The issue occurs because the extension fails to properly reset or invalidate the MFA (Multi-Factor Authentication) code after a successful login.

As a result, during subsequent login attempts, an attacker may bypass MFA by simply submitting an empty value instead of a valid MFA code, effectively skipping the second layer of authentication.
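The failure described above is a state-handling bug, and it is easiest to see as code. The following is an added Python model, not the mfa_email extension's code: the weak verifier "resets" the stored code to an empty string after success and never rejects empty input, so a later empty submission compares equal to the empty store; the hardened verifier treats a challenge as single-use, revokes it on success or after too many attempts, rejects malformed input before comparing, and compares in constant time. MfaSession, CODE_LENGTH and MAX_ATTEMPTS are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

CODE_LENGTH = 6
MAX_ATTEMPTS = 5


@dataclass
class MfaSession:
    pending_code: Optional[str] = None   # None: no challenge outstanding
    attempts_left: int = MAX_ATTEMPTS


def start_challenge(session: MfaSession) -> str:
    """Issue a fresh code. It is returned here so the example can run; a real
    provider would send it by e-mail and keep only the stored copy."""
    code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
    session.pending_code = code
    session.attempts_left = MAX_ATTEMPTS
    return code


def verify_weak(session: MfaSession, submitted: str) -> bool:
    """Weak pattern (constructed): success 'resets' the stored code to an empty
    string instead of invalidating the challenge, and nothing rejects an empty
    submission, so an empty value later compares equal to the empty store."""
    if session.pending_code is None:
        return False
    ok = submitted == session.pending_code
    if ok:
        session.pending_code = ""
    return ok


def verify_hardened(session: MfaSession, submitted: str) -> bool:
    """Hardened pattern: a challenge is single-use and is revoked on success or
    after too many attempts; malformed (including empty) input never matches
    and never consumes an attempt; the comparison is constant-time."""
    if session.pending_code is None:
        return False
    if not submitted or len(submitted) != CODE_LENGTH or not submitted.isdigit():
        return False
    session.attempts_left -= 1
    ok = hmac.compare_digest(submitted, session.pending_code)
    if ok or session.attempts_left <= 0:
        session.pending_code = None
    return ok


if __name__ == "__main__":
    s = MfaSession()
    code = start_challenge(s)
    print("weak, real code:", verify_weak(s, code))
    print("weak, empty value afterwards:", verify_weak(s, ""))
    s = MfaSession()
    code = start_challenge(s)
    print("hardened, real code:", verify_hardened(s, code))
    print("hardened, empty value afterwards:", verify_hardened(s, ""))
```

The invariant worth auditing in any MFA provider is that "no challenge outstanding" is a distinct state that can never match any input, rather than a sentinel value (empty string, zero, null-as-empty) that some input could still equal.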

Affected Versions

  • TYPO3 installations using the “E-Mail MFA Provider” (mfa_email) extension
  • Versions ≤ 1.0.5 and 2.0.0 are affected

Organizations using this extension for authentication are at risk until patched.

Observed Attack Activity

At the time of disclosure, there are no confirmed large-scale active exploits in the wild.

However, this vulnerability is still critical because:

  • It can be exploited by attackers with low-privileged access (valid credentials)
  • No user interaction is required once access is obtained
  • It enables bypass of MFA — a key security control

This makes it particularly dangerous in scenarios involving:

  • Credential compromise
  • Insider threats
  • Weak password environments

Additional Resources

  1. Official CVE Record — CVE.org 
    https://www.cve.org/CVERecord?id=CVE-2026-4208
  2. NVD — National Vulnerability Database 
    https://nvd.nist.gov/vuln/detail/CVE-2026-4208
  3. TYPO3 Security Advisory 
    https://typo3.org/security/advisory/typo3-ext-sa-2026-007
  4. GitHub Advisory (Technical Details) 
    https://github.com/advisories/GHSA-29r8-gvx4-r9w3

Angular i18n vulnerable to Cross-Site Scripting (XSS)

CVE-2026-27970

Published: 2026-02-26 
Updated: 2026-02-26

Vendor: Angular 
Product: Angular

Attack Tags: Cross-Site Scripting, Supply Chain Attack, JavaScript Injection, Session Hijacking or Credential Theft Vector

Severity: High (CVSS 7.6)

What Is CVE-2026-27970?

CVE-2026-27970 is a high-severity Cross-Site Scripting (XSS) vulnerability affecting the Angular framework’s internationalization (i18n) pipeline, specifically in ICU (International Components for Unicode) message processing. The vulnerability arises because HTML embedded within translated ICU messages is not properly sanitized, allowing malicious content to be rendered directly in the browser.

If an attacker can compromise translation files (such as .xliff or .xtb), they can inject malicious JavaScript into the application. When these translations are loaded, the injected code executes in the context of the user’s session.

Affected Versions

  • Versions >= 21.2.0-next.0 and < 21.2.0
  • Versions >= 21.0.0-next.0 and < 21.1.6
  • Versions >= 20.0.0-next.0 and < 20.3.17
  • Versions >= 19.0.0-next.0 and < 19.2.19
  • Versions <= 18.2.14

Observed Attack Activity

There is currently no observed active exploitation.

Successful exploitation may lead to:

  • Execution of arbitrary JavaScript in the application context
  • Credential theft and session hijacking
  • Data exfiltration or UI manipulation (defacement/phishing)

The Indicators of Compromise

Look for:

  • Unexpected changes in translation files (.xliff/.xtb)
  • Outbound traffic from browser sessions to unknown domains
  • Suspicious JavaScript execution tied to localized content
  • Integrity issues in CI/CD pipelines or localization workflows
  • CSP violations or blocked script execution alerts

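The first and fourth indicators (unexpected translation-file changes, integrity of the localization workflow) can be enforced in CI rather than hunted for after the fact. The script below is an added Python example, not Angular's code: it pins each translation file to a SHA-256 recorded in a manifest and, independently, inspects every XLIFF <target> for markup that should never be in a translation (script tags, on* event handler attributes, javascript: URLs, frames and embeds). The XLIFF sample, the manifest and the file name messages.de.xlf are constructed; the ICU plural unit is included to show that legitimate ICU syntax does not trip the check.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed XLIFF 1.2 sample (not from any real project): a plain unit, a unit
# carrying an ICU plural message, and a unit whose <target> smuggles in an
# event-handler attribute through escaped HTML.
SAMPLE_XLIFF = b"""<?xml version="1.0" encoding="UTF-8"?>
<xliff version="1.2" xmlns="urn:oasis:names:tc:xliff:document:1.2">
  <file source-language="en" target-language="de" datatype="plaintext" original="ng2.template">
    <body>
      <trans-unit id="greeting"><source>Hello</source><target>Hallo</target></trans-unit>
      <trans-unit id="items"><source>{VAR_PLURAL, plural, =1 {one item} other {{INTERPOLATION} items}}</source>
        <target>{VAR_PLURAL, plural, =1 {ein Element} other {{INTERPOLATION} Elemente}}</target></trans-unit>
      <trans-unit id="promo"><source>Welcome</source>
        <target>Willkommen &lt;img src=x onerror="handler()"&gt;</target></trans-unit>
    </body>
  </file>
</xliff>"""

NS = {"x": "urn:oasis:names:tc:xliff:document:1.2"}

# Markup that has no business in a translation string. Case-insensitive so that
# mixed-case tags and attribute names are caught as well.
SUSPICIOUS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*iframe\b|<\s*object\b|<\s*embed\b",
    re.IGNORECASE,
)


def translation_targets(xliff_bytes: bytes) -> Dict[str, str]:
    """Map each trans-unit id to the text of its <target> (empty if untranslated)."""
    root = ET.fromstring(xliff_bytes)
    targets: Dict[str, str] = {}
    for unit in root.iterfind(".//x:trans-unit", NS):
        target = unit.find("x:target", NS)
        targets[unit.get("id")] = "".join(target.itertext()) if target is not None else ""
    return targets


def flag_suspicious_targets(xliff_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (unit id, matched fragment) for every target containing suspicious markup."""
    findings = []
    for unit_id, text in translation_targets(xliff_bytes).items():
        match = SUSPICIOUS.search(text)
        if match:
            findings.append((unit_id, match.group(0)))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_manifest(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return the names of translation files whose hash differs from the manifest
    or that the manifest does not list. A CI step should fail on any entry."""
    return sorted(name for name, data in files.items()
                  if manifest.get(name) != sha256_hex(data))


if __name__ == "__main__":
    manifest = {"messages.de.xlf": sha256_hex(SAMPLE_XLIFF)}
    print("manifest mismatches:", verify_manifest({"messages.de.xlf": SAMPLE_XLIFF}, manifest))
    print("suspicious targets:", flag_suspicious_targets(SAMPLE_XLIFF))
```

The manifest belongs in the repository next to the translation files and is updated only through reviewed commits, so a translation that changes outside the normal review path fails the build before it reaches the bundle; the content check is a second, independent net for changes that do pass review.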
Additional Resources

  1. Official CVE Record — CVE.org 
    https://www.cve.org/CVERecord?id=CVE-2026-27970
  2. HeroDevs Technical Analysis 
    https://www.herodevs.com/blog-posts/cve-2026-27970-cross-site-scripting-xss-in-angular-i18n-icu-messages
  3. Snyk Vulnerability Report 
    https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-15353393

Active Support ReDoS Flaw in Ruby on Rails

CVE-2026-33169

Published: 2026-03-23 
Updated: 2026-03-23

Vendor: Rails 
Product: Active Support

Attack Tags: ReDoS (Regular Expression Denial of Service), Denial of Service (DoS), Resource Exhaustion, Input Validation Weakness

Severity: Medium (CVSS 6.9)

What Is CVE-2026-33169?

CVE-2026-33169 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the Active Support component of the Ruby on Rails framework. Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework.

The issue exists in the NumberToDelimitedConverter class, which uses a lookahead-based regular expression combined with gsub! to insert thousands delimiters into numbers. Because the lookahead re-scans the rest of the string for every digit, processing long numeric strings takes quadratic time, leading to excessive CPU usage.
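The quadratic behaviour is a property of the regex shape, not of Ruby, so it can be shown in any backtracking engine. The Python below is an added example, not Active Support's code: it places a lookahead-based delimiter of the kind the advisory describes next to a single-pass routine that produces identical output in linear time, and wraps the latter in an entry point that validates the shape and length of untrusted input first. MAX_INTEGER_DIGITS is an assumed cap; the timing loop in main only illustrates the growth on the reader's machine.

```python
import re
import time

# A lookahead-based delimiter of the kind the advisory describes: for every
# digit the lookahead re-scans the remainder of the run to decide whether a
# multiple of three digits follows, so total work grows with the square of
# the length of the run.
LOOKAHEAD_DELIMITER = re.compile(r"(\d)(?=(\d{3})+(?!\d))")

MAX_INTEGER_DIGITS = 64   # assumed cap; set it to what the application really formats


def delimit_lookahead(digits: str, delimiter: str = ",") -> str:
    """Regex formulation: correct output, quadratic time."""
    return LOOKAHEAD_DELIMITER.sub(lambda m: m.group(1) + delimiter, digits)


def delimit_linear(digits: str, delimiter: str = ",") -> str:
    """Same output in one pass: whether a delimiter follows a digit depends only
    on how many digits remain, which is known from the length up front."""
    n = len(digits)
    out = []
    for i, ch in enumerate(digits):
        out.append(ch)
        remaining = n - i - 1
        if remaining > 0 and remaining % 3 == 0:
            out.append(delimiter)
    return "".join(out)


def number_to_delimited(value: str, delimiter: str = ",", separator: str = ".") -> str:
    """Hardened entry point: check the shape and length of untrusted input
    before any formatting, then run the linear routine on the integer part."""
    if not re.fullmatch(r"-?\d+(?:\.\d+)?", value):
        raise ValueError("not a plain decimal number")
    sign = "-" if value.startswith("-") else ""
    integer, _, fraction = value.lstrip("-").partition(".")
    if len(integer) > MAX_INTEGER_DIGITS:
        raise ValueError("integer part too long")
    result = sign + delimit_linear(integer, delimiter)
    if fraction:
        result += separator + fraction
    return result


if __name__ == "__main__":
    # Doubling the input roughly quadruples the regex time while the linear
    # routine grows in proportion to the input.
    for n in (2000, 4000, 8000):
        digits = "7" * n
        t0 = time.perf_counter()
        delimit_lookahead(digits)
        t1 = time.perf_counter()
        delimit_linear(digits)
        t2 = time.perf_counter()
        print(f"n={n}: regex {t1 - t0:.4f}s  linear {t2 - t1:.4f}s")
```

Two independent controls appear here: a length bound on untrusted input at the boundary, which is the cheap mitigation an application can deploy immediately, and a formatting routine whose cost is linear by construction, which is what removes the bug class.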

Affected Versions

  • Versions >= 8.1.0.beta1 and < 8.1.2.1
  • Versions >= 8.0.0.beta1 and < 8.0.4.1
  • Versions < 7.2.3.1

Observed Attack Activity

No widespread active exploitation campaigns reported yet, but the attack is trivial to reproduce.

Exploitation path and impact:

  • An attacker sends crafted requests with excessively long numeric inputs to endpoints that perform number formatting
  • The regex backtracks excessively, driving up CPU consumption and degrading application performance
  • Resource exhaustion leads to a Denial of Service (DoS) condition
  • No authentication or user interaction is required, so the condition is easy to trigger remotely

Additional Resources

  1. Official CVE Record — CVE.org 
    https://www.cve.org/CVERecord?id=CVE-2026-33169
  2. National Vulnerability Database - NVD 
    https://nvd.nist.gov/vuln/detail/CVE-2026-33169
  3. Ruby on Rails 
    https://discuss.rubyonrails.org/t/cve-2026-33169-possible-redos-vulnerability-in-number-to-delimited-in-active-support/90911

Cisco Firewall Remote Code Execution Vulnerability

CVE-2026-20131

Released: 2026-03-04 
Last Updated: 2026-03-25 

Vendor: Cisco Systems

Attack Tags: Remote Code Execution, Insecure Deserialization, Network Infrastructure, Firewall Management 

Severity: Critical (CVSS 10.0)

What Is CVE-2026-20131?

CVE-2026-20131 is a critical remote code execution (RCE) vulnerability affecting Cisco Systems Secure Firewall Management Center (FMC).

The issue is caused by insecure deserialization of user-supplied Java data in the web-based management interface. An attacker can send a specially crafted serialized object to the interface, which the system processes without proper validation.

If exploited successfully, this allows an unauthenticated remote attacker to execute arbitrary Java code as root, giving full control over the affected system.

Affected Products

The vulnerability impacts:

  • Cisco Secure Firewall Management Center (FMC) Software
  • Cisco Security Cloud Control (SCC) Firewall Management

These platforms are used to centrally manage firewall policies, traffic inspection, and security controls across enterprise networks.

Observed Attack Activity

This vulnerability is actively exploited in the wild and has been used in real-world attacks:

  • A ransomware group known as Interlock exploited this vulnerability as a zero-day even before public disclosure.
  • Attackers used crafted HTTP requests to trigger the vulnerability and execute payloads on targeted systems.
  • Post-exploitation activities included downloading malicious binaries, establishing persistence, and performing reconnaissance within compromised networks.

Because this affects firewall management systems, attackers can potentially gain control over network traffic, security policies, and connected infrastructure.

Additional Resources

  1. Official CVE Record — CVE.org
    https://www.cve.org/CVERecord?id=CVE-2026-20131
  2. Cisco Security Advisory 
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh
  3. NVD — National Vulnerability Database 
    https://nvd.nist.gov/vuln/detail/CVE-2026-20131
  4. Threat Intelligence Report (Active Exploitation) 
    https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/
