New CISA flaw alerts

Federal vulnerability trackers added a fresh batch of high-risk entries this week, including six new advisories touching Fortinet, Microsoft and Adobe products. (x.com) The same digest flagged 1,615 new flaws reported the week of April 6–12 and called out a critical remote‑code‑execution hole in AI tool Flowise. (x.com)

The federal government’s top exploited-bug list grew again on April 13, when the Cybersecurity and Infrastructure Security Agency added seven vulnerabilities tied to Adobe, Fortinet and Microsoft products. (cisa.gov 1) (cisa.gov 2)

The Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog is the government’s running list of software flaws attackers are already using in real intrusions, not just bugs that look dangerous on paper. The agency says organizations should use that catalog to prioritize patching, and federal civilian agencies get binding deadlines under Binding Operational Directive 22-01. (cisa.gov 1) (cisa.gov 2)

In the April 13 update, the catalog added Adobe Acrobat and Reader flaw CVE-2026-34621, Fortinet FortiClient Enterprise Management Server flaw CVE-2026-21643, Adobe Acrobat flaw CVE-2020-9715, and Microsoft Windows flaw CVE-2023-36424. The catalog entry for CVE-2026-34621 set an April 27, 2026 deadline for federal agencies, while the Fortinet entry set an April 16, 2026 deadline. (cisa.gov)

The same Cybersecurity and Infrastructure Security Agency advisories page shows a second alert on April 14 adding two more exploited vulnerabilities, extending a week in which the catalog changed repeatedly. The catalog listed 1,566 entries when it was viewed on April 15. (cisa.gov 1) (cisa.gov 2)

The volume behind those alerts is much larger than the handful of flaws that make the exploited list. The Cybersecurity and Infrastructure Security Agency’s bulletin for the week of April 6, 2026 says it summarized newly recorded vulnerabilities from that week and identified 129 high-severity entries in the bulletin’s high-risk section alone. (cisa.gov)

That is why additions to the Known Exploited Vulnerabilities catalog get unusual weight inside security teams: the list is narrower than the weekly flood of disclosures and is built around evidence of active abuse. The agency describes its alerts as notices for recent, ongoing or high-impact threats that need rapid response. (cisa.gov) (cisa.gov)

One of the week’s other closely watched flaws hit Flowise, an open-source tool for building artificial-intelligence workflows with a drag-and-drop interface. The National Vulnerability Database says CVE-2025-59528 lets user-supplied configuration data get executed as JavaScript code with full Node.js privileges, which can let an attacker run commands on the server. (nvd.nist.gov) The National Vulnerability Database lists CVE-2025-59528 as affecting Flowise version 3.0.5 and says the issue was patched in version 3.0.6. Its record carries a critical 10.0 severity score from GitHub, the vulnerability numbering authority for that entry. (nvd.nist.gov)

For defenders, the immediate task is less about reading every new bug report than checking whether any software they run has landed on the exploited list and whether a patch deadline is already ticking. That is the practical signal in this week’s Cybersecurity and Infrastructure Security Agency alerts. (cisa.gov) (cisa.gov)
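The check described in the last paragraph, as an added example (not code from CISA or from this article): it matches a hypothetical asset inventory against a constructed excerpt laid out like the Known Exploited Vulnerabilities JSON feed and ranks hits by days left to the due date. The inventory, host names and the `triage` function are assumptions; the CVE IDs and dates are the ones given above.

```python
import json
from datetime import date

# Constructed excerpt in the layout of the KEV JSON feed; CVE IDs, add date and
# due dates are the ones stated in the article, product strings are its wording.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-34621", "vendorProject": "Adobe",
   "product": "Acrobat and Reader", "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
  {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet",
   "product": "FortiClient Enterprise Management Server",
   "dateAdded": "2026-04-13", "dueDate": "2026-04-16"}
]}
""")

# Hypothetical asset inventory (hosts and products are made up for the example).
INVENTORY = [
    {"host": "ws-finance-01", "vendor": "adobe", "product": "Acrobat  and Reader"},
    {"host": "ems-01", "vendor": "Fortinet", "product": "FortiClient Enterprise Management Server"},
    {"host": "build-02", "vendor": "Canonical", "product": "Ubuntu"},
]

def _key(vendor, product):
    # Case- and whitespace-insensitive match key; real inventories usually need CPE mapping.
    return (" ".join(vendor.lower().split()), " ".join(product.lower().split()))

def triage(catalog, inventory, today):
    """Return KEV hits for inventoried products, most urgent first."""
    by_product = {}
    for vuln in catalog["vulnerabilities"]:
        by_product.setdefault(_key(vuln["vendorProject"], vuln["product"]), []).append(vuln)
    findings = []
    for asset in inventory:
        for vuln in by_product.get(_key(asset["vendor"], asset["product"]), []):
            days_left = (date.fromisoformat(vuln["dueDate"]) - today).days
            findings.append({
                "host": asset["host"],
                "cve": vuln["cveID"],
                "due": vuln["dueDate"],
                "days_left": days_left,          # negative means past due
                "status": "OVERDUE" if days_left < 0 else "DUE",
            })
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date(2026, 4, 15)):
        print(f'{f["status"]:8}{f["host"]:15}{f["cve"]:16}due {f["due"]} ({f["days_left"]:+d}d)')
```

A hit here means the product is in the catalog, not that the installed version is affected; version comparison against the vendor advisory is a separate step.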
