
THREAT CHAIN

Posted on • Originally published at threatchain.io

ThreatChain Weekly: Chrome Zero-Day Hits KEV, WordPress Plugins Under Siege, and 4.4M Threats in 7 Days — Week of April 5, 2026


3 new CISA Known Exploited Vulnerabilities added this week. What defenders need to know.

State of the week

A Google Chrome use-after-free vulnerability landed on CISA's Known Exploited Vulnerabilities catalog this week — meaning attackers are already using it in the wild, and you need to patch now. WordPress plugin vulnerabilities dominated the critical CVE landscape again, with two separate plugins offering attackers a straight path to remote code execution. Meanwhile, ThreatChain sensors picked up over 4.4 million new threats across malware, phishing, and crypto scams, keeping pace with what's been a relentless Q1.

By the numbers

| Metric | This week (Mar 29 – Apr 5) |
|---|---|
| New malware samples | 1,450,538 |
| New phishing domains | 2,954,289 |
| New scam crypto wallets | 2,530 |
| Total new threats | 4,407,616 |
| New CVEs published | 1,263 |
| New critical CVEs (CVSS ≥ 9.0) | 142 |
| New CISA KEV additions | 3 |

Nearly 3 million new phishing domains in a single week. That number continues to climb quarter over quarter, driven largely by automated domain generation and cheap bulk registration through privacy-friendly registrars. If you run email infrastructure, your blocklists are already stale.

CVEs that matter this week

We tracked 1,263 new CVEs this week, 142 of them critical. Here are the five you actually need to care about, ranked by real-world risk.

🔴 CVE-2026-5281 — Chrome Use-After-Free (Dawn) — ACTIVELY EXPLOITED

| Detail | Value |
|---|---|
| CVSS | 8.8 (High) |
| EPSS | 0.03034 (~3% chance of exploitation in next 30 days) |
| KEV | ✅ Yes — already being actively exploited |

What it is: A use-after-free bug in Dawn, Chrome's WebGPU implementation. If an attacker has already compromised Chrome's renderer process (via another bug or a malicious page), they can chain this vulnerability to escape the sandbox and run arbitrary code on your machine.

Why it matters: This is on CISA's KEV list, which means it's not theoretical — attackers are using it right now. The EPSS score looks modest at ~3%, but that's because EPSS models population-wide probability. The KEV designation overrides that signal: this is confirmed in-the-wild exploitation. Update Chrome to 146.0.7680.178 or later immediately. Chromium-based browsers (Edge, Brave, Opera, Vivaldi) are also affected — check for updates across the board.

🔴 CVE-2026-34156 — NocoBase Workflow Script Node RCE

| Detail | Value |
|---|---|
| CVSS | 9.9 (Critical) |
| EPSS | 0.05188 (~5.2% chance of exploitation in next 30 days) |
| KEV | No |

What it is: NocoBase is a popular AI-powered no-code/low-code platform used to build internal business apps. Its Workflow Script Node executes user-supplied JavaScript without proper sandboxing. Prior to version 2.0.28, an attacker can inject arbitrary code and get full remote code execution on the server.

Why it matters: A CVSS of 9.9 is about as bad as it gets. If your org uses NocoBase for internal tooling — and many startups and mid-size companies do — an authenticated user (or anyone who can reach the workflow editor) can own the entire server. Update to 2.0.28+ now. If you can't patch immediately, disable or restrict access to workflow script nodes.

🔴 CVE-2026-4257 — Contact Form by Supsystic (WordPress) — SSTI to RCE

| Detail | Value |
|---|---|
| CVSS | 9.8 (Critical) |
| EPSS | 0.1583 (~15.8% chance of exploitation in next 30 days) |
| KEV | No |

What it is: The Contact Form by Supsystic plugin for WordPress (all versions through 1.7.36) is vulnerable to Server-Side Template Injection. An attacker can craft input through the contact form that the server-side template engine evaluates as code, leading directly to remote code execution.

Why it matters: This has the highest EPSS score of the week at ~15.8% — meaning the model gives it roughly a 1-in-6 chance of being exploited in the wild within 30 days. That's high. WordPress plugins are low-hanging fruit for automated scanners, and contact form plugins are internet-facing by design. If you're running Supsystic's contact form, update past 1.7.36 or remove the plugin entirely. There are dozens of alternatives.
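The SSTI pattern behind this class of bug, shown in a generic Python example added for this post (it is not the Supsystic plugin's code, which is PHP, and the `SiteConfig` secret and contact-form message are constructed placeholders). The vulnerable renderer splices the visitor's message into the template source, so template syntax in the message is evaluated against the server-side context; the hardened renderer keeps the template fixed and passes the message in only as a value.

```python
from string import Template


# Constructed server-side object that ends up in the template context.
class SiteConfig:
    smtp_password = "constructed-placeholder-secret"


CONTEXT = {"site": "example.com", "config": SiteConfig()}


def render_vulnerable(user_message: str, ctx: dict) -> str:
    # Anti-pattern: user input becomes part of the template source, so any
    # placeholder the visitor writes is resolved with attribute access into ctx.
    template = "New message from {site}: " + user_message
    return template.format(**ctx)


def render_hardened(user_message: str, ctx: dict) -> str:
    # The template source is a constant; the message is substituted as data.
    # string.Template does not re-scan substituted values, so placeholder
    # syntax inside the message is emitted literally.
    template = Template("New message from $site: $message")
    return template.substitute(site=ctx["site"], message=user_message)


if __name__ == "__main__":
    probe = "{config.smtp_password}"  # constructed test input, not a visitor message
    print("vulnerable:", render_vulnerable(probe, CONTEXT))
    print("hardened:  ", render_hardened(probe, CONTEXT))
```

The same rule applies whatever the engine (Twig, Smarty, Jinja2, Handlebars): the template is code the developer wrote, and form input must only ever arrive as a variable passed to it, never as a fragment of the template itself.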

🟡 CVE-2026-4020 — Gravity SMTP (WordPress) — Sensitive Information Exposure

| Detail | Value |
|---|---|
| CVSS | 7.5 (High) |
| EPSS | 0.04486 (~4.5% chance of exploitation in next 30 days) |
| KEV | No |

What it is: The Gravity SMTP plugin for WordPress (through version 2.1.4) exposes a REST API endpoint at /wp-json/gravitysmtp/... that leaks sensitive information — likely SMTP credentials, API keys, or email configuration data — to unauthenticated users.

Why it matters: Leaked SMTP credentials mean attackers can send email as you. That's phishing campaigns from your domain, password reset interception, or lateral movement into other systems that share credentials. Update to the latest version and rotate your SMTP credentials even after patching — assume they've been exposed.

🟡 CVE-2026-5176 — Totolink A3300R Router Command Injection

| Detail | Value |
|---|---|
| CVSS | 6.9 (Medium) |
| EPSS | 0.02958 (~3% chance of exploitation in next 30 days) |
| KEV | No |

What it is: The Totolink A3300R router (firmware 17.0.0cu.557_b20221024) has a command injection vulnerability in its setSyslogCfg function, accessible through the CGI interface.

Why it matters: Consumer and SOHO router bugs like this are botnet fuel. This week's ThreatChain research on the Boatnet/Mirai/LZRD botnet (more below) shows exactly how quickly these IoT flaws get weaponized. If you have Totolink gear, check for firmware updates. If none are available, put the management interface behind a firewall or VPN — never expose it to the internet.

What to patch this week

Here's your action list. Print it, share it in Slack, tape it to someone's monitor:

- [ ] Google Chrome / Chromium browsers → Update to 146.0.7680.178+ (CVE-2026-5281, actively exploited)
- [ ] NocoBase → Update to 2.0.28+ (CVE-2026-34156, CVSS 9.9)
- [ ] WordPress: Contact Form by Supsystic → Update past 1.7.36 or remove (CVE-2026-4257, CVSS 9.8, EPSS ~16%)
- [ ] WordPress: Gravity SMTP → Update past 2.1.4, then rotate SMTP credentials (CVE-2026-4020)
- [ ] Totolink A3300R → Apply firmware update or restrict management interface access (CVE-2026-5176)
- [ ] CISA KEV review → 3 new KEV additions this week. If you maintain a KEV-driven patching program, sync your list.
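The "KEV overrides EPSS" reasoning from the Chrome write-up, and the KEV-sync item in the checklist, as an added Python example written for this post (not ThreatChain's tooling). It parses a constructed excerpt in the shape of CISA's KEV JSON feed and FIRST's EPSS API response, merges them with a constructed asset inventory carrying the CVSS scores quoted above, and ranks findings KEV first, then CVSS, then EPSS, which reproduces the order the five CVEs appear in this post. The field names (`vulnerabilities[].cveID`, `data[].cve`, `data[].epss`) are those of the real feeds; the inventory rows, the `Finding` class and the tier labels are assumptions of the example.

```python
import json
from dataclasses import dataclass

# Constructed excerpt in the shape of CISA's KEV feed (only the fields used
# here; a real entry carries more, such as dateAdded and dueDate).
KEV_FEED_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2026-5281", "vendorProject": "Google", "product": "Chromium Dawn",
     "vulnerabilityName": "Use-after-free in Dawn (WebGPU)"}
  ]
}"""

# Constructed excerpt in the shape of FIRST's EPSS API response, carrying the
# EPSS values quoted in this post (the API returns them as strings).
EPSS_RESPONSE_JSON = """{
  "status": "OK",
  "data": [
    {"cve": "CVE-2026-5281",  "epss": "0.03034"},
    {"cve": "CVE-2026-34156", "epss": "0.05188"},
    {"cve": "CVE-2026-4257",  "epss": "0.1583"},
    {"cve": "CVE-2026-4020",  "epss": "0.04486"},
    {"cve": "CVE-2026-5176",  "epss": "0.02958"}
  ]
}"""

# Constructed asset inventory: (CVE, affected asset, CVSS from this post).
INVENTORY = [
    ("CVE-2026-5281",  "Google Chrome / Chromium browsers",    8.8),
    ("CVE-2026-34156", "NocoBase < 2.0.28",                    9.9),
    ("CVE-2026-4257",  "WordPress: Contact Form by Supsystic", 9.8),
    ("CVE-2026-4020",  "WordPress: Gravity SMTP <= 2.1.4",     7.5),
    ("CVE-2026-5176",  "Totolink A3300R",                      6.9),
]


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float
    epss: float
    kev: bool

    @property
    def tier(self) -> str:
        # KEV membership is confirmed in-the-wild exploitation and outranks any
        # model score; CVSS >= 9.0 is this post's "critical" cut-off.
        if self.kev:
            return "P0"
        if self.cvss >= 9.0:
            return "P1"
        return "P2"


def load_kev_ids(feed_json: str) -> set:
    return {entry["cveID"] for entry in json.loads(feed_json)["vulnerabilities"]}


def load_epss(response_json: str) -> dict:
    return {row["cve"]: float(row["epss"]) for row in json.loads(response_json)["data"]}


def prioritize(inventory, kev_ids, epss_by_cve):
    findings = [
        Finding(cve, asset, cvss, epss_by_cve.get(cve, 0.0), cve in kev_ids)
        for cve, asset, cvss in inventory
    ]
    # Sort key: KEV first, then CVSS, then EPSS as the tie-breaker.
    findings.sort(key=lambda f: (f.kev, f.cvss, f.epss), reverse=True)
    return findings


def patch_list(inventory, kev_feed_json, epss_response_json):
    ranked = prioritize(inventory, load_kev_ids(kev_feed_json), load_epss(epss_response_json))
    return [f"[{f.tier}] {f.cve} {f.asset} (CVSS {f.cvss}, EPSS {f.epss:.1%})" for f in ranked]


if __name__ == "__main__":
    for line in patch_list(INVENTORY, KEV_FEED_JSON, EPSS_RESPONSE_JSON):
        print(line)
```

To run this against live data, fetch the KEV catalog from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and EPSS scores from https://api.first.org/data/v1/epss?cve=CVE-2026-5281 (comma-separate several CVE IDs in one request) and pass the response bodies in place of the constructed strings; the inventory is whatever your asset or scanner export provides.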

Crypto scam trends

We flagged 2,530 new scam wallets this week. The pace is steady but not spiking — which is itself notable given the recent market volatility. Our research team published an updated analysis of the biggest crypto hacks of 2026 so far, cataloging the techniques and on-chain patterns behind the year's major incidents. Worth a read if you're running treasury operations or DeFi protocols. The common thread: most breaches still start with compromised credentials or social engineering, not smart contract exploits.

Malware spotlight: Offloader slips past 95% of AV engines

Our research team published a deep dive this week on Offloader, a GCleaner-dropped payload that's evading detection by 95% of antivirus engines at the time of analysis. GCleaner has been a persistent initial access broker, distributing payloads through fake software crack sites and SEO-poisoned downloads. Offloader's evasion techniques include heavy obfuscation, environment-aware execution (it won't detonate in sandboxes), and living-off-the-land binary usage. The full technical breakdown — including IOCs and YARA rules — is on the ThreatChain blog.

We also published new research on the Boatnet/Mirai/LZRD botnet variant making the rounds in 2026, which ties directly into why IoT CVEs like the Totolink bug above matter. These botnets are getting faster at integrating new exploits — sometimes within days of public disclosure.

ThreatChain platform updates

A few things we shipped and published this week:

- New research: "Inside Offloader" — Full analysis of the GCleaner-dropped payload evading 95% of AV engines, with IOCs and detection rules you can deploy today.
- New research: "Boatnet/Mirai/LZRD Botnet 2026" — Updated tracking of IoT botnet evolution and the exploit chains driving recruitment.
- New research: "Biggest Crypto Hacks 2026" — A running analysis of the year's most significant crypto incidents, patterns, and lessons.
- Threat feed updates — All 1,450,538 new malware hashes and 2,954,289 phishing domains from this week are available in the ThreatChain feed for integration into your SIEM, firewall, and email security stack.
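What "integration into your SIEM" looks like at its simplest, as an added Python example written for this post (not ThreatChain's feed client or format). The feed entries, proxy log lines and EDR events below are all constructed placeholders (reserved `.test`/`.invalid` domains, repeated-byte hashes); the key=value log layout is an assumption of the example. Domain matching covers parent domains, so a feed entry for `login-secure-example.test` also catches `sso.login-secure-example.test`.

```python
import re
from urllib.parse import urlsplit

# Constructed feed excerpts (placeholders, not real ThreatChain indicators).
PHISHING_DOMAINS = {"login-secure-example.test", "mail-verify.invalid"}
MALWARE_HASHES = {"deadbeef" * 8, "cafebabe" * 8}  # 64-hex SHA-256 placeholders

# Constructed proxy log lines in a key=value layout.
PROXY_LOGS = [
    "2026-04-02T09:14:03Z src=10.0.4.21 user=alice method=GET url=https://www.example.com/ status=200",
    "2026-04-02T09:14:09Z src=10.0.4.21 user=alice method=GET url=https://sso.login-secure-example.test/auth status=200",
    "2026-04-02T09:15:41Z src=10.0.7.8 user=bob method=POST url=http://mail-verify.invalid/reset status=302",
]

# Constructed EDR process-start events carrying the image's SHA-256.
EDR_EVENTS = [
    "2026-04-02T09:16:00Z host=ws-0042 user=bob image=C:\\Users\\bob\\Downloads\\setup.exe sha256=" + "deadbeef" * 8,
    "2026-04-02T09:16:05Z host=ws-0042 user=bob image=C:\\Windows\\System32\\notepad.exe sha256=" + "00" * 32,
]

# key=value tokens; adequate for the sample layout (a real parser must handle
# '=' inside quoted values and URL query strings).
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def matched_domain(host: str, blocklist: set):
    # Return the feed entry matching the host itself or any parent domain.
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_proxy(lines, blocklist=PHISHING_DOMAINS):
    alerts = []
    for line in lines:
        ev = parse_line(line)
        host = urlsplit(ev.get("url", "")).hostname
        if not host:
            continue
        hit = matched_domain(host, blocklist)
        if hit:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "user": ev["user"],
                           "url": ev["url"], "indicator": hit, "type": "phishing_domain"})
    return alerts


def scan_edr(lines, hashes=MALWARE_HASHES):
    alerts = []
    for line in lines:
        ev = parse_line(line)
        digest = ev.get("sha256", "").lower()
        if digest in hashes:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "image": ev["image"],
                           "indicator": digest, "type": "malware_hash"})
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy(PROXY_LOGS) + scan_edr(EDR_EVENTS):
        print(alert)
```

Exact-match sets are fine for a few million indicators in memory; at feed scale, load the hashes and domains into your SIEM's lookup tables or a bloom filter on the collector and keep the parent-domain walk, since phishing kits routinely sit on subdomains of the registered domain in the feed.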

Stay patched, stay skeptical of contact forms, and update Chrome before you do anything else today.

— The ThreatChain Threat Intelligence Team
