
U.S. CISA adds Adobe, Fortinet, Microsoft Windows, Microsoft Exchange Server flaws to its Known Exploited Vulnerabilities catalog



Pierluigi Paganini
April 14, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2026-34621 Adobe Acrobat and Reader Prototype Pollution Vulnerability
  • CVE-2012-1854 Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability
  • CVE-2020-9715 Adobe Acrobat Use-After-Free Vulnerability
  • CVE-2023-21529 Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
  • CVE-2023-36424 Microsoft Windows Out-of-Bounds Read Vulnerability
  • CVE-2025-60710 Microsoft Windows Link Following Vulnerability
  • CVE-2026-21643 Fortinet SQL Injection Vulnerability

Last week, Adobe released emergency updates to address a critical vulnerability, tracked as CVE-2026-34621 (CVSS score of 8.6), in Adobe Acrobat Reader, which is being actively exploited. The flaw could allow attackers to execute malicious code on affected systems, making prompt patching essential to reduce the risk of compromise.

The vulnerability is an improperly controlled modification of object prototype attributes (‘Prototype Pollution’) that can lead to arbitrary code execution.

CISA also added to the KEV catalog the vulnerability CVE-2012-1854, which is an untrusted search path / DLL hijacking flaw affecting components of Microsoft Office VBA, specifically VBE6.dll used in Office and Visual Basic for Applications.

The third issue added to the catalog is the flaw CVE-2020-9715, which is a use-after-free issue that can lead to arbitrary code execution.

The US agency also added the CVE-2026-21643 flaw to the catalog. In February, Fortinet issued an urgent advisory to address a critical FortiClientEMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1).

The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specifically crafted HTTP requests.

A successful attack could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by April 27, 2026, except CVE-2026-21643, which must be addressed by April 16, 2026.
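A defender-side check for the BOD 22-01 due dates discussed above, as an added example (not code from the article or from CISA): it reads a KEV-style JSON feed, matches entries against a local product inventory and reports the days remaining before each due date. The feed excerpt and the inventory are constructed; the field names assume the layout of CISA's published KEV JSON feed, and the CVEs and due dates are the ones reported here.

```python
"""Triage a KEV-style feed against a local software inventory (added example)."""
import json
from datetime import date

# Constructed feed excerpt, not the live catalog. Field names assume the layout
# of CISA's published KEV JSON feed; dates are the due dates from the article.
KEV_FEED = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2026-34621", "vendorProject": "Adobe", "product": "Acrobat and Reader",
  "vulnerabilityName": "Adobe Acrobat and Reader Prototype Pollution Vulnerability",
  "dueDate": "2026-04-27"},
 {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClientEMS",
  "vulnerabilityName": "Fortinet SQL Injection Vulnerability",
  "dueDate": "2026-04-16"},
 {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
  "vulnerabilityName": "Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability",
  "dueDate": "2026-04-27"}
]}""")

# Constructed inventory: (vendor, product) pairs this organisation actually runs.
INVENTORY = {("Adobe", "Acrobat and Reader"), ("Fortinet", "FortiClientEMS")}


def parse_kev(feed):
    """Return (cve, vendor, product, due_date) tuples, earliest due date first."""
    rows = []
    for v in feed["vulnerabilities"]:
        rows.append((v["cveID"], v["vendorProject"], v["product"],
                     date.fromisoformat(v["dueDate"])))
    return sorted(rows, key=lambda r: r[3])


def triage(feed, inventory, today, horizon_days=14):
    """Map each in-scope CVE to the days left until its due date.

    Only entries whose (vendor, product) is in the inventory and whose due date
    falls within horizon_days are reported; a negative value means the BOD 22-01
    due date has already passed and the item is overdue.
    """
    result = {}
    for cve, vendor, product, due in parse_kev(feed):
        if (vendor, product) not in inventory:
            continue
        remaining = (due - today).days
        if remaining <= horizon_days:
            result[cve] = remaining
    return result


if __name__ == "__main__":
    for cve, days in triage(KEV_FEED, INVENTORY, date(2026, 4, 14)).items():
        print(f"{cve}: {'OVERDUE by ' + str(-days) if days < 0 else str(days)} day(s)")
```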
