(TLP:CLEAR) Weekly Vulnerabilities to Prioritize – April 16, 2026
Created: Thursday, April 16, 2026 - 13:12
Categories: Cybersecurity, Security Preparedness
The vulnerabilities below have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation. WaterISAC issues separate alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to review these vulnerabilities regularly; many of them are included in CISA's Known Exploited Vulnerabilities (KEV) Catalog.
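One practical way to act on the KEV cross-reference described above is to extract the CVE IDs from a bulletin like this one and check them against the KEV feed, ranking by CISA's remediation due date. The script below is an added example, not WaterISAC or CISA code. It uses the field names of the public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse); the KEV_SAMPLE embedded in it is a constructed stand-in for the live feed so the script runs offline, and its dates and ransomware flags are placeholders, not CISA data. The fetch_kev helper and the feed URL are for live use and are not exercised by the offline run.

```python
"""Cross-reference a bulletin's CVE IDs against CISA's KEV catalog.

Added example, not WaterISAC or CISA code. KEV_SAMPLE is a constructed
stand-in for the live feed (same schema, placeholder values).
"""
import json
import re
import urllib.request
from datetime import date

KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# The CVE lines from this bulletin, pasted as plain text so the extractor
# works on the page as received rather than on a hand-built list.
BULLETIN_TEXT = """
CVE: CVE-2026-21643
CVE: CVE-2026-32201
CVE: CVE-2009-0238
CVEs: CVE-2026-34621
"""

# Constructed sample in the KEV feed's schema. Dates and the ransomware
# flag are placeholders for demonstration only, not CISA's published data.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClientEMS",
     "dateAdded": "2026-04-14", "dueDate": "2026-04-21", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft", "product": "SharePoint Server",
     "dateAdded": "2026-04-14", "dueDate": "2026-04-21", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2009-0238", "vendorProject": "Microsoft", "product": "Office Excel",
     "dateAdded": "2026-04-13", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-34621", "vendorProject": "Adobe", "product": "Acrobat Reader",
     "dateAdded": "2026-04-15", "dueDate": "2026-04-22", "knownRansomwareCampaignUse": "Unknown"},
]})

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def extract_cves(text):
    """Return the CVE IDs found in text, first-seen order, no duplicates."""
    seen, found = set(), []
    for cve in CVE_RE.findall(text.upper()):
        if cve not in seen:
            seen.add(cve)
            found.append(cve)
    return found


def load_kev(feed_json):
    """Index a KEV feed document (JSON text) by cveID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def fetch_kev(url=KEV_FEED_URL, timeout=30):
    """Download and index the live catalog (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def cross_reference(cve_ids, kev_index, today):
    """Annotate each CVE with its KEV status and sort by urgency:
    overdue entries first, then nearest due date, then CVEs not in KEV.
    `today` is a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for cve in cve_ids:
        entry = kev_index.get(cve)
        if entry is None:
            rows.append({"cve": cve, "in_kev": False, "product": None,
                         "due": None, "overdue": False, "ransomware": None})
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({"cve": cve, "in_kev": True,
                     "product": f'{entry["vendorProject"]} {entry["product"]}',
                     "due": due, "overdue": due < today,
                     "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown")})
    rows.sort(key=lambda r: (not r["in_kev"], not r["overdue"], r["due"] or date.max))
    return rows


if __name__ == "__main__":
    # Offline demo; replace load_kev(KEV_SAMPLE) with fetch_kev() for live data.
    report = cross_reference(extract_cves(BULLETIN_TEXT), load_kev(KEV_SAMPLE), date.today())
    for r in report:
        status = "NOT IN KEV" if not r["in_kev"] else ("OVERDUE" if r["overdue"] else "due")
        print(f'{r["cve"]:<16} {status:<10} {r["due"] or "-"}  {r["product"] or ""}')
```

Running it with the live feed in place of KEV_SAMPLE gives a due-date-ordered worklist; a CVE the bulletin lists but the feed lacks sorts to the bottom rather than being dropped, so nothing on the bulletin silently disappears from the report.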
Fortinet SQL Injection Vulnerability
CVSS v3.1: 9.1
CVE: CVE-2026-21643
Description: An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. CISA added this vulnerability to its KEV catalog.
Source: https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
Microsoft SharePoint Server Improper Input Validation Vulnerability (Zero-Day)
CVSS v3.1: 6.5
CVE: CVE-2026-32201
Description: See WaterISAC's analysis of this actively exploited zero-day vulnerability. Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. CISA added this vulnerability to its KEV catalog.
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201
Microsoft Office Remote Code Execution Vulnerability
CVSS v3.1: 8.8
CVE: CVE-2009-0238
Description: Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC. CISA added this vulnerability to its KEV catalog.
Source: https://www.microsoft.com/technet/security/advisory/968272.mspx
Adobe Acrobat Reader Improperly Controlled Modification of Object Prototype Attributes
CVSS v3.1: 8.6
CVE: CVE-2026-34621
Description: Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. CISA added this vulnerability to its KEV catalog.
Source: https://helpx.adobe.com/security/products/acrobat/apsb26-43.html