NVD disclosure day

Published threat advisories for April 9, 2026

CVE advisory: CRITICAL

CVE-2026-40089

Sonicverse Radio Streaming: Server-Side Request Forgery.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

Sonicverse Radio Audio Streaming Stack installations using the provided script are affected by a vulnerability in the dashboard's API client. An authenticated operator can exploit this flaw to make unauthorized HTTP requests from the dashboard backend, potentially exposing internal or external systems and increasing bu

CVE advisory: Known Exploit

CVE-2026-39987

Marimo could allow an external attacker to take full control of the server.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

An external attacker can exploit Marimo to bypass security controls and gain full control of the server. This allows them to run unauthorized commands, access sensitive data, and potentially compromise the broader company network.

• CISA KEV

CVE advisory: HIGH

CVE-2026-4878

Libcap Vulnerability Allows Privilege Escalation

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A local unprivileged user can exploit a race condition in libcap, potentially leading to privilege escalation. Attackers with write access to a parent directory can manipulate file capabilities on unintended executables. This impacts affected systems by allowing unauthorized privilege elevation.