PATCH Tuesday, 14 April 2026, saw Microsoft push updates fixing 167 security vulnerabilities across Windows and related software, including a SharePoint Server zero-day and a BlueHammer flaw in Windows Defender. According to BleepingComputer, the SharePoint zero-day CVE-2026-32201 can be used to spoof trusted content, with researchers noting active exploitation and raising organisational risk.
The update cycle also addresses a SQL Server remote code execution vulnerability, CVE-2026-33120, and a separate browser-heavy tally that contributed to what experts described as a new record April patch total, driven in part by Chrome’s fourth zero-day of 2026 and nearly 60 browser vulnerabilities overall.
Microsoft Edge’s Chromium base and the presence of exploit code for BlueHammer prompted commentary from security professionals, while Adobe issued an emergency update for CVE-2026-34621 that has seen active exploitation since late 2025. Industry voices, including Satnam Narang and Adam Barnett, flagged the volume as significant and linked it to broader trends in vulnerability reporting and AI-assisted discovery, with patching urged as a routine practice.