U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a set of flaws from Adobe, Fortinet, Microsoft Exchange Server and Microsoft Windows to its Known Exploited Vulnerabilities catalog, underscoring the urgency for organisations to patch.
The catalog now includes CVE-2026-34621 (Adobe Acrobat and Reader Prototype Pollution), CVE-2012-1854 (Microsoft VBA Insecure Library Loading), CVE-2020-9715 (Adobe Acrobat Use-After-Free), CVE-2023-21529 (Microsoft Exchange Server Deserialization of Untrusted Data), CVE-2023-36424 (Microsoft Windows Out-of-Bounds Read), CVE-2025-60710 (Microsoft Windows Link Following) and CVE-2026-21643 (Fortinet SQL Injection).
The report notes that Fortinet issued an urgent advisory to address CVE-2026-21643 in FortiClientEMS, a vulnerability that could enable an unauthenticated attacker to trigger code execution via crafted HTTP requests. The piece also highlights that Adobe recently released emergency updates to fix CVE-2026-34621, which is described as actively exploited and rated with a CVSS score of 8.6.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, agencies and private organisations are urged to address these flaws by specified due dates. 14 April 2026.