Focus Friday: TPRM Insights on Critical Vulnerabilities in ActiveMQ, Zimbra, Exchange Server, SharePoint, MSSQL, Lodash, and Dolibarr
Introduction
Welcome to another edition of Focus Friday. As threat actors rapidly weaponize new exploits, securing your third-party ecosystem requires immediate and precise intelligence. A single unpatched messaging broker or an overlooked dependency deep within a vendor's environment can quickly become a critical entry point for adversaries. This week, we analyze a diverse and highly severe set of incidents that demand immediate action from Third-Party Risk Management (TPRM) professionals.
We will examine the active, in-the-wild exploitation of Zimbra and Microsoft Exchange Server, remote code execution (RCE) flaws in Apache ActiveMQ and Dolibarr ERP, dangerous spoofing vulnerabilities in SharePoint, privilege escalation risks in Microsoft SQL Server, and a severe supply chain code injection flaw in the widespread Lodash JavaScript library. In this blog, we break down the technical realities of these threats and provide the actionable insights you need to secure your extended vendor network against them.

Filtered view of companies with ActiveMQ - Apr2026 FocusTag® on the Black Kite platform.
ActiveMQ - Apr2026 (CVE-2026-34197)
What is the Apache ActiveMQ RCE Vulnerability?
CVE-2026-34197 is a high-severity Improper Input Validation and Code Injection vulnerability impacting Apache ActiveMQ Broker and Apache ActiveMQ Classic. Carrying a CVSS score of 8.8 and an EPSS score of 62.52%, this flaw was officially published on April 7, 2026.
The vulnerability exists because the ActiveMQ Classic web console exposes the Jolokia JMX-HTTP bridge at /api/jolokia/. By default, the Jolokia access policy allows exec operations on all ActiveMQ MBeans. An authenticated attacker can exploit this by sending a specially crafted discovery URI, which prompts the VM transport's brokerConfig parameter to load a remote Spring XML application context. Because Spring instantiates all singleton beans before the configuration is validated, an attacker can execute arbitrary OS commands on the broker's JVM via methods like Runtime.exec().
Public Proof-of-Concept (PoC) exploits are available, and the vulnerability has been actively exploited in the wild. As a result, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-34197 to its Known Exploited Vulnerabilities (KEV) Catalog on April 16, 2026, mandating federal patching by April 30, 2026.
Why should TPRM Professionals care about the ActiveMQ vulnerability?
Apache ActiveMQ is a critical piece of enterprise middleware, functioning as a message broker that facilitates asynchronous communication and decouples complex system components. Organizations rely on it to reliably route millions of internal messages, financial transactions, and system logs across distributed environments.
For Third-Party Risk Management professionals, a vendor running a compromised ActiveMQ instance represents a direct threat to data confidentiality and network integrity. Because this vulnerability grants an attacker Remote Code Execution (RCE) capabilities on the underlying operating system, the broker can be transformed into a pivot point for lateral movement deep within the vendor’s infrastructure. Threat actors can use this access to silently intercept or manipulate the data streams flowing through the message queues, extract sensitive information, or deploy ransomware that could ultimately disrupt services your organization depends on.
What questions should TPRM professionals ask vendors about the ActiveMQ vulnerability?
To accurately evaluate how your third-party partners are defending their messaging infrastructure against this active threat, consider asking the following technical questions:
- Have you upgraded all instances of Apache ActiveMQ Broker and Apache ActiveMQ to version 5.19.4 or 6.2.3 to mitigate the risk of CVE-2026-34197?
- Have you implemented strict access controls for authenticated users of ActiveMQ and restricted access to the `/api/jolokia/` endpoint on the ActiveMQ web console to trusted IP addresses or internal networks only?
- Are you actively monitoring ActiveMQ logs and network traffic for any unusual activity, especially attempts to interact with the Jolokia JMX-HTTP bridge or load remote configurations?
- Can you confirm if you have taken measures to prevent the invocation of `BrokerService.addNetworkConnector(String)` and `BrokerService.addConnector(String)` operations with a crafted discovery URI that triggers the VM transport's `brokerConfig` parameter to load a remote Spring XML application context using `ResourceXmlApplicationContext`?
Remediation Recommendations for Vendors subject to this risk
Vendors utilizing vulnerable versions of Apache ActiveMQ must take immediate, targeted action to eliminate this remote code execution risk:
- Upgrade Immediately: The primary remediation is to apply the official patches by upgrading Apache ActiveMQ Broker and Apache ActiveMQ (activemq-all) to version 5.19.4, 6.2.3, or later.
- Restrict Jolokia Endpoint Access: If an immediate software update is unfeasible, use firewall rules or reverse proxy configurations to lock down access to the /api/jolokia/ endpoint. Ensure only highly trusted, internal network segments can reach the JMX-HTTP bridge.
- Implement Strict Access Controls: Audit all authenticated user accounts within the ActiveMQ environment. Enforce the principle of least privilege to ensure users only have the exact permissions necessary to perform their roles, reducing the potential impact of a compromised account.
- Continuously Monitor Logs: Actively hunt for suspicious activity within ActiveMQ logs and network traffic. Security teams should specifically flag any unusual interactions with the Jolokia API or unauthorized attempts to load remote configurations via the VM transport.
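The monitoring recommendation above is easier to act on with concrete rules. The following is an added example, not Black Kite's or the Apache ActiveMQ project's code: it inspects Jolokia JSON request bodies (the `type`/`mbean`/`operation`/`arguments` shape of the Jolokia protocol, single or bulk) captured at a reverse proxy in front of `/api/jolokia/`, and flags `exec` calls on the Broker MBean, with the highest severity for `addConnector`/`addNetworkConnector` arguments that reference `brokerConfig` pointing at a remote resource. The sample bodies and the host `example.invalid` are constructed; the discovery URI is a placeholder shape, not a working value.

```javascript
// Added example (not from Black Kite or Apache ActiveMQ): classify Jolokia
// requests seen in front of /api/jolokia/ so that the CVE-2026-34197 pattern
// (exec of addConnector/addNetworkConnector with a brokerConfig reference)
// is surfaced. Sample bodies below are constructed for this example.

// Broker MBean operations that accept a connector/discovery URI.
const WATCHED_OPERATIONS = new Set(["addConnector", "addNetworkConnector"]);

// Remote schemes that a brokerConfig reference should never point at.
const REMOTE_SCHEME = /\b(https?|ftp):\/\//i;

// Normalise "addConnector(java.lang.String)" to "addConnector".
function operationName(op) {
  return String(op || "").split("(")[0].trim();
}

// Classify one Jolokia request (a parsed JSON object). Returns a finding or
// null when nothing about the request is suspicious.
function inspectJolokiaRequest(req) {
  if (!req || req.type !== "exec") return null;
  const mbean = String(req.mbean || "");
  const op = operationName(req.operation);
  const args = Array.isArray(req.arguments) ? req.arguments.map(String) : [];

  // Only the ActiveMQ Broker MBean is of interest here.
  if (!/^org\.apache\.activemq:.*type=Broker/.test(mbean)) return null;

  if (!WATCHED_OPERATIONS.has(op)) {
    return { severity: "medium", operation: op, reason: "exec on Broker MBean" };
  }
  const uri = args.join(" ");
  if (/brokerConfig=/i.test(uri) && REMOTE_SCHEME.test(uri)) {
    return { severity: "high", operation: op,
      reason: "connector URI sets brokerConfig to a remote resource" };
  }
  if (/^vm:/i.test(uri) || /brokerConfig=/i.test(uri)) {
    return { severity: "high", operation: op,
      reason: "connector URI uses the VM transport or brokerConfig" };
  }
  return { severity: "medium", operation: op, reason: "connector added via Jolokia" };
}

// Parse a raw POST body (single object or bulk array) and return findings.
function scanJolokiaBody(rawBody) {
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch { return []; }
  const requests = Array.isArray(parsed) ? parsed : [parsed];
  return requests.map(inspectJolokiaRequest).filter(Boolean);
}

// Constructed sample bodies: a harmless read, a connector exec whose argument
// is a placeholder URI carrying a remote brokerConfig, and a plain gc exec.
const BROKER_MBEAN = "org.apache.activemq:type=Broker,brokerName=localhost";
const SAMPLE_BODIES = [
  JSON.stringify({ type: "read", mbean: BROKER_MBEAN, attribute: "TotalMessageCount" }),
  JSON.stringify({ type: "exec", mbean: BROKER_MBEAN,
    operation: "addNetworkConnector(java.lang.String)",
    arguments: ["placeholder-discovery-uri?brokerConfig=http://example.invalid/context.xml"] }),
  JSON.stringify({ type: "exec", mbean: BROKER_MBEAN, operation: "gc", arguments: [] }),
];

// Run every sample through the classifier; useful as a smoke test.
function scanSampleBodies() {
  return SAMPLE_BODIES.flatMap(scanJolokiaBody);
}
```

In practice the proxy would feed real request bodies to `scanJolokiaBody` and forward high-severity findings to the SIEM; the same classifier can back a blocking rule once the Jolokia endpoint has been restricted to trusted networks as recommended above.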

Black Kite’s ActiveMQ - Apr2026 FocusTag® details critical insights on the event for TPRM professionals.
Zimbra - Apr2026 (CVE-2025-48700)
What is the Zimbra XSS Vulnerability?
CVE-2025-48700 is a Critical-severity Cross-Site Scripting (XSS) vulnerability affecting multiple versions of the Zimbra Collaboration Suite (ZCS). Carrying a CVSS score of 6.1 and a notably high EPSS score of 22.41%, this flaw was initially published on June 23, 2025. The vulnerability stems from inadequate sanitization of user-controlled HTML content before it is rendered in the Zimbra Classic UI.
The vulnerability is actively being exploited in the wild. An attacker can trigger the exploit by embedding malicious JavaScript within a specially crafted email, calendar invite, or shared document. When a victim interacts with the object, the script executes within their authenticated session context. This allows the attacker to silently hijack the session ID (sid), scrape sensitive mailbox data, or modify account settings. The discovery of active exploitation indicates that automated toolsets are actively scanning for and compromising unpatched instances globally. In response to this active threat, the Cybersecurity and Infrastructure Security Agency (CISA) published an alert and added CVE-2025-48700 to its Known Exploited Vulnerabilities (KEV) Catalog on April 20, 2026. The vulnerability is also tracked in the European Union's Vulnerability Database under EUVD-2025-18891, and public Proof-of-Concept (PoC) exploits are currently unavailable.
Why should TPRM Professionals care about the Zimbra vulnerability?
Email servers operate as the central nervous system of corporate communication, continuously processing a vendor's most sensitive data, including intellectual property, financial records, and strategic plans. Because this vulnerability allows for session hijacking and direct access to mailbox contents, a compromised Zimbra instance poses an immediate risk to your shared, confidential information.
For Third-Party Risk Management professionals, an exploited email server within the supply chain introduces severe secondary risks. Threat actors can abuse the hijacked session to create hidden forwarding rules, ensuring persistent and undetected access to future communications. Furthermore, attackers can leverage the vendor's trusted domain to launch highly convincing, authenticated spear-phishing attacks against your organization, or to authorize fraudulent financial requests. Securing this communication channel is critical to preventing unauthorized data exposure and protecting your internal network from trusted-partner exploitation.
What questions should TPRM professionals ask vendors about the Zimbra vulnerability?
To properly assess how your third-party partners are securing their email infrastructure against this active XSS threat, consider asking the following technical questions:
- Have you updated all instances of Zimbra Collaboration Suite to the latest patched versions (10.1.4, 10.0.12, 9.0.0 P43, or 8.8.15 P47) to mitigate the risk of CVE-2025-48700?
- Have you audited all user accounts for unauthorized mail forwarding or "Filter" rules that may have been created by a script during an active session hijack, as recommended in the advisory?
- Have you implemented a Content Security Policy (CSP) on your Zimbra web server to prevent the execution of unauthorized inline scripts and restrict script loading to trusted domains only, as a measure against the XSS vulnerability?
- Have you conducted a thorough search of server logs for unusual access patterns or requests targeting sensitive endpoints (e.g., /service/soap or /service/admin) from unrecognized IP addresses, as part of the Indicators of Compromise (IoC) audit?
Remediation Recommendations for Vendors subject to this risk
Vendors utilizing vulnerable versions of Zimbra Collaboration Suite must take immediate action to neutralize this critical XSS vector:
- Immediate Patch Application: Upgrade the Zimbra instance to the latest patched releases (10.1.4, 10.0.12, 9.0.0 P43, or 8.8.15 P47). These updates implement the necessary input validation to block malicious script execution.
- Review Mail Forwarding Rules: Conduct a thorough audit of all user accounts to identify and remove any unauthorized mail forwarding or filter rules that attackers may have established during a hijacked session.
- Audit for Indicators of Compromise (IoC): Analyze server logs for suspicious activity, focusing on unexpected requests to sensitive endpoints (/service/soap or /service/admin) that originate from unknown IP addresses.
- Implement Content Security Policy (CSP): Harden the Zimbra web server by configuring strong CSP headers. This restricts script loading to trusted domains and prevents unauthorized inline scripts from executing.
- Educate Users: Instruct personnel to avoid interacting with unexpected or suspicious attachments and calendar invites, as these are the primary delivery mechanisms for the exploit.
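The CSP recommendation above is only effective if the policy actually forbids inline and untrusted scripts. The following is an added example, not Zimbra's or Black Kite's code: a small parser for a Content-Security-Policy header value and an audit of its script sources that reports `'unsafe-inline'` (unless a nonce or hash is present, in which case browsers ignore it), `'unsafe-eval'`, wildcard or scheme-only sources, plaintext HTTP sources, and hosts outside a trusted allow-list. The two policies and the allow-list host `static.example.invalid` are constructed.

```javascript
// Added example (not Zimbra's or Black Kite's code): audit the script-src
// part of a CSP header for the weaknesses that matter against stored XSS.
// The trusted host list and the sample policies are constructed.

const TRUSTED_SCRIPT_HOSTS = ["https://static.example.invalid"]; // constructed allow-list

// Split a header value into directive -> source list. Per the CSP spec only
// the first occurrence of a directive counts, so duplicates are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of String(header).split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Returns a list of human-readable findings; an empty list means the script
// policy is acceptable under these rules.
function auditScriptPolicy(header, trustedHosts = TRUSTED_SCRIPT_HOSTS) {
  const directives = parseCsp(header);
  const findings = [];
  // script-src falls back to default-src when absent.
  const sources = directives.get("script-src") || directives.get("default-src");
  if (!sources) {
    findings.push("no script-src or default-src: scripts from any origin may run");
    return findings;
  }
  // With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  for (const src of sources) {
    const lower = src.toLowerCase();
    if (lower === "'unsafe-inline'" && !hasNonceOrHash) {
      findings.push("'unsafe-inline' permits injected inline scripts");
    } else if (lower === "'unsafe-eval'") {
      findings.push("'unsafe-eval' permits string-to-code execution");
    } else if (lower === "*" || lower === "http:" || lower === "https:" || lower === "data:") {
      findings.push(`${src} allows scripts from any ${lower === "*" ? "origin" : "host"}`);
    } else if (lower.startsWith("'") || trustedHosts.includes(src)) {
      // keyword ('self', 'strict-dynamic', nonce/hash) or allow-listed host
    } else if (lower.startsWith("http://")) {
      findings.push(`${src} loads scripts over plaintext HTTP`);
    } else {
      findings.push(`${src} is not in the trusted host allow-list`);
    }
  }
  return findings;
}

// Constructed sample policies: one weak, one hardened.
const WEAK_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' http://cdn.example.invalid *";
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' https://static.example.invalid 'nonce-constructed123'; " +
  "object-src 'none'; frame-ancestors 'none'";
```

Run `auditScriptPolicy` against the header the web tier actually sends (for example from a `curl -I` of the login page) rather than against the intended configuration; proxies and application layers sometimes override or drop the header.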

Black Kite's Zimbra - Apr2026 FocusTag® details critical insights on the event for TPRM professionals.
Exchange Server - Apr2026 (CVE-2023-21529)
What is the Microsoft Exchange Server RCE Vulnerability?
CVE-2023-21529 is a Critical-severity Remote Code Execution (RCE) flaw rooted in insecure deserialization within specific Microsoft Exchange Server components. It features a CVSS v3.1 score of 8.8 alongside an EPSS score of 26.46%. While Microsoft originally disclosed this vulnerability in February 2023, it has recently seen a resurgence in active exploitation by threat actors leveraging compromised credentials to execute arbitrary code.
The vulnerability triggers when an authenticated attacker sends a maliciously crafted serialized payload to an Exchange endpoint. Because the application processes this data without adequate validation, the deserialization engine interprets the payload as legitimate instructions. This allows the adversary to bypass security boundaries and execute unauthorized commands under the context of the Exchange Server service account, frequently spawning child processes like cmd[.]exe or powershell[.]exe from w3wp[.]exe. Due to verified active exploitation in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-21529 to its Known Exploited Vulnerabilities (KEV) Catalog on April 13, 2026, accompanied by an alert mandating federal agencies to secure their environments. Public Proof-of-Concept (PoC) exploits currently remain unavailable, but the network-based, low-complexity nature of the attack makes it an ideal vector for adversaries.
Why should TPRM Professionals care about the Exchange Server vulnerability?
Microsoft Exchange serves as the authoritative communication hub for many enterprises, storing highly confidential internal correspondence, financial data, and strategic documents. A vulnerability of this magnitude at the email server layer presents a catastrophic risk to data confidentiality and network integrity across your supply chain.
From a third-party risk perspective, if a vendor's Exchange environment is compromised via this RCE flaw, attackers gain full system control. They can silently exfiltrate years of sensitive emails shared between your organization and the vendor. Furthermore, adversaries can weaponize the compromised server to launch highly authenticated, targeted phishing campaigns against your employees. Since these malicious emails originate from a trusted partner's legitimate domain, they easily bypass standard email security gateways, creating a direct pathway for threat actors to infiltrate your own corporate network.
What questions should TPRM professionals ask vendors about the Exchange Server vulnerability?
To thoroughly evaluate how your third parties are defending their communication infrastructure against this critical deserialization flaw, consider asking the following technical questions:
- Have you applied the official Microsoft security updates for your specific Exchange version to mitigate the risk of CVE-2023-21529, which addresses the insecure deserialization vulnerability in Exchange Server components?
- Can you confirm if you have discontinued the use of the affected Exchange Server versions (2013: Cumulative Update 23, 2016: Cumulative Update 23, 2019: Cumulative Updates 11 and 12) to mitigate the risk of CVE-2023-21529?
- Are you monitoring for unusual network connections or file system changes originating from Exchange service accounts, which could indicate an active post-exploitation phase of CVE-2023-21529?
- Have you enforced Multi-Factor Authentication (MFA) across all user accounts to reduce the risk of an attacker obtaining the credentials necessary to launch the exploit related to CVE-2023-21529?
Remediation Recommendations for Vendors subject to this risk
Vendors running vulnerable versions of Microsoft Exchange Server must prioritize the following technical interventions to eliminate this code execution threat:
- Immediate Patch Deployment: Install the official Microsoft security updates corresponding to your specific Exchange version. These patches introduce the robust input validation required to block malicious serialized objects.
- Enforce Multi-Factor Authentication (MFA): Because this exploit relies on authenticated access, implementing MFA across the board drastically limits an attacker's ability to utilize compromised credentials as a launchpad.
- Monitor for Indicators of Compromise (IoC): Configure endpoint detection and response (EDR) tools to continuously monitor for unauthorized child processes originating from Exchange services (e.g., w3wp.exe launching powershell.exe).
- Implement Network Segmentation: Isolate critical Exchange management interfaces. Ensure that endpoints like ECP and PowerShell are only accessible from highly trusted administrative network segments.
- Audit Service Account Activity: Routinely inspect the behavior of Exchange service accounts for abnormal file system modifications or unexpected outbound network connections that could signal a post-exploitation breach.
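The IoC monitoring item above (w3wp.exe launching a shell) can be expressed as a simple process-tree rule. The following is an added example, not Microsoft's or Black Kite's code: it evaluates process-creation events whose field names are modelled on Sysmon Event ID 1 (`Image`, `ParentImage`, `CommandLine`, `User`, `Computer`, `UtcTime`), flags a shell whose parent is the IIS worker process, marks encoded PowerShell arguments, and supports an allow-list of baselined command lines. The events are constructed for this example; the host name `EXCH01` and user names are placeholders.

```javascript
// Added example (not Microsoft's or Black Kite's code): detect the IIS worker
// process w3wp.exe spawning a command shell, the post-exploitation pattern
// called out for CVE-2023-21529. Sample events are constructed.

const SHELL_IMAGES = new Set(["cmd.exe", "powershell.exe", "pwsh.exe"]);

// Lower-cased file name of a Windows or POSIX path.
function imageName(p) {
  return String(p || "").split(/[\\/]/).pop().toLowerCase();
}

// Returns a finding when w3wp.exe is the parent of a shell, otherwise null.
// allowList holds regexes for command lines baselined as benign in the
// caller's environment (an assumption; keep it empty until baselined).
function evaluateProcessEvent(ev, allowList = []) {
  const parent = imageName(ev.ParentImage);
  const child = imageName(ev.Image);
  if (parent !== "w3wp.exe" || !SHELL_IMAGES.has(child)) return null;
  const cmd = String(ev.CommandLine || "");
  if (allowList.some((re) => re.test(cmd))) return null;
  return {
    rule: "exchange-w3wp-shell-spawn",
    host: ev.Computer,
    user: ev.User,
    parent,
    child,
    commandLine: cmd,
    time: ev.UtcTime,
    // Encoded PowerShell arguments are a common way to hide the payload.
    encoded: /-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}/i.test(cmd),
  };
}

// Apply the rule to a batch of events and keep only the findings.
function scanProcessEvents(events, allowList = []) {
  return events.map((e) => evaluateProcessEvent(e, allowList)).filter(Boolean);
}

// Constructed sample events: two benign, two matching the rule.
const SAMPLE_EVENTS = [
  { UtcTime: "2026-04-14 09:12:01", Computer: "EXCH01", User: "NT AUTHORITY\\SYSTEM",
    ParentImage: "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
    Image: "C:\\Windows\\System32\\conhost.exe", CommandLine: "conhost.exe 0x4" },
  { UtcTime: "2026-04-14 09:12:05", Computer: "EXCH01", User: "CORP\\alice",
    ParentImage: "C:\\Windows\\explorer.exe",
    Image: "C:\\Windows\\System32\\cmd.exe", CommandLine: "cmd.exe" },
  { UtcTime: "2026-04-14 09:13:40", Computer: "EXCH01", User: "NT AUTHORITY\\SYSTEM",
    ParentImage: "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
    Image: "C:\\Windows\\System32\\cmd.exe", CommandLine: "cmd.exe /c whoami" },
  { UtcTime: "2026-04-14 09:13:42", Computer: "EXCH01", User: "NT AUTHORITY\\SYSTEM",
    ParentImage: "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
    Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    // constructed base64 of "ABCDEFGHIJKLMNOPQRSTUVW", not a real payload
    CommandLine: "powershell.exe -NoProfile -EncodedCommand QUJDREVGR0hJSktMTU5PUFFSU1RVVlc=" },
];
```

The same logic translates directly into an EDR or SIEM rule (parent image ends with `\w3wp.exe`, child image in the shell set); the allow-list exists so that a legitimate, baselined management task does not train analysts to ignore the alert.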

Black Kite's Exchange Server - Apr2026 FocusTag® details critical insights on the event for TPRM professionals.
SharePoint - Apr2026 (CVE-2026-32201, CVE-2026-20945)
What are the Microsoft SharePoint Spoofing Vulnerabilities?
Microsoft SharePoint Server is currently impacted by two Medium-severity security flaws, tracked as CVE-2026-32201 and CVE-2026-20945, which were addressed in the mid-April 2026 patch cycle.
The most pressing of the two, CVE-2026-32201, is an Improper Input Validation vulnerability holding a CVSS score of 6.5 and an EPSS score of 7.94%. This flaw permits an unauthenticated attacker to execute network-level spoofing. By manipulating communications, the attacker can deceive internal systems or users, leading to unauthorized access and the potential alteration of sensitive information. Because it is confirmed to be actively exploited in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-32201 to its Known Exploited Vulnerabilities (KEV) Catalog on April 14, 2026.
The second flaw, CVE-2026-20945 (CVSS 4.6, EPSS 0.04%), is a Cross-Site Scripting (XSS) spoofing vulnerability rooted in the improper neutralization of input during web page generation. An authenticated attacker with low privileges can upload malicious payloads to the server. If they successfully trick another user into interacting with the crafted content, the payload executes within the trusted context of the SharePoint application, enabling deceptive content delivery or unauthorized session actions.
Why should TPRM Professionals care about the SharePoint vulnerabilities?
SharePoint operates as the primary collaboration hub and document repository for countless organizations. It houses vast amounts of proprietary intellectual property, human resources records, financial spreadsheets, and shared client data.
For Third-Party Risk Management professionals, these vulnerabilities introduce a significant threat to data integrity and user trust within your vendor ecosystem. The active exploitation of CVE-2026-32201 means that adversaries are currently weaponizing these flaws to intercept or alter network traffic. Furthermore, the ability for an attacker to inject malicious content into a trusted internal platform (via CVE-2026-20945) creates a highly effective phishing environment. Vendor employees may unknowingly interact with compromised files or links, believing them to be legitimate internal documents. This can result in credential theft, malware deployment, and the ultimate exposure of the sensitive data your organization has entrusted to that third party.
What questions should TPRM professionals ask vendors about the SharePoint vulnerabilities?
To thoroughly gauge your third parties' response to these spoofing threats, consider asking the following targeted questions:
- Have you updated all instances of SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and SharePoint Enterprise Server 2016 to the patched versions (16.0.19725.20210, 16.0.10417.20114, and 16.0.5548.1003 respectively) to mitigate the risk of CVE-2026-32201 and CVE-2026-20945?
- Can you confirm if you have installed the relevant Microsoft Knowledge Base (KB) updates (5002853, 5002854, 5002856, 5002861, 5002862) across all SharePoint environments to address the vulnerabilities CVE-2026-32201 and CVE-2026-20945?
- Have you implemented measures to educate users on phishing and deceptive content, considering that CVE-2026-20945 requires user interaction to successfully trigger the XSS payload?
- How are you monitoring and detecting unauthorized changes to disclosed information and spoofing over the network, specifically related to the exploitation of the improper input validation issue documented as CVE-2026-32201?
Remediation Recommendations for Vendors subject to this risk
Vendors hosting vulnerable SharePoint environments should immediately implement the following technical measures to secure their collaboration platforms:
- Deploy Security Updates: Prioritize the immediate installation of the relevant Microsoft KB updates (5002853, 5002854, 5002856, 5002861, 5002862) across all environments to patch the input validation and web page generation flaws.
- Verify Build Numbers: Confirm the success of the patching process by checking the SharePoint build numbers. Ensure they reflect the updated versions: 16.0.19725.20210 (Subscription Edition), 16.0.10417.20114 (2019), or 16.0.5548.1003 (2016).
- Educate Users on Deceptive Content: Since CVE-2026-20945 requires human interaction, instruct users to carefully evaluate uploaded content and links within the platform, reinforcing that malicious files can sometimes bypass initial internal perimeters.
- Monitor Network Traffic: Proactively scan for indicators of network spoofing or unauthorized data access, as CVE-2026-32201 is known to be leveraged by active threat actors.

Black Kite's SharePoint - Apr2026 FocusTag® details critical insights on the event for TPRM professionals.
MSSQL - Apr2026 (CVE-2026-32167, CVE-2026-32176, CVE-2026-33120)
What are the Microsoft SQL Server Privilege Escalation and RCE Vulnerabilities?
Microsoft SQL Server is currently affected by a trio of security flaws—two Medium-severity and one High-severity—that were officially disclosed and patched by Microsoft on April 14, 2026.
The two Medium-severity flaws, CVE-2026-32167 and CVE-2026-32176 (both holding a CVSS score of 6.7 and an EPSS score of 0.07%), are Improper Neutralization vulnerabilities resulting in SQL Injection. An authorized attacker with high privileges can exploit these flaws to elevate their permissions locally, effectively achieving SQL sysadmin status.
The most critical of the group is CVE-2026-33120, a High-severity Untrusted Pointer Dereference vulnerability carrying a CVSS score of 8.8 and an EPSS score of 0.07%. Unlike the injection flaws, this vulnerability allows a network-based Remote Code Execution (RCE). An authorized attacker with only low-level privileges can leverage this weakness to execute arbitrary code over the network. At this time, there are no reported instances of active exploitation in the wild, nor are there known public Proof-of-Concept (PoC) exploits. Consequently, these vulnerabilities have not been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog, though they are tracked within the European Union's Vulnerability Database.
Why should TPRM Professionals care about the Microsoft SQL Server vulnerabilities?
Relational databases like Microsoft SQL Server are the foundational vaults for an organization's most critical assets. They house everything from sensitive Personally Identifiable Information (PII) and protected health records to proprietary intellectual property and core financial data.
From a Third-Party Risk Management perspective, these vulnerabilities introduce a severe internal threat dynamic. Because the flaws require the attacker to be authorized—ranging from low to high privileges—the primary risk comes from compromised vendor credentials or malicious insiders. If an adversary manages to hijack a low-level vendor account, they can use the RCE vulnerability (CVE-2026-33120) to execute code and take over the underlying database host. Alternatively, leveraging the SQL injection flaws allows them to escalate to a sysadmin role, granting them total, unrestricted access to manipulate, destroy, or silently exfiltrate your shared data. Ensuring your vendors have secured their database layer is paramount to preventing a catastrophic supply chain data breach.
What questions should TPRM professionals ask vendors about the MSSQL vulnerabilities?
To thoroughly assess your third-party ecosystem's defense against these database vulnerabilities, consider asking the following technical questions:
- Have you applied the General Distribution Release (GDR) and Cumulative Update (CU) patches provided by Microsoft for the affected versions of SQL Server (2025 RTM and CU3, 2022 RTM and CU24, 2019 RTM and CU32, 2017 RTM and CU31, 2016 SP3 and Azure Connect Feature Pack) to mitigate the risk of CVE-2026-32167, CVE-2026-32176, and CVE-2026-33120?
- Can you confirm if you have implemented monitoring for unusual or unauthorized activity within SQL Server environments, specifically concerning privilege changes, unexpected SQL command executions, or abnormal network traffic hitting the SQL instances, which could indicate exploitation attempts of the SQL Injection and Remote Code Execution vulnerabilities?
- Have you reviewed and restricted user privileges in your SQL Server environments to enforce the principle of least privilege, as recommended in the advisory, to mitigate the risk of Privilege Escalation vulnerabilities CVE-2026-32167 and CVE-2026-32176?
- Have you conducted a thorough scan and inventory of your network to identify all running instances of Microsoft SQL Server and their exact build numbers, as recommended in the advisory, to ensure that all instances are patched and secure against the vulnerabilities CVE-2026-32167, CVE-2026-32176, and CVE-2026-33120?
Remediation Recommendations for Vendors subject to this risk
Vendors maintaining vulnerable Microsoft SQL Server infrastructure should immediately deploy the following technical safeguards:
- Apply the Official Security Updates Immediately: Utilize Microsoft Knowledge Base Article 321185 to identify the precise build numbers in your environment and deploy the corresponding GDR or CU patches to remediate the vulnerabilities.
- Identify and Inventory All SQL Server Instances: Execute a thorough scan of the network environment to map all running SQL Server instances, verifying that no unmanaged databases are left exposed.
- Review and Restrict User Privileges: Audit the access controls for all SQL Server users. Enforce strict least privilege policies, ensuring that application and user accounts only possess the minimum permissions necessary for their functions.
- Monitor for Suspicious Activity: Implement Database Activity Monitoring (DAM) and robust logging to rapidly detect unauthorized privilege escalations, unexpected network connections, or unusual query executions indicative of an exploitation attempt.

Black Kite's MSSQL - Apr2026 FocusTag® details critical insights on the event for TPRM professionals.
Lodash (CVE-2026-4800)
What is the Lodash Code Injection Vulnerability?
CVE-2026-4800 is a High-severity Code Injection vulnerability (CWE-94) discovered within the widely used JavaScript utility library, Lodash. It holds a CVSS score of 8.1 and an EPSS score of 0.05%, and was published in early April 2026. The vulnerability resides specifically within the _.template utility function.
The core issue is that Lodash fails to adequately validate the key names supplied within the options.imports object. These keys are ultimately passed into a Function() constructor sink—a known dangerous JavaScript mechanism that compiles strings directly into executable code. An attacker can exploit this by injecting a key name containing a default-parameter expression (e.g., arg = console.log(process.env)), which executes immediately upon template compilation. This risk is compounded by Lodash's use of the assignInWith function to merge the imports object. Because assignInWith utilizes a for..in loop, it enumerates inherited properties from the Object.prototype. If an attacker has successfully achieved Prototype Pollution elsewhere in the application, those polluted properties are automatically merged into the imports object and delivered to the Function() constructor, leading to unauthorized code execution. Currently, there are no public Proof-of-Concept (PoC) exploits, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog. It is tracked in the European Union's Vulnerability Database under EUVD-2026-17610.
Why should TPRM Professionals care about the Lodash vulnerability?
Lodash is one of the most heavily downloaded npm packages in the world, embedded deep within the dependency trees of countless modern web applications, server-side Node.js environments, and third-party SaaS platforms.
For Third-Party Risk Management professionals, a vulnerability in such a ubiquitous library presents a massive, hidden supply chain risk. Because this flaw allows for arbitrary code execution, an attacker who successfully exploits an exposed vendor application can effectively hijack the underlying server. They could exfiltrate sensitive environment variables (such as database credentials or API keys), manipulate application logic, or gain a foothold for lateral movement. The fact that this vulnerability can be triggered indirectly by chaining it with Prototype Pollution makes it particularly dangerous, as traditional security scanners may miss the complex attack path, leaving shared data exposed on vendor systems.
What questions should TPRM professionals ask vendors about the Lodash vulnerability?
To assess how your third parties are managing this pervasive dependency risk, consider asking the following technical questions:
- Have you updated all instances of Lodash to version 4.18.0 or later to mitigate the risk of CVE-2026-4800?
- Can you confirm if you have audited all locations in your codebase where _.template is called and ensured that options.imports keys are strictly developer-controlled and static?
- Have you implemented a strict allow-list for any dynamic keys used in template options to prevent unauthorized code execution via the options.imports parameter?
- Have you used security tools like npm audit or Snyk to identify and patch any other vulnerabilities in your dependency tree that could lead to Prototype Pollution, which can be chained with this Lodash flaw?
Remediation Recommendations for Vendors subject to this risk
Vendors must immediately address this code injection risk by updating their dependencies and hardening their template logic:
- Immediate Library Upgrade: Update Lodash to version 4.18.0 or newer. This release implements crucial validation for options.imports keys and modifies internal merging logic to prevent the enumeration of inherited properties.
- Audit Template Usage: Thoroughly review the codebase to locate all calls to _.template. Verify that all keys within the options.imports object are developer-controlled, static strings.
- Sanitize Input: If an immediate upgrade is delayed, enforce a strict allow-list for any dynamic keys used in template options. User-provided data must never be used as a key name in the imports object.
- Harden Against Prototype Pollution: Run tools like npm audit or Snyk to identify and patch vulnerabilities that could enable Prototype Pollution, preventing adversaries from chaining attacks.
- Use Object.create(null): When defining objects for configuration or merging, instantiate them using Object.create(null) to ensure they do not inherit from the global Object.prototype.
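The "audit template usage", "sanitize input" and "Object.create(null)" items above come down to two checks on the imports object: only own properties, and only identifier-shaped keys. The following is an added example, not lodash's code and not Black Kite's: `forInMerge` mimics a `for..in` merge that copies inherited (polluted) properties, `safeImports` is the hardened counterpart, and `parameterList` shows the parameter-name string a template engine would build from the keys, which is where an unvalidated key would land. `pollutionDemo` temporarily adds an enumerable property named `polluted = 0` to `Object.prototype` to show the difference, and removes it again. No template is compiled; no `Function()` is called.

```javascript
// Added example (not lodash's code, nor Black Kite's): show why imports keys
// must be own properties and valid identifiers before they can become
// parameter names of a generated function.

// A key is acceptable only if it is a plain JavaScript identifier.
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

// Mimics a for..in based merge: inherited enumerable properties are copied
// too, which is how a polluted Object.prototype reaches the imports object.
function forInMerge(target, source) {
  for (const key in source) target[key] = source[key];
  return target;
}

// Hardened merge: own properties only, identifier-shaped keys only, and a
// null-prototype result so the object itself cannot inherit anything.
function safeImports(source) {
  const out = Object.create(null);
  for (const key of Object.keys(source)) { // own enumerable keys only
    if (!IDENTIFIER.test(key)) {
      throw new TypeError(`imports key is not a valid identifier: ${JSON.stringify(key)}`);
    }
    out[key] = source[key];
  }
  return out;
}

// The parameter list a template engine would build from the import keys.
// Only built as a string here, never compiled.
function parameterList(imports) {
  return Object.keys(imports).join(", ");
}

// Controlled demonstration: pollute Object.prototype with a key that is not an
// identifier, compare the naive and hardened merges, then clean up.
function pollutionDemo() {
  const polluted = "polluted = 0"; // constructed; shape of a default-parameter expression
  Object.defineProperty(Object.prototype, polluted,
    { value: 0, enumerable: true, configurable: true, writable: true });
  try {
    const userImports = { helper: () => "ok" }; // what an application would pass
    const naive = forInMerge({}, userImports);
    const hardened = safeImports(userImports);
    return {
      naiveKeys: Object.keys(naive),        // includes the polluted key
      naiveParams: parameterList(naive),    // "helper, polluted = 0"
      hardenedKeys: Object.keys(hardened),  // ["helper"]
    };
  } finally {
    delete Object.prototype[polluted];
  }
}
```

Upgrading to 4.18.0 or later remains the fix; the checks above are the shape of what to enforce in application code around any template call while the upgrade is pending, and `parameterList` makes it obvious during code review why a non-identifier key is dangerous.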

Black Kite's Lodash FocusTag® details critical insights on the event for TPRM professionals.
Dolibarr (CVE-2026-23500)
What is the Dolibarr OS Command Injection Vulnerability?
CVE-2026-23500 is a Critical-severity OS Command Injection and Remote Code Execution (RCE) vulnerability affecting Dolibarr ERP & CRM. Bearing a CVSS v4 score of 9.4 and an EPSS score of 0.15%, this flaw was published in mid-April 2026.
The vulnerability resides within the application's document conversion utility (htdocs/includes/odtphp/odf.php). When generating PDFs from ODT files (like invoices or commercial proposals), Dolibarr retrieves the MAIN_ODT_AS_PDF configuration constant from the database to determine the conversion tool's file path. While the application sanitizes the input and output filenames, it completely fails to validate or escape the configuration constant itself before passing it to the PHP exec() function. An authenticated attacker with administrative privileges can exploit this by injecting command separators (such as ; or |) into the constant, allowing them to execute arbitrary operating system commands with the privileges of the web server user.
Public Proof-of-Concept (PoC) exploits are available for this vulnerability. As of late April 2026, it has not been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog, though it is documented in the European Union's Vulnerability Database under the identifier EUVD-2026-23502.
Why should TPRM Professionals care about the Dolibarr vulnerability?
Dolibarr functions as a comprehensive Enterprise Resource Planning (ERP) and Customer Relationship Management (CRM) system. By design, this platform aggregates a vendor's most sensitive operational data, including financial transactions, proprietary pricing models, customer contact information, and internal employee records.
For Third-Party Risk Management professionals, an unpatched Dolibarr instance represents a critical point of failure in the supply chain. Because CVE-2026-23500 enables arbitrary OS command execution, a compromised administrative account grants an attacker full control over the underlying web server. Threat actors can pivot from this foothold to extract the database credentials, exfiltrating the entire ERP dataset. Furthermore, they could silently manipulate invoice templates or payment routing information, leading to direct financial fraud against your organization or other downstream clients. Securing this central hub is essential to preventing wide-scale data breaches and financial supply chain compromise.
What questions should TPRM professionals ask vendors about the Dolibarr vulnerability?
To thoroughly evaluate how your third parties are securing their ERP infrastructure against this critical injection flaw, consider asking the following technical questions:
- Have you updated all instances of Dolibarr ERP & CRM to version 23.0 or later to mitigate the risk of CVE-2026-23500?
- Can you confirm that you have implemented strict validation and escaping of configuration constants before they reach the exec() function, as recommended in the patch for CVE-2026-23500?
- Have you implemented Multi-Factor Authentication (MFA) for all administrative accounts in Dolibarr to prevent attackers from gaining the credentials needed to modify global constants as suggested in the remediation measures?
- Have you audited the llx_const table in your Dolibarr database for any unusual values in the MAIN_ODT_AS_PDF entry to ensure it points strictly to a legitimate binary path with no additional shell characters?
Remediation Recommendations for Vendors subject to this risk
Vendors operating vulnerable versions of Dolibarr must implement these immediate technical measures to neutralize the OS command injection risk:
- Immediate Software Upgrade: Update Dolibarr ERP & CRM to version 23.0 or newer. This patched release introduces strict validation and escaping for configuration constants before they are processed by the exec() function.
- Audit Configuration Constants: Manually review the llx_const table within the Dolibarr database. Verify that the MAIN_ODT_AS_PDF value points exclusively to a legitimate binary path without any appended shell operators.
- Restrict Administrative Access: Deploy Multi-Factor Authentication (MFA) for all administrative accounts to protect against credential stuffing and unauthorized configuration modifications.
- Harden Database Access: Ensure the web application operates using a database user with the principle of least privilege, tightly controlling which accounts possess the authority to alter core configuration tables.
- Monitor Web Server Activity: Configure endpoint detection tools or system logging to flag unusual child processes spawned by the web service (apache2, nginx, etc.); such processes are a strong indicator of active exploitation attempts.
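The "Audit Configuration Constants" step above as a standalone check over exported llx_const rows. This is an added example, not Dolibarr's code; it assumes rows carry the name, value and entity columns and that a legitimate MAIN_ODT_AS_PDF value is a bare command name or an absolute path with no arguments, so anything else is returned for manual review. The sample rows are constructed.

```javascript
// Added example (not Dolibarr's code): audit llx_const rows for a tampered
// MAIN_ODT_AS_PDF value. Rows are assumed to have name/value/entity fields,
// e.g. exported with: SELECT name, value, entity FROM llx_const;
const SHELL_META = /[;&|`$<>(){}\[\]*?!'"\\\n\r]|\s/; // separators, expansions, whitespace
// Bare command name (e.g. libreoffice) or absolute path (e.g. /usr/bin/soffice).
const PLAIN_PATH = /^(?:\/[A-Za-z0-9._-]+)+$|^[A-Za-z0-9._-]+$/;

function auditOdtAsPdf(rows) {
  const findings = [];
  for (const row of rows) {
    if (row.name !== 'MAIN_ODT_AS_PDF') continue;
    const value = String(row.value ?? '');
    if (value === '') continue; // unset: ODT-to-PDF conversion not configured
    if (SHELL_META.test(value)) {
      findings.push({ entity: row.entity, value, reason: 'contains whitespace or shell metacharacters' });
    } else if (!PLAIN_PATH.test(value)) {
      findings.push({ entity: row.entity, value, reason: 'not a bare command name or absolute path' });
    }
  }
  return findings;
}

// Constructed sample export: entities 1 and 2 are clean, 3 and 4 are tampered.
const SAMPLE_ROWS = [
  { name: 'MAIN_THEME', value: 'eldy', entity: 1 },
  { name: 'MAIN_ODT_AS_PDF', value: 'libreoffice', entity: 1 },
  { name: 'MAIN_ODT_AS_PDF', value: '/usr/bin/soffice', entity: 2 },
  { name: 'MAIN_ODT_AS_PDF', value: 'soffice; echo tampered', entity: 3 },
  { name: 'MAIN_ODT_AS_PDF', value: '../../bin/sh', entity: 4 },
];

for (const f of auditOdtAsPdf(SAMPLE_ROWS)) {
  console.log(`entity ${f.entity}: ${f.reason}: ${JSON.stringify(f.value)}`);
}
```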

Black Kite's Dolibarr FocusTag® details critical insights on the event for TPRM professionals.
How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities
Black Kite provides a streamlined approach to identifying and managing the diverse set of vulnerabilities discussed in this week’s blog. To ensure immediate supply chain visibility, the platform published the Lodash tag on April 3, 2026, followed by the SharePoint - Apr2026 tag on April 15, and the ActiveMQ - Apr2026 tag on April 17, 2026. As the threat landscape rapidly evolved, Black Kite released the Exchange Server - Apr2026 tag on April 20, 2026, and immediately followed up with the Zimbra - Apr2026, MSSQL - Apr2026, and Dolibarr tags on April 21, 2026. These tags allow TPRM teams to instantly filter their entire vendor ecosystem to isolate companies running vulnerable versions of these products without the need for manual scanning or waiting weeks for vendors to complete generic questionnaires.
The primary differentiator of the Black Kite platform is the provision of precise asset intelligence. Rather than simply indicating that a vendor "might" be using a vulnerable application, Black Kite identifies the exact IP addresses and subdomains where the risk is detected. By providing these granular technical details, TPRM professionals can move beyond broad assessments and instead present vendors with actionable evidence of their exposure. This empowers organizations to demand verified, targeted remediation for critical assets—whether it is an unpatched Exchange Server, a vulnerable Dolibarr ERP instance, or a compromised ActiveMQ message broker—ensuring that critical supply chain nodes are secured before threat actors can successfully exploit them.
Strengthening TPRM Outcomes with Black Kite’s FocusTags®
In an environment where attackers quickly exploit vulnerabilities in core enterprise systems—from Microsoft Exchange and SharePoint to critical software dependencies like Lodash—traditional, static risk assessments fall short. Black Kite’s FocusTags® revolutionize Third-Party Risk Management by turning an overwhelming influx of vulnerability data into a clear, prioritized action plan.
When managing the complexities of recent zero-days and critical disclosures, Black Kite’s FocusTags® empower your team through:
- Immediate Threat Visibility: Instantly isolate which vendors are running vulnerable infrastructure, such as unpatched Dolibarr ERPs or exposed ActiveMQ brokers, enabling rapid and decisive intervention.
- Contextual Risk Triage: Evaluate the intersection of a vendor's criticality to your business and the severity of the specific flaw. This ensures your team directs its resources toward patching actively exploited threats—like the Zimbra XSS or Exchange Server RCE—before addressing lower-priority issues.
- Evidence-Based Vendor Collaboration: Move past generic, time-consuming questionnaires. Equip your risk teams with the exact IP addresses and subdomains affected by the MSSQL or SharePoint vulnerabilities to facilitate highly targeted and productive remediation discussions.
- Resilient Supply Chain Defense: Gain a comprehensive, continuous view of your extended attack surface, allowing your organization to proactively adapt its security posture as complex, multi-layered threats emerge.
By transforming raw cyber threat data into precise, actionable intelligence, Black Kite’s FocusTags® provide TPRM professionals with the exact tools needed to efficiently and effectively secure the digital supply chain against today's most sophisticated attacks.
About Focus Friday
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
FocusTags® in the Last 30 Days:
- ActiveMQ - Apr2026 : CVE-2026-34197, High-Severity Code Injection Vulnerability allowing arbitrary code execution via the Jolokia JMX-HTTP bridge.
- Zimbra - Apr2026 : CVE-2025-48700, Critical Cross-Site Scripting (XSS) Vulnerability actively exploited in the wild allowing for session hijacking and sensitive information disclosure.
- Exchange Server - Apr2026 : CVE-2023-21529, Critical Remote Code Execution Vulnerability due to insecure deserialization allowing full system compromise.
- SharePoint - Apr2026 : CVE-2026-32201, CVE-2026-20945, Medium-Severity Improper Input Validation and Spoofing Vulnerabilities allowing network spoofing and deceptive content delivery.
- MSSQL - Apr2026 : CVE-2026-32167, CVE-2026-32176, CVE-2026-33120, High-Severity Untrusted Pointer Dereference and SQL Injection vulnerabilities allowing privilege escalation and Remote Code Execution.
- Lodash : CVE-2026-4800, High-Severity Code Injection Vulnerability in the _.template function allowing arbitrary code execution.
- Dolibarr : CVE-2026-23500, Critical OS Command Injection and Remote Code Execution Vulnerability due to improper validation of document conversion paths.
- F5 BIG-IP - Mar2026 : CVE-2025-53521, Critical Unauthenticated Remote Code Execution (RCE) vulnerability in the BIG-IP APM actively exploited in the wild.
- TrueChaos : CVE-2026-3502, High-Severity Insufficient Firmware Update Validation allowing compromised on-premises servers to distribute malware (Zero-Day Exploited).
- Cisco IMC : CVE-2026-20093, Critical Authentication Bypass Vulnerability allowing unauthenticated, remote attackers to alter passwords and gain full Admin access.
- Perl : CVE-2026-4176, CVE-2026-3381, CVE-2026-27171, Critical Supply Chain Vulnerability leading to Remote Code Execution and Denial of Service.
- Grafana - Mar2026 : CVE-2026-27876, CVE-2026-27880, Critical Remote Code Execution, Arbitrary File Write, SQL Injection, and Denial of Service Vulnerabilities.
- Squid Proxy - Mar2026 : CVE-2026-33526, CVE-2026-32748, CVE-2026-33515, Critical Use-After-Free and Denial of Service Vulnerabilities in the Internet Cache Protocol (ICP) causing remote service crashes and information disclosure.
- n8n - Mar2026 : CVE-2026-33660, Critical Remote Code Execution Vulnerability in the Merge node due to insufficient sandboxing.
- Harbor : CVE-2026-4404, Critical Use of Default Credentials allowing full administrative access and potential supply chain attacks.
- MariaDB : CVE-2026-32710, High-Severity JSON Schema Validation Buffer Overflow Vulnerability.
- Jenkins - Mar2026 : CVE-2026-33001, CVE-2026-33002, CVE-2026-33003, CVE-2026-33004, Critical File Creation, DNS Rebinding, and Sensitive API Key Exposure in Jenkins Core and LoadNinja Plugin.
- Roundcube - Mar2026 : Pre-Auth Arbitrary File Write, Critical Session Handler Vulnerability allowing Remote Code Execution and Account Takeover.
See Black Kite's full CVE Database and the critical TPRM vulnerabilities that have a FocusTag® applied at https://blackkite.com/cve-database/.
References
https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt
https://thehackernews.com/2026/04/apache-activemq-cve-2026-34197-added-to.html
https://nvd.nist.gov/vuln/detail/CVE-2026-34197
https://securityonline.info/apache-activemq-rce-jolokia-cve-2026-34197/
https://horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/
https://github.com/0xBlackash/CVE-2026-34197
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://www.cve.org/CVERecord?id=CVE-2025-48700
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529
https://www.cve.org/CVERecord?id=CVE-2023-21529
https://nvd.nist.gov/vuln/detail/CVE-2026-32201
https://nvd.nist.gov/vuln/detail/CVE-2026-20945
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20945
https://nvd.nist.gov/vuln/detail/CVE-2026-32167
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32167
https://nvd.nist.gov/vuln/detail/CVE-2026-32176
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32176
https://nvd.nist.gov/vuln/detail/CVE-2026-33120
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33120
https://securityonline.info/lodash-template-code-injection-vulnerability-cve-2026-4800/
https://www.cve.org/CVERecord?id=CVE-2026-4800
https://github.com/advisories/GHSA-35jh-r3h4-6jhm
https://securityonline.info/dolibarr-rce-vulnerability-cve-2026-23500-pdf-conversion/
https://www.cve.org/CVERecord?id=CVE-2026-23500
https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w