Movable Type & PraisonAI — Critical Remote Code Execution Vulnerabilities
Critical Perl Code Injection in Movable Type (CVE-2026-25776)
Confidence: High
A critical vulnerability has been discovered in the Movable Type publishing platform. Designated as CVE-2026-25776 with a CVSS score of 9.8, this flaw allows for arbitrary Perl code injection. Successful exploitation enables an attacker to execute commands on the host server with the privileges of the web server process.
The vulnerability stems from improper sanitisation of input processed by the Perl interpreter. This bypasses existing security controls and provides a direct path to server compromise. Organisations using Movable Type must prioritise patching this flaw immediately to prevent unauthorised access and potential data exfiltration.
PraisonAI Sandbox Escape Enables Unauthenticated RCE (CVE-2026-39888)
Confidence: High
PraisonAI, an emerging AI orchestration framework, is affected by a critical sandbox escape vulnerability (CVE-2026-39888) carrying a CVSS score of 9.9. This flaw allows an unauthenticated remote attacker to break out of the intended execution environment and execute arbitrary code on the underlying host system.
The escape is achieved by abusing specific agent-to-environment interaction protocols that fail to enforce strict isolation. Given the increasing adoption of autonomous AI agents in enterprise workflows, this vulnerability poses a severe risk to any organisation running PraisonAI in an exposed or multi-tenant configuration.
Nix Package Manager: Local Root Privilege Escalation (CVE-2026-39860)
Confidence: High
The Nix package manager is susceptible to a local root privilege escalation vulnerability (CVE-2026-39860). With a CVSS score of 9.8, this flaw allows a local user with minimal privileges to gain full administrative (root) access to the system. The issue relates to how Nix handles certain store paths and symbolic links, allowing file system manipulation that leads to privilege escalation.
IBM Security Verify Access: Local Root Escalation (CVE-2026-1346)
Confidence: High
IBM Security Verify Access contains a local privilege escalation vulnerability (CVE-2026-1346) with a CVSS score of 9.3. A local attacker could exploit this flaw to elevate their privileges to root on the affected appliance. This vulnerability compromises the integrity of identity management infrastructure and could be used as a pivot point for broader network attacks.
Docker Engine: AuthZ Bypass Regression (CVE-2026-34040)
Confidence: High
A regression in Docker Engine has introduced an authorisation bypass vulnerability (CVE-2026-34040), rated CVSS 8.8. This flaw allows attackers to bypass configured authorisation plugins under specific conditions, potentially leading to unauthorised container management and privilege escalation within the Docker daemon's scope.
Update: Ivanti EPMM (CVE-2026-1340) Added to CISA KEV
Confidence: High
The Ivanti EPMM vulnerability (CVE-2026-1340) has been added to the CISA Known Exploited Vulnerabilities (KEV) catalogue. Federal agencies are mandated to patch this flaw by 11 April 2026 following confirmed exploitation in the wild.
Update: NCSC UK Confirms APT28 DNS Hijacking Campaign
Confidence: High
The NCSC UK has formally confirmed an active campaign by Russian state actor APT28 targeting SME routers across the UK and EU. The campaign involves hijacking DNS settings to redirect traffic and harvest credentials.
Why This Matters
Today's findings highlight a dangerous trend of vulnerabilities in foundational infrastructure components — from CMS platforms and package managers to AI frameworks and identity management tools. The rapid escalation of Ivanti and APT28 threats underscores the speed at which discovered flaws are weaponised by both state and criminal actors.
Recommended Actions
- Patch Immediately: Prioritise updates for Movable Type (CVE-2026-25776) and PraisonAI (CVE-2026-39888).
- Audit Nix/Docker: Review configurations and apply latest security updates for Nix package manager and Docker Engine.
- Identity Security: Update IBM Security Verify Access instances to mitigate local root escalation risks.
- Compliance: Ensure all Ivanti EPMM instances are patched before the 11 April CISA deadline.
- Router Integrity: Conduct integrity checks on edge router DNS and DHCP configurations to detect APT28-linked interference.
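One way to carry out the router integrity check above on devices that use dnsmasq, as an added example that is not part of the original brief. It assumes a dnsmasq-style configuration export; the approved resolver baseline and the sample configuration are constructed and use documentation-range addresses.

```python
import ipaddress

# Constructed baseline: resolvers this site has approved (documentation-range IPs).
APPROVED = {"192.0.2.53", "192.0.2.54"}

# Constructed dnsmasq-style config, as it might be exported from an edge router.
SAMPLE_CONFIG = """\
# upstream resolvers
server=192.0.2.53
server=/corp.example/192.0.2.54
server=203.0.113.66#53
dhcp-option=tag:lan,6,192.0.2.53,198.51.100.9
dhcp-option=option:router,192.168.1.1
"""

def _ip(token):
    """Return the IP in a token like '1.2.3.4#53' or '1.2.3.4@eth0', else None."""
    host = token.split("#")[0].split("@")[0].strip()
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None

def dns_settings(config_text):
    """Yield (line_no, kind, ip) for each resolver the router uses or hands out."""
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank lines, full-line comments, bare flags
        key, value = (part.strip() for part in line.split("=", 1))
        kind, found = "", []
        if key == "server":
            # 'server=/domain/ip' scopes a resolver to one domain; the IP is last.
            kind, found = "upstream", [_ip(value.rsplit("/", 1)[-1])]
        elif key == "dhcp-option":
            # Skip tag: qualifiers; DHCP option 6 is the DNS server list for clients.
            fields = [f.strip() for f in value.split(",") if not f.strip().startswith("tag:")]
            if not fields or fields[0] not in ("6", "option:dns-server"):
                continue
            kind, found = "dhcp", [_ip(f) for f in fields[1:]]
        yield from ((n, kind, ip) for ip in found if ip)

def unapproved(config_text, approved=APPROVED):
    """Return the settings whose resolver is not in the approved baseline."""
    return [s for s in dns_settings(config_text) if s[2] not in approved]

if __name__ == "__main__":
    for line_no, kind, ip in unapproved(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind} resolver {ip} is not in the approved baseline")
```

Both the upstream resolvers and the DNS servers handed to clients over DHCP are checked, since changing either one redirects lookups.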
All findings grounded in A13E intelligence sweeps through 06:30 UTC 09 April 2026.