Claude Code Wrote a SAP Worm. Microsoft Refused to CVE Its Own 10.0.

A security researcher published full-chain RCE proofs against Microsoft Semantic Kernel and Agent Framework 1.0. Six bypasses, end-to-end. MSRC closed the case as "Developer Error," declined to issue a CVE, and quietly merged mitigations into the upstream repo. The result: enterprise SCA tools (Snyk, Checkmarx, Dependabot) report "all clear" because there is no CVE to scan against, while six exploitable conditions remain present in production deployments.

The pattern is older than this incident. Windows Shell ate two CVEs this month. CVE-2026-21510 was patched, CVE-2026-32202 was the bypass, now under active exploitation by APT28 per Akamai's analysis and added to the CISA KEV catalog on April 28. LiteLLM's SQLi (CVE-2026-42208) was exploited within 36 hours of disclosure. Checkmarx confirmed in its own April 26 statement that LAPSUS$ leaked source code, employee data, and database credentials taken from its GitHub repo via the supply-chain breach reported earlier this month. When the security vendors themselves are inside the blast radius, the dashboard is no longer the source of truth.

Sundar Pichai confirmed in his Cloud Next 2026 blog post that 75% of new code at Google is now AI-generated and approved by engineers, up from 50% last fall. The same week, PocketOS lost its production database in nine seconds when a Cursor-based Claude Opus 4.6 agent encountered a credential mismatch in staging, scanned the codebase, found a broadly scoped Railway API token in an unrelated file, and used it to delete the production volume. Backups were on the same volume. StackHawk's 2026 AppSec survival guide, based on a survey of 250+ AppSec stakeholders, puts AI coding assistant adoption at 87%, with 50% of teams already spending more than 40% of their time triaging tool findings. AI framework CVEs piled up alongside it: LangChain Core 1.2.4 SSTI/RCE, Cursor RCE via routine git (CVE-2026-26268), and the LiteLLM and Semantic Kernel issues above.

The 75% number reframes what code review is for. When the author is a model, "did a human read this" stops being a meaningful gate. That's the StackHawk survey's quiet finding. The PocketOS post-mortem is worth reading in full because the failure was not the model's reasoning. It was the long-lived API credential the agent inherited. Same shape as the SAP worm above: the security boundary is the token, not the code.

Fortinet's 2026 Cybersecurity Skills Gap Report, conducted by Sapio Research across 2,750 IT and security decision-makers, named the skills shortage as the top breach cause for the third year running (56%), with 51% specifically citing the lack of senior-level talent and 49% reporting they cannot get approval for additional hires. AI-generated code volume is climbing past 75% at the leading edge (per Pichai above) while AI tooling adds its own CVE class. And as Deep Dive 2 covered, the CVE-keyed disclosure pipeline you triage from is itself slipping. Spectrum Security raised $19M and exited stealth on the premise that detection authoring time should drop from 121 days to under 30 minutes; Snyk and Atlassian shipped intelligent remediation for Jira; Miggo launched Pulse, an AI-driven virtual patching system targeting the window between disclosure and patch deployment.

These three forces are not independent. A senior engineer market that's tighter than it was last year cannot be cleared by raising salaries when every other security org is doing the same, and Fortinet's 49% pushback number says even the orgs that want to hire are losing the budget conversation. AI volume is part of the input curve now, not the relief curve. And if the CVE-and-scanner pipeline you triage from is missing data (Deep Dive 2), then the productivity gain from automation has to absorb a quality gain from somewhere too. The vendor activity reads like the early stage of a market re-pricing: multiple approaches, lots of capital, no consensus yet on the right unit of automation.

Actively Exploited or Zero-Day

• CVE-2026-32202 — Windows Shell zero-click spoofing → NTLM relay via UNC. Exploited by APT28 via weaponized LNK files. CISA KEV-listed April 28; federal agencies must patch by May 12.

• CVE-2026-42208 — LiteLLM pre-auth SQLi (CVSS 9.3). Patched in 1.83.7-stable. First exploit observed 26 hours after the GitHub advisory was published; attackers extracted upstream LLM credentials.

• CVE-2026-3854 — GitHub RCE. Patched. Wiz analysis describes how the bug exposed millions of private repos before the fix.

• (disputed; no CVE) Microsoft Semantic Kernel & Agent Framework 1.0 — full-chain RCE with six bypasses. MSRC closed as "Developer Error"; mitigations silently merged upstream. SCA tools have nothing to scan against.

• CVE-2026-26268 — Cursor IDE sandbox escape via .git hooks (CVSS 9.9). Patched in Cursor 2.5; public disclosure April 28. Disclosed by researcher Novee.

• Qinglong task scheduler — multiple RCEs, actively exploited for cryptomining.

High Severity

• LangChain Core 1.2.4 SSTI/RCE. Exploit-DB

• Craft CMS 5.6.16 RCE. Exploit-DB

• OpenWrt 23.05 authenticated RCE. Exploit-DB

• GUnet OpenEclass <4.2 RCE. Exploit-DB

• GNU InetUtils 2.6 telnetd remote privilege escalation. Exploit-DB

• cPanel / WHM critical auth bypass; emergency update issued. Bleeping Computer

• Thymeleaf CVE-2026-40478 template injection. Snyk

• Xibo CMS 4.3.0 RCE via SSTI. Exploit-DB

• JuzaWeb CMS 3.4.2 authenticated RCE. Exploit-DB

• Atlona ATOMERX21 authenticated command injection. Exploit-DB

Notable Aggregations

• OpenEMR — 38 vulnerabilities found across the medical-records platform.

• XAPI / Citrix XenServer — 89 vulnerabilities disclosed.

• WordPress popular redirect plugin — dormant backdoor for years before discovery.

• QEMU and UTM escape bugs — researcher writeup on multiple sandbox escape conditions.

No Patch Available

• Microsoft PhantomRPC privilege escalation — Microsoft declined to patch, framing it as expected behavior. Same dispute pattern as Semantic Kernel above.