Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Two different CISA deadlines this week. Don’t mix them up.
Two Fortinet CVEs – CVE-2026-35616 (FortiClient EMS) and CVE-2026-21643 (SQL Injection) – carry a federal remediation deadline of April 16. That’s today. Both are confirmed actively exploited. Fortinet keeps showing up on the KEV because these devices sit at the network perimeter at scale. A vulnerable edge appliance skips past all your endpoint protections. Patch now.
Separately, CISA added six more CVEs covering Fortinet, Microsoft, and Adobe on April 14, with a deadline of April 27. Different CVEs. Different deadline. Don’t conflate them.
NIST also changed how NVD works, effective today. CVE volume is up nearly 30% year-over-year, and the backlog was getting unmanageable. New priority order: KEV catalog first, then confirmed-exploited CVEs with CVSS 7.0+, then CVSS 9.0+ without confirmed exploitation. The practical takeaway: stop waiting for NVD enrichment before acting on KEV entries. The KEV listing is your signal. Act on it directly.
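The priority order above, and the two different KEV deadlines from the Fortinet items, are easy to get wrong in a spreadsheet. As an added example (not from the post or from NIST/CISA tooling), here is a small Python triage function that applies that order and sorts KEV entries by their own federal deadline. The CVE ids for the Fortinet and ShowDoc items are taken from the post; the CVSS scores, the `CVE-0000-*` ids, and the ShowDoc item's KEV status are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Vuln:
    cve: str
    cvss: float               # base score from the advisory/scanner feed
    in_kev: bool              # listed in CISA's KEV catalog
    kev_due: Optional[date]   # KEV remediation deadline, if listed
    exploited: bool           # exploitation confirmed by some other source

# NVD's new enrichment order, reused here as action tiers (1 = act first).
TIER_KEV, TIER_EXPLOITED_HIGH, TIER_CRITICAL, TIER_BACKLOG = 1, 2, 3, 4

def tier(v: Vuln) -> int:
    """Map one record onto the priority order described in the post."""
    if v.in_kev:                          # KEV listing is the signal; act directly
        return TIER_KEV
    if v.exploited and v.cvss >= 7.0:     # confirmed exploited, high or critical
        return TIER_EXPLOITED_HIGH
    if v.cvss >= 9.0:                     # critical score, no confirmed exploitation
        return TIER_CRITICAL
    return TIER_BACKLOG

def triage(vulns, today: date):
    """Order work: tier, then earliest KEV deadline, then CVSS descending."""
    def key(v):
        return (tier(v), v.kev_due or date.max, -v.cvss)
    return [
        {"cve": v.cve, "tier": tier(v),
         "days_left": (v.kev_due - today).days if v.kev_due else None}
        for v in sorted(vulns, key=key)
    ]

# Constructed sample feed. CVSS values are placeholders, not the real scores;
# CVE-0000-* ids are invented; the ShowDoc entry is modelled as not KEV-listed.
TODAY = date(2026, 4, 16)
SAMPLE = [
    Vuln("CVE-2026-21643", 8.2, True, date(2026, 4, 16), True),   # Fortinet, due today
    Vuln("CVE-0000-00002", 5.0, False, None, False),              # ordinary backlog
    Vuln("CVE-2025-0520", 8.5, False, None, True),                # ShowDoc, exploited
    Vuln("CVE-0000-00003", 7.5, True, date(2026, 4, 27), False),  # April 14 batch stand-in
    Vuln("CVE-0000-00001", 9.3, False, None, False),              # critical, not exploited
    Vuln("CVE-2026-35616", 9.1, True, date(2026, 4, 16), True),   # Fortinet, due today
]

if __name__ == "__main__":
    for row in triage(SAMPLE, TODAY):
        print(row)
```

Negative `days_left` means the KEV deadline has already passed; `None` means the item has no federal deadline and is ordered by tier and score alone.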
Two more worth your time: a 2020 ShowDoc vulnerability (CVE-2025-0520) is actively exploited on 2,000+ unpatched servers right now – web shells are being deployed. Update to 2.8.7 or later. And Google’s April Pixel update patches a framework-level denial of service that requires no user interaction and no special privileges. Install it.
Full breakdown of every CVE, deadline, and what to do with the NIST change