Daily CVE Report: Zero New Vulnerabilities Published, Yet High-Severity Threats Linger in Modem and ChurchCRM
A daily CVE report for April 8, 2026, reveals a significant anomaly: zero new vulnerabilities were published in the last 24 hours, despite the presence of multiple high-severity threats with active exploit potential. The highest CVSS score recorded is a critical 10, underscoring the persistent risk landscape even on a day with no new entries. This quiet period belies the ongoing danger from recently disclosed flaws in widely used systems.
Among the high-severity CVEs detailed, two stand out for their potential impact. CVE-2026-20433, scoring 8.8, affects modem firmware, where a missing bounds check could lead to a remote out-of-bounds write. The flaw could enable privilege escalation if a user equipment (UE) connects to a rogue base station controlled by an attacker. Separately, CVE-2026-39328, with an 8.9 score, is a stored cross-site scripting (XSS) flaw in the open-source ChurchCRM software prior to version 7.1.0 that allows non-administrative users to inject malicious scripts via the person profile editor.
The juxtaposition of a silent publication day with these high-risk, actively exploitable vulnerabilities signals a critical maintenance phase for system administrators and security teams. The modem vulnerability, in particular, presents a direct threat to mobile network integrity and user device security, requiring immediate patching or mitigation strategies. For organizations relying on ChurchCRM, the stored XSS flaw represents a tangible internal security risk that could compromise sensitive member data. This report serves as a stark reminder that threat visibility is not solely defined by daily publication counts, but by the latent exploitability of existing, high-scoring flaws in common software and hardware.