April 2026 [Double Feature: SQL Another Day + XSS Never Dies]

A SQL injection vulnerability sits in the Microsoft SQL Server database engine, not a web front end, and lets an attacker with high local privilege escalate straight to SQL sysadmin.

An actively exploited, unauthenticated cross-site scripting flaw in SharePoint needs no privileges, and on-premises instances exposed to the internet carry the highest risk.

The actively exploited XSS demands faster action than the SQL flaw that hasn't been seen in the wild, so patch order should follow real-world risk rather than severity rating alone.

Shared service accounts widen the blast radius. Mat recommends one service account per function so you can contain and rotate without breaking everything tied to it.

Mat ties the resurgence of XSS and SQL injection in 2026 to larger codebases and AI-generated code. He notes a reported uptick in vulnerabilities tied to AI-written code that still needs manual security review.