What were the most critical CVEs disclosed this week?

This week's roundup covers 53 vulnerability disclosures analyzed by Sherlock Forensics. 7 scored 9.0 or above (critical) and 46 rated high. Each CVE is grouped by vendor and assessed for real-world exploitability with patching priorities.

How should organizations respond to new CVE disclosures?

Start with automated vulnerability scanning against new disclosures within 24 hours. Patch critical and actively exploited vulnerabilities within 72 hours. Deploy compensating controls for anything you cannot patch immediately. Validate that your patches actually work. Sherlock Forensics managed security service automates this entire workflow.

Where can I get professional help responding to these vulnerabilities?

Sherlock Forensics offers emergency CVE response assessments with 24-hour turnaround to verify whether your deployment is vulnerable and test whether your compensating controls block exploitation. Managed security clients receive automated alerting when new CVEs affect their technology stack. Contact 604.229.1994 for immediate assistance.

Weekly Security Roundup: April 17 to April 24, 2026

The Week in Security

Other had 45 vulnerabilities this week including OpenClaw before 2026.3.31 contains Privilege (CVSS 9.9). WordPress had 1 high-severity issues worth watching. Oracle had 4 high-severity issues worth watching.

We tracked 53 vulnerabilities this week. 7 scored 9.0 or above. If you only have time for one thing today, scroll to "What To Do This Week" at the bottom.

Other Had a Rough Week

45 vulnerabilities across Other products this week. The worst: CVE-2026-41329 (CVSS 9.9) lets anyone bypass authentication. Patch now if you run Other.

CVE-2026-41329: OpenClaw before 2026.3.31 contains Privilege (CVSS 9.9)
CVE-2026-6885: Borg SPM Remote Code Execution (CVSS 9.8)
CVE-2026-39918: Vvveb prior to 1.0.8.1 contains Remote code (CVSS 9.8)
CVE-2026-33519: Incorrect Authorization CRITICAL (CVSS 9.8)
CVE-2026-26210: KTransformers through 0.5.3 unsafe (CVSS 9.8)
CVE-2026-23751: Kofax Capture Remote Code Execution (CVSS 9.8)
CVE-2026-40525: Auth Bypass (CVSS 9.1)
CVE-2026-6859: A flaw was found Vulnerability - Sherlock (CVSS 8.8)
CVE-2026-6631: Analysis: HIGH (CVSS 8.8)
CVE-2026-6581: Analysis: HIGH (CVSS 8.8)
CVE-2026-6518: Analysis: HIGH (CVSS 8.8)
CVE-2026-6249: Vvveb CMS 1.0.8 contains Remote code executio (CVSS 8.8)
CVE-2026-41352: OpenClaw Remote Code Execution (CVSS 8.8)
CVE-2026-41349: OpenClaw before 2026.3.28 agentic (CVSS 8.8)
CVE-2026-41468: Beghelli Sicuro24 SicuroWeb embeds (CVSS 8.7)
CVE-2026-41455: WeKan before 8.35 server-side request (CVSS 8.5)
CVE-2026-41454: WeKan before 8.35 missing authorization (CVSS 8.3)
CVE-2026-40516: Analysis: HIGH (CVSS 8.3)
CVE-2026-41296: OpenClaw before 2026.3.31 contains File read (CVSS 8.2)
CVE-2026-6832: Hermes WebUI Directory Traversal HIGH (CVSS 8.1)
CVE-2026-6248: The wpForo Forum plugin Remote code execution (CVSS 8.1)
CVE-2026-5966: ThreatSonar Anti-Ransomware developed by Dire (CVSS 8.1)
CVE-2026-5364: Drag and Drop File Upload RCE (CVSS 8.1)
CVE-2026-41353: OpenClaw before 2026.3.22 access (CVSS 8.1)
CVE-2026-34428: Vvveb prior to 1.0.8.1 contains File read (CVSS 7.7)
CVE-2026-41297: OpenClaw before 2026.3.31 contains Vulnerabi (CVSS 7.6)
CVE-2026-5710: Analysis: HIGH (CVSS 7.5)
CVE-2026-40515: Analysis: HIGH (CVSS 7.5)
CVE-2026-3489: Analysis: HIGH (CVSS 7.5)
CVE-2026-2262: Analysis: HIGH (CVSS 7.5)
CVE-2026-6662: Analysis: HIGH (CVSS 7.3)
CVE-2026-6635: A security vulnerability has Vulnerability (CVSS 7.3)
CVE-2026-6605: Analysis: HIGH (CVSS 7.3)
CVE-2026-6604: Analysis: HIGH (CVSS 7.3)
CVE-2026-6603: Analysis: HIGH (CVSS 7.3)
CVE-2026-6602: Analysis: HIGH (CVSS 7.3)
CVE-2026-6596: Analysis: HIGH (CVSS 7.3)
CVE-2026-6580: A security vulnerability has Vulnerability (CVSS 7.3)
CVE-2026-6574: Analysis: HIGH (CVSS 7.3)
CVE-2026-6569: Analysis: HIGH (CVSS 7.3)
CVE-2026-6568: Analysis: HIGH (CVSS 7.3)
CVE-2026-5231: Analysis: HIGH (CVSS 7.2)
CVE-2026-4132: HTTP Headers Plugin RCE HIGH (CVSS 7.2)
CVE-2026-40520: FreePBX RCE HIGH (CVSS 7.2)
CVE-2026-41299: OpenClaw before 2026.3.28 contains Access co (CVSS 7.1)

WordPress Hit With CVSS 8.1

CVE-2026-5478 scores a 8.1. WordPress needs your attention.

CVE-2026-5478: The Everest Forms plugin File read (CVSS 8.1)

Oracle Patches 4 Vulnerabilities

4 vulnerabilities across Oracle products this week. The worst: CVE-2026-34305 (CVSS 7.5) lets anyone bypass authentication. Patch now if you run Oracle.

CVE-2026-34305: Oracle HIGH (CVSS 7.5)
CVE-2026-34282: Oracle Denial of Service HIGH (CVSS 7.5)
CVE-2026-22016: Oracle HIGH (CVSS 7.5)
CVE-2026-34292: Oracle HIGH (CVSS 7.2)

IBM Patches 2 Vulnerabilities

2 vulnerabilities across IBM products this week. The worst: CVE-2026-3621 (CVSS 7.5) lets anyone bypass authentication. Patch now if you run IBM.

CVE-2026-3621: IBM WebSphere Application Server (CVSS 7.5)
CVE-2026-5935: IBM Total Storage Service Remote code (CVSS 7.3)

Google Hit With CVSS 7.2

CVE-2026-5464 scores a 7.2. Google lets attackers run code on your systems.

CVE-2026-5464: ExactMetrics – Google Analytics Remote (CVSS 7.2)

By the Numbers

Total CVEs analyzed	53
Critical (9.0+)	7
High (7.0-8.9)	46
Remote code execution	29
Authentication bypass	22
Cross-site scripting	0
SQL injection	0

What To Do This Week

One action item per vendor. Start at the top and work down.

Other: Update immediately. 7 critical-severity issues patched this week.
WordPress: Review and patch 1 high-severity vulnerabilities when possible.
Oracle: Review and patch 4 high-severity vulnerabilities when possible.
IBM: Review and patch 2 high-severity vulnerabilities when possible.
Google: Review and patch 1 high-severity vulnerabilities when possible.