What were the most critical CVEs disclosed this week?

This week's roundup covers 66 vulnerability disclosures analyzed by Sherlock Forensics. 6 scored 9.0 or above (critical) and 60 rated high. Each CVE is grouped by vendor and assessed for real-world exploitability with patching priorities.

How should organizations respond to new CVE disclosures?

Start with automated vulnerability scanning against new disclosures within 24 hours. Patch critical and actively exploited vulnerabilities within 72 hours. Deploy compensating controls for anything you cannot patch immediately. Validate that your patches actually work. Sherlock Forensics managed security service automates this entire workflow.

Where can I get professional help responding to these vulnerabilities?

Sherlock Forensics offers emergency CVE response assessments with 24-hour turnaround to verify whether your deployment is vulnerable and test whether your compensating controls block exploitation. Managed security clients receive automated alerting when new CVEs affect their technology stack. Contact 604.229.1994 for immediate assistance.

Weekly Security Roundup: April 26 to May 02, 2026

The Week in Security

Weaver got hit with a CVSS 9.8 for Weaver (Fanwei) E-office versions Remote. Other had 51 vulnerabilities this week including User Verification by PickPlugins (CVSS 9.8). Apache had 2 vulnerabilities this week including apache pony mail Vulnerability - Sherlock (CVSS 9.8).

We tracked 66 vulnerabilities this week. 6 scored 9.0 or above. If you only have time for one thing today, scroll to "What To Do This Week" at the bottom.

Weaver Hit With CVSS 9.8

CVE-2022-50993 scores a 9.8. Weaver lets attackers run code on your systems.

CVE-2022-50993: Weaver (Fanwei) E-office versions Remote (CVSS 9.8)

Other Had a Rough Week

51 vulnerabilities across Other products this week. The worst: CVE-2026-7458 (CVSS 9.8) lets attackers run code on your systems. Patch now if you run Other.

CVE-2026-7458: User Verification by PickPlugins (CVSS 9.8)
CVE-2026-41940: cPanel Auth Bypass (CVSS 9.8)
CVE-2026-5166: Improper Limitation of a Directory traversal (CVSS 9.6)
CVE-2026-41386: OpenClaw before 2026.3.22 Privilege (CVSS 9.1)
CVE-2026-7641: Import and export users Privilege escalation (CVSS 8.8)
CVE-2026-7489: CTMS developed by Sunnet SQL injection (CVSS 8.8)
CVE-2026-7466: AgentFlow arbitrary code execution Remote (CVSS 8.8)
CVE-2026-7097: A weakness has been Buffer overflow (CVSS 8.8)
CVE-2026-42426: OpenClaw before 2026.4.8 improper (CVSS 8.8)
CVE-2026-41463: ProjeQtor versions 7.0 through Remote (CVSS 8.8)
CVE-2026-41378: OpenClaw before 2026.3.31 privilege Remote (CVSS 8.8)
CVE-2026-42431: OpenClaw before 2026.4.8 security (CVSS 8.1)
CVE-2026-27760: OpenCATS prior to commit Code injection (CVSS 8.1)
CVE-2026-2554: WCFM – Frontend Manager Vulnerability (CVSS 8.1)
CVE-2026-42432: OpenClaw before 2026.4.8 Privilege (CVSS 7.8)
CVE-2026-41912: OpenClaw before 2026.4.8 server-side SSRF (CVSS 7.6)
CVE-2026-7649: ARMember – Membership Plugin, SQL injection (CVSS 7.5)
CVE-2026-6320: Salon Booking System – File read (CVSS 7.5)
CVE-2026-42423: OpenClaw before 2026.4.8 approval-timeout (CVSS 7.5)
CVE-2026-41405: OpenClaw before 2026.3.31 parses (CVSS 7.5)
CVE-2026-41399: OpenClaw before 2026.3.28 accepts (CVSS 7.5)
CVE-2026-41395: OpenClaw before 2026.3.28 webhook (CVSS 7.5)
CVE-2026-7670: A flaw has been SQL injection - Sherlock (CVSS 7.3)
CVE-2026-7668: MikroTik RouterOS 6.49.8. This Vulnerability (CVSS 7.3)
CVE-2026-7644: ChatGPTNextWeb NextChat up to Authorization (CVSS 7.3)
CVE-2026-7630: innocommerce InnoShop up to Vulnerability (CVSS 7.3)
CVE-2026-7468: A security vulnerability has Authorization (CVSS 7.3)
CVE-2026-7314: eiceblue spire-doc-mcp-server 1.0.0. This (CVSS 7.3)
CVE-2026-7272: A flaw has been Directory traversal (CVSS 7.3)
CVE-2026-7221: TencentCloudBase-MCP up to Vulnerability (CVSS 7.3)
CVE-2026-7211: A weakness has been Command injection (CVSS 7.3)
CVE-2026-7178: A weakness has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-7177: ChatGPTNextWeb NextChat up to Vulnerability (CVSS 7.3)
CVE-2026-7147: JoeCastroMcp-chat-studio up to Vulnerability (CVSS 7.3)
CVE-2026-7146: A security vulnerability has (CVSS 7.3)
CVE-2026-7072: CodePanda Source canteen_management_system (CVSS 7.3)
CVE-2026-7065: BidingCC BuildingAI up to Vulnerability (CVSS 7.3)
CVE-2026-7061: A weakness has been Command injection (CVSS 7.3)
CVE-2026-7060: liyupi yu-picture up to SQL injection (CVSS 7.3)
CVE-2026-7042: A flaw has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-7036: Tenda i9 1.0.0.5(2204). This Directory (CVSS 7.3)
CVE-2026-7002: KLiK SocialMediaWebsite up to SQL injection (CVSS 7.3)
CVE-2026-6987: PicoClaw up to 0.2.4. Command injection (CVSS 7.3)
CVE-2026-6977: A security vulnerability has Authorization (CVSS 7.3)
CVE-2026-7490: CTMS and CPAS developed Remote code execution (CVSS 7.2)
CVE-2026-7435: SSCMS v7.4.0 SQL injection (CVSS 7.2)
CVE-2026-7049: PixelYourSite Pro – Your SSRF - Sherlock (CVSS 7.2)
CVE-2026-5324: Brizy – Page Builder Cross-site scripting (CVSS 7.2)
CVE-2018-25309: MyBB RecenThreads 17.0 Cross-site scripting (CVSS 7.2)
CVE-2026-4100: Paid Memberships Pro plugin Vulnerability (CVSS 7.1)
CVE-2026-41940: Redirecting...

Apache Patches 2 Vulnerabilities

2 vulnerabilities across Apache products this week. The worst: CVE-2026-41873 (CVSS 9.8) lets anyone bypass authentication. Patch now if you run Apache.

CVE-2026-41873: apache pony mail Vulnerability - Sherlock (CVSS 9.8)
CVE-2026-41636: apache thrift Vulnerability - Sherlock (CVSS 7.5)

IBM Patches 3 Vulnerabilities

3 vulnerabilities across IBM products this week. The worst: CVE-2026-6543 (CVSS 8.8) lets attackers run code on your systems. Patch now if you run IBM.

CVE-2026-6543: IBM Langflow Desktop 1.0.0 Remote (CVSS 8.8)
CVE-2026-6389: IBM Turbonomic prometurbo agent (CVSS 8.8)
CVE-2026-4503: IBM Langflow Desktop 1.0.0 Vulnerability (CVSS 7.5)

WordPress Patches 9 Vulnerabilities

9 vulnerabilities across WordPress products this week. The worst: CVE-2026-4062 (CVSS 7.5) lets attackers run code on your systems. Patch now if you run WordPress.

CVE-2026-4062: Geo MashuPlugin for SQL injection - Sherlock (CVSS 7.5)
CVE-2026-4061: Geo MashuPlugin for SQL injection - Sherlock (CVSS 7.5)
CVE-2026-4060: Geo MashuPlugin for SQL injection - Sherlock (CVSS 7.5)
CVE-2026-2892: Otter Blocks plugin for Vulnerability (CVSS 7.5)
CVE-2026-5113: Gravity Forms plugin for Cross-site (CVSS 7.2)
CVE-2026-5112: Gravity Forms plugin for Cross-site (CVSS 7.2)
CVE-2026-5111: Gravity Forms plugin for Cross-site (CVSS 7.2)
CVE-2026-5110: Gravity Forms plugin for Cross-site (CVSS 7.2)
CVE-2026-5109: Gravity Forms plugin for Cross-site (CVSS 7.2)

By the Numbers

Total CVEs analyzed	66
Critical (9.0+)	6
High (7.0-8.9)	60
Remote code execution	48
Authentication bypass	15
Cross-site scripting	0
SQL injection	0

What To Do This Week

One action item per vendor. Start at the top and work down.

Weaver: Update immediately. 1 critical-severity issues patched this week.
Other: Update immediately. 4 critical-severity issues patched this week.
Apache: Update immediately. 1 critical-severity issues patched this week.
IBM: Review and patch 3 high-severity vulnerabilities when possible.
WordPress: Review and patch 9 high-severity vulnerabilities when possible.