What were the most critical CVEs disclosed this week?

This week's roundup covers 123 vulnerability disclosures analyzed by Sherlock Forensics. 14 scored 9.0 or above (critical) and 109 rated high. Each CVE is grouped by vendor and assessed for real-world exploitability with patching priorities.

How should organizations respond to new CVE disclosures?

Start with automated vulnerability scanning against new disclosures within 24 hours. Patch critical and actively exploited vulnerabilities within 72 hours. Deploy compensating controls for anything you cannot patch immediately. Validate that your patches actually work. Sherlock Forensics managed security service automates this entire workflow.

Where can I get professional help responding to these vulnerabilities?

Sherlock Forensics offers emergency CVE response assessments with 24-hour turnaround to verify whether your deployment is vulnerable and test whether your compensating controls block exploitation. Managed security clients receive automated alerting when new CVEs affect their technology stack. Contact 604.229.1994 for immediate assistance.

Weekly Security Roundup: April 20 to May 03, 2026

The Week in Security

Other had 100 vulnerabilities this week including OpenClaw before 2026.3.31 contains Privilege (CVSS 9.9). Weaver got hit with a CVSS 9.8 for Weaver (Fanwei) E-office versions Remote. Apache had 2 vulnerabilities this week including apache pony mail Vulnerability - Sherlock (CVSS 9.8).

We tracked 123 vulnerabilities this week. 14 scored 9.0 or above. If you only have time for one thing today, scroll to "What To Do This Week" at the bottom.

Other Had a Rough Week

100 vulnerabilities across Other products this week. The worst: CVE-2026-41329 (CVSS 9.9) lets anyone bypass authentication. Patch now if you run Other.

CVE-2026-41329: OpenClaw before 2026.3.31 contains Privilege (CVSS 9.9)
CVE-2026-21515: Exposure of sensitive information (CVSS 9.9)
CVE-2026-7458: User Verification by PickPlugins (CVSS 9.8)
CVE-2026-6885: Borg SPM Remote Code Execution (CVSS 9.8)
CVE-2026-41940: cPanel Auth Bypass (CVSS 9.8)
CVE-2026-39920: BridgeHead FileStore versions prior Remote (CVSS 9.8)
CVE-2026-39918: Vvveb prior to 1.0.8.1 contains Remote code (CVSS 9.8)
CVE-2026-33519: Incorrect Authorization CRITICAL (CVSS 9.8)
CVE-2026-26210: KTransformers through 0.5.3 unsafe (CVSS 9.8)
CVE-2026-23751: Kofax Capture Remote Code Execution (CVSS 9.8)
CVE-2026-5166: Improper Limitation of a Directory traversal (CVSS 9.6)
CVE-2026-41386: OpenClaw before 2026.3.22 Privilege (CVSS 9.1)
CVE-2026-7685: Edimax BR-6208AC up to Buffer overflow (CVSS 8.8)
CVE-2026-7684: A security vulnerability has Buffer overflow (CVSS 8.8)
CVE-2026-7675: Shenzhen Libituo Technology LBT-T300-HW1 (CVSS 8.8)
CVE-2026-7674: A flaw has been Buffer overflow - Sherlock (CVSS 8.8)
CVE-2026-7641: Import and export users Privilege escalation (CVSS 8.8)
CVE-2026-7489: CTMS developed by Sunnet SQL injection (CVSS 8.8)
CVE-2026-7466: AgentFlow arbitrary code execution Remote (CVSS 8.8)
CVE-2026-7097: A weakness has been Buffer overflow (CVSS 8.8)
CVE-2026-6859: A flaw was found Vulnerability - Sherlock (CVSS 8.8)
CVE-2026-6631: Analysis: HIGH (CVSS 8.8)
CVE-2026-6581: Analysis: HIGH (CVSS 8.8)
CVE-2026-6249: Vvveb CMS 1.0.8 contains Remote code executio (CVSS 8.8)
CVE-2026-42426: OpenClaw before 2026.4.8 improper (CVSS 8.8)
CVE-2026-41463: ProjeQtor versions 7.0 through Remote (CVSS 8.8)
CVE-2026-41378: OpenClaw before 2026.3.31 privilege Remote (CVSS 8.8)
CVE-2026-41352: OpenClaw Remote Code Execution (CVSS 8.8)
CVE-2026-41349: OpenClaw before 2026.3.28 agentic (CVSS 8.8)
CVE-2026-41468: Beghelli Sicuro24 SicuroWeb embeds (CVSS 8.7)
CVE-2026-41455: WeKan before 8.35 server-side request (CVSS 8.5)
CVE-2026-41454: WeKan before 8.35 missing authorization (CVSS 8.3)
CVE-2026-41296: OpenClaw before 2026.3.31 contains File read (CVSS 8.2)
CVE-2026-6832: Hermes WebUI Directory Traversal HIGH (CVSS 8.1)
CVE-2026-6248: The wpForo Forum plugin Remote code execution (CVSS 8.1)
CVE-2026-5966: ThreatSonar Anti-Ransomware developed by Dire (CVSS 8.1)
CVE-2026-5364: Drag and Drop File Upload RCE (CVSS 8.1)
CVE-2026-42431: OpenClaw before 2026.4.8 security (CVSS 8.1)
CVE-2026-41353: OpenClaw before 2026.3.22 access (CVSS 8.1)
CVE-2026-27760: OpenCATS prior to commit Code injection (CVSS 8.1)
CVE-2026-2554: WCFM – Frontend Manager Vulnerability (CVSS 8.1)
CVE-2026-42432: OpenClaw before 2026.4.8 Privilege (CVSS 7.8)
CVE-2026-34428: Vvveb prior to 1.0.8.1 contains File read (CVSS 7.7)
CVE-2026-41912: OpenClaw before 2026.4.8 server-side SSRF (CVSS 7.6)
CVE-2026-41297: OpenClaw before 2026.3.31 contains Vulnerabi (CVSS 7.6)
CVE-2026-7649: ARMember – Membership Plugin, SQL injection (CVSS 7.5)
CVE-2026-6320: Salon Booking System – File read (CVSS 7.5)
CVE-2026-42423: OpenClaw before 2026.4.8 approval-timeout (CVSS 7.5)
CVE-2026-41405: OpenClaw before 2026.3.31 parses (CVSS 7.5)
CVE-2026-41399: OpenClaw before 2026.3.28 accepts (CVSS 7.5)
CVE-2026-41395: OpenClaw before 2026.3.28 webhook (CVSS 7.5)
CVE-2026-7703: A flaw has been Code injection - Sherlock (CVSS 7.3)
CVE-2026-7698: Tiandy Easy7 Integrated Management Command (CVSS 7.3)
CVE-2026-7695: AcrElectrical EEMS Enterprise SQL injection (CVSS 7.3)
CVE-2026-7694: A flaw has been SQL injection - Sherlock (CVSS 7.3)
CVE-2026-7679: YunaiV yudao-cloud up to Vulnerability (CVSS 7.3)
CVE-2026-7670: A flaw has been SQL injection - Sherlock (CVSS 7.3)
CVE-2026-7668: MikroTik RouterOS 6.49.8. This Vulnerability (CVSS 7.3)
CVE-2026-7644: ChatGPTNextWeb NextChat up to Authorization (CVSS 7.3)
CVE-2026-7630: innocommerce InnoShop up to Vulnerability (CVSS 7.3)
CVE-2026-7468: A security vulnerability has Authorization (CVSS 7.3)
CVE-2026-7314: eiceblue spire-doc-mcp-server 1.0.0. This (CVSS 7.3)
CVE-2026-7272: A flaw has been Directory traversal (CVSS 7.3)
CVE-2026-7221: TencentCloudBase-MCP up to Vulnerability (CVSS 7.3)
CVE-2026-7211: A weakness has been Command injection (CVSS 7.3)
CVE-2026-7178: A weakness has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-7177: ChatGPTNextWeb NextChat up to Vulnerability (CVSS 7.3)
CVE-2026-7147: JoeCastroMcp-chat-studio up to Vulnerability (CVSS 7.3)
CVE-2026-7146: A security vulnerability has (CVSS 7.3)
CVE-2026-7072: CodePanda Source canteen_management_system (CVSS 7.3)
CVE-2026-7065: BidingCC BuildingAI up to Vulnerability (CVSS 7.3)
CVE-2026-7061: A weakness has been Command injection (CVSS 7.3)
CVE-2026-7060: liyupi yu-picture up to SQL injection (CVSS 7.3)
CVE-2026-7042: A flaw has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-7036: Tenda i9 1.0.0.5(2204). This Directory (CVSS 7.3)
CVE-2026-7002: KLiK SocialMediaWebsite up to SQL injection (CVSS 7.3)
CVE-2026-6987: PicoClaw up to 0.2.4. Command injection (CVSS 7.3)
CVE-2026-6977: A security vulnerability has Authorization (CVSS 7.3)
CVE-2026-6662: Analysis: HIGH (CVSS 7.3)
CVE-2026-6635: A security vulnerability has Vulnerability (CVSS 7.3)
CVE-2026-6605: Analysis: HIGH (CVSS 7.3)
CVE-2026-6604: Analysis: HIGH (CVSS 7.3)
CVE-2026-6603: Analysis: HIGH (CVSS 7.3)
CVE-2026-6602: Analysis: HIGH (CVSS 7.3)
CVE-2026-6596: Analysis: HIGH (CVSS 7.3)
CVE-2026-6580: A security vulnerability has Vulnerability (CVSS 7.3)
CVE-2026-6574: Analysis: HIGH (CVSS 7.3)
CVE-2026-6569: Analysis: HIGH (CVSS 7.3)
CVE-2026-6568: Analysis: HIGH (CVSS 7.3)
CVE-2026-7490: CTMS and CPAS developed Remote code execution (CVSS 7.2)
CVE-2026-7435: SSCMS v7.4.0 SQL injection (CVSS 7.2)
CVE-2026-7049: PixelYourSite Pro – Your SSRF - Sherlock (CVSS 7.2)
CVE-2026-5324: Brizy – Page Builder Cross-site scripting (CVSS 7.2)
CVE-2026-5063: NEX-Forms – Ultimate Forms Cross-site (CVSS 7.2)
CVE-2026-4132: HTTP Headers Plugin RCE HIGH (CVSS 7.2)
CVE-2026-40520: FreePBX RCE HIGH (CVSS 7.2)
CVE-2018-25309: MyBB RecenThreads 17.0 Cross-site scripting (CVSS 7.2)
CVE-2026-41299: OpenClaw before 2026.3.28 contains Access co (CVSS 7.1)
CVE-2026-4100: Paid Memberships Pro plugin Vulnerability (CVSS 7.1)
CVE-2026-41940: Redirecting...

Weaver Hit With CVSS 9.8

CVE-2022-50993 scores a 9.8. Weaver lets attackers run code on your systems.

CVE-2022-50993: Weaver (Fanwei) E-office versions Remote (CVSS 9.8)

Apache Patches 2 Vulnerabilities

2 vulnerabilities across Apache products this week. The worst: CVE-2026-41873 (CVSS 9.8) lets anyone bypass authentication. Patch now if you run Apache.

CVE-2026-41873: apache pony mail Vulnerability - Sherlock (CVSS 9.8)
CVE-2026-41636: apache thrift Vulnerability - Sherlock (CVSS 7.5)

IBM Patches 5 Vulnerabilities

5 vulnerabilities across IBM products this week. The worst: CVE-2026-6543 (CVSS 8.8) lets attackers run code on your systems. Patch now if you run IBM.

CVE-2026-6543: IBM Langflow Desktop 1.0.0 Remote (CVSS 8.8)
CVE-2026-6389: IBM Turbonomic prometurbo agent (CVSS 8.8)
CVE-2026-4503: IBM Langflow Desktop 1.0.0 Vulnerability (CVSS 7.5)
CVE-2026-3621: IBM WebSphere Application Server (CVSS 7.5)
CVE-2026-5935: IBM Total Storage Service Remote code (CVSS 7.3)

WordPress Had a Rough Week

10 vulnerabilities across WordPress products this week. The worst: CVE-2026-5478 (CVSS 8.1) needs your attention. Patch now if you run WordPress.

CVE-2026-5478: The Everest Forms plugin File read (CVSS 8.1)
CVE-2026-4062: Geo MashuPlugin for SQL injection - Sherlock (CVSS 7.5)
CVE-2026-4061: Geo MashuPlugin for SQL injection - Sherlock (CVSS 7.5)
CVE-2026-4060: Geo MashuPlugin for SQL injection - Sherlock (CVSS 7.5)
CVE-2026-2892: Otter Blocks plugin for Vulnerability (CVSS 7.5)
CVE-2026-5113: Gravity Forms plugin for Cross-site (CVSS 7.2)
CVE-2026-5112: Gravity Forms plugin for Cross-site (CVSS 7.2)
CVE-2026-5111: Gravity Forms plugin for Cross-site (CVSS 7.2)
CVE-2026-5110: Gravity Forms plugin for Cross-site (CVSS 7.2)
CVE-2026-5109: Gravity Forms plugin for Cross-site (CVSS 7.2)

Oracle Patches 4 Vulnerabilities

4 vulnerabilities across Oracle products this week. The worst: CVE-2026-34305 (CVSS 7.5) lets anyone bypass authentication. Patch now if you run Oracle.

CVE-2026-34305: Oracle HIGH (CVSS 7.5)
CVE-2026-34282: Oracle Denial of Service HIGH (CVSS 7.5)
CVE-2026-22016: Oracle HIGH (CVSS 7.5)
CVE-2026-34292: Oracle HIGH (CVSS 7.2)

Google Hit With CVSS 7.2

CVE-2026-5464 scores a 7.2. Google lets attackers run code on your systems.

CVE-2026-5464: ExactMetrics – Google Analytics Remote (CVSS 7.2)

By the Numbers

Total CVEs analyzed	123
Critical (9.0+)	14
High (7.0-8.9)	109
Remote code execution	78
Authentication bypass	43
Cross-site scripting	0
SQL injection	0

What To Do This Week

One action item per vendor. Start at the top and work down.

Other: Update immediately. 12 critical-severity issues patched this week.
Weaver: Update immediately. 1 critical-severity issues patched this week.
Apache: Update immediately. 1 critical-severity issues patched this week.
IBM: Review and patch 5 high-severity vulnerabilities when possible.
WordPress: Review and patch 10 high-severity vulnerabilities when possible.
Oracle: Review and patch 4 high-severity vulnerabilities when possible.
Google: Review and patch 1 high-severity vulnerabilities when possible.