What were the most critical CVEs disclosed this week?

This week's roundup covers 243 vulnerability disclosures analyzed by Sherlock Forensics. 45 scored 9.0 or above (critical) and 198 rated high. Each CVE is grouped by vendor and assessed for real-world exploitability with patching priorities.

How should organizations respond to new CVE disclosures?

Start with automated vulnerability scanning against new disclosures within 24 hours. Patch critical and actively exploited vulnerabilities within 72 hours. Deploy compensating controls for anything you cannot patch immediately. Validate that your patches actually work. Sherlock Forensics managed security service automates this entire workflow.

Where can I get professional help responding to these vulnerabilities?

Sherlock Forensics offers emergency CVE response assessments with 24-hour turnaround to verify whether your deployment is vulnerable and test whether your compensating controls block exploitation. Managed security clients receive automated alerting when new CVEs affect their technology stack. Contact 604.229.1994 for immediate assistance.

Weekly Security Roundup: April 27 to May 10, 2026

The Week in Security

Other had 210 vulnerabilities this week including Exposure of sensitive information (CVSS 10.0). WordPress had 22 vulnerabilities this week including MoreConvert Pro plugin for Authentication (CVSS 9.8). Weaver got hit with a CVSS 9.8 for Weaver (Fanwei) E-office versions Remote.

We tracked 243 vulnerabilities this week. 45 scored 9.0 or above. If you only have time for one thing today, scroll to "What To Do This Week" at the bottom.

Other Had a Rough Week

210 vulnerabilities across Other products this week. The worst: CVE-2026-42826 (CVSS 10.0) lets anyone bypass authentication. Patch now if you run Other.

CVE-2026-42826: Exposure of sensitive information (CVSS 10.0)
CVE-2026-33587: lfnov Open-notebook Vulnerability - Sherlock (CVSS 10.0)
CVE-2026-33109: Improper access control in Authorization (CVSS 9.9)
CVE-2026-7854: A security vulnerability has Buffer overflow (CVSS 9.8)
CVE-2026-7853: A weakness has been Buffer overflow (CVSS 9.8)
CVE-2026-7834: A security vulnerability has Buffer overflow (CVSS 9.8)
CVE-2026-7823: Totolink A8000RU 7.1cu.643_b20200521. (CVSS 9.8)
CVE-2026-7747: Totolink N300RH 3.2.4-B20220812. Affected (CVSS 9.8)
CVE-2026-7719: Totolink WA300 5.2cu.7112_B20190227. The (CVSS 9.8)
CVE-2026-7458: User Verification by PickPlugins (CVSS 9.8)
CVE-2026-6508: Origin Validation Error vulnerability CVSS (CVSS 9.8)
CVE-2026-44335: PraisonaiagentSSRF (CVSS 9.8)
CVE-2026-44109: OpenClaw before 2026.4.15 authentication (CVSS 9.8)
CVE-2026-43575: OpenClaw versions 2026.2.21 before (CVSS 9.8)
CVE-2026-42796: Arelle before 2.39.10 unauthenticated (CVSS 9.8)
CVE-2026-41940: cPanel Auth Bypass (CVSS 9.8)
CVE-2025-14320: Improper neutralization of input Cross-site (CVSS 9.8)
CVE-2023-54344: Eclipse Equinox OSGi 3.7.2 Remote (CVSS 9.8)
CVE-2023-54342: Eclipse Equinox OSGi versions Remote (CVSS 9.8)
CVE-2021-47936: OpenCATS 0.9.4 remote code Remote (CVSS 9.8)
CVE-2021-47923: OpenCart 3.0.3.8 session fixation (CVSS 9.8)
CVE-2026-6795: URL redirection to untrusted Vulnerability (CVSS 9.6)
CVE-2026-5791: Cross-Site request forgery (CSRF) (CVSS 9.6)
CVE-2026-5166: Improper Limitation of a Directory traversal (CVSS 9.6)
CVE-2026-44336: Praisonai Remote code execution - Sherlock (CVSS 9.6)
CVE-2026-43581: OpenClaw before 2026.4.10 improper (CVSS 9.6)
CVE-2026-35428: Improper neutralization of special Command (CVSS 9.6)
CVE-2026-25293: Buffer overflow due to - Sherlock (CVSS 9.6)
CVE-2026-44497: zfnd zebra-script Vulnerability - Sherlock (CVSS 9.1)
CVE-2026-43578: OpenClaw versions 2026.3.31 before (CVSS 9.1)
CVE-2026-43566: OpenClaw versions 2026.4.7 before (CVSS 9.1)
CVE-2026-43534: OpenClaw before 2026.4.10 input (CVSS 9.1)
CVE-2026-41583: zfnd zebra-script Vulnerability - Sherlock (CVSS 9.1)
CVE-2026-41386: OpenClaw before 2026.3.22 Privilege (CVSS 9.1)
CVE-2026-33844: Improper input validation in Vulnerability (CVSS 9.0)
CVE-2026-8234: A security vulnerability has Buffer overflow (CVSS 8.8)
CVE-2026-8138: Tenda CX12L 16.03.53.12. This Buffer (CVSS 8.8)
CVE-2026-8137: Totolink X5000R 9.1.0u.6369_B20230113. This (CVSS 8.8)
CVE-2026-7875: NanoClaw host/container filesystem boundary (CVSS 8.8)
CVE-2026-7855: D-Link DI-8100 16.07.26A1. Affected Buffer (CVSS 8.8)
CVE-2026-7750: Totolink N300RH 3.2.4-B20220812. This Buffer (CVSS 8.8)
CVE-2026-7749: A security vulnerability has Buffer overflow (CVSS 8.8)
CVE-2026-7748: A weakness has been Buffer overflow (CVSS 8.8)
CVE-2026-7717: Totolink WA300 5.2cu.7112_B20190227. This (CVSS 8.8)
CVE-2026-7685: Edimax BR-6208AC up to Buffer overflow (CVSS 8.8)
CVE-2026-7684: A security vulnerability has Buffer overflow (CVSS 8.8)
CVE-2026-7675: Shenzhen Libituo Technology LBT-T300-HW1 (CVSS 8.8)
CVE-2026-7674: A flaw has been Buffer overflow - Sherlock (CVSS 8.8)
CVE-2026-7641: Import and export users Privilege escalation (CVSS 8.8)
CVE-2026-7489: CTMS developed by Sunnet SQL injection (CVSS 8.8)
CVE-2026-7466: AgentFlow arbitrary code execution Remote (CVSS 8.8)
CVE-2026-7097: A weakness has been Buffer overflow (CVSS 8.8)
CVE-2026-6002: Improper neutralization of Script-Related (CVSS 8.8)
CVE-2026-5784: Improper neutralization of input Cross-site (CVSS 8.8)
CVE-2026-5127: User Frontend: AI Powered Deserialization (CVSS 8.8)
CVE-2026-44115: OpenClaw before 2026.4.22 exec (CVSS 8.8)
CVE-2026-44110: OpenClaw before 2026.4.15 Authorization (CVSS 8.8)
CVE-2026-43584: OpenClaw before 2026.4.10 insufficient (CVSS 8.8)
CVE-2026-43571: OpenClaw before 2026.4.10 plugin (CVSS 8.8)
CVE-2026-43569: OpenClaw before 2026.4.9 Authentication (CVSS 8.8)
CVE-2026-43530: OpenClaw versions 2026.2.23 before (CVSS 8.8)
CVE-2026-42435: OpenClaw versions from 2026.2.22 (CVSS 8.8)
CVE-2026-42434: OpenClaw versions 2026.4.5 before (CVSS 8.8)
CVE-2026-42426: OpenClaw before 2026.4.8 improper (CVSS 8.8)
CVE-2026-41934: VvveBefore version 1.0.8.2 Remote (CVSS 8.8)
CVE-2026-41463: ProjeQtor versions 7.0 through Remote (CVSS 8.8)
CVE-2026-41378: OpenClaw before 2026.3.31 privilege Remote (CVSS 8.8)
CVE-2026-3953: Improper neutralization of input Cross-site (CVSS 8.8)
CVE-2026-32207: Improper neutralization of input Cross-site (CVSS 8.8)
CVE-2026-29514: NetBox versions 4.3.5 through Remote (CVSS 8.8)
CVE-2026-20034: A vulnerability in the - Sherlock (CVSS 8.8)
CVE-2023-54348: ERPGo SaaS 3.9 CSVulnerability - Sherlock (CVSS 8.8)
CVE-2023-54345: Frappe ERPNext Vulnerability - Sherlock (CVSS 8.8)
CVE-2022-50944: Aero CMS 0.0.1 PHP Code injection (CVSS 8.8)
CVE-2021-47949: CyberPanel 2.1 command execution File read (CVSS 8.8)
CVE-2021-47943: TextPattern CMS 4.8.7 Remote code execution (CVSS 8.8)
CVE-2021-47939: Evolution CMS 3.1.6 Remote code execution (CVSS 8.8)
CVE-2021-47938: ImpressCMS 1.4.2 remote code Remote (CVSS 8.8)
CVE-2021-47937: e107 CMS 2.3.0 Remote code execution (CVSS 8.8)
CVE-2021-47935: Sentry 8.2.0 remote code Remote (CVSS 8.8)
CVE-2026-44116: OpenClaw before 2026.4.22 server-side SSRF (CVSS 8.6)
CVE-2026-35435: Improper access control in (CVSS 8.6)
CVE-2026-42439: OpenClaw before 2026.4.10 server-side SSRF (CVSS 8.5)
CVE-2025-14341: Improperly controlled modification of (CVSS 8.3)
CVE-2026-43526: OpenClaw before 2026.4.12 server-side SSRF (CVSS 8.2)
CVE-2026-34327: Externally controlled reference to (CVSS 8.2)
CVE-2021-47930: Balbooa Joomla Forms Builder SQL injection (CVSS 8.2)
CVE-2021-47928: OpencarTMD Vendor System SQL injection (CVSS 8.2)
CVE-2026-7807: SmarterToolSmarterMail builds prior (CVSS 8.1)
CVE-2026-7252: WP-Optimize – Cache, Compress Remote (CVSS 8.1)
CVE-2026-44400: MailEnablEnterprise Premium 10.55 (CVSS 8.1)
CVE-2026-43585: OpenClaw before 2026.4.15 captures (CVSS 8.1)
CVE-2026-42431: OpenClaw before 2026.4.8 security (CVSS 8.1)
CVE-2026-42284: gitpython project gitpython Vulnerability (CVSS 8.1)
CVE-2026-41105: Server-side request forgery (ssrf) (CVSS 8.1)
CVE-2026-33588: lfnov Open-notebook Directory traversal (CVSS 8.1)
CVE-2026-29004: BusyBox before commit 42202bf Remote (CVSS 8.1)
CVE-2026-27760: OpenCATS prior to commit Code injection (CVSS 8.1)
CVE-2026-2554: WCFM – Frontend Manager Vulnerability (CVSS 8.1)
CVE-2022-50994: DrayTek Vigor 2960 firmware Remote (CVSS 8.1)
CVE-2026-44118: OpenClaw before 2026.4.22 derives (CVSS 7.8)
CVE-2026-44114: OpenClaw before 2026.4.20 fails (CVSS 7.8)
CVE-2026-42432: OpenClaw before 2026.4.8 Privilege (CVSS 7.8)
CVE-2026-24082: Memory Corruption when copying (CVSS 7.8)
CVE-2025-47408: Memory corruption when another (CVSS 7.8)
CVE-2025-47407: Memory corruption while creating (CVSS 7.8)
CVE-2025-47405: Memory corruption when processing (CVSS 7.8)
CVE-2021-47945: ArguSurveillance DVR 4.0 Vulnerability (CVSS 7.8)
CVE-2026-43580: OpenClaw before 2026.4.10 incomplete SSRF (CVSS 7.7)
CVE-2026-43576: OpenClaw before 2026.4.5 server-side SSRF (CVSS 7.7)
CVE-2026-43573: OpenClaw before 2026.4.10 server-side SSRF (CVSS 7.7)
CVE-2026-43532: OpenClaw versions 2026.4.7 before (CVSS 7.7)
CVE-2026-43527: OpenClaw before 2026.4.14 server-side SSRF (CVSS 7.7)
CVE-2026-42438: OpenClaw versions 2026.4.9 before (CVSS 7.7)
CVE-2026-42436: OpenClaw before 2026.4.14 improper (CVSS 7.7)
CVE-2026-20185: A vulnerability in the Denial of service (CVSS 7.7)
CVE-2026-20167: A vulnerability in the Denial of service (CVSS 7.7)
CVE-2026-41912: OpenClaw before 2026.4.8 server-side SSRF (CVSS 7.6)
CVE-2026-7649: ARMember – Membership Plugin, SQL injection (CVSS 7.5)
CVE-2026-6918: eclipse openj9 Vulnerability - Sherlock (CVSS 7.5)
CVE-2026-6320: Salon Booking System – File read (CVSS 7.5)
CVE-2026-5192: Forminator Forms – Contact Directory (CVSS 7.5)
CVE-2026-44498: zfnd zebrad Vulnerability - Sherlock (CVSS 7.5)
CVE-2026-4304: WeePie Cookie Allow plugin SQL injection (CVSS 7.5)
CVE-2026-42437: OpenClaw versions 2026.4.9 before Denial of (CVSS 7.5)
CVE-2026-42423: OpenClaw before 2026.4.8 approval-timeout (CVSS 7.5)
CVE-2026-41584: zfnd zebra-chain Vulnerability - Sherlock (CVSS 7.5)
CVE-2026-41471: Easy PayPal Events & Information disclosure (CVSS 7.5)
CVE-2026-41405: OpenClaw before 2026.3.31 parses (CVSS 7.5)
CVE-2026-41399: OpenClaw before 2026.3.28 accepts (CVSS 7.5)
CVE-2026-41395: OpenClaw before 2026.3.28 webhook (CVSS 7.5)
CVE-2026-3456: GeekyBot — Generate AI SQL injection (CVSS 7.5)
CVE-2026-3359: ForMaker by 10Web SQL injection - Sherlock (CVSS 7.5)
CVE-2026-33111: Improper neutralization of special Command (CVSS 7.5)
CVE-2026-32834: Easy PayPal Events & Authentication bypass (CVSS 7.5)
CVE-2026-26164: Improper neutralization of special (CVSS 7.5)
CVE-2026-25863: Conditional Fields for Contact (CVSS 7.5)
CVE-2026-20188: A vulnerability in the Denial of service (CVSS 7.5)
CVE-2026-1719: Gravity Bookings Premium plugin SQL (CVSS 7.5)
CVE-2023-54347: open-emr openemr Vulnerability - Sherlock (CVSS 7.5)
CVE-2021-47944: memoNotepad 4.2 Denial of service (CVSS 7.5)
CVE-2026-42011: A flaw was found Vulnerability - Sherlock (CVSS 7.4)
CVE-2026-8216: Industrial Application Software IAS (CVSS 7.3)
CVE-2026-8133: A security vulnerability haSQL injection (CVSS 7.3)
CVE-2026-8132: A weakness has been SQL injection - Sherlock (CVSS 7.3)
CVE-2026-8131: SourceCodester SUP Online Shopping SQL (CVSS 7.3)
CVE-2026-8130: SourceCodester SUP Online Shopping SQL (CVSS 7.3)
CVE-2026-8129: SourceCodester SUP Online Shopping SQL (CVSS 7.3)
CVE-2026-8128: SourceCodester SUP Online Shopping SQL (CVSS 7.3)
CVE-2026-8126: A flaw has been SQL injection - Sherlock (CVSS 7.3)
CVE-2026-8098: A security vulnerability haSQL injection (CVSS 7.3)
CVE-2026-8083: SourceCodester Pharmacy Sales and SQL (CVSS 7.3)
CVE-2026-8032: A flaw has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-7812: 54yyyu code-mcp up to Command injection (CVSS 7.3)
CVE-2026-7811: 54yyyu code-mcp up to Directory traversal (CVSS 7.3)
CVE-2026-7810: A flaw has been Directory traversal (CVSS 7.3)
CVE-2026-7788: Axle-Bucamp MCP-Docusaurus up to Directory (CVSS 7.3)
CVE-2026-7785: A-G-U-P-T-A wireshark-mcp - Sherlock (CVSS 7.3)
CVE-2026-7784: RTGS2017 NagaAgent up to Directory traversal (CVSS 7.3)
CVE-2026-7735: osrGoBGP up to Buffer overflow - Sherlock (CVSS 7.3)
CVE-2026-7733: A flaw has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-7727: Shandong Hoteam Software PDM SQL injection (CVSS 7.3)
CVE-2026-7723: A flaw has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-7711: A weakness has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-7710: YunaiV yudao-cloud up to Vulnerability (CVSS 7.3)
CVE-2026-7703: A flaw has been Code injection - Sherlock (CVSS 7.3)
CVE-2026-7698: Tiandy Easy7 Integrated Management Command (CVSS 7.3)
CVE-2026-7695: AcrElectrical EEMS Enterprise SQL injection (CVSS 7.3)
CVE-2026-7694: A flaw has been SQL injection - Sherlock (CVSS 7.3)
CVE-2026-7679: YunaiV yudao-cloud up to Vulnerability (CVSS 7.3)
CVE-2026-7670: A flaw has been SQL injection - Sherlock (CVSS 7.3)
CVE-2026-7668: MikroTik RouterOS 6.49.8. This Vulnerability (CVSS 7.3)
CVE-2026-7644: ChatGPTNextWeb NextChat up to Authorization (CVSS 7.3)
CVE-2026-7630: innocommerce InnoShop up to Vulnerability (CVSS 7.3)
CVE-2026-7468: A security vulnerability has Authorization (CVSS 7.3)
CVE-2026-7314: eiceblue spire-doc-mcp-server 1.0.0. This (CVSS 7.3)
CVE-2026-7272: A flaw has been Directory traversal (CVSS 7.3)
CVE-2026-7221: TencentCloudBase-MCP up to Vulnerability (CVSS 7.3)
CVE-2026-7211: A weakness has been Command injection (CVSS 7.3)
CVE-2026-7178: A weakness has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-7177: ChatGPTNextWeb NextChat up to Vulnerability (CVSS 7.3)
CVE-2026-7147: JoeCastroMcp-chat-studio up to Vulnerability (CVSS 7.3)
CVE-2026-7146: A security vulnerability has (CVSS 7.3)
CVE-2026-7072: CodePanda Source canteen_management_system (CVSS 7.3)
CVE-2026-7065: BidingCC BuildingAI up to Vulnerability (CVSS 7.3)
CVE-2026-7061: A weakness has been Command injection (CVSS 7.3)
CVE-2026-7060: liyupi yu-picture up to SQL injection (CVSS 7.3)
CVE-2026-7042: A flaw has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-7036: Tenda i9 1.0.0.5(2204). This Directory (CVSS 7.3)
CVE-2026-43531: OpenClaw before 2026.4.9 environment (CVSS 7.3)
CVE-2026-7857: D-Link DI-8100 16.07.26A1. This Buffer (CVSS 7.2)
CVE-2026-7856: A flaw has been Buffer overflow - Sherlock (CVSS 7.2)
CVE-2026-7851: D-Link DI-8100 16.07.26A1. This Buffer (CVSS 7.2)
CVE-2026-7833: A weakness has been Command injection (CVSS 7.2)
CVE-2026-7490: CTMS and CPAS developed Remote code execution (CVSS 7.2)
CVE-2026-7448: LatePoint – Calendar Booking Cross-site (CVSS 7.2)
CVE-2026-7435: SSCMS v7.4.0 SQL injection (CVSS 7.2)
CVE-2026-7332: LatePoint – Calendar Booking Cross-site (CVSS 7.2)
CVE-2026-7330: Auto Affiliate Links plugin Cross-site (CVSS 7.2)
CVE-2026-7049: PixelYourSite Pro – Your SSRF - Sherlock (CVSS 7.2)
CVE-2026-5324: Brizy – Page Builder Cross-site scripting (CVSS 7.2)
CVE-2026-5063: NEX-Forms – Ultimate Forms Cross-site (CVSS 7.2)
CVE-2026-3120: Improper Control of Generation Command (CVSS 7.2)
CVE-2026-20035: A vulnerability in the SSRF - Sherlock (CVSS 7.2)
CVE-2018-25309: MyBB RecenThreads 17.0 Cross-site scripting (CVSS 7.2)
CVE-2026-44243: gitpython project gitpython Vulnerability (CVSS 7.1)
CVE-2026-43616: Detect-It-Easy prior to 3.21 Directory (CVSS 7.1)
CVE-2026-4100: Paid Memberships Pro plugin Vulnerability (CVSS 7.1)
CVE-2026-7832: IObit Advanced SystemCare 19. Vulnerability (CVSS 7.0)
CVE-2026-41940: Redirecting...

WordPress Had a Rough Week

22 vulnerabilities across WordPress products this week. The worst: CVE-2026-5722 (CVSS 9.8) lets attackers run code on your systems. Patch now if you run WordPress.

CVE-2026-5722: MoreConvert Pro plugin for Authentication (CVSS 9.8)
CVE-2026-5294: Geeky Bot plugin for Remote code execution (CVSS 9.8)
CVE-2025-13618: Mentoring plugin for WordPress (CVSS 9.8)
CVE-2021-47940: WordPress Plugin Download From File read (CVSS 9.8)
CVE-2021-47933: WordPress MStore API 2.0.6 Remote (CVSS 9.8)
CVE-2021-47932: WordPress TheCartPress 1.5.3.6 (CVSS 9.8)
CVE-2026-6692: SlideRevolution plugin for Remote code execution (CVSS 8.8)
CVE-2026-6261: BeTheme for WordPress Remote code execution (CVSS 8.8)
CVE-2021-47941: WordPress Plugin Survey & SQL injection (CVSS 8.2)
CVE-2026-5100: AWP Classifieds plugin for SQL injection (CVSS 7.5)
CVE-2026-4348: BetterDocs Pro plugin for SQL injection (CVSS 7.5)
CVE-2026-4062: Geo MashuPlugin for SQL injection - Sherlock (CVSS 7.5)
CVE-2026-4061: Geo MashuPlugin for SQL injection - Sherlock (CVSS 7.5)
CVE-2026-4060: Geo MashuPlugin for SQL injection - Sherlock (CVSS 7.5)
CVE-2026-2892: Otter Blocks plugin for Vulnerability (CVSS 7.5)
CVE-2023-54346: WordPress Plugin Backup Migration (CVSS 7.5)
CVE-2026-5113: Gravity Forms plugin for Cross-site (CVSS 7.2)
CVE-2026-5112: Gravity Forms plugin for Cross-site (CVSS 7.2)
CVE-2026-5111: Gravity Forms plugin for Cross-site (CVSS 7.2)
CVE-2026-5110: Gravity Forms plugin for Cross-site (CVSS 7.2)
CVE-2026-5109: Gravity Forms plugin for Cross-site (CVSS 7.2)
CVE-2026-4803: Royal Elementor Addons plugin Cross-site (CVSS 7.2)

Weaver Hit With CVSS 9.8

CVE-2022-50993 scores a 9.8. Weaver lets attackers run code on your systems.

CVE-2022-50993: Weaver (Fanwei) E-office versions Remote (CVSS 9.8)

Apache Patches 4 Vulnerabilities

4 vulnerabilities across Apache products this week. The worst: CVE-2026-41873 (CVSS 9.8) lets anyone bypass authentication. Patch now if you run Apache.

CVE-2026-41873: apache pony mail Vulnerability - Sherlock (CVSS 9.8)
CVE-2026-40010: apache wicket Vulnerability - Sherlock (CVSS 9.1)
CVE-2026-39816: apache nifi Vulnerability - Sherlock (CVSS 8.8)
CVE-2026-41636: apache thrift Vulnerability - Sherlock (CVSS 7.5)

Microsoft Hit With CVSS 9.6

CVE-2026-33823 scores a 9.6. Microsoft lets anyone bypass authentication.

CVE-2026-33823: Improper authorization in Microsoft (CVSS 9.6)

IBM Patches 3 Vulnerabilities

3 vulnerabilities across IBM products this week. The worst: CVE-2026-6543 (CVSS 8.8) lets attackers run code on your systems. Patch now if you run IBM.

CVE-2026-6543: IBM Langflow Desktop 1.0.0 Remote (CVSS 8.8)
CVE-2026-6389: IBM Turbonomic prometurbo agent (CVSS 8.8)
CVE-2026-4503: IBM Langflow Desktop 1.0.0 Vulnerability (CVSS 7.5)

Oracle Hit With CVSS 8.7

CVE-2026-35228 scores a 8.7. Oracle lets attackers run code on your systems.

CVE-2026-35228: Oracle MCP Server Helper Vulnerability (CVSS 8.7)

Ivanti Hit With CVSS 7.4

CVE-2026-7821 scores a 7.4. Ivanti lets anyone bypass authentication.

CVE-2026-7821: ivanti endpoint manager mobile Information (CVSS 7.4)

By the Numbers

Total CVEs analyzed	243
Critical (9.0+)	45
High (7.0-8.9)	198
Remote code execution	152
Authentication bypass	87
Cross-site scripting	0
SQL injection	0

What To Do This Week

One action item per vendor. Start at the top and work down.

Other: Update immediately. 35 critical-severity issues patched this week.
WordPress: Update immediately. 6 critical-severity issues patched this week.
Weaver: Update immediately. 1 critical-severity issues patched this week.
Apache: Update immediately. 2 critical-severity issues patched this week.
Microsoft: Update immediately. 1 critical-severity issues patched this week.
IBM: Review and patch 3 high-severity vulnerabilities when possible.
Oracle: Review and patch 1 high-severity vulnerabilities when possible.
Ivanti: Review and patch 1 high-severity vulnerabilities when possible.