What were the most critical CVEs disclosed this week?

This week's roundup covers 403 vulnerability disclosures analyzed by Sherlock Forensics. 69 scored 9.0 or above (critical) and 334 rated high. Each CVE is grouped by vendor and assessed for real-world exploitability with patching priorities.

How should organizations respond to new CVE disclosures?

Start with automated vulnerability scanning against new disclosures within 24 hours. Patch critical and actively exploited vulnerabilities within 72 hours. Deploy compensating controls for anything you cannot patch immediately. Validate that your patches actually work. Sherlock Forensics managed security service automates this entire workflow.

Where can I get professional help responding to these vulnerabilities?

Sherlock Forensics offers emergency CVE response assessments with 24-hour turnaround to verify whether your deployment is vulnerable and test whether your compensating controls block exploitation. Managed security clients receive automated alerting when new CVEs affect their technology stack. Contact 604.229.1994 for immediate assistance.

Weekly Security Roundup: May 04 to May 17, 2026

The Week in Security

Other had 336 vulnerabilities this week including Exposure of sensitive information (CVSS 10.0). phpMyFAQ got hit with a CVSS 9.8 for phpMyFAQ before 4.1.2 unauthenticated SQL. WordPress had 29 vulnerabilities this week including BurStatistics – Privacy-Friendly (CVSS 9.8).

We tracked 403 vulnerabilities this week. 69 scored 9.0 or above. If you only have time for one thing today, scroll to "What To Do This Week" at the bottom.

Other Had a Rough Week

336 vulnerabilities across Other products this week. The worst: CVE-2026-42826 (CVSS 10.0) lets anyone bypass authentication. Patch now if you run Other.

CVE-2026-42826: Exposure of sensitive information (CVSS 10.0)
CVE-2026-33587: lfnov Open-notebook Vulnerability - Sherlock (CVSS 10.0)
CVE-2026-42898: Improper control of generation Code (CVSS 9.9)
CVE-2026-42823: Improper access control in (CVSS 9.9)
CVE-2026-33109: Improper access control in Authorization (CVSS 9.9)
CVE-2026-7854: A security vulnerability has Buffer overflow (CVSS 9.8)
CVE-2026-7853: A weakness has been Buffer overflow (CVSS 9.8)
CVE-2026-7834: A security vulnerability has Buffer overflow (CVSS 9.8)
CVE-2026-7823: Totolink A8000RU 7.1cu.643_b20200521. (CVSS 9.8)
CVE-2026-7747: Totolink N300RH 3.2.4-B20220812. Affected (CVSS 9.8)
CVE-2026-7719: Totolink WA300 5.2cu.7112_B20190227. The (CVSS 9.8)
CVE-2026-6508: Origin Validation Error vulnerability CVSS (CVSS 9.8)
CVE-2026-44335: PraisonaiagentSSRF (CVSS 9.8)
CVE-2026-44109: OpenClaw before 2026.4.15 authentication (CVSS 9.8)
CVE-2026-43575: OpenClaw versions 2026.2.21 before (CVSS 9.8)
CVE-2026-42796: Arelle before 2.39.10 unauthenticated (CVSS 9.8)
CVE-2026-41096: Heap-based buffer overflow in (CVSS 9.8)
CVE-2026-41089: Stack-based buffer overflow in (CVSS 9.8)
CVE-2026-2347: Authorization bypass through User-Controlled (CVSS 9.8)
CVE-2025-6577: Improper neutralization of special SQL (CVSS 9.8)
CVE-2025-14320: Improper neutralization of input Cross-site (CVSS 9.8)
CVE-2025-11024: Improper neutralization of special SQL (CVSS 9.8)
CVE-2023-54344: Eclipse Equinox OSGi 3.7.2 Remote (CVSS 9.8)
CVE-2023-54342: Eclipse Equinox OSGi versions Remote (CVSS 9.8)
CVE-2021-47936: OpenCATS 0.9.4 remote code Remote (CVSS 9.8)
CVE-2021-47923: OpenCart 3.0.3.8 session fixation (CVSS 9.8)
CVE-2026-6795: URL redirection to untrusted Vulnerability (CVSS 9.6)
CVE-2026-5791: Cross-Site request forgery (CSRF) (CVSS 9.6)
CVE-2026-44336: Praisonai Remote code execution - Sherlock (CVSS 9.6)
CVE-2026-43581: OpenClaw before 2026.4.10 improper (CVSS 9.6)
CVE-2026-41615: Exposure of sensitive information (CVSS 9.6)
CVE-2026-35428: Improper neutralization of special Command (CVSS 9.6)
CVE-2026-25293: Buffer overflow due to - Sherlock (CVSS 9.6)
CVE-2026-40402: Use after free in Privilege escalation (CVSS 9.3)
CVE-2026-40379: Exposure of sensitive information (CVSS 9.3)
CVE-2026-44497: zfnd zebra-script Vulnerability - Sherlock (CVSS 9.1)
CVE-2026-43578: OpenClaw versions 2026.3.31 before (CVSS 9.1)
CVE-2026-43566: OpenClaw versions 2026.4.7 before (CVSS 9.1)
CVE-2026-43534: OpenClaw before 2026.4.10 input (CVSS 9.1)
CVE-2026-42833: Execution with unnecessary privileges (CVSS 9.1)
CVE-2026-41583: zfnd zebra-script Vulnerability - Sherlock (CVSS 9.1)
CVE-2026-41551: ROS# (CVSS 9.1)
CVE-2026-41225: A vulnerability exists in (CVSS 9.1)
CVE-2026-41103: Incorrect implementation of authentication (CVSS 9.1)
CVE-2026-25787: Affected Devices do not Vulnerability (CVSS 9.1)
CVE-2026-25786: Affected Devices do not Vulnerability (CVSS 9.1)
CVE-2026-33844: Improper input validation in Vulnerability (CVSS 9.0)
CVE-2026-8719: AI Engine – The Privilege escalation (CVSS 8.8)
CVE-2026-8449: Linux ksmbd remote memory Privilege escalation (CVSS 8.8)
CVE-2026-8429: SPIP versions prior to Remote code execution (CVSS 8.8)
CVE-2026-8260: D-Link DCS-935L up to Buffer overflow (CVSS 8.8)
CVE-2026-8234: A security vulnerability has Buffer overflow (CVSS 8.8)
CVE-2026-8138: Tenda CX12L 16.03.53.12. This Buffer (CVSS 8.8)
CVE-2026-8137: Totolink X5000R 9.1.0u.6369_B20230113. This (CVSS 8.8)
CVE-2026-7875: NanoClaw host/container filesystem boundary (CVSS 8.8)
CVE-2026-7855: D-Link DI-8100 16.07.26A1. Affected Buffer (CVSS 8.8)
CVE-2026-7750: Totolink N300RH 3.2.4-B20220812. This Buffer (CVSS 8.8)
CVE-2026-7749: A security vulnerability has Buffer overflow (CVSS 8.8)
CVE-2026-7748: A weakness has been Buffer overflow (CVSS 8.8)
CVE-2026-7717: Totolink WA300 5.2cu.7112_B20190227. This (CVSS 8.8)
CVE-2026-7256: ** UNSUPPORTED WHEN ASSIGNED Command (CVSS 8.8)
CVE-2026-6281: A potential vulnerability was Remote (CVSS 8.8)
CVE-2026-6228: Frontend Admin by DynamiApps (CVSS 8.8)
CVE-2026-6002: Improper neutralization of Script-Related (CVSS 8.8)
CVE-2026-6001: Authorization bypass through User-Controlled (CVSS 8.8)
CVE-2026-5784: Improper neutralization of input Cross-site (CVSS 8.8)
CVE-2026-5127: User Frontend: AI Powered Deserialization (CVSS 8.8)
CVE-2026-45229: Quark Drive before 0.8.5 Vulnerability (CVSS 8.8)
CVE-2026-45227: Heym before 0.0.21 sandbox Vulnerability (CVSS 8.8)
CVE-2026-45006: OpenClaw before 2026.4.23 improper (CVSS 8.8)
CVE-2026-44293: protobufjs project protobufjs Vulnerability (CVSS 8.8)
CVE-2026-44115: OpenClaw before 2026.4.22 exec (CVSS 8.8)
CVE-2026-44110: OpenClaw before 2026.4.15 Authorization (CVSS 8.8)
CVE-2026-43584: OpenClaw before 2026.4.10 insufficient (CVSS 8.8)
CVE-2026-43571: OpenClaw before 2026.4.10 plugin (CVSS 8.8)
CVE-2026-43569: OpenClaw before 2026.4.9 Authentication (CVSS 8.8)
CVE-2026-43530: OpenClaw versions 2026.2.23 before (CVSS 8.8)
CVE-2026-42435: OpenClaw versions from 2026.2.22 (CVSS 8.8)
CVE-2026-42434: OpenClaw versions 2026.4.5 before (CVSS 8.8)
CVE-2026-41957: An authenticated remote code Remote (CVSS 8.8)
CVE-2026-41934: VvveBefore version 1.0.8.2 Remote (CVSS 8.8)
CVE-2026-41109: Improper neutralization of special (CVSS 8.8)
CVE-2026-41094: Improper control of generation Code (CVSS 8.8)
CVE-2026-41086: Improper access control in (CVSS 8.8)
CVE-2026-40420: Improper access control in (CVSS 8.8)
CVE-2026-40403: Heap-based buffer overflow in (CVSS 8.8)
CVE-2026-40365: Insufficient granularity of access (CVSS 8.8)
CVE-2026-40357: Deserialization of untrusted data (CVSS 8.8)
CVE-2026-3953: Improper neutralization of input Cross-site (CVSS 8.8)
CVE-2026-35439: Deserialization of untrusted data (CVSS 8.8)
CVE-2026-35436: Insufficient granularity of access (CVSS 8.8)
CVE-2026-34329: Heap-based buffer overflow in (CVSS 8.8)
CVE-2026-33112: Deserialization of untrusted data (CVSS 8.8)
CVE-2026-33110: Deserialization of untrusted data (CVSS 8.8)
CVE-2026-32207: Improper neutralization of input Cross-site (CVSS 8.8)
CVE-2026-29514: NetBox versions 4.3.5 through Remote (CVSS 8.8)
CVE-2026-2465: Incorrect Authorization vulnerability in (CVSS 8.8)
CVE-2026-20034: A vulnerability in the - Sherlock (CVSS 8.8)
CVE-2025-15025: Authorization bypass through (CVSS 8.8)
CVE-2025-15024: Improper Control of Generation Code (CVSS 8.8)
CVE-2025-15023: Incorrect Authorization vulnerability in (CVSS 8.8)
CVE-2025-12008: Authorization bypass through (CVSS 8.8)
CVE-2023-54348: ERPGo SaaS 3.9 CSVulnerability - Sherlock (CVSS 8.8)
CVE-2023-54345: Frappe ERPNext Vulnerability - Sherlock (CVSS 8.8)
CVE-2022-50944: Aero CMS 0.0.1 PHP Code injection (CVSS 8.8)
CVE-2021-47949: CyberPanel 2.1 command execution File read (CVSS 8.8)
CVE-2021-47943: TextPattern CMS 4.8.7 Remote code execution (CVSS 8.8)
CVE-2021-47939: Evolution CMS 3.1.6 Remote code execution (CVSS 8.8)
CVE-2021-47938: ImpressCMS 1.4.2 remote code Remote (CVSS 8.8)
CVE-2021-47937: e107 CMS 2.3.0 Remote code execution (CVSS 8.8)
CVE-2021-47935: Sentry 8.2.0 remote code Remote (CVSS 8.8)
CVE-2026-42930: When running in Appliance Vulnerability (CVSS 8.7)
CVE-2026-42924: An authenticated attacker with (CVSS 8.7)
CVE-2026-41953: A vulnerability exists in (CVSS 8.7)
CVE-2026-40698: A vulnerability exists in (CVSS 8.7)
CVE-2026-40631: An authenticated attacker with (CVSS 8.7)
CVE-2026-40061: When BIG-IP DNS is Vulnerability - Sherlock (CVSS 8.7)
CVE-2026-34176: When running in Appliance Command injection (CVSS 8.7)
CVE-2026-32673: A vulnerability exists in (CVSS 8.7)
CVE-2026-44116: OpenClaw before 2026.4.22 server-side SSRF (CVSS 8.6)
CVE-2026-35435: Improper access control in (CVSS 8.6)
CVE-2026-20224: A vulnerability in the XXE - Sherlock (CVSS 8.6)
CVE-2026-42439: OpenClaw before 2026.4.10 server-side SSRF (CVSS 8.5)
CVE-2026-40367: Untrusted pointer dereference in (CVSS 8.4)
CVE-2026-40366: Use after free in Vulnerability - Sherlock (CVSS 8.4)
CVE-2026-40364: Access of resource using Vulnerability (CVSS 8.4)
CVE-2026-40363: Heap-based buffer overflow in (CVSS 8.4)
CVE-2026-40361: Use after free in Vulnerability - Sherlock (CVSS 8.4)
CVE-2026-40358: Use after free in Vulnerability - Sherlock (CVSS 8.4)
CVE-2026-34963: barebox version prior to Buffer overflow (CVSS 8.4)
CVE-2025-14341: Improperly controlled modification of (CVSS 8.3)
CVE-2026-5395: Fluent Forms – Customizable Vulnerability (CVSS 8.2)
CVE-2026-43526: OpenClaw before 2026.4.12 server-side SSRF (CVSS 8.2)
CVE-2026-34327: Externally controlled reference to (CVSS 8.2)
CVE-2026-34259: Due to an OS Vulnerability - Sherlock (CVSS 8.2)
CVE-2026-33833: Improper neutralization of special (CVSS 8.2)
CVE-2021-47930: Balbooa Joomla Forms Builder SQL injection (CVSS 8.2)
CVE-2021-47928: OpencarTMD Vendor System SQL injection (CVSS 8.2)
CVE-2026-7807: SmarterToolSmarterMail builds prior (CVSS 8.1)
CVE-2026-7252: WP-Optimize – Cache, Compress Remote (CVSS 8.1)
CVE-2026-6282: A potential improper file Vulnerability (CVSS 8.1)
CVE-2026-44400: MailEnablEnterprise Premium 10.55 (CVSS 8.1)
CVE-2026-43640: Bitwarden Server prior to Vulnerability (CVSS 8.1)
CVE-2026-43585: OpenClaw before 2026.4.15 captures (CVSS 8.1)
CVE-2026-42897: Improper neutralization of input Cross-site (CVSS 8.1)
CVE-2026-42284: gitpython project gitpython Vulnerability (CVSS 8.1)
CVE-2026-41105: Server-side request forgery (ssrf) (CVSS 8.1)
CVE-2026-4094: FOX – Currency Switcher Vulnerability (CVSS 8.1)
CVE-2026-40415: Use after free in Vulnerability - Sherlock (CVSS 8.1)
CVE-2026-3892: Motors – Car Dealership File read (CVSS 8.1)
CVE-2026-33588: lfnov Open-notebook Directory traversal (CVSS 8.1)
CVE-2026-29004: BusyBox before commit 42202bf Remote (CVSS 8.1)
CVE-2026-20916: An authenticated iControl REST File read (CVSS 8.1)
CVE-2022-50994: DrayTek Vigor 2960 firmware Remote (CVSS 8.1)
CVE-2026-4802: A flaw was found Vulnerability - Sherlock (CVSS 8.0)
CVE-2026-43639: Bitwarden Server prior to Vulnerability (CVSS 8.0)
CVE-2026-40368: Deserialization of untrusted data (CVSS 8.0)
CVE-2026-34332: Use after free in Vulnerability - Sherlock (CVSS 8.0)
CVE-2026-41217: A vulnerability exists in (CVSS 7.9)
CVE-2026-45004: OpenClaw before 2026.4.23 arbitrary Remote (CVSS 7.8)
CVE-2026-44412: Solid Edge SE2026 (CVSS 7.8)
CVE-2026-44118: OpenClaw before 2026.4.22 derives (CVSS 7.8)
CVE-2026-44114: OpenClaw before 2026.4.20 fails (CVSS 7.8)
CVE-2026-42896: Integer overflow or wraparound (CVSS 7.8)
CVE-2026-42831: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-41611: Improper neutralization of script-related (CVSS 7.8)
CVE-2026-41088: External control of file Privilege escalation (CVSS 7.8)
CVE-2026-40419: Use after free in Privilege escalation (CVSS 7.8)
CVE-2026-40418: Use after free in Privilege escalation (CVSS 7.8)
CVE-2026-40417: Weak authentication in Dynamics (CVSS 7.8)
CVE-2026-40408: Use after free in Privilege escalation (CVSS 7.8)
CVE-2026-40407: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-40399: Stack-based buffer overflow in (CVSS 7.8)
CVE-2026-40398: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-40397: Integer underflow (CVSS 7.8)
CVE-2026-40382: Use after free in Privilege escalation (CVSS 7.8)
CVE-2026-40381: Improper access control in (CVSS 7.8)
CVE-2026-40377: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-40369: Untrusted pointer dereference in (CVSS 7.8)
CVE-2026-40362: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-40359: Use after free in Vulnerability - Sherlock (CVSS 7.8)
CVE-2026-35421: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-35420: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-35418: Use after free in Privilege escalation (CVSS 7.8)
CVE-2026-35417: Access of resource using Privilege escalation (CVSS 7.8)
CVE-2026-35415: Integer overflow or wraparound (CVSS 7.8)
CVE-2026-34690: After Effects versions 26.0, Remote (CVSS 7.8)
CVE-2026-34682: Substance3D - Designer versions Remote (CVSS 7.8)
CVE-2026-34681: Substance3D - Designer versions Remote (CVSS 7.8)
CVE-2026-34644: After Effects versions 26.0, Remote (CVSS 7.8)
CVE-2026-34643: After Effects versions 26.0, Remote (CVSS 7.8)
CVE-2026-34642: After Effects versions 26.0, Remote (CVSS 7.8)
CVE-2026-34640: Media Encoder versions 26.0.2, Remote (CVSS 7.8)
CVE-2026-34639: Media Encoder versions 26.0.2, Remote (CVSS 7.8)
CVE-2026-34638: Premiere Pro versions 26.0.2, Remote (CVSS 7.8)
CVE-2026-34637: Premiere Pro versions 26.0.2, Remote (CVSS 7.8)
CVE-2026-34636: Premiere Pro versions 26.0.2, Remote (CVSS 7.8)
CVE-2026-34351: Concurrent execution using shared (CVSS 7.8)
CVE-2026-34344: Access of resource using Privilege escalation (CVSS 7.8)
CVE-2026-34343: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-34338: Use after free in Privilege escalation (CVSS 7.8)
CVE-2026-34337: Use after free in Privilege escalation (CVSS 7.8)
CVE-2026-34334: Concurrent execution using shared (CVSS 7.8)
CVE-2026-34333: Use after free in Privilege escalation (CVSS 7.8)
CVE-2026-34330: Integer overflow or wraparound (CVSS 7.8)
CVE-2026-33841: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-33840: Use after free in Privilege escalation (CVSS 7.8)
CVE-2026-33837: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-33835: Use after free in Privilege escalation (CVSS 7.8)
CVE-2026-33834: Improper access control in (CVSS 7.8)
CVE-2026-32204: External control of file Privilege escalation (CVSS 7.8)
CVE-2026-24082: Memory Corruption when copying (CVSS 7.8)
CVE-2025-47408: Memory corruption when another (CVSS 7.8)
CVE-2025-47407: Memory corruption while creating (CVSS 7.8)
CVE-2025-47405: Memory corruption when processing (CVSS 7.8)
CVE-2021-47945: ArguSurveillance DVR 4.0 Vulnerability (CVSS 7.8)
CVE-2026-43580: OpenClaw before 2026.4.10 incomplete SSRF (CVSS 7.7)
CVE-2026-43576: OpenClaw before 2026.4.5 server-side SSRF (CVSS 7.7)
CVE-2026-43573: OpenClaw before 2026.4.10 server-side SSRF (CVSS 7.7)
CVE-2026-43532: OpenClaw versions 2026.4.7 before (CVSS 7.7)
CVE-2026-43527: OpenClaw before 2026.4.14 server-side SSRF (CVSS 7.7)
CVE-2026-42832: Improper access control in Authorization (CVSS 7.7)
CVE-2026-42438: OpenClaw versions 2026.4.9 before (CVSS 7.7)
CVE-2026-42436: OpenClaw before 2026.4.14 improper (CVSS 7.7)
CVE-2026-27662: Affected Devices do not Vulnerability (CVSS 7.7)
CVE-2026-20185: A vulnerability in the Denial of service (CVSS 7.7)
CVE-2026-20167: A vulnerability in the Denial of service (CVSS 7.7)
CVE-2026-45225: Heym before 0.0.21 path Directory traversal (CVSS 7.6)
CVE-2026-7287: ** UNSUPPORTED WHEN ASSIGNED Buffer overflow (CVSS 7.5)
CVE-2026-6918: eclipse openj9 Vulnerability - Sherlock (CVSS 7.5)
CVE-2026-5773: haxx curl Vulnerability (CVSS 7.5)
CVE-2026-5192: Forminator Forms – Contact Directory (CVSS 7.5)
CVE-2026-44498: zfnd zebrad Vulnerability - Sherlock (CVSS 7.5)
CVE-2026-4304: WeePie Cookie Allow plugin SQL injection (CVSS 7.5)
CVE-2026-42920: When a Client SSL Vulnerability - Sherlock (CVSS 7.5)
CVE-2026-42437: OpenClaw versions 2026.4.9 before Denial of (CVSS 7.5)
CVE-2026-42409: When an HTTP/2 profile Vulnerability (CVSS 7.5)
CVE-2026-41956: When a classification profile Vulnerability (CVSS 7.5)
CVE-2026-41584: zfnd zebra-chain Vulnerability - Sherlock (CVSS 7.5)
CVE-2026-41471: Easy PayPal Events & Information disclosure (CVSS 7.5)
CVE-2026-41227: On an HTTP/2 virtual Denial of service (CVSS 7.5)
CVE-2026-41218: When BIG-IPEM iRules Vulnerability (CVSS 7.5)
CVE-2026-40618: When an SSL profile Vulnerability (CVSS 7.5)
CVE-2026-40423: When a SIProfile Vulnerability - Sherlock (CVSS 7.5)
CVE-2026-40406: Use after free in Vulnerability - Sherlock (CVSS 7.5)
CVE-2026-40405: Null pointer dereference in Vulnerability (CVSS 7.5)
CVE-2026-39458: When a BIG-IP DNS Vulnerability - Sherlock (CVSS 7.5)
CVE-2026-39455: When the BIG-IP Configuration Vulnerability (CVSS 7.5)
CVE-2026-35424: Missing release of memory Vulnerability (CVSS 7.5)
CVE-2026-34665: CAI Content Credentials versions (CVSS 7.5)
CVE-2026-3456: GeekyBot — Generate AI SQL injection (CVSS 7.5)
CVE-2026-3359: ForMaker by 10Web SQL injection - Sherlock (CVSS 7.5)
CVE-2026-33111: Improper neutralization of special Command (CVSS 7.5)
CVE-2026-32834: Easy PayPal Events & Authentication bypass (CVSS 7.5)
CVE-2026-32161: Concurrent execution using shared (CVSS 7.5)
CVE-2026-2993: AI Chatbot & Workflow SQL injection (CVSS 7.5)
CVE-2026-26164: Improper neutralization of special (CVSS 7.5)
CVE-2026-25863: Conditional Fields for Contact (CVSS 7.5)
CVE-2026-20188: A vulnerability in the Denial of service (CVSS 7.5)
CVE-2026-1719: Gravity Bookings Premium plugin SQL (CVSS 7.5)
CVE-2026-1250: Court Reservation – Manage SQL injection (CVSS 7.5)
CVE-2025-40833: affected Devices contain a Denial of service (CVSS 7.5)
CVE-2023-54347: open-emr openemr Vulnerability - Sherlock (CVSS 7.5)
CVE-2021-47944: memoNotepad 4.2 Denial of service (CVSS 7.5)
CVE-2026-42893: Improper neutralization of special Command (CVSS 7.4)
CVE-2026-42011: A flaw was found Vulnerability - Sherlock (CVSS 7.4)
CVE-2026-40414: Null pointer dereference in Vulnerability (CVSS 7.4)
CVE-2026-40413: Null pointer dereference in Vulnerability (CVSS 7.4)
CVE-2026-8768: vercel ai up to Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-8759: xiandafu beetl up to Vulnerability (CVSS 7.3)
CVE-2026-8758: Metasoft 美特软件 MetaCRM up (CVSS 7.3)
CVE-2026-8757: adenhq hive up to Directory traversal (CVSS 7.3)
CVE-2026-8756: fishaudio Bert-VITS2 up to Directory (CVSS 7.3)
CVE-2026-8755: A flaw has been Directory traversal (CVSS 7.3)
CVE-2026-8751: h2oai h2o-3 up to Deserialization - Sherlock (CVSS 7.3)
CVE-2026-8734: Oinone Pamirs up to SQL injection - Sherlock (CVSS 7.3)
CVE-2026-8725: A weakness has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-8321: inkeep agents 0.58.14. This Authentication (CVSS 7.3)
CVE-2026-8305: OpenClaw up to 2026.1.24. Vulnerability (CVSS 7.3)
CVE-2026-8216: Industrial Application Software IAS (CVSS 7.3)
CVE-2026-8133: A security vulnerability haSQL injection (CVSS 7.3)
CVE-2026-8132: A weakness has been SQL injection - Sherlock (CVSS 7.3)
CVE-2026-8131: SourceCodester SUP Online Shopping SQL (CVSS 7.3)
CVE-2026-8130: SourceCodester SUP Online Shopping SQL (CVSS 7.3)
CVE-2026-8129: SourceCodester SUP Online Shopping SQL (CVSS 7.3)
CVE-2026-8128: SourceCodester SUP Online Shopping SQL (CVSS 7.3)
CVE-2026-8126: A flaw has been SQL injection - Sherlock (CVSS 7.3)
CVE-2026-8098: A security vulnerability haSQL injection (CVSS 7.3)
CVE-2026-8083: SourceCodester Pharmacy Sales and SQL (CVSS 7.3)
CVE-2026-8032: A flaw has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-7812: 54yyyu code-mcp up to Command injection (CVSS 7.3)
CVE-2026-7811: 54yyyu code-mcp up to Directory traversal (CVSS 7.3)
CVE-2026-7810: A flaw has been Directory traversal (CVSS 7.3)
CVE-2026-7788: Axle-Bucamp MCP-Docusaurus up to Directory (CVSS 7.3)
CVE-2026-7785: A-G-U-P-T-A wireshark-mcp - Sherlock (CVSS 7.3)
CVE-2026-7784: RTGS2017 NagaAgent up to Directory traversal (CVSS 7.3)
CVE-2026-7735: osrGoBGP up to Buffer overflow - Sherlock (CVSS 7.3)
CVE-2026-7733: A flaw has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-7727: Shandong Hoteam Software PDM SQL injection (CVSS 7.3)
CVE-2026-7723: A flaw has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-7711: A weakness has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-7710: YunaiV yudao-cloud up to Vulnerability (CVSS 7.3)
CVE-2026-44995: OpenClaw before 2026.4.20 improper Code (CVSS 7.3)
CVE-2026-43531: OpenClaw before 2026.4.9 environment (CVSS 7.3)
CVE-2026-32177: Heap-based buffer overflow in (CVSS 7.3)
CVE-2026-8764: A security vulnerability has Buffer overflow (CVSS 7.2)
CVE-2026-7857: D-Link DI-8100 16.07.26A1. This Buffer (CVSS 7.2)
CVE-2026-7856: A flaw has been Buffer overflow - Sherlock (CVSS 7.2)
CVE-2026-7851: D-Link DI-8100 16.07.26A1. This Buffer (CVSS 7.2)
CVE-2026-7833: A weakness has been Command injection (CVSS 7.2)
CVE-2026-7448: LatePoint – Calendar Booking Cross-site (CVSS 7.2)
CVE-2026-7332: LatePoint – Calendar Booking Cross-site (CVSS 7.2)
CVE-2026-7330: Auto Affiliate Links plugin Cross-site (CVSS 7.2)
CVE-2026-6177: Custom Twitter Feeds plugin Cross-site (CVSS 7.2)
CVE-2026-39459: A vulnerability exists in (CVSS 7.2)
CVE-2026-3120: Improper Control of Generation Command (CVSS 7.2)
CVE-2026-20035: A vulnerability in the SSRF - Sherlock (CVSS 7.2)
CVE-2026-4609: ProfileGrid – User Profiles, Vulnerability (CVSS 7.1)
CVE-2026-45226: Heym before 0.0.21 Authorization bypass (CVSS 7.1)
CVE-2026-45001: OpenClaw before 2026.4.20 guard SSRF (CVSS 7.1)
CVE-2026-44243: gitpython project gitpython Vulnerability (CVSS 7.1)
CVE-2026-43616: Detect-It-Easy prior to 3.21 Directory (CVSS 7.1)
CVE-2026-41102: Improper access control in Authorization (CVSS 7.1)
CVE-2026-41101: Improper access control in Authorization (CVSS 7.1)
CVE-2026-40401: Null pointer dereference in Vulnerability (CVSS 7.1)
CVE-2026-25789: Affected Devices do not Vulnerability (CVSS 7.1)
CVE-2026-7832: IObit Advanced SystemCare 19. Vulnerability (CVSS 7.0)
CVE-2026-42825: Use after free in Privilege escalation (CVSS 7.0)
CVE-2026-40410: Use after free in Privilege escalation (CVSS 7.0)
CVE-2026-35416: Use after free in Privilege escalation (CVSS 7.0)
CVE-2026-34347: Use after free in Privilege escalation (CVSS 7.0)
CVE-2026-34345: Concurrent execution using shared (CVSS 7.0)
CVE-2026-34342: Concurrent execution using shared (CVSS 7.0)
CVE-2026-34340: Use after free in Privilege escalation (CVSS 7.0)
CVE-2026-34331: Concurrent execution using shared (CVSS 7.0)
CVE-2026-33839: Concurrent execution using shared (CVSS 7.0)

phpMyFAQ Hit With CVSS 9.8

CVE-2026-46364 scores a 9.8. phpMyFAQ lets attackers run code on your systems.

CVE-2026-46364: phpMyFAQ before 4.1.2 unauthenticated SQL (CVSS 9.8)

WordPress Had a Rough Week

29 vulnerabilities across WordPress products this week. The worst: CVE-2026-8181 (CVSS 9.8) lets attackers run code on your systems. Patch now if you run WordPress.

CVE-2026-8181: BurStatistics – Privacy-Friendly (CVSS 9.8)
CVE-2026-6510: InfusedWoo Pro plugin for Privilege escalation (CVSS 9.8)
CVE-2026-6271: Career Section plugin for Remote code execution (CVSS 9.8)
CVE-2026-5722: MoreConvert Pro plugin for Authentication (CVSS 9.8)
CVE-2026-5294: Geeky Bot plugin for Remote code execution (CVSS 9.8)
CVE-2026-5229: Form Notify plugin for Authentication bypass (CVSS 9.8)
CVE-2025-13618: Mentoring plugin for WordPress (CVSS 9.8)
CVE-2021-47940: WordPress Plugin Download From File read (CVSS 9.8)
CVE-2021-47933: WordPress MStore API 2.0.6 Remote (CVSS 9.8)
CVE-2021-47932: WordPress TheCartPress 1.5.3.6 (CVSS 9.8)
CVE-2026-6512: InfusedWoo Pro plugin for Authorization (CVSS 9.1)
CVE-2026-6692: SlideRevolution plugin for Remote code execution (CVSS 8.8)
CVE-2026-6506: InfusedWoo Pro plugin for Privilege escalation (CVSS 8.8)
CVE-2026-6261: BeTheme for WordPress Remote code execution (CVSS 8.8)
CVE-2026-3425: RTMKit Addons for Elementor Authorization (CVSS 8.8)
CVE-2026-5396: Fluent Forms plugin for Authorization bypass (CVSS 8.2)
CVE-2021-47941: WordPress Plugin Survey & SQL injection (CVSS 8.2)
CVE-2026-4030: Database Backup for WordPress File read (CVSS 8.1)
CVE-2026-6514: InfusedWoo Pro plugin for File read (CVSS 7.5)
CVE-2026-6403: Quick Playground plugin for Directory (CVSS 7.5)
CVE-2026-5100: AWP Classifieds plugin for SQL injection (CVSS 7.5)
CVE-2026-4798: Avada Builder plugin for SQL injection (CVSS 7.5)
CVE-2026-4348: BetterDocs Pro plugin for SQL injection (CVSS 7.5)
CVE-2026-4031: Database Backup for WordPress Authorization (CVSS 7.5)
CVE-2026-4029: Database Backup for WordPress Vulnerability (CVSS 7.5)
CVE-2023-54346: WordPress Plugin Backup Migration (CVSS 7.5)
CVE-2026-6690: LifePress plugin for WordPress Cross-site (CVSS 7.2)
CVE-2026-4803: Royal Elementor Addons plugin Cross-site (CVSS 7.2)
CVE-2026-3718: ManageWP Worker plugin for Cross-site (CVSS 7.2)

Spring Framework Hit With CVSS 9.6

CVE-2026-34263 scores a 9.6. Spring Framework lets attackers run code on your systems.

CVE-2026-34263: Due to improper Spring Code injection (CVSS 9.6)

SAP Hit With CVSS 9.6

CVE-2026-34260 scores a 9.6. SAP lets attackers run code on your systems.

CVE-2026-34260: SAP S/4HANA (CVSS 9.6)

Microsoft Patches 6 Vulnerabilities

6 vulnerabilities across Microsoft products this week. The worst: CVE-2026-33823 (CVSS 9.6) lets anyone bypass authentication. Patch now if you run Microsoft.

CVE-2026-33823: Improper authorization in Microsoft (CVSS 9.6)
CVE-2026-35438: Missing authorization in Windows (CVSS 8.3)
CVE-2026-40360: Out-of-bounds read in Microsoft (CVSS 7.8)
CVE-2026-34336: Buffer over-read in Windows Vulnerability (CVSS 7.8)
CVE-2026-33838: Double free in Windows Privilege escalation (CVSS 7.8)
CVE-2026-34341: Double free in Windows Privilege escalation (CVSS 7.0)

Adobe Had a Rough Week

16 vulnerabilities across Adobe products this week. The worst: CVE-2026-34659 (CVSS 9.6) lets attackers run code on your systems. Patch now if you run Adobe.

CVE-2026-34659: Adobe Connect versions 2025.9.15, Remote (CVSS 9.6)
CVE-2026-34660: Adobe Connect versions 2025.9.15, Remote (CVSS 9.3)
CVE-2026-34686: Adobe Commerce versions 2.4.9-beta1, (CVSS 8.7)
CVE-2026-34653: Adobe Commerce versions 2.4.9-beta1, (CVSS 8.7)
CVE-2026-34687: adobe illustrator Remote code execution (CVSS 7.8)
CVE-2026-34676: adobe substance 3d painter Remote (CVSS 7.8)
CVE-2026-34675: adobe substance 3d painter Remote (CVSS 7.8)
CVE-2026-34661: adobe illustrator Remote code execution (CVSS 7.8)
CVE-2026-34652: Adobe Commerce versions 2.4.9-beta1, (CVSS 7.5)
CVE-2026-34651: Adobe Commerce versions 2.4.9-beta1, (CVSS 7.5)
CVE-2026-34650: Adobe Commerce versions 2.4.9-beta1, (CVSS 7.5)
CVE-2026-34649: Adobe Commerce versions 2.4.9-beta1, (CVSS 7.5)
CVE-2026-34648: Adobe Commerce versions 2.4.9-beta1, (CVSS 7.5)
CVE-2026-34646: Adobe Commerce versions 2.4.9-beta1, (CVSS 7.5)
CVE-2026-34645: Adobe Commerce versions 2.4.9-beta1, (CVSS 7.5)
CVE-2026-34647: Adobe Commerce versions 2.4.9-beta1, SSRF (CVSS 7.4)

Siemens Patches 4 Vulnerabilities

4 vulnerabilities across Siemens products this week. The worst: CVE-2026-22924 (CVSS 9.1) lets attackers run code on your systems. Patch now if you run Siemens.

CVE-2026-22924: SIMATICN 4100 (CVSS 9.1)
CVE-2025-40949: RUGGEDCOM ROX MX5000 (CVSS 9.1)
CVE-2026-22925: SIMATICN 4100 (CVSS 7.5)
CVE-2025-40947: RUGGEDCOM ROX MX5000 (CVSS 7.5)

Microsoft Azure Hit With CVSS 9.1

CVE-2026-33117 scores a 9.1. Microsoft Azure lets attackers run code on your systems.

CVE-2026-33117: Improper authentication in Azure (CVSS 9.1)

Crabbox Patches 3 Vulnerabilities

3 vulnerabilities across Crabbox products this week. The worst: CVE-2026-8634 (CVSS 9.1) lets anyone bypass authentication. Patch now if you run Crabbox.

CVE-2026-8634: Crabbox prior to v0.12.0 Vulnerability (CVSS 9.1)
CVE-2026-8621: Crabbox prior to v0.12.0 Authentication (CVSS 8.8)
CVE-2026-8629: Crabbox prior to v0.12.0 Privilege escalation (CVSS 8.1)

Apache Patches 2 Vulnerabilities

2 vulnerabilities across Apache products this week. The worst: CVE-2026-40010 (CVSS 9.1) needs your attention. Patch now if you run Apache.

CVE-2026-40010: apache wicket Vulnerability - Sherlock (CVSS 9.1)
CVE-2026-39816: apache nifi Vulnerability - Sherlock (CVSS 8.8)

Oracle Hit With CVSS 8.7

CVE-2026-35228 scores a 8.7. Oracle lets attackers run code on your systems.

CVE-2026-35228: Oracle MCP Server Helper Vulnerability (CVSS 8.7)

Ivanti Hit With CVSS 7.4

CVE-2026-7821 scores a 7.4. Ivanti lets anyone bypass authentication.

CVE-2026-7821: ivanti endpoint manager mobile Information (CVSS 7.4)

Google Hit With CVSS 7.1

CVE-2026-5371 scores a 7.1. Google lets attackers run code on your systems.

CVE-2026-5371: MonsterInsights – Google Analytics (CVSS 7.1)

By the Numbers

Total CVEs analyzed	403
Critical (9.0+)	69
High (7.0-8.9)	334
Remote code execution	211
Authentication bypass	188
Cross-site scripting	0
SQL injection	0

What To Do This Week

One action item per vendor. Start at the top and work down.

Other: Update immediately. 47 critical-severity issues patched this week.
phpMyFAQ: Update immediately. 1 critical-severity issues patched this week.
WordPress: Update immediately. 11 critical-severity issues patched this week.
Spring Framework: Update immediately. 1 critical-severity issues patched this week.
SAP: Update immediately. 1 critical-severity issues patched this week.
Microsoft: Update immediately. 1 critical-severity issues patched this week.
Adobe: Update immediately. 2 critical-severity issues patched this week.
Siemens: Update immediately. 2 critical-severity issues patched this week.
Microsoft Azure: Update immediately. 1 critical-severity issues patched this week.
Crabbox: Update immediately. 1 critical-severity issues patched this week.
Apache: Update immediately. 1 critical-severity issues patched this week.
Oracle: Review and patch 1 high-severity vulnerabilities when possible.
Ivanti: Review and patch 1 high-severity vulnerabilities when possible.
Google: Review and patch 1 high-severity vulnerabilities when possible.