What were the most critical CVEs disclosed this week?

This week's roundup covers 16 vulnerability disclosures analyzed by Sherlock Forensics. 6 scored 9.0 or above (critical) and 10 rated high. Each CVE is grouped by vendor and assessed for real-world exploitability with patching priorities.

How should organizations respond to new CVE disclosures?

Start with automated vulnerability scanning against new disclosures within 24 hours. Patch critical and actively exploited vulnerabilities within 72 hours. Deploy compensating controls for anything you cannot patch immediately. Validate that your patches actually work. Sherlock Forensics managed security service automates this entire workflow.

Where can I get professional help responding to these vulnerabilities?

Sherlock Forensics offers emergency CVE response assessments with 24-hour turnaround to verify whether your deployment is vulnerable and test whether your compensating controls block exploitation. Managed security clients receive automated alerting when new CVEs affect their technology stack. Contact 604.229.1994 for immediate assistance.

Weekly Security Roundup: April 01 to April 08, 2026

The Week in Security

Windmill had 2 vulnerabilities this week including Windmill SQL Injection Scores 9.9 (CVSS 9.9). WordPress got hit with a CVSS 9.8 for Everest Forms WordPress. Weaver got hit with a CVSS 9.8 for Weaver E-cology Hit.

We tracked 16 vulnerabilities this week. 6 scored 9.0 or above. If you only have time for one thing today, scroll to "What To Do This Week" at the bottom.

Windmill Patches 2 Vulnerabilities

2 vulnerabilities across Windmill products this week. The worst: CVE-2026-23696 (CVSS 9.9) lets attackers run code on your systems. Patch now if you run Windmill.

CVE-2026-23696: Windmill SQL Injection Scores 9.9 (CVSS 9.9)
CVE-2026-22683: Windmill Authorization (CVSS 8.8)

WordPress Hit With CVSS 9.8

CVE-2026-3296 scores a 9.8. WordPress needs your attention.

CVE-2026-3296: Everest Forms WordPress (CVSS 9.8)

Weaver Hit With CVSS 9.8

CVE-2026-22679 scores a 9.8. Weaver lets attackers run code on your systems.

CVE-2026-22679: Weaver E-cology Hit (CVSS 9.8)

Other Hit With CVSS 9.8

CVE-2021-4473 scores a 9.8. Other lets attackers run code on your systems.

CVE-2021-4473: Tianxin Management (CVSS 9.8)

Cockpit Hit With CVSS 9.8

CVE-2026-4631 scores a 9.8. Cockpit lets attackers run code on your systems.

CVE-2026-4631: Cockpit SSH Command (CVSS 9.8)

IBM Patches 5 Vulnerabilities

5 vulnerabilities across IBM products this week. The worst: CVE-2026-1346 (CVSS 9.3) needs your attention. Patch now if you run IBM.

CVE-2026-1346: IBM Verify Access Privilege Escalation (CVSS 9.3)
CVE-2026-3357: IBM Langflow Insecure (CVSS 8.8)
CVE-2026-1342: IBM Verify Identity (CVSS 8.5)
CVE-2026-4788: IBM Tivoli Netcool (CVSS 8.4)
CVE-2026-1343: IBM Verify Access SSRF Puts (CVSS 7.2)

Red Hat Hit With CVSS 8.2

CVE-2026-4740 scores a 8.2. Red Hat lets anyone bypass authentication.

CVE-2026-4740: Red Hat ACM Certificate Forgery Scores (CVSS 8.2)

PowerJob Patches 2 Vulnerabilities

2 vulnerabilities across PowerJob products this week. The worst: CVE-2026-5739 (CVSS 7.3) lets attackers run code on your systems. Patch now if you run PowerJob.

CVE-2026-5739: PowerJob Code Injection Puts (CVSS 7.3)
CVE-2026-5736: PowerJob detailPlus (CVSS 7.3)

Docker Hit With CVSS 7.3

CVE-2026-5741 scores a 7.3. Docker needs your attention.

CVE-2026-5741: docker-mcp-server Command Injection (CVSS 7.3)

OpenHarness Hit With CVSS 7.1

CVE-2026-22682 scores a 7.1. OpenHarness lets attackers run code on your systems.

CVE-2026-22682: OpenHarness File Tool (CVSS 7.1)

By the Numbers

Total CVEs analyzed	16
Critical (9.0+)	6
High (7.0-8.9)	10
Remote code execution	8
Authentication bypass	2
Cross-site scripting	0
SQL injection	1

What To Do This Week

One action item per vendor. Start at the top and work down.

Windmill: Update immediately. 1 critical-severity issues patched this week.
WordPress: Update immediately. 1 critical-severity issues patched this week.
Weaver: Update immediately. 1 critical-severity issues patched this week.
Other: Update immediately. 1 critical-severity issues patched this week.
Cockpit: Update immediately. 1 critical-severity issues patched this week.
IBM: Update immediately. 1 critical-severity issues patched this week.
Red Hat: Review and patch 1 high-severity vulnerabilities when possible.
PowerJob: Review and patch 2 high-severity vulnerabilities when possible.
Docker: Review and patch 1 high-severity vulnerabilities when possible.
OpenHarness: Review and patch 1 high-severity vulnerabilities when possible.