The Week in Security
Windmill had 2 vulnerabilities this week, including a Windmill SQL injection flaw scoring CVSS 9.9. WordPress got hit with a CVSS 9.8 in the Everest Forms plugin. Weaver got hit with a CVSS 9.8 in Weaver E-cology.
We tracked 16 vulnerabilities this week. 6 scored 9.0 or above. If you only have time for one thing today, scroll to "What To Do This Week" at the bottom.
Windmill Patches 2 Vulnerabilities
2 vulnerabilities across Windmill products this week. The worst: CVE-2026-23696 (CVSS 9.9) lets attackers run code on your systems. Patch now if you run Windmill.
- CVE-2026-23696: Windmill SQL Injection (CVSS 9.9)
- CVE-2026-22683: Windmill Authorization (CVSS 8.8)
WordPress Hit With CVSS 9.8
CVE-2026-3296 scores a 9.8. WordPress needs your attention.
- CVE-2026-3296: Everest Forms WordPress plugin (CVSS 9.8)
Weaver Hit With CVSS 9.8
CVE-2026-22679 scores a 9.8. Weaver lets attackers run code on your systems.
- CVE-2026-22679: Weaver E-cology (CVSS 9.8)
Other Vendor Hit With CVSS 9.8
CVE-2021-4473 scores a 9.8. Tianxin Management (listed under "Other") lets attackers run code on your systems.
- CVE-2021-4473: Tianxin Management (CVSS 9.8)
Cockpit Hit With CVSS 9.8
CVE-2026-4631 scores a 9.8. Cockpit lets attackers run code on your systems.
- CVE-2026-4631: Cockpit SSH Command (CVSS 9.8)
IBM Patches 5 Vulnerabilities
5 vulnerabilities across IBM products this week. The worst: CVE-2026-1346 (CVSS 9.3) needs your attention. Patch now if you run IBM.
- CVE-2026-1346: IBM Verify Access Privilege Escalation (CVSS 9.3)
- CVE-2026-3357: IBM Langflow Insecure (CVSS 8.8)
- CVE-2026-1342: IBM Verify Identity (CVSS 8.5)
- CVE-2026-4788: IBM Tivoli Netcool (CVSS 8.4)
- CVE-2026-1343: IBM Verify Access SSRF (CVSS 7.2)
Red Hat Hit With CVSS 8.2
CVE-2026-4740 scores an 8.2. Red Hat lets anyone bypass authentication.
- CVE-2026-4740: Red Hat ACM Certificate Forgery (CVSS 8.2)
PowerJob Patches 2 Vulnerabilities
2 vulnerabilities across PowerJob products this week. The worst: CVE-2026-5739 (CVSS 7.3) lets attackers run code on your systems. Patch now if you run PowerJob.
- CVE-2026-5739: PowerJob Code Injection (CVSS 7.3)
- CVE-2026-5736: PowerJob detailPlus (CVSS 7.3)
Docker Hit With CVSS 7.3
CVE-2026-5741 scores a 7.3. Docker needs your attention.
- CVE-2026-5741: docker-mcp-server Command Injection (CVSS 7.3)
OpenHarness Hit With CVSS 7.1
CVE-2026-22682 scores a 7.1. OpenHarness lets attackers run code on your systems.
- CVE-2026-22682: OpenHarness File Tool (CVSS 7.1)
By the Numbers
| Metric | Count |
|---|---|
| Total CVEs analyzed | 16 |
| Critical (9.0+) | 6 |
| High (7.0-8.9) | 10 |
| Remote code execution | 8 |
| Authentication bypass | 2 |
| Cross-site scripting | 0 |
| SQL injection | 1 |
What To Do This Week
One action item per vendor. Start at the top and work down.
- Windmill: Update immediately. 1 critical-severity issue patched this week.
- WordPress: Update immediately. 1 critical-severity issue patched this week.
- Weaver: Update immediately. 1 critical-severity issue patched this week.
- Other (Tianxin Management): Update immediately. 1 critical-severity issue patched this week.
- Cockpit: Update immediately. 1 critical-severity issue patched this week.
- IBM: Update immediately. 1 critical-severity issue patched this week.
- Red Hat: Review and patch 1 high-severity vulnerability when possible.
- PowerJob: Review and patch 2 high-severity vulnerabilities when possible.
- Docker: Review and patch 1 high-severity vulnerability when possible.
- OpenHarness: Review and patch 1 high-severity vulnerability when possible.