This Week in Cybersecurity
This was a high-volume week. We analyzed 53 vulnerabilities rated HIGH or CRITICAL, with six scoring 9.0 or above. The headline story is CVE-2026-41940: a cPanel and WHM authentication bypass rated CVSS 9.8 that CISA added to the Known Exploited Vulnerabilities catalog with a remediation deadline of May 3, 2026. If you run cPanel, stop reading and patch now.
The second major story is CVE-2026-31431 (copy.fail): a Linux kernel container escape that has been sitting undetected in every mainstream distribution since 2017. A 732-byte Python script gives root from any unprivileged user account. This is a container escape, not just privilege escalation. If you run Docker, Kubernetes or any multi-tenant Linux infrastructure, this demands immediate attention.
Beyond the headliners, remote code execution dominated this week at 26 vulnerabilities. Authentication bypasses were the second most common pattern at 15. WordPress plugin vulnerabilities continue to appear regularly, with cross-site scripting making up 7 of the week's disclosures. SQL injection rounded out the attack types with 5 entries.
Compared to last week, the total volume is consistent but the severity profile shifted upward. Six CRITICAL vulnerabilities this week versus three last week. The CISA KEV addition elevates urgency for federal agencies and anyone following the KEV catalog as a prioritization guide.
The Big Ones
1. CVE-2026-41940: cPanel Authentication Bypass (CVSS 9.8)
What it is: An authentication bypass in cPanel and WHM that lets unauthenticated remote attackers gain admin access. No credentials needed. Affects versions 11.40 through 136.0.4, which covers the vast majority of the 1.4 million active cPanel installations worldwide.
Why it matters: CISA confirmed active exploitation and added it to KEV. Public exploits are documented. cPanel admin access means full server control: creating accounts, modifying DNS, reading email, deploying web shells and pivoting to other services.
What to do: Update to 136.0.5+ immediately. Run /scripts/upcp --force. If you cannot update, firewall ports 2082-2087 to trusted IPs only. Check logs for unauthorized access.
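An added example, not code from the original post or from cPanel: POSIX shell helpers that flag an installed build as older than 136.0.5 and print nftables rules confining WHM/cPanel ports 2082-2087 to trusted sources. The /usr/local/cpanel/version path, an optional "11." version prefix, and nftables as the host firewall are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: triage helpers for CVE-2026-41940.
# Assumptions: cPanel keeps its version in /usr/local/cpanel/version, possibly
# with an "11." product prefix, and nftables is the host firewall.
FIXED="136.0.5"

# Drop the "11." product prefix so "11.136.0.4" compares like "136.0.4";
# bare "11.40" (the oldest affected release) is left as-is.
normalize_cpanel_version() {
    printf '%s\n' "$1" | sed -E 's/^11\.([0-9]+\.[0-9]+)/\1/'
}

# Read the installed version (assumed path); prints nothing on non-cPanel hosts.
installed_cpanel_version() {
    cat /usr/local/cpanel/version 2>/dev/null
}

# Return 0 (vulnerable) if VERSION sorts before the fixed release.
cpanel_vulnerable() {
    v=$(normalize_cpanel_version "$1")
    [ "$v" != "$FIXED" ] && [ "$(printf '%s\n%s\n' "$v" "$FIXED" | sort -V | head -n1)" = "$v" ]
}

# Print nftables rules restricting 2082-2087 to the trusted IPv4 sources
# given as arguments; load with: cpanel_firewall_rules 203.0.113.10 | nft -f -
cpanel_firewall_rules() {
    trusted=$(printf '%s, ' "$@")
    trusted=${trusted%, }
    cat <<EOF
table inet cpanel_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 2082-2087 ip saddr { $trusted } accept
        tcp dport 2082-2087 drop
    }
}
EOF
}

# Usage on a host: report whether the installed build needs the update.
if v=$(installed_cpanel_version) && [ -n "$v" ]; then
    if cpanel_vulnerable "$v"; then echo "cPanel $v: VULNERABLE, update to $FIXED+"
    else echo "cPanel $v: patched"; fi
fi
```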
2. CVE-2026-31431: copy.fail Linux Container Escape (CVSS 9.8)
What it is: A logic bug in the Linux kernel crypto API (authencesn module) that allows any unprivileged user to escape containers and get root. The 2017 algif_aead optimization allowed page-cache pages to enter a writable scatterlist. A 732-byte Python script chains AF_ALG and splice() to exploit it.
Why it matters: Nine years undetected. Works on every mainstream Linux distribution since 2017. This breaks container isolation on Docker, Podman and Kubernetes. If you run multi-tenant infrastructure, CI/CD runners or shared dev boxes, any local user can root the host.
What to do: Disable algif_aead immediately: echo "install algif_aead /bin/true" | sudo tee /etc/modprobe.d/disable-algif-aead.conf && sudo modprobe -r algif_aead. Schedule kernel updates across your fleet.
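The mitigation above as an added example (not code from the original post or from the kernel project): a POSIX shell script that writes the modprobe override, unloads the module if it is present, and reports a one-word status you can collect across a fleet. The optional directory argument is an assumption added so the file-level checks can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original post: apply and verify the algif_aead
# modprobe override. Every function accepts a directory (default /etc/modprobe.d).
MODULE="algif_aead"

# Write the override that turns "modprobe algif_aead" into a no-op.
write_algif_block() {
    conf_dir="${1:-/etc/modprobe.d}"
    conf="$conf_dir/disable-algif-aead.conf"
    mkdir -p "$conf_dir"
    printf 'install %s /bin/true\n' "$MODULE" > "$conf"
    echo "$conf"
}

# Return 0 if any .conf file in the directory carries an install override
# for the module (also accepts /bin/false, a common equivalent).
algif_blocked() {
    conf_dir="${1:-/etc/modprobe.d}"
    grep -rqsE "^[[:space:]]*install[[:space:]]+$MODULE[[:space:]]+/bin/(true|false)" "$conf_dir"
}

# Return 0 if the module is currently loaded according to /proc/modules.
algif_loaded() {
    grep -qs "^$MODULE " /proc/modules
}

# Unload the module if it is loaded; the override alone does not unload it.
unload_algif() {
    if algif_loaded; then
        modprobe -r "$MODULE"
    fi
}

# One-word status for fleet inventory: LOADED, BLOCKED or UNBLOCKED.
algif_status() {
    conf_dir="${1:-/etc/modprobe.d}"
    if algif_loaded; then
        echo "LOADED"
    elif algif_blocked "$conf_dir"; then
        echo "BLOCKED"
    else
        echo "UNBLOCKED"
    fi
}

# Apply on a host (as root): sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    write_algif_block && unload_algif && algif_status
fi
```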
3. CVE-2026-7458: User Verification Plugin (CVSS 9.8)
What it is: A critical vulnerability in the User Verification plugin by PickPlugins for WordPress. Allows unauthenticated attackers to compromise user accounts.
Why it matters: WordPress powers over 40% of the web. User verification plugins handle sensitive authentication flows. A CVSS 9.8 in this context means mass exploitation potential for WordPress sites using this plugin.
What to do: Update the plugin immediately or deactivate it if no patch is available. Audit user accounts for unauthorized changes.
4. CVE-2022-50993: Weaver E-office Remote Exploitation (CVSS 9.8)
What it is: A remote code execution vulnerability in Weaver (Fanwei) E-office, a widely used enterprise OA system in Asia-Pacific markets.
Why it matters: Enterprise OA systems handle internal documents, approvals and workflows. RCE at CVSS 9.8 means complete compromise of the collaboration platform and access to all internal business data flowing through it.
5. CVE-2026-41873: Apache Pony Mail (CVSS 9.8)
What it is: A critical vulnerability in Apache Pony Mail, the mailing list archive system used by many open-source projects and organizations for email archival.
Why it matters: Mailing list archives often contain sensitive technical discussions, security disclosures and internal communications. Compromise could expose pre-disclosure security discussions.
Trends This Week
Remote code execution dominated. 26 of 53 vulnerabilities this week involve RCE. This is not new, but the volume is elevated. When nearly half of all disclosures give attackers the ability to execute arbitrary code on your systems, the message is clear: patch management is not optional.
Authentication bypasses are the second biggest category. 15 vulnerabilities this week involve some form of authentication bypass or improper access control. The cPanel CVE is the most severe example, but the pattern extends across WordPress plugins, enterprise applications and web frameworks. Credential security and access control remain the weakest link in most organizations.
WordPress plugin vulnerabilities continue at a steady pace. 7 cross-site scripting vulnerabilities in WordPress plugins this week. WordPress site owners need a plugin audit process, not just core updates.
The Linux kernel is not untouchable. copy.fail sat in the kernel for nine years. Your container isolation assumptions may be wrong. Kernel-level security assessments should be part of your infrastructure review, not an afterthought.
By the Numbers
| Metric | Count |
| --- | --- |
| Total CVEs analyzed | 53 |
| Critical (9.0+) | 6 |
| High (7.0-8.9) | 47 |
| CISA KEV additions | 1 |
| Remote code execution | 26 |
| Authentication bypass | 15 |
| Cross-site scripting | 7 |
| SQL injection | 5 |
What to Patch First
If you only patch five things this week, patch these. In order of priority:
- CVE-2026-41940: cPanel auth bypass (CVSS 9.8, CISA KEV, active exploitation). Deadline: May 3, 2026. Update cPanel to 136.0.5+. This is mandatory if you follow the KEV catalog.
- CVE-2026-31431: copy.fail Linux container escape (CVSS 9.8, public exploit). Disable algif_aead on every Linux system. Schedule kernel updates. Priority for Kubernetes, Docker and CI/CD infrastructure.
- CVE-2026-7458: WordPress User Verification plugin (CVSS 9.8). Update or deactivate the plugin. Audit user accounts.
- CVE-2022-50993: Weaver E-office RCE (CVSS 9.8). If you run Weaver E-office, patch immediately.
- CVE-2026-41873: Apache Pony Mail (CVSS 9.8). Update if you run Pony Mail for mailing list archival.
Everything else this week is HIGH severity (7.0-8.9). Prioritize RCE vulnerabilities in products you actually run. The full CVE index is below.
Need Help Prioritizing?
53 CVEs in one week is a lot to triage, especially without a dedicated security team. If you are unsure which of these affect your stack, or if you need to validate that your patching actually closed the gaps, that is exactly what a penetration test confirms.
Our free security scorecard gives you a starting point. It shows your external attack surface in 60 seconds. From there, we can scope a targeted assessment based on this week's threat landscape and your specific infrastructure.
Full CVE Index (April 26 to May 2, 2026)
All 53 CVEs analyzed this week, sorted by severity. Click any entry for the full analysis with remediation guidance.
Critical (CVSS 9.0+)
- CVE-2026-41940: cPanel and WHM authentication bypass (CVSS 9.8, CISA KEV)
- CVE-2026-7458: User Verification by PickPlugins (CVSS 9.8)
- CVE-2022-50993: Weaver E-office remote exploitation (CVSS 9.8)
- CVE-2026-5166: Directory traversal (CVSS 9.8)
- CVE-2026-41386: OpenClaw privilege escalation (CVSS 9.8)
- CVE-2026-41873: Apache Pony Mail (CVSS 9.8)
High (CVSS 7.0-8.9)
47 HIGH severity CVEs were published this week across web frameworks, plugins, enterprise software and infrastructure components. Browse the full list on our Intelligence Feed (CVE Analysis filter).