What were the most critical CVEs disclosed this week?

This week's roundup covers 214 critical vulnerability disclosures analyzed by Sherlock Forensics. Each CVE is assessed for real-world exploitability, affected product prevalence and recommended remediation priority. Organizations running affected products should check the detailed analysis below and prioritize patching based on CVSS severity and active exploitation status.

How should organizations respond to new CVE disclosures?

Effective CVE response requires automated vulnerability scanning that checks your asset inventory against new disclosures within 24 hours, a prioritized patching workflow that addresses critical and actively exploited vulnerabilities within 72 hours, compensating controls for vulnerabilities that cannot be immediately patched, and validation testing to confirm patches are effective. Sherlock Forensics managed security service automates this workflow.

Where can I get professional help responding to these vulnerabilities?

Sherlock Forensics offers emergency CVE response assessments with 24-hour turnaround to verify whether your specific deployment is vulnerable and test whether your compensating controls block exploitation. Managed security clients receive automated alerting when new CVEs affect their technology stack. Contact 604.229.1994 for immediate assistance.

Weekly Security Roundup 2026-05-18

This Week in Cybersecurity

We analyzed 214 vulnerabilities rated HIGH or CRITICAL this week, with 30 scoring 9.0 or above. Remote code execution was the dominant attack type at 104 vulnerabilities, followed by authentication bypass at 106. Cross-site scripting accounted for 0 and SQL injection for 0.

What to Patch First

If you only patch a few things this week, start with the CRITICAL entries below. These represent the highest risk based on CVSS score, exploit availability and affected product prevalence.

Critical (CVSS 9.0+)

CVE-2026-5229: CVE-2026-5229: Form Notify plugin for Authentication bypass (CVSS 9.8)
CVE-2026-46364: CVE-2026-46364: phpMyFAQ before 4.1.2 unauthenticated SQL (CVSS 9.8)
CVE-2026-8634: CVE-2026-8634: Crabbox prior to v0.12.0 Vulnerability - (CVSS 9.1)
CVE-2026-2347: CVE-2026-2347: Authorization bypass through User-Controlled (CVSS 9.8)
CVE-2026-6512: CVE-2026-6512: InfusedWoo Pro plugin for Authorization (CVSS 9.1)
CVE-2026-6510: CVE-2026-6510: InfusedWoo Pro plugin for PrivilegEscalation (CVSS 9.8)
CVE-2025-11024: CVE-2025-11024: Improper neutralization of special SQL (CVSS 9.8)
CVE-2026-8181: CVE-2026-8181: BurStatistics – Privacy-Friendly (CVSS 9.8)
CVE-2026-41615: CVE-2026-41615: Exposure of sensitive information (CVSS 9.6)
CVE-2026-6271: CVE-2026-6271: Career Section plugin foRemote codExecution (CVSS 9.8)
CVE-2026-41225: CVE-2026-41225: A vulnerability exists in CVSS 9.1 - (CVSS 9.1)
CVE-2025-6577: CVE-2025-6577: Improper neutralization of special SQL (CVSS 9.8)
CVE-2026-33117: CVE-2026-33117: Improper authentication in Azure (CVSS 9.1)
CVE-2026-42898: CVE-2026-42898: Improper control of generation Code (CVSS 9.9)
CVE-2026-34659: CVE-2026-34659: Adobe Connect versions 2025.9.15, Remote (CVSS 9.6)
CVE-2026-25786: CVE-2026-25786: AffecteDevices do not Vulnerability - (CVSS 9.1)
CVE-2026-41551: CVE-2026-41551: ROS# (CVSS 9.1)
CVE-2026-34263: CVE-2026-34263: Due to improper Spring Code injection - (CVSS 9.6)
CVE-2025-40949: CVE-2025-40949: RUGGEDCOM ROX MX5000 (CVSS 9.1)
CVE-2026-41096: CVE-2026-41096: Heap-based buffer overflow in CVSS 9.8 - (CVSS 9.8)
CVE-2026-34660: CVE-2026-34660: Adobe Connect versions 2025.9.15, Remote (CVSS 9.3)
CVE-2026-41089: CVE-2026-41089: Stack-based buffer overflow in CVSS 9.8 - (CVSS 9.8)
CVE-2026-40402: CVE-2026-40402: Use after free in PrivilegEscalation - (CVSS 9.3)
CVE-2026-25787: CVE-2026-25787: AffecteDevices do not Vulnerability - (CVSS 9.1)
CVE-2026-34260: CVE-2026-34260: SAP S/4HANA (CVSS 9.6)
CVE-2026-42823: CVE-2026-42823: Improper access control in (CVSS 9.9)
CVE-2026-41103: CVE-2026-41103: Incorrect implementation of authentication (CVSS 9.1)
CVE-2026-40379: CVE-2026-40379: Exposure of sensitive information (CVSS 9.3)
CVE-2026-22924: CVE-2026-22924: SIMATICN 4100 (CVSS 9.1)
CVE-2026-42833: CVE-2026-42833: Execution with unnecessary privileges (CVSS 9.1)

By the Numbers

Total CVEs analyzed	214
Critical (9.0+)	30
High (7.0-8.9)	184
Remote code execution	104
Authentication bypass	106
Cross-site scripting	0
SQL injection	0

Full CVE Index

All 214 CVEs analyzed this week. Click any entry for the full analysis with remediation guidance.

Critical (CVSS 9.0+)

CVE-2026-5229: CVE-2026-5229: Form Notify plugin for Authentication bypass (CVSS 9.8)
CVE-2026-46364: CVE-2026-46364: phpMyFAQ before 4.1.2 unauthenticated SQL (CVSS 9.8)
CVE-2026-8634: CVE-2026-8634: Crabbox prior to v0.12.0 Vulnerability - (CVSS 9.1)
CVE-2026-2347: CVE-2026-2347: Authorization bypass through User-Controlled (CVSS 9.8)
CVE-2026-6512: CVE-2026-6512: InfusedWoo Pro plugin for Authorization (CVSS 9.1)
CVE-2026-6510: CVE-2026-6510: InfusedWoo Pro plugin for PrivilegEscalation (CVSS 9.8)
CVE-2025-11024: CVE-2025-11024: Improper neutralization of special SQL (CVSS 9.8)
CVE-2026-8181: CVE-2026-8181: BurStatistics – Privacy-Friendly (CVSS 9.8)
CVE-2026-41615: CVE-2026-41615: Exposure of sensitive information (CVSS 9.6)
CVE-2026-6271: CVE-2026-6271: Career Section plugin foRemote codExecution (CVSS 9.8)
CVE-2026-41225: CVE-2026-41225: A vulnerability exists in CVSS 9.1 - (CVSS 9.1)
CVE-2025-6577: CVE-2025-6577: Improper neutralization of special SQL (CVSS 9.8)
CVE-2026-33117: CVE-2026-33117: Improper authentication in Azure (CVSS 9.1)
CVE-2026-42898: CVE-2026-42898: Improper control of generation Code (CVSS 9.9)
CVE-2026-34659: CVE-2026-34659: Adobe Connect versions 2025.9.15, Remote (CVSS 9.6)
CVE-2026-25786: CVE-2026-25786: AffecteDevices do not Vulnerability - (CVSS 9.1)
CVE-2026-41551: CVE-2026-41551: ROS# (CVSS 9.1)
CVE-2026-34263: CVE-2026-34263: Due to improper Spring Code injection - (CVSS 9.6)
CVE-2025-40949: CVE-2025-40949: RUGGEDCOM ROX MX5000 (CVSS 9.1)
CVE-2026-41096: CVE-2026-41096: Heap-based buffer overflow in CVSS 9.8 - (CVSS 9.8)
CVE-2026-34660: CVE-2026-34660: Adobe Connect versions 2025.9.15, Remote (CVSS 9.3)
CVE-2026-41089: CVE-2026-41089: Stack-based buffer overflow in CVSS 9.8 - (CVSS 9.8)
CVE-2026-40402: CVE-2026-40402: Use after free in PrivilegEscalation - (CVSS 9.3)
CVE-2026-25787: CVE-2026-25787: AffecteDevices do not Vulnerability - (CVSS 9.1)
CVE-2026-34260: CVE-2026-34260: SAP S/4HANA (CVSS 9.6)
CVE-2026-42823: CVE-2026-42823: Improper access control in (CVSS 9.9)
CVE-2026-41103: CVE-2026-41103: Incorrect implementation of authentication (CVSS 9.1)
CVE-2026-40379: CVE-2026-40379: Exposure of sensitive information (CVSS 9.3)
CVE-2026-22924: CVE-2026-22924: SIMATICN 4100 (CVSS 9.1)
CVE-2026-42833: CVE-2026-42833: Execution with unnecessary privileges (CVSS 9.1)

High (CVSS 7.0-8.9)

184 HIGH severity CVEs were published this week. Browse the full list on our Intelligence Feed (CVE Analysis filter).