What were the most critical CVEs disclosed this week?

This week's roundup covers 233 vulnerability disclosures analyzed by Sherlock Forensics. 30 scored 9.0 or above (critical) and 203 rated high. Each CVE is grouped by vendor and assessed for real-world exploitability with patching priorities.

How should organizations respond to new CVE disclosures?

Start with automated vulnerability scanning against new disclosures within 24 hours. Patch critical and actively exploited vulnerabilities within 72 hours. Deploy compensating controls for anything you cannot patch immediately. Validate that your patches actually work. Sherlock Forensics managed security service automates this entire workflow.

Where can I get professional help responding to these vulnerabilities?

Sherlock Forensics offers emergency CVE response assessments with 24-hour turnaround to verify whether your deployment is vulnerable and test whether your compensating controls block exploitation. Managed security clients receive automated alerting when new CVEs affect their technology stack. Contact 604.229.1994 for immediate assistance.

Weekly Security Roundup: May 11 to May 24, 2026

The Week in Security

Other had 188 vulnerabilities this week including Improper control of generation Code (CVSS 9.9). WordPress had 15 vulnerabilities this week including InfusedWoo Pro plugin for PrivilegEscalation (CVSS 9.8). PHP got hit with a CVSS 9.8 for phpMyFAQ before 4.1.2 unauthenticated SQL.

We tracked 233 vulnerabilities this week. 30 scored 9.0 or above. If you only have time for one thing today, scroll to "What To Do This Week" at the bottom.

Other Had a Rough Week

188 vulnerabilities across Other products this week. The worst: CVE-2026-42898 (CVSS 9.9) lets attackers run code on your systems. Patch now if you run Other.

CVE-2026-42898: Improper control of generation Code (CVSS 9.9)
CVE-2026-42823: Improper access control in (CVSS 9.9)
CVE-2026-8181: BurStatistics – Privacy-Friendly (CVSS 9.8)
CVE-2026-41096: Heap-based buffer overflow in CVSS 9.8 (CVSS 9.8)
CVE-2026-41089: Stack-based buffer overflow in CVSS 9.8 (CVSS 9.8)
CVE-2026-2347: Authorization bypass through User-Controlled (CVSS 9.8)
CVE-2025-6577: Improper neutralization of special SQL (CVSS 9.8)
CVE-2025-11024: Improper neutralization of special SQL (CVSS 9.8)
CVE-2026-41615: Exposure of sensitive information (CVSS 9.6)
CVE-2026-40402: Use after free in PrivilegEscalation (CVSS 9.3)
CVE-2026-40379: Exposure of sensitive information (CVSS 9.3)
CVE-2026-8634: Crabbox prior to v0.12.0 Vulnerability (CVSS 9.1)
CVE-2026-42833: Execution with unnecessary privileges (CVSS 9.1)
CVE-2026-41551: ROS# (CVSS 9.1)
CVE-2026-41225: A vulnerability exists in CVSS 9.1 (CVSS 9.1)
CVE-2026-41103: Incorrect implementation of authentication (CVSS 9.1)
CVE-2026-25787: AffecteDevices do not Vulnerability (CVSS 9.1)
CVE-2026-25786: AffecteDevices do not Vulnerability (CVSS 9.1)
CVE-2026-8719: AI Engine – The PrivilegEscalation (CVSS 8.8)
CVE-2026-8621: Crabbox prior to v0.12.0 Authentication (CVSS 8.8)
CVE-2026-8449: Linux ksmbd remote memory PrivilegEscalation (CVSS 8.8)
CVE-2026-8429: SPIP versions prior to Remote codExecution (CVSS 8.8)
CVE-2026-8260: D-Link DCS-935L up to Buffer overflow (CVSS 8.8)
CVE-2026-7256: ** UNSUPPORTED WHEN ASSIGNED Command (CVSS 8.8)
CVE-2026-6281: A potential vulnerability was Remote (CVSS 8.8)
CVE-2026-6228: Frontend Admin by DynamiApps (CVSS 8.8)
CVE-2026-6001: Authorization bypass through User-Controlled (CVSS 8.8)
CVE-2026-45229: Quark Drive before 0.8.5 Vulnerability (CVSS 8.8)
CVE-2026-45227: Heym before 0.0.21 sandbox Vulnerability (CVSS 8.8)
CVE-2026-45006: OpenClaw before 2026.4.23 improper (CVSS 8.8)
CVE-2026-44293: protobufjs project protobufjs Vulnerability (CVSS 8.8)
CVE-2026-41957: An authenticated remote code Remote (CVSS 8.8)
CVE-2026-41109: Improper neutralization of special (CVSS 8.8)
CVE-2026-41094: Improper control of generation Code (CVSS 8.8)
CVE-2026-41086: Improper access control in (CVSS 8.8)
CVE-2026-40420: Improper access control in (CVSS 8.8)
CVE-2026-40403: Heap-based buffer overflow in CVSS 8.8 (CVSS 8.8)
CVE-2026-40365: Insufficient granularity of access (CVSS 8.8)
CVE-2026-40357: Deserialization of untrusteData CVSS 8.8 (CVSS 8.8)
CVE-2026-35439: Deserialization of untrusteData CVSS 8.8 (CVSS 8.8)
CVE-2026-35436: Insufficient granularity of access (CVSS 8.8)
CVE-2026-34329: Heap-based buffer overflow in CVSS 8.8 (CVSS 8.8)
CVE-2026-33112: Deserialization of untrusteData CVSS 8.8 (CVSS 8.8)
CVE-2026-33110: Deserialization of untrusteData CVSS 8.8 (CVSS 8.8)
CVE-2026-2465: Incorrect Authorization vulnerability in (CVSS 8.8)
CVE-2025-15025: Authorization bypass through (CVSS 8.8)
CVE-2025-15024: Improper Control of Generation Code (CVSS 8.8)
CVE-2025-15023: Incorrect Authorization vulnerability in (CVSS 8.8)
CVE-2025-12008: Authorization bypass through (CVSS 8.8)
CVE-2026-42930: When running in Appliance Vulnerability (CVSS 8.7)
CVE-2026-42924: An authenticated attacker with (CVSS 8.7)
CVE-2026-41953: A vulnerability exists in (CVSS 8.7)
CVE-2026-40698: A vulnerability exists in (CVSS 8.7)
CVE-2026-40631: An authenticated attacker with (CVSS 8.7)
CVE-2026-40061: When BIG-IP DNS is Vulnerability - Sherlock (CVSS 8.7)
CVE-2026-34176: When running in Appliance Command injection (CVSS 8.7)
CVE-2026-32673: A vulnerability exists in CVSS 8.7 (CVSS 8.7)
CVE-2026-20224: A vulnerability in the XXE - Sherlock (CVSS 8.6)
CVE-2026-40367: Untrusted pointer dereference in (CVSS 8.4)
CVE-2026-40366: Use after free in Vulnerability - Sherlock (CVSS 8.4)
CVE-2026-40364: Access of resource using Vulnerability (CVSS 8.4)
CVE-2026-40363: Heap-based buffer overflow in CVSS 8.4 (CVSS 8.4)
CVE-2026-40361: Use after free in Vulnerability - Sherlock (CVSS 8.4)
CVE-2026-40358: Use after free in Vulnerability - Sherlock (CVSS 8.4)
CVE-2026-34963: barebox version prior to Buffer overflow (CVSS 8.4)
CVE-2026-5395: Fluent Forms – Customizable Vulnerability (CVSS 8.2)
CVE-2026-34259: Due to an OS Vulnerability - Sherlock (CVSS 8.2)
CVE-2026-33833: Improper neutralization of special (CVSS 8.2)
CVE-2026-8629: Crabbox prior to v0.12.0 PrivilegEscalation (CVSS 8.1)
CVE-2026-6282: A potential improper file Vulnerability (CVSS 8.1)
CVE-2026-43640: Bitwarden Server prior to Vulnerability (CVSS 8.1)
CVE-2026-42897: Improper neutralization of input Cross-site (CVSS 8.1)
CVE-2026-4094: FOX – Currency Switcher Vulnerability (CVSS 8.1)
CVE-2026-40415: Use after free in Vulnerability - Sherlock (CVSS 8.1)
CVE-2026-3892: Motors – Car Dealership File read (CVSS 8.1)
CVE-2026-20916: An authenticated iControl REST File read (CVSS 8.1)
CVE-2026-4802: A flaWas found Vulnerability - Sherlock (CVSS 8.0)
CVE-2026-43639: Bitwarden Server prior to Vulnerability (CVSS 8.0)
CVE-2026-40368: Deserialization of untrusteData CVSS 8.0 (CVSS 8.0)
CVE-2026-34332: Use after free in Vulnerability - Sherlock (CVSS 8.0)
CVE-2026-41217: A vulnerability exists in CVSS 7.9 (CVSS 7.9)
CVE-2026-45004: OpenClaw before 2026.4.23 arbitrary Remote (CVSS 7.8)
CVE-2026-44412: Solid Edge SE2026 (CVSS 7.8)
CVE-2026-42896: Integer overflow or wraparound (CVSS 7.8)
CVE-2026-42831: Heap-based buffer overflow in CVSS 7.8 (CVSS 7.8)
CVE-2026-41611: Improper neutralization of script-related (CVSS 7.8)
CVE-2026-41088: External control oFile PrivilegEscalation (CVSS 7.8)
CVE-2026-40419: Use after free in PrivilegEscalation (CVSS 7.8)
CVE-2026-40418: Use after free in PrivilegEscalation (CVSS 7.8)
CVE-2026-40417: Weak authentication in Dynamics (CVSS 7.8)
CVE-2026-40408: Use after free in PrivilegEscalation (CVSS 7.8)
CVE-2026-40407: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-40399: Stack-based buffer overflow in (CVSS 7.8)
CVE-2026-40398: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-40397: Integer underflow (CVSS 7.8)
CVE-2026-40382: Use after free in PrivilegEscalation (CVSS 7.8)
CVE-2026-40381: Improper access control in (CVSS 7.8)
CVE-2026-40377: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-40369: Untrusted pointer dereference in (CVSS 7.8)
CVE-2026-40362: Heap-based buffer overflow in CVSS 7.8 (CVSS 7.8)
CVE-2026-40359: Use after free in Vulnerability - Sherlock (CVSS 7.8)
CVE-2026-35421: Heap-based buffer overflow in CVSS 7.8 (CVSS 7.8)
CVE-2026-35420: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-35418: Use after free in PrivilegEscalation (CVSS 7.8)
CVE-2026-35417: Access of resource using PrivilegEscalation (CVSS 7.8)
CVE-2026-35415: Integer overflow or wraparound (CVSS 7.8)
CVE-2026-34690: After Effects versions 26.0, Remote (CVSS 7.8)
CVE-2026-34682: Substance3D - Designer versions Remote (CVSS 7.8)
CVE-2026-34681: Substance3D - Designer versions Remote (CVSS 7.8)
CVE-2026-34644: After Effects versions 26.0, Remote (CVSS 7.8)
CVE-2026-34643: After Effects versions 26.0, Remote (CVSS 7.8)
CVE-2026-34642: After Effects versions 26.0, Remote (CVSS 7.8)
CVE-2026-34640: Media Encoder versions 26.0.2, Remote (CVSS 7.8)
CVE-2026-34639: Media Encoder versions 26.0.2, Remote (CVSS 7.8)
CVE-2026-34638: Premiere Pro versions 26.0.2, Remote (CVSS 7.8)
CVE-2026-34637: Premiere Pro versions 26.0.2, Remote (CVSS 7.8)
CVE-2026-34636: Premiere Pro versions 26.0.2, Remote (CVSS 7.8)
CVE-2026-34351: Concurrent execution using shared (CVSS 7.8)
CVE-2026-34344: Access of resource using PrivilegEscalation (CVSS 7.8)
CVE-2026-34343: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-34338: Use after free in PrivilegEscalation (CVSS 7.8)
CVE-2026-34337: Use after free in PrivilegEscalation (CVSS 7.8)
CVE-2026-34334: Concurrent execution using shared (CVSS 7.8)
CVE-2026-34333: Use after free in PrivilegEscalation (CVSS 7.8)
CVE-2026-34330: Integer overflow or wraparound (CVSS 7.8)
CVE-2026-33841: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-33840: Use after free in PrivilegEscalation (CVSS 7.8)
CVE-2026-33837: Heap-based buffer overflow in (CVSS 7.8)
CVE-2026-33835: Use after free in PrivilegEscalation (CVSS 7.8)
CVE-2026-33834: Improper access control in (CVSS 7.8)
CVE-2026-32204: External control oFile PrivilegEscalation (CVSS 7.8)
CVE-2026-42832: Improper access control in Authorization (CVSS 7.7)
CVE-2026-27662: AffecteDevices do not Vulnerability (CVSS 7.7)
CVE-2026-45225: Heym before 0.0.21 path Directory traversal (CVSS 7.6)
CVE-2026-7287: ** UNSUPPORTED WHEN ASSIGNED Buffer overflow (CVSS 7.5)
CVE-2026-5773: haxx curl Vulnerability (CVSS 7.5)
CVE-2026-42920: When a Client SSL Vulnerability - Sherlock (CVSS 7.5)
CVE-2026-42409: When an HTTP/2 profile Vulnerability (CVSS 7.5)
CVE-2026-41956: When a classification profile Vulnerability (CVSS 7.5)
CVE-2026-41227: On an HTTP/2 virtual Denial of service (CVSS 7.5)
CVE-2026-41218: When BIG-IPEM iRules Vulnerability (CVSS 7.5)
CVE-2026-40618: When an SSL profile Vulnerability (CVSS 7.5)
CVE-2026-40423: When a SIProfile Vulnerability - Sherlock (CVSS 7.5)
CVE-2026-40406: Use after free in Vulnerability - Sherlock (CVSS 7.5)
CVE-2026-40405: Null pointer dereference in Vulnerability (CVSS 7.5)
CVE-2026-39458: When a BIG-IP DNS Vulnerability - Sherlock (CVSS 7.5)
CVE-2026-39455: When the BIG-IP Configuration Vulnerability (CVSS 7.5)
CVE-2026-35424: Missing release of memory Vulnerability (CVSS 7.5)
CVE-2026-34665: CAI Content Credentials versions (CVSS 7.5)
CVE-2026-32161: Concurrent execution using shared (CVSS 7.5)
CVE-2026-2993: AI Chatbot & Workflow SQL injection (CVSS 7.5)
CVE-2026-1250: Court Reservation – Manage SQL injection (CVSS 7.5)
CVE-2025-40833: affecteDevices contain a Denial of service (CVSS 7.5)
CVE-2026-42893: Improper neutralization of special Command (CVSS 7.4)
CVE-2026-40414: Null pointer dereference in Vulnerability (CVSS 7.4)
CVE-2026-40413: Null pointer dereference in Vulnerability (CVSS 7.4)
CVE-2026-8768: vercel ai up to Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-8759: xiandafu beetl up to Vulnerability (CVSS 7.3)
CVE-2026-8758: Metasoft 美特软件 MetaCRM up (CVSS 7.3)
CVE-2026-8757: adenhq hive up to Directory traversal (CVSS 7.3)
CVE-2026-8756: fishaudio Bert-VITS2 up to Directory (CVSS 7.3)
CVE-2026-8755: A flaw has been Directory traversal (CVSS 7.3)
CVE-2026-8751: h2oai h2o-3 up to Deserialization - Sherlock (CVSS 7.3)
CVE-2026-8734: Oinone Pamirs up to SQL injection - Sherlock (CVSS 7.3)
CVE-2026-8725: A weakness has been Vulnerability - Sherlock (CVSS 7.3)
CVE-2026-8321: inkeep agents 0.58.14. This Authentication (CVSS 7.3)
CVE-2026-8305: OpenClaw up to 2026.1.24. Vulnerability (CVSS 7.3)
CVE-2026-44995: OpenClaw before 2026.4.20 improper Code (CVSS 7.3)
CVE-2026-32177: Heap-based buffer overflow in (CVSS 7.3)
CVE-2026-8764: A security vulnerability has Buffer overflow (CVSS 7.2)
CVE-2026-6177: Custom Twitter Feeds plugin Cross-site (CVSS 7.2)
CVE-2026-39459: A vulnerability exists in CVSS 7.2 (CVSS 7.2)
CVE-2026-4609: ProfileGrid – User Profiles, Vulnerability (CVSS 7.1)
CVE-2026-45226: Heym before 0.0.21 Authorization bypass (CVSS 7.1)
CVE-2026-45001: OpenClaw before 2026.4.20 guard SSRF (CVSS 7.1)
CVE-2026-41102: Improper access control in Authorization (CVSS 7.1)
CVE-2026-41101: Improper access control in Authorization (CVSS 7.1)
CVE-2026-40401: Null pointer dereference in Vulnerability (CVSS 7.1)
CVE-2026-25789: AffecteDevices do not Vulnerability (CVSS 7.1)
CVE-2026-42825: Use after free in PrivilegEscalation (CVSS 7.0)
CVE-2026-40410: Use after free in PrivilegEscalation (CVSS 7.0)
CVE-2026-35416: Use after free in PrivilegEscalation (CVSS 7.0)
CVE-2026-34347: Use after free in PrivilegEscalation (CVSS 7.0)
CVE-2026-34345: Concurrent execution using shared (CVSS 7.0)
CVE-2026-34342: Concurrent execution using shared (CVSS 7.0)
CVE-2026-34340: Use after free in PrivilegEscalation (CVSS 7.0)
CVE-2026-34331: Concurrent execution using shared (CVSS 7.0)
CVE-2026-33839: Concurrent execution using shared (CVSS 7.0)

WordPress Had a Rough Week

15 vulnerabilities across WordPress products this week. The worst: CVE-2026-6510 (CVSS 9.8) lets attackers run code on your systems. Patch now if you run WordPress.

CVE-2026-6510: InfusedWoo Pro plugin for PrivilegEscalation (CVSS 9.8)
CVE-2026-6271: Career Section plugin foRemote codExecution (CVSS 9.8)
CVE-2026-5229: Form Notify plugin for Authentication bypass (CVSS 9.8)
CVE-2026-6512: InfusedWoo Pro plugin for Authorization (CVSS 9.1)
CVE-2026-6506: InfusedWoo Pro plugin for PrivilegEscalation (CVSS 8.8)
CVE-2026-3425: RTMKit Addons for Elementor Authorization (CVSS 8.8)
CVE-2026-5396: Fluent Forms plugin for Authorization bypass (CVSS 8.2)
CVE-2026-4030: Database Backup for WordPress File read (CVSS 8.1)
CVE-2026-6514: InfusedWoo Pro plugin for File read (CVSS 7.5)
CVE-2026-6403: Quick Playground plugin for Directory (CVSS 7.5)
CVE-2026-4798: Avada Builder plugin for SQL injection (CVSS 7.5)
CVE-2026-4031: Database Backup for WordPress Authorization (CVSS 7.5)
CVE-2026-4029: Database Backup for WordPress Vulnerability (CVSS 7.5)
CVE-2026-6690: LifePress plugin for WordPress Cross-site (CVSS 7.2)
CVE-2026-3718: ManageWP Worker plugin for Cross-site (CVSS 7.2)

PHP Hit With CVSS 9.8

CVE-2026-46364 scores a 9.8. PHP lets attackers run code on your systems.

CVE-2026-46364: phpMyFAQ before 4.1.2 unauthenticated SQL (CVSS 9.8)

Spring Framework Hit With CVSS 9.6

CVE-2026-34263 scores a 9.6. Spring Framework lets attackers run code on your systems.

CVE-2026-34263: Due to improper Spring Code injection (CVSS 9.6)

SAP Hit With CVSS 9.6

CVE-2026-34260 scores a 9.6. SAP lets attackers run code on your systems.

CVE-2026-34260: SAP S/4HANA (CVSS 9.6)

Adobe Had a Rough Week

16 vulnerabilities across Adobe products this week. The worst: CVE-2026-34659 (CVSS 9.6) lets attackers run code on your systems. Patch now if you run Adobe.

CVE-2026-34659: Adobe Connect versions 2025.9.15, Remote (CVSS 9.6)
CVE-2026-34660: Adobe Connect versions 2025.9.15, Remote (CVSS 9.3)
CVE-2026-34686: Adobe Commerce versions 2.4.9-beta1, (CVSS 8.7)
CVE-2026-34653: Adobe Commerce versions 2.4.9-beta1, (CVSS 8.7)
CVE-2026-34687: adobe illustratoRemote codExecution (CVSS 7.8)
CVE-2026-34676: adobe substance 3d painteRemote (CVSS 7.8)
CVE-2026-34675: adobe substance 3d painteRemote (CVSS 7.8)
CVE-2026-34661: adobe illustratoRemote codExecution (CVSS 7.8)
CVE-2026-34652: Adobe Commerce versions 2.4.9-beta1, (CVSS 7.5)
CVE-2026-34651: Adobe Commerce versions 2.4.9-beta1, (CVSS 7.5)
CVE-2026-34650: Adobe Commerce versions 2.4.9-beta1, (CVSS 7.5)
CVE-2026-34649: Adobe Commerce versions 2.4.9-beta1, (CVSS 7.5)
CVE-2026-34648: Adobe Commerce versions 2.4.9-beta1, (CVSS 7.5)
CVE-2026-34646: Adobe Commerce versions 2.4.9-beta1, (CVSS 7.5)
CVE-2026-34645: Adobe Commerce versions 2.4.9-beta1, (CVSS 7.5)
CVE-2026-34647: Adobe Commerce versions 2.4.9-beta1, SSRF (CVSS 7.4)

Siemens Patches 4 Vulnerabilities

4 vulnerabilities across Siemens products this week. The worst: CVE-2026-22924 (CVSS 9.1) lets attackers run code on your systems. Patch now if you run Siemens.

CVE-2026-22924: SIMATICN 4100 (CVSS 9.1)
CVE-2025-40949: RUGGEDCOM ROX MX5000 (CVSS 9.1)
CVE-2026-22925: SIMATICN 4100 (CVSS 7.5)
CVE-2025-40947: RUGGEDCOM ROX MX5000 (CVSS 7.5)

Microsoft Azure Hit With CVSS 9.1

CVE-2026-33117 scores a 9.1. Microsoft Azure lets attackers run code on your systems.

CVE-2026-33117: Improper authentication in Azure (CVSS 9.1)

Microsoft Patches 5 Vulnerabilities

5 vulnerabilities across Microsoft products this week. The worst: CVE-2026-35438 (CVSS 8.3) lets anyone bypass authentication. Patch now if you run Microsoft.

CVE-2026-35438: Missing authorization in Windows (CVSS 8.3)
CVE-2026-40360: Out-of-bounds read in Microsoft (CVSS 7.8)
CVE-2026-34336: Buffer over-read in Windows Vulnerability (CVSS 7.8)
CVE-2026-33838: Double free in Windows PrivilegEscalation (CVSS 7.8)
CVE-2026-34341: Double free in Windows PrivilegEscalation (CVSS 7.0)

Google Hit With CVSS 7.1

CVE-2026-5371 scores a 7.1. Google lets attackers run code on your systems.

CVE-2026-5371: MonsterInsights – Google Analytics (CVSS 7.1)

By the Numbers

Total CVEs analyzed	233
Critical (9.0+)	30
High (7.0-8.9)	203
Remote code execution	111
Authentication bypass	117
Cross-site scripting	0
SQL injection	0

What To Do This Week

One action item per vendor. Start at the top and work down.

Other: Update immediately. 18 critical-severity issues patched this week.
WordPress: Update immediately. 4 critical-severity issues patched this week.
PHP: Update immediately. 1 critical-severity issues patched this week.
Spring Framework: Update immediately. 1 critical-severity issues patched this week.
SAP: Update immediately. 1 critical-severity issues patched this week.
Adobe: Update immediately. 2 critical-severity issues patched this week.
Siemens: Update immediately. 2 critical-severity issues patched this week.
Microsoft Azure: Update immediately. 1 critical-severity issues patched this week.
Microsoft: Review and patch 5 high-severity vulnerabilities when possible.
Google: Review and patch 1 high-severity vulnerabilities when possible.