What were the most critical CVEs disclosed this week?

This week's roundup covers 78 vulnerability disclosures analyzed by Sherlock Forensics. 17 scored 9.0 or above (critical) and 61 rated high. Each CVE is grouped by vendor and assessed for real-world exploitability with patching priorities.

How should organizations respond to new CVE disclosures?

Start with automated vulnerability scanning against new disclosures within 24 hours. Patch critical and actively exploited vulnerabilities within 72 hours. Deploy compensating controls for anything you cannot patch immediately. Validate that your patches actually work. Sherlock Forensics managed security service automates this entire workflow.

Where can I get professional help responding to these vulnerabilities?

Sherlock Forensics offers emergency CVE response assessments with 24-hour turnaround to verify whether your deployment is vulnerable and test whether your compensating controls block exploitation. Managed security clients receive automated alerting when new CVEs affect their technology stack. Contact 604.229.1994 for immediate assistance.

Weekly Security Roundup: May 18 to May 31, 2026

The Week in Security

Other had 59 vulnerabilities this week including HestiaCP versions 1.9.0 through Deserialization (CVSS 10.0). Microsoft had 7 vulnerabilities this week including nlnetlabs unbound Vulnerability (CVSS 10.0). Microsoft Azure got hit with a CVSS 10.0 for Improper authentication in Azure Privilege escalation.

We tracked 78 vulnerabilities this week. 17 scored 9.0 or above. If you only have time for one thing today, scroll to "What To Do This Week" at the bottom.

Other Had a Rough Week

59 vulnerabilities across Other products this week. The worst: CVE-2026-43633 (CVSS 10.0) lets attackers run code on your systems. Patch now if you run Other.

CVE-2026-43633: HestiaCP versions 1.9.0 through Deserialization (CVSS 10.0)
CVE-2026-20223: A vulnerability in the access CVSS 10.0 (CVSS 10.0)
CVE-2026-9141: Taiko AG1000-01A SMS Alert Authentication bypass (CVSS 9.8)
CVE-2026-9139: Taiko AG1000-01A SMS Alert Vulnerability (CVSS 9.8)
CVE-2026-8836: lwIP up to 2.2.1. Buffer overflow (CVSS 9.8)
CVE-2026-6279: Avada Builder Plugin Remote Code Execution (CVSS 9.8)
CVE-2026-5118: Divi Form Builder plugin Privilege escalation (CVSS 9.8)
CVE-2026-45230: DumbAssets through 1.0.11 path Directory traversal (CVSS 9.1)
CVE-2026-8776: Edimax BR-6428NS 1.10. This Buffer overflow (CVSS 8.8)
CVE-2026-8775: A flaw has been Buffer overflow (CVSS 8.8)
CVE-2026-7522: AdvanceDatabase Cleaner - Authorization bypass (CVSS 8.8)
CVE-2026-7498: Improper neutralization of input Cross-site scripting (CVSS 8.8)
CVE-2026-7467: Read More & Accordion Privilege escalation (CVSS 8.8)
CVE-2026-5200: AcyMailing - An Ultimate Vulnerability (CVSS 8.8)
CVE-2026-47102: LiteLLM prior to 1.83.10 Vulnerability (CVSS 8.8)
CVE-2026-47101: LiteLLM prior to 1.83.14 Privilege escalation (CVSS 8.8)
CVE-2026-24425: Twig versions 2.16.x and Vulnerability (CVSS 8.8)
CVE-2026-5804: An improper authentication vulnerability CVSS 8.4 (CVSS 8.4)
CVE-2026-48235: Open ISES Tickets before SQL injection (CVSS 8.2)
CVE-2026-8851: SOGo 5.12.7 SQL injection CVSS 8.1 (CVSS 8.1)
CVE-2026-8711: NGINX JavaScript has a Buffer overflow (CVSS 8.1)
CVE-2026-7504: A flaw was found Vulnerability (CVSS 8.1)
CVE-2026-48242: Open ISES Tickets before Vulnerability (CVSS 8.1)
CVE-2026-48241: Open ISES Tickets before Vulnerability (CVSS 8.1)
CVE-2026-43618: Rsync version 3.4.2 and prior Vulnerability (CVSS 8.1)
CVE-2026-47092: Claude HUD through 0.0.12, Remote code execution (CVSS 7.8)
CVE-2026-22554: MediaArea MediaInfoLib Channel Splitting Buffer overflow (CVSS 7.8)
CVE-2026-41948: Dify version 1.14.1 and Directory traversal (CVSS 7.7)
CVE-2026-9144: Taiko AG1000-01A SMS Alert Cross-site scripting (CVSS 7.6)
CVE-2026-5783: Improper neutralization of input Cross-site scripting (CVSS 7.6)
CVE-2026-9064: A flaw was found Denial of service (CVSS 7.5)
CVE-2026-9011: Ditty - Responsive News Authorization bypass (CVSS 7.5)
CVE-2026-9003: E-LAN Hybrid Recording System SQL injection (CVSS 7.5)
CVE-2026-8073: Kirki - Freeform Page File read (CVSS 7.5)
CVE-2026-7507: A session fixation vulnerability CVSS 7.5 (CVSS 7.5)
CVE-2026-7307: A flaw was found Denial of service (CVSS 7.5)
CVE-2026-5946: Multiple flaws have been Vulnerability (CVSS 7.5)
CVE-2026-43634: HestiaCP versions 1.2.0 through Vulnerability (CVSS 7.5)
CVE-2026-42009: A flaw was found Denial of service (CVSS 7.5)
CVE-2026-3985: Creative Mail - Easier SQL injection (CVSS 7.5)
CVE-2026-3039: BIND servers that are Vulnerability (CVSS 7.5)
CVE-2026-20239: In Splunk Enterprise versions Vulnerability (CVSS 7.5)
CVE-2025-13479: Authorization bypass through User-Controlled CVSS 7.5 (CVSS 7.5)
CVE-2026-41947: Dify version 1.14.1 and Authorization bypass (CVSS 7.4)
CVE-2026-8785: A flaw has been SQL injection (CVSS 7.3)
CVE-2026-8771: linlinjava litemall up to SQL injection (CVSS 7.3)
CVE-2026-7613: Cost of Goods by Cross-site scripting (CVSS 7.2)
CVE-2026-7571: A flaw was found Information disclosure (CVSS 7.1)
CVE-2026-48240: Open ISES Tickets before SQL injection (CVSS 7.1)
CVE-2026-48239: Open ISES Tickets before SQL injection (CVSS 7.1)
CVE-2026-48238: Open ISES Tickets before SQL injection (CVSS 7.1)
CVE-2026-48237: Open ISES Tickets before SQL injection (CVSS 7.1)
CVE-2026-48236: Open ISES Tickets before SQL injection (CVSS 7.1)
CVE-2026-48234: Open ISES Tickets before SQL injection (CVSS 7.1)
CVE-2026-48233: Open ISES Tickets before SQL injection (CVSS 7.1)
CVE-2026-48232: Open ISES Tickets before SQL injection (CVSS 7.1)
CVE-2026-48231: Open ISES Tickets before SQL injection (CVSS 7.1)
CVE-2025-13477: Exposure of private personal Authentication bypass (CVSS 7.1)
CVE-2026-29518: Rsync versions before 3.4.3 Privilege escalation (CVSS 7.0)

Microsoft: 4 Critical Flaws at Once

7 vulnerabilities across Microsoft products this week. The worst: CVE-2026-42960 (CVSS 10.0) lets anyone bypass authentication. Patch now if you run Microsoft.

CVE-2026-42960: nlnetlabs unbound Vulnerability (CVSS 10.0)
CVE-2026-4885: Piotnet Addons for Elementor Remote code execution (CVSS 9.8)
CVE-2026-4883: Piotnet Forms plugin for Remote code execution (CVSS 9.8)
CVE-2026-33278: nlnetlabs unbound Remote code execution (CVSS 9.8)
CVE-2026-45584: microsoft malware protection engine Buffer overflow (CVSS 8.1)
CVE-2026-42834: microsoft windows admin center Privilege escalation (CVSS 7.8)
CVE-2026-42944: nlnetlabs unbound Vulnerability (CVSS 7.5)

Microsoft Azure Hit With CVSS 10.0

CVE-2026-42822 scores a 10.0. Microsoft Azure lets attackers run code on your systems.

CVE-2026-42822: Improper authentication in Azure Privilege escalation (CVSS 10.0)

WordPress Had a Rough Week

10 vulnerabilities across WordPress products this week. The worst: CVE-2026-7637 (CVSS 9.8) lets attackers run code on your systems. Patch now if you run WordPress.

CVE-2026-7637: Boost plugin for WordPress Deserialization (CVSS 9.8)
CVE-2026-7284: Easy Elements for Elementor Privilege escalation (CVSS 9.8)
CVE-2026-6960: BookingPress Pro plugin for Remote code execution (CVSS 9.8)
CVE-2026-6555: ProSolution WP Client plugin Remote code execution (CVSS 9.8)
CVE-2026-9018: Easy Elements for Elementor Privilege escalation (CVSS 8.8)
CVE-2026-6456: Account Switcher plugin for Privilege escalation (CVSS 8.8)
CVE-2026-9010: Boost plugin for WordPresSQL injection (CVSS 7.5)
CVE-2026-8912: Contest Gallery plugin for SQL injection (CVSS 7.5)
CVE-2026-8679: AudioIgniter plugin for WordPress Vulnerability (CVSS 7.5)
CVE-2026-4834: WP ERPro plugin SQL injection (CVSS 7.5)

Google Chrome Hit With CVSS 8.8

CVE-2026-45495 scores a 8.8. Google Chrome lets attackers run code on your systems.

CVE-2026-45495: Microsoft Edge (Chromium) Remote Code Execution (CVSS 8.8)

By the Numbers

Total CVEs analyzed	78
Critical (9.0+)	17
High (7.0-8.9)	61
Remote code execution	55
Authentication bypass	23
Cross-site scripting	0
SQL injection	0

What To Do This Week

One action item per vendor. Start at the top and work down.

Other: Update immediately. 8 critical-severity issues patched this week.
Microsoft: Update immediately. 4 critical-severity issues patched this week.
Microsoft Azure: Update immediately. 1 critical-severity issues patched this week.
WordPress: Update immediately. 4 critical-severity issues patched this week.
Google Chrome: Review and patch 1 high-severity vulnerabilities when possible.