What were the most critical CVEs disclosed this week?

This week's roundup covers 179 vulnerability disclosures analyzed by Sherlock Forensics. 28 scored 9.0 or above (critical) and 151 rated high. Each CVE is grouped by vendor and assessed for real-world exploitability with patching priorities.

How should organizations respond to new CVE disclosures?

Start with automated vulnerability scanning against new disclosures within 24 hours. Patch critical and actively exploited vulnerabilities within 72 hours. Deploy compensating controls for anything you cannot patch immediately. Validate that your patches actually work. Sherlock Forensics managed security service automates this entire workflow.

Where can I get professional help responding to these vulnerabilities?

Sherlock Forensics offers emergency CVE response assessments with 24-hour turnaround to verify whether your deployment is vulnerable and test whether your compensating controls block exploitation. Managed security clients receive automated alerting when new CVEs affect their technology stack. Contact 604.229.1994 for immediate assistance.

Weekly Security Roundup: May 25 to June 07, 2026

The Week in Security

Oracle had 18 vulnerabilities this week including Oracle REST Data Services Vulnerability (CVSS 10.0). WordPress had 10 vulnerabilities this week including WP Maps Pro plugin Privilege escalation (CVSS 9.8). Other had 115 vulnerabilities this week including Advanced Custom Fields: Extended Privilege escalation (CVSS 9.8).

We tracked 179 vulnerabilities this week. 28 scored 9.0 or above. If you only have time for one thing today, scroll to "What To Do This Week" at the bottom.

Oracle Had a Rough Week

18 vulnerabilities across Oracle products this week. The worst: CVE-2026-46840 (CVSS 10.0) lets anyone bypass authentication. Patch now if you run Oracle.

CVE-2026-46840: Oracle REST Data Services Vulnerability (CVSS 10.0)
CVE-2026-46839: Oracle REST Data Services Vulnerability (CVSS 9.9)
CVE-2026-46824: Oracle Universal Work Queue Vulnerability (CVSS 9.9)
CVE-2026-46822: Oracle iAssets product of Vulnerability (CVSS 9.9)
CVE-2026-46775: Oracle REST Data Services Vulnerability (CVSS 9.9)
CVE-2026-46817: Oracle Payments product of Vulnerability (CVSS 9.8)
CVE-2026-34311: Oracle Hospitality OPERA 5 Vulnerability (CVSS 9.8)
CVE-2026-46837: Oracle Flow Manufacturing product Vulnerability (CVSS 8.8)
CVE-2026-46827: Oracle Payroll product of Vulnerability (CVSS 8.8)
CVE-2026-46826: Oracle Payroll product of Vulnerability (CVSS 8.8)
CVE-2026-46820: Oracle Financials Common Modules Vulnerability (CVSS 8.5)
CVE-2026-46828: Oracle Payroll product of Vulnerability (CVSS 8.1)
CVE-2026-35277: Oracle REST Data Services Vulnerability (CVSS 8.1)
CVE-2026-35266: Oracle REST Data Services Denial of service (CVSS 7.9)
CVE-2026-46823: Oracle Public Sector Financials Vulnerability (CVSS 7.7)
CVE-2026-46821: Oracle Financials Common Modules Vulnerability (CVSS 7.7)
CVE-2026-46829: Oracle REST Data Services Denial of service (CVSS 7.5)
CVE-2026-46818: Oracle Payments product of Vulnerability (CVSS 7.4)

WordPress Had a Rough Week

10 vulnerabilities across WordPress products this week. The worst: CVE-2026-8732 (CVSS 9.8) lets attackers run code on your systems. Patch now if you run WordPress.

CVE-2026-8732: WP Maps Pro plugin Privilege escalation (CVSS 9.8)
CVE-2026-4290: WP Travel Pro plugin Vulnerability (CVSS 9.1)
CVE-2025-11993: WooCommerce Infinite Scroll and Deserialization (CVSS 8.8)
CVE-2026-6455: WP Contact Form 7 SQL injection (CVSS 8.1)
CVE-2026-9757: GEO my WP plugin SQL injection (CVSS 7.5)
CVE-2026-9200: Query Shortcode plugin for Authorization bypass (CVSS 7.5)
CVE-2026-8143: HBook plugin for WordPress Cross-site scripting (CVSS 7.2)
CVE-2026-7634: SlimStat Analytics plugin for Cross-site scripting (CVSS 7.2)
CVE-2026-6169: affiliate-toolkit plugin for WordPress Remote code execution (CVSS 7.2)
CVE-2026-3375: LiteSpeed Cache plugin for Cross-site scripting (CVSS 7.2)

Other Had a Rough Week

115 vulnerabilities across Other products this week. The worst: CVE-2026-8809 (CVSS 9.8) needs your attention. Patch now if you run Other.

CVE-2026-8809: Advanced Custom Fields: Extended Privilege escalation (CVSS 9.8)
CVE-2026-8760: Login with OTPlugin Authentication bypass (CVSS 9.8)
CVE-2026-48904: Joomla\! Vulnerability (CVSS 9.8)
CVE-2026-48899: Joomla\! Privilege escalation (CVSS 9.8)
CVE-2026-48898: Joomla\! Privilege escalation (CVSS 9.8)
CVE-2026-48027: Nx console Vulnerability (CVSS 9.8)
CVE-2026-45247: Mirasvit Full Page Cache Remote code execution (CVSS 9.8)
CVE-2026-3655: OTP Login With Phone Authentication bypass (CVSS 9.8)
CVE-2026-24444: SDMC NE6037 cable modem Vulnerability (CVSS 9.8)
CVE-2026-10187: Totolink N300RH 6.1c.1353_B20190305. Affected Buffer overflow (CVSS 9.8)
CVE-2026-10071: DreamMaker developed by Interinfo Remote code execution (CVSS 9.8)
CVE-2025-12686: Buffer copy without checking Buffer overflow (CVSS 9.8)
CVE-2026-4408: A flaw was found Vulnerability (CVSS 9.0)
CVE-2026-9632: A flaw has been Buffer overflow (CVSS 8.8)
CVE-2026-9631: UTT HiPER 1250GW up Buffer overflow (CVSS 8.8)
CVE-2026-9628: A weakness has been Buffer overflow (CVSS 8.8)
CVE-2026-9627: UTT HiPER 1200GW up Buffer overflow (CVSS 8.8)
CVE-2026-9227: GutenBee - Gutenberg Blocks Remote code execution (CVSS 8.8)
CVE-2026-9009: Crawlomatic Multipage Scraper Post Remote code execution (CVSS 8.8)
CVE-2026-8832: WPCode - Insert Headers Remote code execution (CVSS 8.8)
CVE-2026-8787: Firebase Support & Chat Privilege escalation (CVSS 8.8)
CVE-2026-7802: Frontend Admin by DynamiApps Authorization bypass (CVSS 8.8)
CVE-2026-7465: Spectra Gutenberg Blocks - Remote code execution (CVSS 8.8)
CVE-2026-6226: Frontend Admin by DynamiApps Privilege escalation (CVSS 8.8)
CVE-2026-48557: Spatie Laravel Media Library Vulnerability (CVSS 8.8)
CVE-2026-46368: luci-app-https-dns-proxy through 2025.12.29-5 - Command (CVSS 8.8)
CVE-2026-44832: snipeitapp snipe-it Vulnerability (CVSS 8.8)
CVE-2026-35674: OpenClaw before 2026.5.18 scope Vulnerability (CVSS 8.8)
CVE-2026-10192: Tenda W12 3.0.0.7(4763). The Buffer overflow (CVSS 8.8)
CVE-2026-10191: Tenda W12 3.0.0.7(4763). Impacted Buffer overflow (CVSS 8.8)
CVE-2026-10189: Tenda W12 3.0.0.7(4763). This Buffer overflow (CVSS 8.8)
CVE-2026-10188: A flaw has been Buffer overflow (CVSS 8.8)
CVE-2026-10179: A flaw has been Buffer overflow (CVSS 8.8)
CVE-2026-10165: Edimax BR-6478AC 1.23. The Buffer overflow (CVSS 8.8)
CVE-2026-10164: Edimax BR-6478AC 1.23. Impacted Buffer overflow (CVSS 8.8)
CVE-2026-10163: Edimax BR-6478AC 1.23. This Buffer overflow (CVSS 8.8)
CVE-2026-10162: A flaw has been Buffer overflow (CVSS 8.8)
CVE-2026-10160: A security vulnerability has Buffer overflow (CVSS 8.8)
CVE-2026-10159: A weakness has been Buffer overflow (CVSS 8.8)
CVE-2026-10126: Edimax BR-6478AC 1.23. Affected Buffer overflow (CVSS 8.8)
CVE-2026-10125: Edimax BR-6478AC 1.23. Affected Buffer overflow (CVSS 8.8)
CVE-2026-10124: Shibby Tomato up to Buffer overflow (CVSS 8.8)
CVE-2026-10121: A flaw has been Buffer overflow (CVSS 8.8)
CVE-2026-10119: A security vulnerability has Buffer overflow (CVSS 8.8)
CVE-2026-10067: Shibby Tomato 1.28. Impacted Buffer overflow (CVSS 8.8)
CVE-2026-10066: A security vulnerability has Buffer overflow (CVSS 8.8)
CVE-2025-41669: Web-based Management allows a Remote code execution (CVSS 8.8)
CVE-2026-49489: OpenCATS through 0.9.7.4 Sql injection (CVSS 8.5)
CVE-2026-4480: A flaw was found Remote code execution (CVSS 8.5)
CVE-2026-32905: OpenClaw before 2026.5.4 Authorization bypass (CVSS 8.3)
CVE-2026-10105: agno 2.6.5 SQL injection CVSS 8.3 (CVSS 8.3)
CVE-2026-8994: Login with NEAR plugin Authentication bypass (CVSS 8.1)
CVE-2026-6075: Media Library Assistant plugin Vulnerability (CVSS 8.1)
CVE-2026-49490: OpenCATS from version 0.9.1a SQL injection (CVSS 8.1)
CVE-2025-13392: Improper check for unusual Vulnerability (CVSS 8.1)
CVE-2026-35630: OpenClaw before 2026.5.18 Authorization bypass (CVSS 8.0)
CVE-2026-7454: autodesk 3ds max Vulnerability (CVSS 7.8)
CVE-2026-7452: autodesk 3ds max Vulnerability (CVSS 7.8)
CVE-2026-7451: autodesk 3ds max Vulnerability (CVSS 7.8)
CVE-2025-41670: A local user with Privilege escalation (CVSS 7.8)
CVE-2026-9804: A flaw was found Directory traversal (CVSS 7.7)
CVE-2026-42965: A flaw was found Vulnerability (CVSS 7.7)
CVE-2026-7797: Appointment Booking Calendar - SQL injection (CVSS 7.5)
CVE-2026-7459: Simple History - Track, Vulnerability (CVSS 7.5)
CVE-2026-48544: Taipy 4.1.1, fixed in Directory traversal (CVSS 7.5)
CVE-2026-40850: An unauthenticated remote attacker SQL injection (CVSS 7.5)
CVE-2026-40819: An unauthenticated remote attacker SQL injection (CVSS 7.5)
CVE-2026-40818: An unauthenticated remote attacker SQL injection (CVSS 7.5)
CVE-2026-40817: An unauthenticated remote attacker SQL injection (CVSS 7.5)
CVE-2026-40816: An unauthenticated remote attacker SQL injection (CVSS 7.5)
CVE-2026-40815: An unauthenticated remote attacker SQL injection (CVSS 7.5)
CVE-2026-40814: An unauthenticated remote attacker SQL injection (CVSS 7.5)
CVE-2026-40813: An unauthenticated remote attacker SQL injection (CVSS 7.5)
CVE-2026-40812: An unauthenticated remote attacker SQL injection (CVSS 7.5)
CVE-2026-40811: An unauthenticated remote attacker SQL injection (CVSS 7.5)
CVE-2026-40810: An unauthenticated remote attacker SQL injection (CVSS 7.5)
CVE-2026-32847: DeepCode through commit c991dc2 Directory traversal (CVSS 7.5)
CVE-2026-10108: xiaomusic v0.5.7 unauthenticated path Directory traversal (CVSS 7.5)
CVE-2026-10073: DreamMaker developed by Interinfo Directory traversal (CVSS 7.5)
CVE-2026-10069: Shibby Tomato 1.28. The Vulnerability (CVSS 7.5)
CVE-2026-10044: Usagi-org ai-goofish-monitor unauthenticated arbitrary (CVSS 7.5)
CVE-2026-48555: Spatie Laravel Media Library Vulnerability (CVSS 7.4)
CVE-2026-46579: A flaw was found Vulnerability (CVSS 7.4)
CVE-2026-9795: A flaw was found Privilege escalation (CVSS 7.3)
CVE-2026-9606: itsourcecode Courier Management System SQL injection (CVSS 7.3)
CVE-2026-9605: A flaw has been Buffer overflow (CVSS 7.3)
CVE-2026-9584: A security vulnerability haSQL injection (CVSS 7.3)
CVE-2026-9580: JeecgBoot up to 3.9.1. Authorization bypass (CVSS 7.3)
CVE-2026-9575: itsourcecode Student Transcript Processing SQL injection (CVSS 7.3)
CVE-2026-9574: A flaw has been SQL injection (CVSS 7.3)
CVE-2026-9573: itsourcecode Student Transcript Processing SQL injection (CVSS 7.3)
CVE-2026-9562: sambitraj STUDENT-MANAGEMENT-SYSTEM up to Authorization bypass (CVSS 7.3)
CVE-2026-9552: Das Parking Management System SQL injection (CVSS 7.3)
CVE-2026-9551: Das Parking Management System SQL injection (CVSS 7.3)
CVE-2026-9550: AcrElectrical EEMS Enterprise Directory traversal (CVSS 7.3)
CVE-2026-9544: Shenzhen Sixun Software Sixun SQL injection (CVSS 7.3)
CVE-2026-10186: A security vulnerability has SQL injection (CVSS 7.3)
CVE-2026-10185: A weakness has been SQL injection (CVSS 7.3)
CVE-2026-10184: SourceCodester Hospitals Patient Records SQL injection (CVSS 7.3)
CVE-2026-10178: code-projects Online Music Site SQL injection (CVSS 7.3)
CVE-2026-10167: A weakness has been Vulnerability (CVSS 7.3)
CVE-2026-10157: Open5GS up to 2.7.6. Vulnerability (CVSS 7.3)
CVE-2026-10111: A flaw has been SQL injection (CVSS 7.3)
CVE-2026-10110: code-projects Student Details Management SQL injection (CVSS 7.3)
CVE-2026-7052: HT Contact Form - Cross-site scripting (CVSS 7.2)
CVE-2026-42785: OpenKM 6.3.12 remote code Remote code execution (CVSS 7.2)
CVE-2026-42425: OpenKM 6.3.12 unrestricted SQL Vulnerability (CVSS 7.2)
CVE-2026-2374: LogiNo Captcha reCAPTCHA Cross-site scripting (CVSS 7.2)
CVE-2026-10072: DreamMaker developed by Interinfo Remote code execution (CVSS 7.2)
CVE-2025-11262: Link Whisper Free plugin Cross-site scripting (CVSS 7.2)
CVE-2026-40836: An low privileged remote SQL injection (CVSS 7.1)
CVE-2026-40834: An low privileged remote SQL injection (CVSS 7.1)
CVE-2026-40833: An low privileged remote SQL injection (CVSS 7.1)
CVE-2026-1933: A flaw was found Vulnerability (CVSS 7.1)
CVE-2026-44604: A command injection vulnerability Remote code execution (CVSS 7.0)

Microsoft Had a Rough Week

15 vulnerabilities across Microsoft products this week. The worst: CVE-2026-48689 (CVSS 9.8) lets attackers run code on your systems. Patch now if you run Microsoft.

CVE-2026-48689: pavel-odintsov fastnetmon Remote code execution (CVSS 9.8)
CVE-2026-46819: Oracle Internet Procurement Connector Vulnerability (CVSS 9.1)
CVE-2026-46833: Net Service component of Vulnerability (CVSS 9.0)
CVE-2026-10183: TRENDnet TEW-432BRP 3.10B20. This Buffer overflow (CVSS 8.8)
CVE-2026-10181: TRENDnet TEW-432BRP 3.10B20. The Buffer overflow (CVSS 8.8)
CVE-2026-10161: TRENDnet TEW-432BRP 3.10B20. This Buffer overflow (CVSS 8.8)
CVE-2026-10158: TRENDnet TEW-432BRP 3.10B20. Affected Buffer overflow (CVSS 8.8)
CVE-2026-10123: TRENDnet TEW-432BRP 3.10B20. This Buffer overflow (CVSS 8.8)
CVE-2026-10122: TRENDnet TEW-432BRP 3.10B20. This Buffer overflow (CVSS 8.8)
CVE-2026-10120: TRENDnet TEW-432BRP 3.10B20. The Buffer overflow (CVSS 8.8)
CVE-2026-10063: TRENDnet TEW-432BRP 3.10B20. Affected Buffer overflow (CVSS 8.8)
CVE-2026-10062: TRENDnet TEW-432BRP 3.10B20. Affected Buffer overflow (CVSS 8.8)
CVE-2026-3623: IBM Netezza Performance Server Privilege escalation (CVSS 7.8)
CVE-2026-46835: Net Service component of Denial of service (CVSS 7.5)
CVE-2026-46834: Net Service component of Denial of service (CVSS 7.5)

IBM Had a Rough Week

19 vulnerabilities across IBM products this week. The worst: CVE-2026-8633 (CVSS 9.8) lets attackers run code on your systems. Patch now if you run IBM.

CVE-2026-8633: IBM Web Server Plug-ins Remote code execution (CVSS 9.8)
CVE-2026-8175: IBM Aspera High-Speed Transfer Remote code execution (CVSS 9.8)
CVE-2026-7524: IBM Langflow OSS 1.0.0 Remote code execution (CVSS 9.8)
CVE-2026-8179: IBM Aspera High-Speed Transfer Buffer overflow (CVSS 8.8)
CVE-2026-5065: IBM Controller 11.0.1, 11.1.0, Vulnerability (CVSS 8.8)
CVE-2026-7365: IBM Operations Analytics - Vulnerability (CVSS 8.4)
CVE-2026-8855: ibm http server Remote code execution (CVSS 8.1)
CVE-2026-8834: ibm http server Buffer overflow (CVSS 8.0)
CVE-2026-8856: ibm http server Denial of service (CVSS 7.7)
CVE-2026-9170: IBM Web Server Plug-ins Remote code execution (CVSS 7.5)
CVE-2026-8854: ibm http server Denial of service (CVSS 7.5)
CVE-2026-8850: ibm http server Denial of service (CVSS 7.5)
CVE-2026-8620: IBM Web Server Plug-ins Vulnerability (CVSS 7.5)
CVE-2026-8180: IBM Aspera High-Speed Transfer Denial of service (CVSS 7.5)
CVE-2026-3366: IBM InfoSphere Optim Test File read (CVSS 7.5)
CVE-2026-8835: ibm http server Denial of service (CVSS 7.3)
CVE-2024-56462: IBM QRadar 7.5.0 through Vulnerability (CVSS 7.2)
CVE-2026-7528: IBM Langflow OSS 1.0.0 Denial of service (CVSS 7.1)
CVE-2026-1718: IBM Db2 11.5.0 through Denial of service (CVSS 7.1)

PHP Patches 2 Vulnerabilities

2 vulnerabilities across PHP products this week. The worst: CVE-2026-35671 (CVSS 8.8) lets anyone bypass authentication. Patch now if you run PHP.

CVE-2026-35671: phpMyFAQ before 4.1.3 insecure Vulnerability (CVSS 8.8)
CVE-2026-35675: phpMyFAQ before 4.1.3 Authentication bypass (CVSS 8.2)

By the Numbers

Total CVEs analyzed	179
Critical (9.0+)	28
High (7.0-8.9)	151
Remote code execution	89
Authentication bypass	87
Cross-site scripting	0
SQL injection	0

What To Do This Week

One action item per vendor. Start at the top and work down.

Oracle: Update immediately. 7 critical-severity issues patched this week.
WordPress: Update immediately. 2 critical-severity issues patched this week.
Other: Update immediately. 13 critical-severity issues patched this week.
Microsoft: Update immediately. 3 critical-severity issues patched this week.
IBM: Update immediately. 3 critical-severity issues patched this week.
PHP: Review and patch 2 high-severity vulnerabilities when possible.