What were the most critical CVEs disclosed this week?

This week's roundup covers 143 vulnerability disclosures analyzed by Sherlock Forensics. 15 scored 9.0 or above (critical) and 128 rated high. Each CVE is grouped by vendor and assessed for real-world exploitability with patching priorities.

How should organizations respond to new CVE disclosures?

Start with automated vulnerability scanning against new disclosures within 24 hours. Patch critical and actively exploited vulnerabilities within 72 hours. Deploy compensating controls for anything you cannot patch immediately. Validate that your patches actually work. Sherlock Forensics managed security service automates this entire workflow.

Where can I get professional help responding to these vulnerabilities?

Sherlock Forensics offers emergency CVE response assessments with 24-hour turnaround to verify whether your deployment is vulnerable and test whether your compensating controls block exploitation. Managed security clients receive automated alerting when new CVEs affect their technology stack. Contact 604.229.1994 for immediate assistance.

Weekly Security Roundup: June 01 to June 14, 2026

The Week in Security

Other had 120 vulnerabilities this week including Authentication bypass by spoofing Privilege escalation (CVSS 10.0). WordPress had 7 vulnerabilities this week including ARMember Premium plugin for SQL injection (CVSS 9.8). Microsoft had 7 vulnerabilities this week including NetMan 204 fails to Vulnerability (CVSS 9.8).

We tracked 143 vulnerabilities this week. 15 scored 9.0 or above. If you only have time for one thing today, scroll to "What To Do This Week" at the bottom.

Other Had a Rough Week

120 vulnerabilities across Other products this week. The worst: CVE-2026-48567 (CVSS 10.0) lets attackers run code on your systems. Patch now if you run Other.

CVE-2026-48567: Authentication bypass by spoofing Privilege escalation (CVSS 10.0)
CVE-2026-8206: Kirki - Freeform Page Privilege escalation (CVSS 9.8)
CVE-2026-6274: Improper Authentication, Missing authentication Vulnerability (CVSS 9.8)
CVE-2026-47117: OpenMed before 1.5.2 Remote code execution (CVSS 9.8)
CVE-2026-4104: Authorization bypass through User-Controlled SQL injection (CVSS 9.8)
CVE-2026-35075: An unauthenticated remote attacker Vulnerability (CVSS 9.8)
CVE-2026-25550: Seagull Software BarTender 2010, Remote code execution (CVSS 9.8)
CVE-2026-10580: Hippoo Mobile App for Authentication bypass (CVSS 9.8)
CVE-2026-49492: Markdown Preview Enhanced before Vulnerability (CVSS 8.8)
CVE-2026-49143: BrowserStack Runner through 0.9.5 Remote code execution (CVSS 8.8)
CVE-2026-43623: microtar through 0.1.0 stack-based Buffer overflow (CVSS 8.8)
CVE-2026-35085: A remote attacker with Buffer overflow (CVSS 8.8)
CVE-2026-35084: A remote attacker with Buffer overflow (CVSS 8.8)
CVE-2026-35083: A remote attacker with Buffer overflow (CVSS 8.8)
CVE-2026-25277: Memory corruption while using Buffer overflow (CVSS 8.8)
CVE-2026-25276: Memory corruption while using Vulnerability (CVSS 8.8)
CVE-2026-1829: Content Visibility for Divi Remote code execution (CVSS 8.8)
CVE-2026-1784: Route OpenShift resource allows Vulnerability (CVSS 8.8)
CVE-2026-11413: A security vulnerability has Buffer overflow (CVSS 8.8)
CVE-2026-10293: A flaw has been Buffer overflow (CVSS 8.8)
CVE-2026-10292: UTT HiPER 1200GW up Buffer overflow (CVSS 8.8)
CVE-2026-10270: D-Link DI-7001 MINI up Buffer overflow (CVSS 8.8)
CVE-2026-10259: A security vulnerability has Buffer overflow (CVSS 8.8)
CVE-2026-10206: D-Link DI-8400 up to Buffer overflow (CVSS 8.8)
CVE-2026-49120: Medplum before 5.1.14 server-side Vulnerability (CVSS 8.5)
CVE-2026-49491: Pixa Bank 2.0 SQL injection (CVSS 8.2)
CVE-2026-28299: SolarWinds Web Help Desk Vulnerability (CVSS 8.2)
CVE-2026-24088: Cryptographic Issue while processing Vulnerability (CVSS 8.2)
CVE-2026-49121: AI Tensor Engine for Remote code execution (CVSS 8.1)
CVE-2026-35080: ugw-restoreinfo method allows a Vulnerability (CVSS 8.1)
CVE-2026-35079: ugw-restore method allows a Vulnerability (CVSS 8.1)
CVE-2026-11416: MoviePilot path traversal vulnerability Directory traversal (CVSS 8.1)
CVE-2026-47294: Deserialization of untrusted data CVSS 8.0 (CVSS 8.0)
CVE-2026-50264: An out-of-bounds write flaw Privilege escalation (CVSS 7.8)
CVE-2026-50261: A use-after-free flaw was Privilege escalation (CVSS 7.8)
CVE-2026-50260: A use-after-free flaw was Privilege escalation (CVSS 7.8)
CVE-2026-50259: A stack-based buffer overflow Privilege escalation (CVSS 7.8)
CVE-2026-50258: A stack-based buffer overflow Privilege escalation (CVSS 7.8)
CVE-2026-50257: A use-after-free flaw was Privilege escalation (CVSS 7.8)
CVE-2026-50256: A stack-based buffer overflow Privilege escalation (CVSS 7.8)
CVE-2026-43958: A flaw was found Remote code execution (CVSS 7.8)
CVE-2026-25551: Seagull Software BarTender 2021 Deserialization (CVSS 7.8)
CVE-2026-25260: Memory Corruption when accessing Vulnerability (CVSS 7.8)
CVE-2026-25259: Memory corruption while processing Vulnerability (CVSS 7.8)
CVE-2026-25258: Memory corruption while processing Vulnerability (CVSS 7.8)
CVE-2026-20245: A vulnerability in the Remote code execution (CVSS 7.8)
CVE-2026-10118: A flaw was found Remote code execution (CVSS 7.8)
CVE-2025-59606: Memory Corruption when writing Vulnerability (CVSS 7.8)
CVE-2025-59605: Memory Corruption when processing Vulnerability (CVSS 7.8)
CVE-2025-59604: Memory Corruption when running Vulnerability (CVSS 7.8)
CVE-2026-45497: Improper neutralization of special Command injection (CVSS 7.7)
CVE-2026-50234: Lyrion Music Server 9.2.0 Directory traversal (CVSS 7.5)
CVE-2026-49136: Banana Slides through 0.4.0, Directory traversal (CVSS 7.5)
CVE-2026-41032: It is possible for Vulnerability (CVSS 7.5)
CVE-2026-28318: solarwinds serv-u Vulnerability (CVSS 7.5)
CVE-2026-10737: SP Project & Document Privilege escalation (CVSS 7.5)
CVE-2024-14036: Dräger Core 1.0.5 and Denial of service (CVSS 7.5)
CVE-2026-11463: USCiLab Cereal up to Vulnerability (CVSS 7.3)
CVE-2026-11460: A flaw has been Vulnerability (CVSS 7.3)
CVE-2026-11457: erzhongxmu JeeWMS up to Vulnerability (CVSS 7.3)
CVE-2026-11456: Chanjet CRM 1.0. This SQL injection (CVSS 7.3)
CVE-2026-11451: A flaw has been Command injection (CVSS 7.3)
CVE-2026-11437: A flaw has been Vulnerability (CVSS 7.3)
CVE-2026-11435: A security vulnerability has SQL injection (CVSS 7.3)
CVE-2026-11344: code-projects Vehicle Management System Vulnerability (CVSS 7.3)
CVE-2026-11342: code-projects Hotel and Tourism SQL injection (CVSS 7.3)
CVE-2026-11334: tittuvarghese CollegeManagementSystem (CVSS 7.3)
CVE-2026-10877: A security vulnerability has SQL injection (CVSS 7.3)
CVE-2026-10777: ealpha072 Student-Management-System up to Vulnerability (CVSS 7.3)
CVE-2026-10771: crmeb crmeb_java 1.4. Affected Vulnerability (CVSS 7.3)
CVE-2026-10704: SourceCodester Pizzafy E-Commerce System SQL injection (CVSS 7.3)
CVE-2026-10694: SourceCodester Online Food Ordering Vulnerability (CVSS 7.3)
CVE-2026-10620: A flaw has been SQL injection (CVSS 7.3)
CVE-2026-10619: sayan365 student-management-system up to Vulnerability (CVSS 7.3)
CVE-2026-10617: A security vulnerability has CVSS 7.3 (CVSS 7.3)
CVE-2026-10608: DedeCMS 5.7.88. This affects SQL injection (CVSS 7.3)
CVE-2026-10607: DedeCMS 5.7.88. The impacted SQL injection (CVSS 7.3)
CVE-2026-10290: A weakness has been SQL injection (CVSS 7.3)
CVE-2026-10288: code-projects Hotel and Tourism Vulnerability (CVSS 7.3)
CVE-2026-10287: SourceCodester SEO Meta Tag Vulnerability (CVSS 7.3)
CVE-2026-10281: A weakness has been Vulnerability (CVSS 7.3)
CVE-2026-10280: horizon921 mcpilot 0.1.0. The Vulnerability (CVSS 7.3)
CVE-2026-10263: SourceCodester Computer Repair Shop SQL injection (CVSS 7.3)
CVE-2026-10262: code-projects Real State Services SQL injection (CVSS 7.3)
CVE-2026-10261: A flaw has been SQL injection (CVSS 7.3)
CVE-2026-10260: CodeAstro Online Job Portal SQL injection (CVSS 7.3)
CVE-2026-10253: itsourcecode Online House Rental SQL injection (CVSS 7.3)
CVE-2026-10252: A security vulnerability has SQL injection (CVSS 7.3)
CVE-2026-10251: A weakness has been SQL injection (CVSS 7.3)
CVE-2026-10250: itsourcecode Online Blood Bank SQL injection (CVSS 7.3)
CVE-2026-10249: itsourcecode Online Blood Bank SQL injection (CVSS 7.3)
CVE-2026-10243: A security vulnerability has CVSS 7.3 (CVSS 7.3)
CVE-2026-10236: SourceCodester Water Billing Management Authorization bypass (CVSS 7.3)
CVE-2026-10226: A flaw has been SQL injection (CVSS 7.3)
CVE-2026-10221: NousResearch hermes-agent up to Vulnerability (CVSS 7.3)
CVE-2026-10220: NousResearch hermes-agent up to Vulnerability (CVSS 7.3)
CVE-2026-10219: nextlevelbuilder GoClaw up to Command injection (CVSS 7.3)
CVE-2026-10214: A weakness has been Command injection (CVSS 7.3)
CVE-2026-10208: A flaw has been SQL injection (CVSS 7.3)
CVE-2026-8901: Integration for Freshsales - Cross-site scripting (CVSS 7.2)
CVE-2026-8438: All-In-One Security (AIOS) - Cross-site scripting (CVSS 7.2)
CVE-2026-7537: MDJM Event Management plugin Remote code execution (CVSS 7.2)
CVE-2026-50232: Lyrion Music Server 9.2.0 Cross-site scripting (CVSS 7.2)
CVE-2026-50231: Lyrion Music Server 9.2.0 Cross-site scripting (CVSS 7.2)
CVE-2026-24092: Memory Corruption when processing Vulnerability (CVSS 7.2)
CVE-2026-24091: Memory corruption while processing Vulnerability (CVSS 7.2)
CVE-2026-24089: Memory corruption while processing Vulnerability (CVSS 7.2)
CVE-2026-24087: Memory corruption while processing Vulnerability (CVSS 7.2)
CVE-2026-24085: Memory Corruption when processing Vulnerability (CVSS 7.2)
CVE-2026-10873: Shibby Tomato 1.28.0000. Impacted Command injection (CVSS 7.2)
CVE-2026-10872: Shibby Tomato 1.28.0000. This Command injection (CVSS 7.2)
CVE-2026-10871: Shibby Tomato 1.28.0000. This Command injection (CVSS 7.2)
CVE-2026-10870: A flaw has been Command injection (CVSS 7.2)
CVE-2026-10843: A flaw was found Vulnerability (CVSS 7.2)
CVE-2026-10586: Gutenberg Essential Blocks - Vulnerability (CVSS 7.2)
CVE-2026-49135: CodexBar prior to 0.32.0 Vulnerability (CVSS 7.1)
CVE-2026-49134: CodexBar prior to 0.32.0 Remote code execution (CVSS 7.1)
CVE-2026-24090: Cryptographic issue while processing Vulnerability (CVSS 7.1)
CVE-2026-11422: Markdown Preview Enhanced 0.8.x Code injection (CVSS 7.1)
CVE-2025-52612: hcltech icontrol Cross-site scripting (CVSS 7.1)

WordPress Patches 7 Vulnerabilities

7 vulnerabilities across WordPress products this week. The worst: CVE-2026-5076 (CVSS 9.8) lets attackers run code on your systems. Patch now if you run WordPress.

CVE-2026-5076: ARMember Premium plugin for SQL injection (CVSS 9.8)
CVE-2026-7654: Admin Columns plugin for Remote code execution (CVSS 8.8)
CVE-2026-5415: WP Captcha PRO (CVSS 8.8)
CVE-2026-5411: WP Captcha PRO (CVSS 8.8)
CVE-2026-9290: WP User Manager - Authorization bypass (CVSS 7.5)
CVE-2026-5073: ARMember Premium plugin for SQL injection (CVSS 7.5)
CVE-2026-9851: Booking Package plugin for Privilege escalation (CVSS 7.2)

Microsoft: 3 Critical Flaws at Once

7 vulnerabilities across Microsoft products this week. The worst: CVE-2025-71318 (CVSS 9.8) lets attackers run code on your systems. Patch now if you run Microsoft.

CVE-2025-71318: NetMan 204 fails to Vulnerability (CVSS 9.8)
CVE-2025-71317: NetMan 204 hard-coded backdoor Vulnerability (CVSS 9.8)
CVE-2026-48579: Improper authorization in Microsoft Authorization bypass (CVSS 9.1)
CVE-2026-49494: Comodo Internet Security's firewall Vulnerability (CVSS 7.5)
CVE-2026-11462: Chengdu Everbrite Network Technology Authorization bypass (CVSS 7.3)
CVE-2026-11452: GL.iNet GL-MT3000 up to Command injection (CVSS 7.3)
CVE-2026-11450: GL.iNet GL-MT3000 4.4.5. This Command injection (CVSS 7.3)

IBM: 3 Critical Flaws at Once

5 vulnerabilities across IBM products this week. The worst: CVE-2026-8644 (CVSS 9.1) lets anyone bypass authentication. Patch now if you run IBM.

CVE-2026-8644: IBM WebSphere Application Server Vulnerability (CVSS 9.1)
CVE-2026-9319: IBM WebSphere Application Server Remote code execution (CVSS 9.0)
CVE-2026-9311: IBM WebSphere Application Server Remote code execution (CVSS 9.0)
CVE-2026-7770: IBM i Access Family Remote code execution (CVSS 8.8)
CVE-2026-9330: IBM WebSphere Application Server Remote code execution (CVSS 8.5)

Cisco Hit With CVSS 8.6

CVE-2026-20230 scores a 8.6. Cisco lets attackers run code on your systems.

CVE-2026-20230: A vulnerability in Cisco SSRF (CVSS 8.6)

PHP Hit With CVSS 7.3

CVE-2026-10273 scores a 7.3. PHP lets attackers run code on your systems.

CVE-2026-10273: php-censor up to 2.1.6. Command injection (CVSS 7.3)

HP Patches 2 Vulnerabilities

2 vulnerabilities across HP products this week. The worst: CVE-2026-10227 (CVSS 7.3) lets attackers run code on your systems. Patch now if you run HP.

CVE-2026-10227: raisulislamg4 student_management_system_by_php up to SQL (CVSS 7.3)
CVE-2026-10225: raisulislamg4 student_management_system_by_php up to SQL (CVSS 7.3)

By the Numbers

Total CVEs analyzed	143
Critical (9.0+)	15
High (7.0-8.9)	128
Remote code execution	103
Authentication bypass	39
Cross-site scripting	0
SQL injection	0

What To Do This Week

One action item per vendor. Start at the top and work down.

Other: Update immediately. 8 critical-severity issues patched this week.
WordPress: Update immediately. 1 critical-severity issues patched this week.
Microsoft: Update immediately. 3 critical-severity issues patched this week.
IBM: Update immediately. 3 critical-severity issues patched this week.
Cisco: Review and patch 1 high-severity vulnerabilities when possible.
PHP: Review and patch 1 high-severity vulnerabilities when possible.
HP: Review and patch 2 high-severity vulnerabilities when possible.