WordPress May 2026: 4 Critical Plugins with Auth Bypass / RCE (CVSS 9.8)
Burst Analytics, Career Section, InfusedWoo Pro, Form Notify — 4 WordPress plugins with auth bypass / RCE / privilege escalation disclosed in May 2026. Versions and mitigation.
SAP S/4HANA CVE-2026-34260: Authenticated SQL Injection in Enterprise Search ABAP
SAP S/4HANA Enterprise Search ABAP: SQL injection (CVSS 9.6) via user input concatenated without validation. Sensitive data exfiltration risk, audit recommended.
Microsoft Patch Tuesday May 2026 — Wave 2: Hyper-V LPE, Entra ID Spoofing, Authenticator
May 2026 Patch Tuesday follow-up: 3 new CRITICAL CVEs — Hyper-V use-after-free LPE (9.3), Entra ID spoofing (9.3), Microsoft Authenticator info disclosure (9.6). Patch now.
ArchiveBox CVE-2026-42601: RCE via /add/ — No Patch Available (CVSS 9.8)
ArchiveBox ≤ 0.8.6rc0: the /add/ endpoint merges an unvalidated config JSON into plugin environment variables. Unauthenticated RCE, no official fix. Mitigation.
Angular Expressions CVE-2026-44643: Sandbox Escape → RCE (CVSS 10.0)
angular-expressions < 1.5.2: an attacker can craft a filter expression that escapes the sandbox and executes arbitrary code. CVSS 10.0, scope changed. Patch and mitigation.
Adobe Connect: 2 Critical CVEs (Deserialization + Auth Bypass) — CVE-2026-34659 & 34660
Adobe Connect ≤ 2025.9.15: deserialization of untrusted data (CVSS 9.6) + incorrect authorization (CVSS 9.3) → RCE and script injection. Patch and hardening.
PHP 8.x: 3 CRITICAL CVEs at once (PDO Firebird SQLi + 2 SOAP UAFs)
PHP 8.2.31 / 8.3.31 / 8.4.21 / 8.5.6 fix 3 CRITICAL CVEs (CVSS 9.8): PDO Firebird NUL-byte SQL injection + 2 SOAP use-after-free flaws exploitable for RCE.
OpenClaw: 3 Critical Auth Bypass CVEs in the Browser Sandbox
OpenClaw < 2026.4.15 stacks 3 CRITICAL CVEs (CVSS 9.6-9.8): exposed noVNC, Feishu webhook without validation, CDP relay on 0.0.0.0. Patch and hardening guide.
Microsoft Patch Tuesday May 2026: 4 CRITICAL CVEs (Netlogon, DNS, Dynamics, Azure)
May 2026 Patch Tuesday — 4 CRITICAL CVEs: Windows Netlogon RCE (9.8), Windows DNS RCE (9.8), Dynamics 365 code injection (9.9), Azure Logic Apps EoP (9.9).
Gotenberg CVE-2026-40281: PDF API Takeover via ExifTool Injection (CVSS 10.0)
Gotenberg ≤ 8.30.1: a newline in PDF metadata values injects ExifTool pseudo-tags — arbitrary file overwrite/symlinks in the container. CVSS 10.0, patch 8.31.0.
GitHub Enterprise Server CVE-2026-8034: SSRF via Notebook Viewer (URL Parser Confusion)
GitHub Enterprise Server < 3.21 contains an SSRF (CVSS 9.8) in the notebook viewer — URL parser confusion between validation and HTTP request. Patch and mitigation.
Chrome CVE-2026-7910: Use-After-Free in Views (Site Isolation Bypass)
Chrome < 148.0.7778.96 contains a use-after-free in Views (CVSS 9.6) allowing site isolation bypass from a compromised renderer. Urgent browser patch.
PhpSpreadsheet CVE-2026-34084: RCE via phar:// in IOFactory::load()
PhpSpreadsheet (all branches < 5.6.0) allows RCE and SSRF via phar://, ftp:// and ssh2.sftp:// in IOFactory::load(). Patch and PHP hardening guide.
CVE-2026-0300 Palo Alto PAN-OS: Unauth Root RCE Already in CISA KEV
Critical buffer overflow (CVSS 9.8) in the User-ID Authentication Portal of Palo Alto PAN-OS — unauth root RCE. Added to CISA KEV. Patch and workaround.
Nginx UI CVE-2026-42238: Unauth Root RCE in the 10 Minutes After Startup
Nginx UI < 2.3.8 exposes /api/restore unauthenticated for the first 10 minutes after startup. Root RCE via app.ini command injection. Patch and mitigation.
n8n CVE-2026-42233: Oracle SQL Injection via Webhook in Database Node
n8n (before 1.123.32 / 2.17.4 / 2.18.1) contains a critical SQL injection (CVSS 9.8) on the Oracle Database node select operation. Webhook-driven data exfiltration.
LiteLLM CVE-2026-42208: AI Gateway SQL Injection Added to CISA KEV
LiteLLM AI Gateway (v1.81.16 → 1.83.7) contains a critical SQL injection (CVSS 9.8) on LLM routes. API key theft, added to CISA KEV — patch urgently.
CoreDNS CVE-2026-35579: TSIG Authentication Bypass on gRPC, QUIC, DoH and DoH3
CoreDNS < 1.14.3 fails to validate the TSIG HMAC on modern transports. AXFR, DDNS and TSIG-gated plugins bypassable without a key. Patch and workaround.
WattBox 800/820 CVE-2026-41446: Diagnostic Backdoor in Plaintext on the Label
Snap One WattBox 800 and 820 (firmware < 2.10.0.0) ship with diagnostic endpoints whose auth relies on MAC + service tag — both printed on the label. Root RCE.
Traefik CVE-2026-35051 & CVE-2026-39858: 10.0 Auth Bypass in ForwardAuth
Two critical Traefik CVEs (CVSS 10.0) bypass ForwardAuth via trusted upstream and underscore header smuggling. Affected versions, exploitation, IOCs and patch guide.
Totolink A8000RU: 22 Critical Command Injection CVEs in One Week
The Totolink A8000RU router stacks 22 CRITICAL CVEs (CVSS 9.8) in /cgi-bin/cstecgi.cgi command injection. All exploits public — analysis, IOCs, mitigation.
Tenda AC18 CVE-2026-31255: Unauthenticated RCE via SetSambaCfg
Tenda AC18 router v15.03.05.05 contains a critical command injection (CVSS 9.8) on /goform/SetSambaCfg. Analysis, exploitation and mitigation.
ProjeQtor CVE-2026-41462: Unauthenticated SQL Injection on Login
ProjeQtor 7.0 to 12.4.3 contains a critical SQL injection (CVSS 9.8) on the login endpoint. Privileged account creation, data theft, possible RCE.
D-Link DI-8100 CVE-2026-7248: Critical Buffer Overflow in tgfile.htm
D-Link DI-8100 firmware 16.07.26A1 contains an unauthenticated buffer overflow (CVSS 9.8) on tgfile.htm. Public PoC, analysis and mitigation.
Patch Management Guide: How to Handle CVEs Quickly and Effectively
Learn how to build a robust CVE patch management process: SLAs by severity, key steps, tools, and common mistakes to avoid to protect your infrastructure.
How to Monitor CVE Vulnerabilities Across Your IT Assets
A complete guide to tracking and managing CVEs affecting your IT infrastructure: methods, tools, and best practices for IT teams and security managers.
How to Conduct a CVE Security Audit of Your IT Infrastructure
Complete guide to conducting a CVE security audit: asset inventory, vulnerability scanning, CVSS scoring, remediation planning, and CISO best practices.
Best CVE Monitoring Tools in 2026: Full Comparison
A complete comparison of the best CVE management and monitoring tools in 2026: open-source solutions, SaaS platforms, scanners. Which tool is right for your context?
VMware vCenter & ESXi CVEs 2026: Top 8 Critical Flaws (Patch Now)
Critical VMware vCenter and ESXi CVEs exploited by ransomware gangs. Full list with CVE-2021-21985, CVE-2024-37085 — patches, IOCs and ESXiArgs protection.
Understanding the CVSS Score: How to Assess CVE Severity
The CVSS (Common Vulnerability Scoring System) score is the global standard for measuring vulnerability severity. Learn to read it in 5 minutes.
Spring4Shell CVE-2022-22965: Critical RCE in Spring Framework
Spring4Shell is a remote code execution vulnerability in Spring Framework. Analysis of CVE-2022-22965, exploitation conditions and how to protect Java applications.
ProxyLogon CVE-2021-26855: The Critical Microsoft Exchange Vulnerability
ProxyLogon is one of the most exploited Exchange vulnerabilities in history. Analysis of CVE-2021-26855, the full exploit chain and remediation steps.
PHP: Critical CVEs and Securing Your Web Applications
PHP, powering 80% of the web, concentrates critical vulnerabilities in the engine and its extensions. Analysis of major CVEs and security best practices.
Palo Alto PAN-OS: Critical CVEs and NGFW Firewall Security
PAN-OS, the operating system powering Palo Alto firewalls, is regularly hit by critical vulnerabilities. Overview of major CVEs and security best practices.
Nginx: Critical CVEs and Web Server Security
Nginx, the world's second most popular web server, is not without critical vulnerabilities. Analysis of major Nginx CVEs and a secure configuration guide.
MOVEit CVE-2023-34362: The SQL Injection That Compromised Thousands of Companies
CVE-2023-34362 is a critical SQL injection in MOVEit Transfer exploited by the Cl0p gang. Analysis of the attack, victims and security hardening measures.
Jenkins: Critical CVEs and Securing Your CI/CD Pipeline
Jenkins, the most widely used CI/CD tool, concentrates critical vulnerabilities enabling code execution and secrets access. Analysis of major CVEs and best practices.
Ivanti CVE-2024-21887: Auth Bypass + RCE Exploited by APT (Full Guide)
Complete guide to Ivanti's worst 2024 CVEs (CVE-2024-21887, CVE-2023-46805, CVE-2024-21893). Detection, IOCs, patching steps and APT exploitation timeline.
Heartbleed CVE-2014-0160: The OpenSSL Vulnerability That Shook the Internet
Heartbleed is the most famous OpenSSL vulnerability in history. Analysis of CVE-2014-0160, its impact on global HTTPS security and why it still matters today.
GitLab: Critical CVEs and Securing Your Self-Hosted Instance
Self-hosted GitLab concentrates critical vulnerabilities including RCE and account takeovers. Analysis of major CVEs and security best practices for your instance.
ProxyShell CVE-2021-34473: The Exchange RCE Chain of Summer 2021
ProxyShell is a chain of three CVEs in Microsoft Exchange enabling unauthenticated RCE. Analysis of CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 and protection.
EternalBlue and MS17-010: The Vulnerability Behind WannaCry
MS17-010, the SMB vulnerability exploited by EternalBlue, is behind WannaCry and NotPetya. Technical analysis, global impact and protection measures.
Docker and Kubernetes: Critical CVEs and Container Security
Docker and Kubernetes concentrate vulnerabilities enabling container escape and cluster compromise. Analysis of major CVEs and hardening your containerized infrastructure.
Citrix Bleed (CVE-2023-4966): MFA Bypass on NetScaler — Detection & Patch
Citrix Bleed lets attackers hijack NetScaler sessions and bypass MFA. CVE-2023-4966 exploitation, IOCs, mitigation steps and patch guide for Citrix ADC/Gateway.
Atlassian Confluence: Critical CVEs and Securing Your Wiki
Confluence concentrates critical RCE vulnerabilities that are regularly exploited. Analysis of major Atlassian Confluence CVEs and protection measures for your instance.
Apache HTTP Server: Critical CVEs and Web Server Security
Apache HTTP Server concentrates critical vulnerabilities that are regularly exploited. Analysis of major CVEs including CVE-2021-41773, CVE-2021-42013 and security best practices.
Top 10 Critical CVEs of 2024: Vulnerabilities That Defined the Year
A look back at the 10 most critical CVEs of 2024: RCE, privilege escalations, zero-days. What security teams need to remember.
Log4Shell (CVE-2021-44228): Anatomy of the Vulnerability That Shook the Internet
CVE-2021-44228, CVSS score 10.0. Log4Shell remains one of the most exploited vulnerabilities in history. Full analysis, impact and lessons learned.
WordPress CVE: How to Monitor and Secure Your Site
WordPress concentrates thousands of CVEs every year. A complete guide to identifying vulnerabilities that affect you and setting up effective security monitoring.
FortiOS and Fortinet: Major Vulnerabilities and Security Best Practices
Fortinet appliances are ubiquitous in enterprise networks. An overview of critical FortiOS CVEs and measures to secure your infrastructure.