Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Today's Security Brief
WordPress plugin vulnerabilities dominate Monday's disclosures, with four separate CVSS 9.8 flaws affecting MStore API, Plugin Download, TheCartPress, and a related OpenCart vulnerability of the same severity. Yesterday's volume was lighter overall, with 5 critical CVEs (down 37% from 8) and 21 high-priority issues (down 68% from 65). Notable critical entries include CVE-2021-47933 in WordPress MStore API, CVE-2021-47940 in WordPress Plugin Download, and CVE-2021-47923 in OpenCart, all rated CVSS 9.8. Three actively exploited vulnerabilities span ConnectWise ScreenConnect (CVE-2024-1708), Microsoft Windows (CVE-2026-32202), and the Linux Kernel (CVE-2026-31431), reflecting attacker interest in remote management tools and core operating system components. Patches are not yet broadly available across yesterday's disclosure set, so defenders should rely on compensating controls and vendor advisories while monitoring for updates.
WordPress plugin ecosystem accounts for four of the five CVSS 9.8 critical vulnerabilities disclosed
Critical CVEs declined 37% day-over-day (5 vs 8 prior)
High-priority CVEs declined 68% day-over-day (21 vs 65 prior)
Actively exploited issues span ConnectWise ScreenConnect, Windows, and the Linux Kernel
Patch availability sits at 0% for yesterday's disclosure set, requiring mitigations and monitoring
OpenCart joins WordPress in the CVSS 9.8 tier, signaling continued e-commerce platform exposure
Immediate action: Prioritize review of WordPress plugin inventories (MStore API, Plugin Download, TheCartPress) and OpenCart installations, alongside ConnectWise ScreenConnect, Windows, and Linux Kernel systems flagged for active exploitation. With no patches currently available for yesterday's disclosed CVEs, apply vendor-recommended mitigations, restrict exposed admin interfaces, and monitor vendor channels for upcoming fixes.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2024-1708
9.5π Late Disclosure
ConnectWiseScreenConnect
β° Federal Deadline:May 11, 2026(1 days remaining)
ConnectWise ScreenConnect Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-32202
9.5
MicrosoftWindows
β° Federal Deadline:May 11, 2026(1 days remaining)
Microsoft Windows Protection Mechanism Failure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-31431
9.5
LinuxKernel
β° Federal Deadline:May 14, 2026(4 days remaining)
Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2021-47933
9.8ππ Late Disclosure
WordPressMStore API
An arbitrary file upload vulnerability in the MStore API allows unauthenticated attackers to execute malicious code on the host server via the REST API.
CVSS Base9.8
β
CRSSelect profile
CVE-2021-47940
9.8ππ Late Disclosure
WordPressPlugin Download
An arbitrary file upload vulnerability in the Plugin Download WordPress plugin allows unauthenticated attackers to upload and execute malicious files via the admin-ajax.php endpoint.
CVSS Base9.8
β
CRSSelect profile
CVE-2021-47936
9.8ππ Late Disclosure
HPfiles disguised
A remote code execution vulnerability in OpenCATS allows unauthenticated attackers to execute arbitrary system commands by uploading malicious PHP files as resume attachments.
CVSS Base9.8
β
CRSSelect profile
CVE-2021-47932
9.8ππ Late Disclosure
WordPressTheCartPress
An unauthenticated privilege escalation vulnerability in TheCartPress WordPress plugin allows attackers to create new administrative accounts via the AJAX handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2021-47923
9.8ππ Late Disclosure
OpenCartOpenCart
A session fixation vulnerability in OpenCart allows attackers to hijack user sessions by forcing the use of a known, malicious session identifier.
CVSS Base9.8
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2021-47941
8.2ππ Late Disclosure
WordPresscookie parameter
A vulnerability in the WordPress Plugin Survey & Poll may allow unauthorized access through manipulation of the cookie parameter.
CVSS Base8.2
β
CRSSelect profile
CVE-2026-42605
8.8π
HPwebshell to
A critical security vulnerability has been identified in the AzuraCast web radio management suite.
CVSS Base8.8
β
CRSSelect profile
CVE-2021-47937
8.8ππ Late Disclosure
HPendpoint that
A security vulnerability has been discovered in e107 CMS 2 that could permit unauthorized access or code execution.
CVSS Base8.8
β
CRSSelect profile
CVE-2021-47938
8.8ππ Late Disclosure
HPcode by
A security vulnerability has been identified in ImpressCMS 1 that requires immediate investigation and patching.
CVSS Base8.8
β
CRSSelect profile
CVE-2021-47939
8.8π Late Disclosure
HPcode into
Evolution CMS 3
CVSS Base8.8
β
CRSSelect profile
CVE-2021-47943
8.8π Late Disclosure
HPfiles through
TextPattern CMS 4
CVSS Base8.8
β
CRSSelect profile
CVE-2022-50944
8.8π Late Disclosure
HPcode injection
Aero CMS 0
CVSS Base8.8
β
CRSSelect profile
CVE-2026-42562
8.3π
HPPlainpad
A security vulnerability has been identified in the self-hosted note-taking application Plainpad.
CVSS Base8.3
β
CRSSelect profile
CVE-2026-3828
7.2
sinceswitch products
Some Hikvision switch products (discontinued since December 2023) are vulnerable to authenticated remote command execution due to insufficient input validation
CVSS Base7.2
β
CRSSelect profile
CVE-2026-8260
8.8
D-LinkDCS
A vulnerability was found in D-Link DCS-935L up to 1
CVSS Base8.8
β
CRSSelect profile
CVE-2021-47928
8.2π Late Disclosure
VendorTMD Vendor
Opencart TMD Vendor System 3
CVSS Base8.2
β
CRSSelect profile
CVE-2021-47930
8.2ππ Late Disclosure
JoomlaForms Builder
A security flaw in the Balbooa Joomla Forms Builder may allow an attacker to exploit form submission processes.
CVSS Base8.2
β
CRSSelect profile
CVE-2026-8234
8.8π
EFMipTIME A8004T
A security vulnerability has been identified in the EFM ipTIME A8004T router, potentially allowing for unauthorized system impact.
CVSS Base8.8
β
CRSSelect profile
CVE-2021-47935
8.8ππ Late Disclosure
SentrySentry
A vulnerability has been detected in Sentry 8, potentially impacting the monitoring and error-tracking capabilities of the platform.
CVSS Base8.8
β
CRSSelect profile
CVE-2021-47949
8.8ππ Late Disclosure
CyberPanelCyberPanel
A vulnerability has been identified in CyberPanel 2 that could permit unauthorized system access.
CVSS Base8.8
β
CRSSelect profile
CVE-2026-42606
8.1π
AzuraCastAzuraCast
A vulnerability has been identified in the AzuraCast web radio management suite that could allow for unauthorized access or system impact.
CVSS Base8.1
β
CRSSelect profile
CVE-2021-47945
7.8ππ Late Disclosure
SurveillanceSurveillance DVR
A security vulnerability has been discovered in the Argus Surveillance DVR, potentially allowing unauthorized access to video feeds or system settings.
CVSS Base7.8
β
CRSSelect profile
CVE-2026-42574
7.5π
Archapko
A vulnerability exists in the apko tool, which is used for building OCI container images from apk packages.
CVSS Base7.5
β
CRSSelect profile
CVE-2026-42575
7.5π
Chainguardapko
A security vulnerability has been identified in apko, a tool used to build OCI container images from apk packages.
CVSS Base7.5
β
CRSSelect profile
CVE-2021-47944
7.5ππ Late Disclosure
memonoNotepad
A security vulnerability has been identified in memono Notepad 4 that requires investigation and remediation.
CVSS Base7.5
β
CRSSelect profile
CVE-2026-8216
7.3π
CaniasCanias ERP
A security vulnerability has been identified in IAS Canias ERP 8 that requires immediate attention from security administrators.