Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Sunday's disclosures center on WordPress plugin vulnerabilities, with multiple critical flaws affecting MStore API, Plugin Download, and TheCartPress carrying CVSS 9.8 ratings. The day brought 8 critical CVEs (down 71% from Saturday's 28) and 65 high-priority vulnerabilities (down 35% from 100). Notable disclosures include CVE-2021-47933 in WordPress MStore API, CVE-2021-47923 affecting OpenCart, and CVE-2026-44313 in Arch Linkwarden, all rated 9.1 or higher. Attack patterns concentrate on web application infrastructure and OAuth2 library implementations, with HP enterprise applications also represented. Patch availability sits at 0% across yesterday's disclosures, requiring defenders to rely on workarounds and compensating controls until vendor fixes arrive.
WordPress plugin ecosystem accounts for the majority of critical disclosures, with MStore API, Plugin Download, and TheCartPress all rated CVSS 9.8
Critical CVEs dropped 71% to 8 compared to Saturday's 28
High-priority CVEs decreased 35% to 65 from prior day's 100
OAuth2 library and OpenCart e-commerce platform vulnerabilities expand the web application attack surface beyond WordPress
Patch availability stands at 0% for yesterday's disclosures, leaving defenders dependent on mitigations
4 vulnerabilities have confirmed active exploitation, including BerriAI LiteLLM, ConnectWise ScreenConnect, Microsoft Windows, and Linux Kernel
Immediate action: Prioritize WordPress administrators reviewing affected plugins (MStore API, Plugin Download, TheCartPress) and consider disabling vulnerable extensions until patches are released. Organizations running ConnectWise ScreenConnect, BerriAI LiteLLM, or recent Linux Kernel and Windows builds should verify exposure given confirmed active exploitation, while OpenCart and Linkwarden operators should apply available compensating controls given the 0% patch availability.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2026-42208
9.5
BerriAILiteLLM
â° Federal Deadline:May 10, 2026(1 days remaining)
BerriAI LiteLLM SQL Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2024-1708
9.5đ Late Disclosure
ConnectWiseScreenConnect
â° Federal Deadline:May 11, 2026(2 days remaining)
ConnectWise ScreenConnect Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-32202
9.5
MicrosoftWindows
â° Federal Deadline:May 11, 2026(2 days remaining)
Microsoft Windows Protection Mechanism Failure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-31431
9.5
LinuxKernel
â° Federal Deadline:May 14, 2026(5 days remaining)
Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2021-47933
9.8đđ Late Disclosure
WordPressMStore API
An arbitrary file upload vulnerability in the MStore API allows unauthenticated attackers to execute malicious code on the host server via the REST API.
CVSS Base9.8
â
CRSSelect profile
CVE-2021-47940
9.8đđ Late Disclosure
WordPressPlugin Download
An arbitrary file upload vulnerability in the Plugin Download WordPress plugin allows unauthenticated attackers to upload and execute malicious files via the admin-ajax.php endpoint.
CVSS Base9.8
â
CRSSelect profile
CVE-2021-47936
9.8đđ Late Disclosure
HPfiles disguised
A remote code execution vulnerability in OpenCATS allows unauthenticated attackers to execute arbitrary system commands by uploading malicious PHP files as resume attachments.
CVSS Base9.8
â
CRSSelect profile
CVE-2021-47932
9.8đđ Late Disclosure
WordPressTheCartPress
An unauthenticated privilege escalation vulnerability in TheCartPress WordPress plugin allows attackers to create new administrative accounts via the AJAX handler.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-42569
9.4đ
HPapplication to
A critical vulnerability in phpVMS allows unauthenticated access to a legacy import feature, potentially exposing application data or functionality.
CVSS Base9.4
â
CRSSelect profile
CVE-2021-47923
9.8đđ Late Disclosure
OpenCartOpenCart
A session fixation vulnerability in OpenCart allows attackers to hijack user sessions by forcing the use of a known, malicious session identifier.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-44313
9.1đ
ArchLinkwarden
A Server-Side Request Forgery (SSRF) vulnerability in Linkwarden allows authenticated users to make unauthorized requests to internal services via insufficient URL validation.
CVSS Base9.1
â
CRSSelect profile
CVE-2026-42560
9.1đ
OAuth2 Library Maintainersauth
A flaw in the Patreon OAuth provider mapping causes multiple distinct user accounts to be incorrectly merged into a single local identity, leading to potential account takeovers.
CVSS Base9.1
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2026-34354
7.4
Trustand macOS
Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation
CVSS Base7.4
â
CRSSelect profile
CVE-2026-44339
8.6
Teamssystem
PraisonAI is a multi-agent teams system
CVSS Base8.6
â
CRSSelect profile
CVE-2026-44334
8.4
teamsrepo
PraisonAI is a multi-agent teams system
CVSS Base8.4
â
CRSSelect profile
CVE-2026-41496
8.1
Teamssystem
PraisonAI is a multi-agent teams system
CVSS Base8.1
â
CRSSelect profile
CVE-2026-41570
7.8
HPINI settings
PHPUnit is a testing framework for PHP
CVSS Base7.8
â
CRSSelect profile
CVE-2026-42224
7.6
HPprojects
ipl/web is a set of common web components for php projects
CVSS Base7.6
â
CRSSelect profile
CVE-2026-41311
7.5
templatePages compatible
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript
CVSS Base7.5
â
CRSSelect profile
CVE-2026-44338
7.3
Teamssystem
PraisonAI is a multi-agent teams system
CVSS Base7.3
â
CRSSelect profile
CVE-2021-47941
8.2đ Late Disclosure
WordPresscookie parameter
WordPress Plugin Survey & Poll 1
CVSS Base8.2
â
CRSSelect profile
CVE-2026-39816
8.8
ApacheNiFi
The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-42605
8.8
HPwebshell to
AzuraCast is a self-hosted, all-in-one web radio management suite
CVSS Base8.8
â
CRSSelect profile
CVE-2021-47937
8.8đ Late Disclosure
HPendpoint that
e107 CMS 2
CVSS Base8.8
â
CRSSelect profile
CVE-2021-47938
8.8đ Late Disclosure
HPcode by
ImpressCMS 1
CVSS Base8.8
â
CRSSelect profile
CVE-2021-47939
8.8đ Late Disclosure
HPcode into
Evolution CMS 3
CVSS Base8.8
â
CRSSelect profile
CVE-2021-47943
8.8đ Late Disclosure
HPfiles through
TextPattern CMS 4
CVSS Base8.8
â
CRSSelect profile
CVE-2022-50944
8.8đ Late Disclosure
HPcode injection
Aero CMS 0
CVSS Base8.8
â
CRSSelect profile
CVE-2026-44340
7.5đ
teamsMulti-agent teams system
PraisonAI multi-agent teams system contains an unspecified security vulnerability requiring immediate investigation.
CVSS Base7.5
â
CRSSelect profile
CVE-2026-42352
8.6
PythonMultiple Products
pygeoapi is a Python server implementation of the OGC API suite of standards
CVSS Base8.6
â
CRSSelect profile
CVE-2026-42301
7.8
FedoraRPM spec
pyp2spec generates working Fedora RPM spec file for Python projects
CVSS Base7.8
â
CRSSelect profile
CVE-2026-42562
8.3
HPMultiple Products
Plainpad is a self hosted note taking app
CVSS Base8.3
â
CRSSelect profile
CVE-2026-42296
8.1đ
KubernetesWorkflows
Argo Workflows contains a high-severity vulnerability that could impact the security of container-native job orchestration on Kubernetes.
CVSS Base8.1
â
CRSSelect profile
CVE-2026-42351
7.5
PythonMultiple Products
pygeoapi is a Python server implementation of the OGC API suite of standards
CVSS Base7.5
â
CRSSelect profile
CVE-2026-41576
7.1
HPMultiple Products
Brave CMS is an open-source CMS
CVSS Base7.1
â
CRSSelect profile
CVE-2026-42205
8.8đ
AvoAvo Framework
The Avo framework for Ruby on Rails admin panels contains a security vulnerability that could impact administrative access controls.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-3828
7.2
sinceswitch products
Some Hikvision switch products (discontinued since December 2023) are vulnerable to authenticated remote command execution due to insufficient input validation
CVSS Base7.2
â
CRSSelect profile
CVE-2026-42452
8.1
basedMultiple Products
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities
CVSS Base8.1
â
CRSSelect profile
CVE-2026-42189
7.5
SSHMultiple Products
Russh is a Rust SSH client & server library
CVSS Base7.5
â
CRSSelect profile
CVE-2021-47928
8.2đ Late Disclosure
VendorTMD Vendor
Opencart TMD Vendor System 3
CVSS Base8.2
â
CRSSelect profile
CVE-2021-47930
8.2đ Late Disclosure
JoomlaForms Builder
Balbooa Joomla Forms Builder 2
CVSS Base8.2
â
CRSSelect profile
CVE-2026-7807
8.1
priorMultiple Products
SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary
CVSS Base8.1
â
CRSSelect profile
CVE-2026-41432
7.1đ
IntelNew API
New API, an LLM gateway and AI asset management system, contains an unspecified vulnerability that may impact system security.
CVSS Base7.1
â
CRSSelect profile
CVE-2026-42556
8.9đ
PostizAI social media scheduling tool
Postiz AI social media scheduling tool contains a security vulnerability that could lead to unauthorized access or service disruption.
CVSS Base8.9
â
CRSSelect profile
CVE-2026-29202
8.8đ
cPanelNova Plugin
Insufficient input validation in the cPanel Nova plugin's `create_user` function allows for arbitrary Perl code execution.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-29203
8.8đ
cPanelNova Plugin
A symlink vulnerability in the cPanel Nova plugin's `Cpanel::Nova::Connector` allows for unauthorized modification of system file permissions.
CVSS Base8.8
â
CRSSelect profile
CVE-2026-8234
8.8
UnknownMultiple Products
A security vulnerability has been detected in EFM ipTIME A8004T 14
CVSS Base8.8
â
CRSSelect profile
CVE-2021-47935
8.8đ Late Disclosure
SentryMultiple Products
Sentry 8
CVSS Base8.8
â
CRSSelect profile
CVE-2021-47949
8.8đ Late Disclosure
CyberPanelMultiple Products
CyberPanel 2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-41524
8.7
BraveMultiple Products
Brave CMS is an open-source CMS
CVSS Base8.7
â
CRSSelect profile
CVE-2026-41683
8.6
UnknownMultiple Products
i18next-http-middleware is a middleware to be used with Node
CVSS Base8.6
â
CRSSelect profile
CVE-2026-41690
8.6
UnknownMultiple Products
18next-http-middleware is a middleware to be used with Node
CVSS Base8.6
â
CRSSelect profile
CVE-2026-41705
8.6
SpringMultiple Products
Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs
CVSS Base8.6
â
CRSSelect profile
CVE-2026-29972
8.2
nanoMODBUSMultiple Products
nanoMODBUS through v1
CVSS Base8.2
â
CRSSelect profile
CVE-2026-41693
8.2
UnknownMultiple Products
i18next-fs-backend is a backend layer for i18next using in Node
CVSS Base8.2
â
CRSSelect profile
CVE-2026-42353
8.2
UnknownMultiple Products
i18next-http-middleware is a middleware to be used with Node
CVSS Base8.2
â
CRSSelect profile
CVE-2026-41491
8.1
UnknownMultiple Products
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge
CVSS Base8.1
â
CRSSelect profile
CVE-2026-41883
8.1
UnknownMultiple Products
OmniFaces is a utility library for Faces
CVSS Base8.1
â
CRSSelect profile
CVE-2026-8178
8.1
priorMultiple Products
An issue exists in Amazon Redshift JDBC Driver versions prior to 2
CVSS Base8.1
â
CRSSelect profile
CVE-2026-44400
8.1
EnterpriseMultiple Products
MailEnable Enterprise Premium 10
CVSS Base8.1
â
CRSSelect profile
CVE-2026-6665
8.1
PgBouncerMultiple Products
The SCRAM code in PgBouncer before 1
CVSS Base8.1
â
CRSSelect profile
CVE-2026-42606
8.1
UnknownMultiple Products
AzuraCast is a self-hosted, all-in-one web radio management suite
CVSS Base8.1
â
CRSSelect profile
CVE-2026-41520
7.9
UnknownMultiple Products
Cilium is a networking, observability, and security solution with an eBPF-based dataplane
CVSS Base7.9
â
CRSSelect profile
CVE-2021-47945
7.8đ Late Disclosure
SurveillanceMultiple Products
Argus Surveillance DVR 4
CVSS Base7.8
â
CRSSelect profile
CVE-2026-42345
7.7
UnknownMultiple Products
FastGPT is an AI Agent building platform
CVSS Base7.7
â
CRSSelect profile
CVE-2026-38361
7.5
UnknownMultiple Products
An issue in fohrloop dash-uploader v
CVSS Base7.5
â
CRSSelect profile
CVE-2026-41584
7.5
UnknownMultiple Products
ZEBRA is a Zcash node written entirely in Rust
CVSS Base7.5
â
CRSSelect profile
CVE-2026-44498
7.5
UnknownMultiple Products
ZEBRA is a Zcash node written entirely in Rust
CVSS Base7.5
â
CRSSelect profile
CVE-2026-29974
7.5
kosmaMultiple Products
An issue was discovered in kosma minmea 0
CVSS Base7.5
â
CRSSelect profile
CVE-2026-29975
7.5
streamingMultiple Products
lwjson 1
CVSS Base7.5
â
CRSSelect profile
CVE-2026-41886
7.5
UnknownMultiple Products
locize is a localization platform that connects code and i18n setup
CVSS Base7.5
â
CRSSelect profile
CVE-2026-6659
7.5
versionsMultiple Products
Crypt::PasswdMD5 versions through 1
CVSS Base7.5
â
CRSSelect profile
CVE-2026-6664
7.5
PgBouncerMultiple Products
An integer overflow in network packet parsing code in PgBouncer before 1
CVSS Base7.5
â
CRSSelect profile
CVE-2026-42574
7.5
ArchMultiple Products
apko allows users to build and publish OCI container images built from apk packages
CVSS Base7.5
â
CRSSelect profile
CVE-2026-42575
7.5
UnknownMultiple Products
apko allows users to build and publish OCI container images built from apk packages
CVSS Base7.5
â
CRSSelect profile
CVE-2021-47944
7.5đ Late Disclosure
memonoMultiple Products
memono Notepad 4
CVSS Base7.5
â
CRSSelect profile
CVE-2026-8216
7.3
CaniasMultiple Products
A vulnerability was identified in Industrial Application Software IAS Canias ERP 8