Welcome to your weekly vulnerability digest. If your security dashboards have been flashing red, your telemetry is accurate. We are witnessing an alarming escalation in the volume and velocity of cyber threats. This week, the numbers broke new records, and threat actors are actively exploiting network controllers, enterprise mail servers, and even the analytical plugins running quietly in the background of your websites.
Between May 11 and May 17, 2026, an overwhelming 1,975 new vulnerabilities were disclosed. The sheer volume makes manual triage nearly impossible, requiring a ruthless focus on the threats currently being weaponized in the wild.
Here is the raw intelligence you need to harden your perimeter this week.
By the Numbers: The Week at a Glance
When dealing with nearly two thousand vulnerabilities, ruthless prioritization is the only path forward. Here is the severity breakdown for the week’s disclosures:
- Critical (CVSS 9.0–10.0): 156
- High (CVSS 7.0–8.9): 773
- Medium (CVSS 4.0–6.9): 683
- Low (CVSS 0.1–3.9): 69
- Unknown/Pending Analysis: 292
While 156 Critical flaws demand attention, 773 High-severity vulnerabilities represent a massive expansion of the viable attack surface. However, our immediate mandate is to address the six vulnerabilities that threat actors are actively exploiting right now.
The CISA KEV Hotlist: Core Infrastructure Compromised
The Cybersecurity and Infrastructure Security Agency (CISA) added two high-profile vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog this week. Both target fundamental components of enterprise infrastructure:
1. Cisco Catalyst SD-WAN Controller (CVE-2026-20182): This is a nightmare scenario for network engineers. Rated at a maximum CVSS 10.0, this peering authentication vulnerability affects the Cisco Catalyst SD-WAN Controller (formerly vSmart) and Manager (vManage). An unauthenticated, remote attacker can bypass authentication entirely, gaining total administrative privileges over the affected system. If your SD-WAN backbone is exposed, assume breach and isolate immediately.
2. Microsoft Exchange Server (CVE-2026-42897): Threat actors are actively leveraging an improper input neutralization (Cross-Site Scripting) vulnerability (CVSS 8.1) in Microsoft Exchange. By sending a specially crafted email, attackers can trigger malicious scripts when the user opens the email in Outlook Web Access. This requires immediate patching, as it transforms a routine email interaction into an initial foothold.
In the Wild: Active Exploitation Radar
Beyond the CISA KEV list, our internal telemetry has flagged four additional severe threats currently marked as ACTIVE in the wild:
- GUARDIANWALL MailSuite (CVE-2026-32661): A Critical (CVSS 9.8) stack-based buffer overflow vulnerability. Enterprise mail suites remain a favorite target for ransomware operators looking for a quiet entry point.
- Burst Statistics WordPress Plugin (CVE-2026-8181): A massive CVSS 9.8 authentication bypass vulnerability in this popular “privacy-friendly” Google Analytics alternative allows attackers to completely take over WordPress websites. Marketing teams using this plugin must update it before the weekend.
- PraisonAI Flask API (CVE-2026-44338): The relentless targeting of AI infrastructure continues. PraisonAI ships with a legacy Flask API server that inexplicably has authentication disabled by default in certain versions. Attackers are currently exploiting this (CVSS 7.3) to compromise multi-agent AI environments.
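The PraisonAI item above describes an API server that ships with authentication switched off by default. As an added example (not PraisonAI's code, nor that of any other project in this digest), the following standard-library WSGI middleware shows the defensive pattern an architectural review should insist on: authentication is on by default, it must be disabled explicitly to be absent, every request needs a valid bearer token, and the secret is compared in constant time. The agent_api handler, the DEMO_API_KEY value and the request path are constructed for illustration only.

```python
import hmac
from io import BytesIO

# Constructed demo secret; in a real deployment load it from a secret store or environment.
DEMO_API_KEY = "constructed-demo-key-rotate-me"


def require_api_key(app, expected_key):
    """WSGI middleware: reject any request without a valid 'Authorization: Bearer <key>' header."""
    expected = expected_key.encode("utf-8")

    def wrapped(environ, start_response):
        auth = environ.get("HTTP_AUTHORIZATION", "")
        scheme, _, token = auth.partition(" ")
        presented = token.strip().encode("utf-8")
        # Constant-time comparison so a wrong key cannot be narrowed down byte by byte.
        if scheme.lower() != "bearer" or not hmac.compare_digest(presented, expected):
            start_response("401 Unauthorized", [("Content-Type", "text/plain"),
                                                ("WWW-Authenticate", "Bearer")])
            return [b"authentication required\n"]
        return app(environ, start_response)

    return wrapped


def agent_api(environ, start_response):
    """Stand-in for an agent-orchestration endpoint (hypothetical, not any project's code)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"agent run accepted\n"]


def build_app(require_auth=True, api_key=DEMO_API_KEY):
    """Secure-by-default factory: authentication is only absent when a caller turns it off."""
    if not require_auth:
        # Shipping this branch as the default is the class of mistake the digest describes.
        return agent_api
    return require_api_key(agent_api, api_key)


def call(app, method="POST", path="/agents/run", headers=None):
    """Drive a WSGI app in-process with a constructed request; returns (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "wsgi.input": BytesIO(b"")}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    app = build_app()
    print(call(app))                                                       # 401: no token
    print(call(app, headers={"Authorization": "Bearer " + DEMO_API_KEY}))  # 200: valid token
    print(call(build_app(require_auth=False)))                             # 200: the dangerous default
```

Because the middleware wraps any WSGI callable, the same wrapper can be placed in front of a Flask application object without changing the routes behind it; the important property is that build_app() with no arguments produces the authenticated variant.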
The Maximum Severity Flaws
A CVSS score of 10.0 means a vulnerability is trivial to exploit remotely, requires zero authentication, and results in catastrophic system compromise. This week’s absolute worst offenders include:
- The Return of the vm2 Sandbox Escape (CVE-2026-44006): Last week, we saw multiple escapes in the vm2 Node.js sandbox. This week, another method to reach BaseHandler.getPrototypeOf was discovered, allowing attackers to get arbitrary prototypes and execute host-level code. Software-based isolation for untrusted JavaScript remains highly volatile.
- ChurchCRM Incomplete Fix (CVE-2026-42288): A previous patch for a pre-authentication remote code execution flaw in this open-source management system was completely bypassed. Attackers are exploiting the incomplete fix to resume full system compromises.
- Dalfox Server Mode RCE (CVE-2026-45087): When Dalfox (a popular parameter analysis tool) is started in REST API server mode, an unauthenticated remote code execution vulnerability via the found-action parameter exposes the host server.
- SOCFortress CoPilot (CVE-2026-42869): A tool designed to consolidate security operations ironically shipped a critical vulnerability, exposing the exact teams it was meant to protect.
The Bottom Line
For the System Administrators and Engineers: Your immediate mandate is to secure your communications and network routing. Cisco Catalyst SD-WAN Controllers must be patched or firewalled off immediately. Next, deploy the Microsoft Exchange patches to stop the active web-access exploits, and audit your web servers for the Burst Statistics WordPress plugin.
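The last step above, auditing web servers for the Burst Statistics plugin, can be scripted rather than done by hand. The following is an added example, not code from this digest or from the plugin's authors: it walks a wp-content/plugins directory, reads each plugin's header comment for its name and version, and reports whether a given plugin slug is absent, outdated, or at or above a minimum safe version. The slug burst-statistics, the sample plugin versions and the 1.2.4 threshold are constructed placeholders; take the real fixed version from the vendor's advisory.

```python
import re
import tempfile
from pathlib import Path


def parse_plugin_header(php_text):
    """Read the 'Plugin Name' and 'Version' fields from a WordPress plugin's header comment."""
    header = {}
    for field in ("Plugin Name", "Version"):
        match = re.search(r"^[\s*#]*" + re.escape(field) + r":\s*(.+?)\s*$", php_text, re.M)
        if match:
            header[field] = match.group(1)
    return header


def find_plugins(plugins_dir):
    """Map each plugin folder under wp-content/plugins to its parsed header."""
    found = {}
    for folder in sorted(Path(plugins_dir).iterdir()):
        if not folder.is_dir():
            continue
        for php in sorted(folder.glob("*.php")):
            header = parse_plugin_header(php.read_text(errors="ignore"))
            if "Plugin Name" in header:
                found[folder.name] = header
                break
    return found


def version_tuple(version):
    """Turn '1.2.3' into (1, 2, 3) for ordering; non-numeric parts are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit(plugins_dir, slug, minimum_safe_version):
    """Return (status, installed_version) for one slug: 'absent', 'outdated' or 'ok'."""
    plugins = find_plugins(plugins_dir)
    if slug not in plugins:
        return "absent", None
    installed = plugins[slug].get("Version", "0")
    if version_tuple(installed) < version_tuple(minimum_safe_version):
        return "outdated", installed
    return "ok", installed


def build_sample_site():
    """Create a constructed wp-content/plugins tree for the demo and return its path."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    samples = {
        "burst-statistics": ("Burst Statistics", "1.2.3"),  # constructed version
        "hello-dolly": ("Hello Dolly", "1.7.2"),            # constructed version
    }
    for slug, (name, version) in samples.items():
        (root / slug).mkdir(parents=True)
        (root / slug / f"{slug}.php").write_text(
            f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n"
        )
    return root


if __name__ == "__main__":
    site = build_sample_site()
    # "1.2.4" is a placeholder threshold; use the fixed version from the vendor advisory.
    print(audit(site, "burst-statistics", "1.2.4"))
```

Point audit() at the real plugins directory of each site (for example /var/www/html/wp-content/plugins) and run it from your configuration-management or fleet tooling so every host is checked, not only the ones someone remembers.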
For the CISOs and Security Directors: The discovery of CVE-2026-44338 in PraisonAI highlights a recurring, dangerous theme: the rapid deployment of AI orchestration tools is happening with legacy, unauthenticated APIs left wide open. You must enforce strict architectural reviews on all AI and Machine Learning deployments. If an AI agent has the power to act on behalf of your company, its underlying API must be defended with the same rigor as your primary banking portals.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.