The CVE Watchtower: Weekly Threat Intelligence Briefing (April 27 – May 3, 2026)
Do Son 
Welcome to your weekly vulnerability digest. As we transition from April to May, attackers are weaponizing critical infrastructure management tools, zeroing in on legacy communication protocols, and uncovering logic flaws in major application frameworks.
Between April 27 and May 3, 2026, the global cybersecurity community logged 1,134 new vulnerabilities. Let’s cut through the noise and look at the threats that require your immediate attention.
By the Numbers: The Week at a Glance
Effective triage demands context. Out of the 1,134 newly discovered vulnerabilities this week, here is the severity breakdown:
- Critical (CVSS 9.0–10.0): 94
- High (CVSS 7.0–8.9): 417
- Medium (CVSS 4.0–6.9): 406
- Low (CVSS 0.1–3.9): 29
- Unknown/Pending Analysis: 188
While the raw volume of vulnerabilities slightly decreased compared to the previous two weeks, the severity remains intense, with 94 critical flaws identified.
The CISA KEV Hotlist: Remote Management Under Fire
The Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog this week. The most significant additions target remote management and administrative panels:
- cPanel and WHM (CVE-2026-41940): A critical authentication bypass vulnerability (CVSS 9.8) affecting versions after 11.40 allows unauthenticated remote attackers to gain unauthorized access to the control panel. If you host infrastructure using cPanel/WHM, this represents a severe, immediate risk of total server compromise.
- ConnectWise ScreenConnect (CVE-2024-1708): Added to the KEV list due to active exploitation, this High-severity (CVSS 8.4) path-traversal vulnerability allows attackers to execute remote code or impact critical systems.
- Linux Kernel Crypto API (CVE-2026-31431): A High-severity flaw (CVSS 7.8) affecting
algif_aeadoperating out-of-place was flagged for active exploitation. - Windows Shell (CVE-2026-32202): A Medium-severity (CVSS 4.3) protection mechanism failure allowing spoofing attacks over a network is also seeing active use by threat actors.
In the Wild: Active Exploitation
Beyond the CISA KEV list, our internal Watchtower telemetry flagged three additional threats currently marked as ACTIVE in the wild:
-
Unauthenticated RCE via Case-Sensitive Routing (CVE-2026-4047): An exploit allowing unauthenticated remote code execution was detected. The root cause is a mismatch between authentication middleware using case-sensitive string matching (
/api/), while the underlying Express.js framework matches routes case-insensitively. -
Qinglong Command Injection (CVE-2026-3965): A Medium-severity (CVSS 5.3) protection mechanism failure in the API interface of the Qinglong task execution platform allows remote command injection.
-
Proxy API Key SQL Injection (CVE-2026-42208): A Critical-severity (CVSS 9.3) database query flaw where caller-supplied key values are concatenated directly into the query text rather than being properly parameterized, leading to SQL injection during proxy API key checks.
The Maximum Severity Flaw
Vulnerabilities achieving a CVSS score of 10.0 represent the absolute pinnacle of cyber risk: network-exploitable, requiring zero privileges, and resulting in total system compromise. This week’s notable CVSS 10.0 flaws include:
- Apache Camel CoAP (CVE-2026-33453): A flaw in the Apache Camel CoAP component allows an attacker to improperly control the modification of dynamically-determined object attributes.
- Open Vehicle Monitoring System 3 (CVE-2026-37541): A severe buffer overflow vulnerability exists in OVMS3 version 3.3.005. The parser fails to properly validate the length field in GVRET binary data, allowing remote attackers to cause a denial of service or execute arbitrary code via crafted frames.
- Workflow Global Prototype Pollution (CVE-2026-42232): An authenticated user with permissions to modify workflows could achieve global prototype pollution via an XML Node, leading to Remote Code Execution.
- Shopizer Path Traversal (CVE-2026-36767): A path traversal vulnerability in the
/content/images/addendpoint of shopizer v3.2.5 allows attackers to write arbitrary files to any writable path.
The Bottom Line
For the System Administrators and Engineers: If you are managing cPanel/WHM environments, patching CVE-2026-41940 is your top priority before the weekend ends. Additionally, verify that any deployments of ConnectWise ScreenConnect are updated to address ongoing path-traversal exploits.
For the CISOs and Security Directors: We are seeing a distinct trend of attackers exploiting fundamental architectural mismatches—such as the case-sensitivity bypass in Express.js routing (CVE-2026-4047-admin). Ensure your AppSec teams are conducting rigorous code reviews focusing on how middleware and underlying frameworks interact, particularly concerning authentication and routing logic.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
