Vulnerability Surge: 1,516 CVEs, 111 Critical, Router Command Injection Wave

Overview

During the reporting period of April 6-13, 2026, vuln.today data recorded 1,516 published CVEs, representing a 24% increase from the previous week (1,224 CVEs). Severity distribution: 111 CRITICAL, 512 HIGH, 656 MEDIUM, 46 LOW, and 191 UNKNOWN. Public exploits or proof-of-concept code exist for 184 vulnerabilities. Patches are available for 423 CVEs, while 441 CRITICAL or HIGH severity vulnerabilities remain unpatched. No CISA KEV entries were present in the dataset for this period.

Critical Threats

• CVE-2026-23696 (CRITICAL, CVSS 9.4): SQL injection in Windmill workflow orchestration platform versions 1.276.0 through 1.603.2 enables authenticated attackers to escalate privileges to administrator and achieve remote code execution. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Windmill deployments and document current versions in use. Within 7 days: Upgrade all affected instances to version 1.603.3 or later immediately-this is a mandatory secur
• CVE-2026-22679 (CRITICAL, CVSS 9.3): Remote code execution in Weaver E-cology 10.0 (pre-20260312) allows remote attackers to execute arbitrary system commands via exposed debug functionality at /papi/esearch/data/devops/dubboApi/debug/method. Public exploit code available. Confirmed actively exploited (CISA KEV). Action: Within 24 hours: Identify all Weaver E-cology 10.0 instances with versions prior to 20260312 in your environment; disable or firewall-restrict access to /papi/esearch/data/devops/dubboApi/debug/method
• CVE-2026-35022 (CRITICAL, CVSS 9.3): OS command injection in Anthropic Claude Code CLI and Agent SDK for Python allows remote attackers to execute arbitrary commands through unsanitized authentication helper parameters processed with shell=true. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all systems running Claude Code CLI or Agent SDK for Python by scanning CI/CD configurations, deployment manifests, and development environments; isolate affected runners fro
• CVE-2026-39912 (CRITICAL, CVSS 9.1): Authentication bypass in V2Board 1.6.1-1.7.4 and Xboard ≤0.1.9 enables account takeover including admin privileges. When login_with_mail_link_enable is active, remote attackers POST known email addresses to the loginWithMailLink endpoint, receiving full authentication URLs in HTTP responses. Public exploit code available. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Identify all V2Board and Xboard instances in production and verify affected versions. Within 7 days: Apply vendor-released patch to V2Board ≥1.7.5 and Xboard ≥0.2.0, or immediately di
• CVE-2026-6029 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows remote attackers to execute arbitrary system commands via the User parameter in setVpnAccountCfg function at /cgi-bin/cstecgi.cgi endpoint. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Totolink A7100RU routers in your environment and isolate firmware version 7.4cu.2313_b20191024 devices from untrusted networks; check vendor (Totolik) security advisory fo
• CVE-2026-6026 (HIGH, CVSS 8.9): Remote OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows remote attackers to execute arbitrary system commands via the setPortalConfWeChat function within /cgi-bin/cstecgi.cgi, exploitable by manipulating the 'enable' parameter. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all Totolik A7100RU deployments and identify current firmware versions. Within 7 days: Contact Totolik support to determine patch availability timeline; if no patch is immin
• CVE-2026-6025 (HIGH, CVSS 8.9): Remote OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows arbitrary command execution via the setSyslogCfg function in /cgi-bin/cstecgi.cgi. Remote attackers exploit the 'enable' parameter to achieve full system compromise. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Totolik A7100RU devices on corporate networks and VPNs using network discovery tools; document current firmware versions. Within 7 days: Contact affected users and isolat
• CVE-2026-6116 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows remote attackers to execute arbitrary system commands via crafted requests to the /cgi-bin/cstecgi.cgi endpoint. The vulnerability resides in the setDiagnosisCfg function's insufficient validation of the 'ip' parameter. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Totolink A7100RU devices on your network using firmware 7.4cu.2313_b20191024 via asset inventory or network scanning; isolate affected devices from production networks if
• CVE-2026-5995 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU 7.4cu.2313_b20191024 allows remote attackers to execute arbitrary system commands via malicious lan_info parameter to setMiniuiHomeInfoShow function in /cgi-bin/cstecgi.cgi. Public exploit code available. No vendor-released patch identified at time of analysis.
• CVE-2026-6027 (HIGH, CVSS 8.9): OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 enables remote attackers to execute arbitrary system commands via the 'enable' parameter in the setUrlFilterRules function of /cgi-bin/cstecgi.cgi. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Totolik A7100RU devices in inventory and isolate affected units from production networks if running firmware 7.4cu.2313_b20191024 or earlier; document current firmware ve

Threat Landscape

WordPress leads affected vendors with 200 CVEs, followed by Google (76), D-Link (43), Apache (32), and Tenda (28). Authentication Bypass is the most prevalent attack technique (329 occurrences), followed by Information Disclosure (266), Buffer Overflow (198), XSS (180), and RCE (172). Of 1,516 total CVEs, 423 have patches available, leaving 441 CRITICAL or HIGH severity vulnerabilities unpatched. Four CVEs have linked threat intelligence: CVE-2025-13926, CVE-2025-14815, CVE-2025-14816 (all CRITICAL), and CVE-2026-4436 (HIGH).

Key Trends

The 24% week-over-week increase in CVE volume (from 1,224 to 1,516) reflects sustained disclosure activity. WordPress accounts for 13% of all published CVEs, indicating concentration in content management platforms. Authentication Bypass and Information Disclosure together represent 39% of documented attack techniques (595 of 1,516 CVEs). The patch availability rate of 28% (423 of 1,516) leaves 70% of the dataset without confirmed vendor fixes. Public exploit code exists for 12% of published CVEs (184 of 1,516), while 29% of CRITICAL/HIGH severity issues remain unpatched (441 of 1,516).

Recommendations

• Within 24 hours: Identify all Windmill deployments and document current versions in use. Within 7 days: Upgrade all affected instances to version 1.603.3 or later immediately-this is a mandatory secur
• Within 24 hours: Identify all Weaver E-cology 10.0 instances with versions prior to 20260312 in your environment; disable or firewall-restrict access to /papi/esearch/data/devops/dubboApi/debug/method
• Within 24 hours: Identify all systems running Claude Code CLI or Agent SDK for Python by scanning CI/CD configurations, deployment manifests, and development environments; isolate affected runners fro
• Within 24 hours: Identify all V2Board and Xboard instances in production and verify affected versions. Within 7 days: Review and apply the upstream fix after validation, or wait for vendor to release an official tagged version
• Within 24 hours: Identify all Totolink A7100RU routers in your environment and isolate firmware version 7.4cu.2313_b20191024 devices from untrusted networks; restrict WAN access or decommission affected units if end-of-life
• Prioritize the 184 CVEs with public exploit code for immediate risk assessment, particularly the 111 CRITICAL severity vulnerabilities.
• For the 441 unpatched CRITICAL/HIGH severity vulnerabilities, implement compensating controls including network segmentation, access restrictions, and enhanced monitoring until vendor patches become available.