Week 16/2026: 1,427 CVEs (+21%), 492 CRITICAL/HIGH, 146 POCs, 237 Unpatched

Overview

Vuln.today data for 2026-04-20 to 2026-04-27 reports 1,427 CVEs published, representing a 21% increase from the previous week (1,180 CVEs). Severity distribution: 123 CRITICAL, 369 HIGH, 597 MEDIUM, 71 LOW, and 267 UNKNOWN. Public exploit code is available for 146 CVEs. Patches are available for 795 CVEs, leaving 237 CRITICAL or HIGH severity vulnerabilities unpatched. Zero CISA KEV entries are present in the dataset for this period.

Critical Threats

• CVE-2026-6942 (CRITICAL, CVSS 9.3): radare2-mcp version 1.6.0 and earlier OS command injection vulnerability enables remote attackers to execute arbitrary commands via shell metacharacters in jsonrpc interface parameters. Public exploit code available. Patch available per vendor advisory.
• CVE-2026-23751 (CRITICAL, CVSS 9.3): Kofax Capture (Tungsten Capture) version 6.0.0.0 exposes unauthenticated .NET Remoting HTTP channel on port 2424, enabling remote attackers to exploit object unmarshalling for code execution. Public exploit code available. No vendor-released patch identified at time of analysis.
• CVE-2026-26210 (CRITICAL, CVSS 9.3): KTransformers through 0.5.3 unsafe deserialization in balance_serve backend allows remote attackers to execute arbitrary code via crafted pickle payload to exposed ZMQ socket. Public exploit code available. Upstream fix available (PR/commit); released patched version not independently confirmed.
• CVE-2026-41468 (CRITICAL, CVSS 9.3): Beghelli Sicuro24 SicuroWeb template injection with AngularJS 1.5.2 sandbox escape enables arbitrary JavaScript execution in operator browsers, leading to session hijacking. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Beghelli Sicuro24 SicuroWeb deployments and verify TLS enforcement-disable HTTP access entirely and enforce HTTPS-only communication; audit logs for suspicious JavaScript.
• CVE-2026-39920 (CRITICAL, CVSS 9.3): BridgeHead FileStore pre-24A remote code execution via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. Public exploit code available. Patch available per vendor advisory. Action: Within 24 hours: Identify all BridgeHead FileStore instances running versions before 24A; isolate affected systems from production networks or restrict network access to the Axis2 admin console.
• CVE-2026-41179 (CRITICAL, CVSS 9.2): rclone remote control API command injection allows remote attackers to execute arbitrary commands through unprotected operations endpoint when RC API is enabled without global HTTP authentication. Public exploit code available. Patch available per vendor advisory. Action: Within 24 hours: Identify all rclone instances with RC API enabled using port scanning and configuration audits; immediately disable --rc or rclone rcd if not operationally critical, or restrict network access.
• CVE-2026-41176 (CRITICAL, CVSS 9.2): rclone RC API authentication bypass allows remote attackers to disable authorization checks via unauthenticated configuration mutation through the options/set endpoint. Public exploit code available. Patch available per vendor advisory. Action: Within 24 hours: Audit all rclone deployments to identify instances with RC endpoints exposed to untrusted networks and verify HTTP authentication status via rclone rc options/get and network exposure.
• CVE-2026-33656 (CRITICAL, CVSS 9.1): EspoCRM path traversal in formula scripting engine allows authenticated administrators to achieve arbitrary file read/write on the web server via attachment sourceId field manipulation. Public exploit code available. Patch available per vendor advisory. Action: Within 24 hours: Identify all EspoCRM instances in use and verify current versions; restrict administrative access to formula scripting features where possible and audit recent admin activities.
• CVE-2026-7037 (HIGH, CVSS 8.9, EPSS 0.9%): Totolink A8000RU firmware 7.1cu.643_b20200521 OS command injection via pptpPassThru parameter enables remote unauthenticated attackers to execute arbitrary system commands. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Totolik A8000RU devices in your environment using network scanning tools and asset management systems, prioritize internet-facing instances for immediate isolation.
• CVE-2026-41473 (HIGH, CVSS 8.8, EPSS 0.2%): CyberPanel prior to 2.4.4 authentication bypass in AI Scanner worker API endpoints allows unauthenticated remote attackers to write arbitrary data to the database. Public exploit code available. Upstream fix available (PR/commit); released patched version not independently confirmed.

Threat Landscape

Linux products represent the largest vendor share with 259 CVEs, followed by Oracle (103), WordPress (70), Mozilla (44), and Microsoft (26). Information Disclosure is the most prevalent attack technique (393 CVEs), followed by Authentication Bypass (274), Denial of Service (168), XSS (125), and Buffer Overflow (109). RCE affects 101 CVEs. Patch coverage is 55.7% across all severities (795 patched of 1,427 total). Five CRITICAL vulnerabilities have linked threat intelligence per MISP Galaxies, MITRE ATT&CK, or CISA attribution: CVE-2026-6074, CVE-2026-40630, CVE-2026-25775, CVE-2026-40620, and CVE-2026-35503.

Key Trends

Week-over-week CVE publication volume increased 21% from 1,180 to 1,427. CRITICAL and HIGH severity vulnerabilities total 492 (34.5% of all CVEs), with 237 remaining unpatched. Public exploit code is available for 146 CVEs (10.2% of the dataset), elevating exploitation risk for these vulnerabilities. Vendor concentration is notable, with the top 10 vendors accounting for 586 CVEs (41% of total volume). Authentication Bypass ranks as the second-most prevalent attack technique (274 CVEs), indicating continued focus on credential and access control weaknesses.

Recommendations

• Within 24 hours: Identify all Beghelli Sicuro24 SicuroWeb deployments and verify TLS enforcement-disable HTTP access entirely and enforce HTTPS-only communication; audit logs for suspicious JavaScript.
• Within 24 hours: Identify all BridgeHead FileStore instances running versions before 24A; isolate affected systems from production networks or restrict network access to the Axis2 admin console.
• Within 24 hours: Identify all rclone instances with RC API enabled using port scanning and configuration audits; immediately disable --rc or rclone rcd if not operationally critical, or restrict network access.
• Within 24 hours: Audit all rclone deployments to identify instances with RC endpoints exposed to untrusted networks and verify HTTP authentication status via rclone rc options/get and network exposure.
• Within 24 hours: Identify all EspoCRM instances in use and verify current versions; restrict administrative access to formula scripting features where possible and audit recent admin activities.
• Within 24 hours: Identify all Totolik A8000RU devices in your environment using network scanning tools and asset management systems, prioritize internet-facing instances for immediate isolation.
• Prioritize remediation for the 237 unpatched CRITICAL and HIGH severity vulnerabilities, focusing on network-accessible systems and those with public exploit code.
• Review the 146 CVEs with public exploit code for presence in the environment, as exploitation risk is elevated for these vulnerabilities.
• For CVE-2026-26210 and CVE-2026-41473, review and apply the upstream fixes after validation in non-production environments, or wait for an official tagged release if operational risk permits delay.