1,796 CVEs Published: 742 Critical/High, 3 KEV, 204 Unpatched

Overview

During the reporting period 2026-05-04 to 2026-05-11, vuln.today data identified 1,796 published CVEs, representing a +60% increase from the previous week (1,125 CVEs). Severity breakdown: 183 CRITICAL, 559 HIGH, 542 MEDIUM, 163 LOW, and 349 UNKNOWN. The dataset includes 3 CISA KEV entries, 160 vulnerabilities with public exploits/POCs, 1,277 with patches available, and 204 unpatched CRITICAL/HIGH severity vulnerabilities.

Critical Threats

• CVE-2026-0300 (CRITICAL, CVSS 9.3): Remote code execution in Palo Alto Networks PAN-OS User-ID Authentication Portal (Captive Portal) affecting PA-Series and VM-Series firewalls. Confirmed actively exploited (CISA KEV), public exploit code available, EPSS 14.9%. Vendor-released patch available. Action: WITHIN 24 HOURS: (1) Identify all PA-Series and VM-Series firewalls in your environment running PAN-OS versions vulnerable to CVE-2026-0300-contact Palo Alto Networks for affected version list if not.
• CVE-2026-6973 (HIGH, CVSS 7.2): Remote code execution in Ivanti Endpoint Manager Mobile (EPMM) allowing authenticated administrators to execute arbitrary code on the server. Affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. Confirmed actively exploited (CISA KEV), public exploit code available, EPSS 5.0%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all EPMM deployments and document current versions; audit and restrict EPMM administrator account access to principle of least privilege. Within 7 days: Upgrade all EPMM ins.
• CVE-2026-42208 (CRITICAL, CVSS 9.3): SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read and modify database contents, gaining unauthorized access to managed LLM API credentials. Confirmed actively exploited (CISA KEV), public exploit code available, EPSS 0.1%. Vendor-released patch: version 1.83.7. Action: Within 24 hours: Identify all LiteLLM proxy instances running versions 1.81.16 through 1.83.6 using asset inventory and network scans. Within 7 days: Upgrade all affected instances to version 1.83.7 o.
• CVE-2026-24118 (CRITICAL, CVSS 9.8): Remote code execution in VM2 sandbox (npm package) versions ≤3.10.4 allows attackers to escape the JavaScript isolation boundary and execute arbitrary system commands on the host. Public exploit code available, EPSS 0.1%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Audit all systems and applications using VM2 ≤3.10.4 (check package-lock.json and npm ls vm2). Immediately isolate or restrict network access to systems running vulnerable versions. W.
• CVE-2026-26956 (CRITICAL, CVSS 9.8): Full sandbox escape with arbitrary code execution in vm2's Node.js sandbox environment (version 3.10.4) allows remote attackers to break out and execute commands on the host system. Public exploit code available, EPSS 0.1%. Vendor-released patch: version 3.10.5. Action: Within 24 hours: Identify all systems running vm2 versions ≤3.10.4 using dependency scanning (npm audit, SBOM tools). Within 7 days: Upgrade all instances to vm2 version 3.10.5 or later and validate i.
• CVE-2026-24120 (CRITICAL, CVSS 9.8): Sandbox escape in vm2 for Node.js allows remote unauthenticated attackers to execute arbitrary commands on the host system. Represents an insufficient fix for CVE-2023-37466. Public exploit code available, EPSS 0.1%. Vendor-released patch: version 3.10.5. Action: Within 24 hours: Identify all applications and services using vm2 across your infrastructure and assess exposure scope. Within 7 days: Upgrade vm2 to version 3.10.5 or later on all affected systems; i.
• CVE-2026-41922 (CRITICAL, CVSS 9.3): Remote code execution in WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) allows unauthenticated network attackers to execute arbitrary shell commands via OS command injection. Public exploit code available, EPSS 0.9%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all WDR201A devices in your environment and isolate affected units from production networks if firmware update is unavailable. Within 7 days: Contact the device manufacturer.
• CVE-2026-41923 (CRITICAL, CVSS 9.3): OS command injection in WDR201A WiFi Extender firmware v1.02 allows unauthenticated remote attackers to execute arbitrary shell commands via the gateway parameter in internet.cgi. Public exploit code available, EPSS 0.5%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all WDR201A WiFi Extender devices on network; identify those with internet-facing gateway parameter access; isolate or air-gap affected units immediately. Within 7 days: Rem.
• CVE-2026-41925 (CRITICAL, CVSS 9.3): Remote code execution in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows unauthenticated attackers to execute arbitrary OS commands via the adm.cgi binary's reboot_time parameter. Public exploit code available, EPSS 0.5%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all WDR201A devices running firmware version 1.02 or earlier and isolate affected units from production networks. Within 7 days: Contact vendor for firmware updates or end-o.
• CVE-2026-41926 (CRITICAL, CVSS 9.3): Remote unauthenticated command injection in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows attackers to execute arbitrary OS commands via five vulnerable firewall.cgi handlers. Injected commands persist in NVRAM and automatically re-execute, creating a self-sustaining backdoor. Public exploit code available, EPSS 0.4%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all WDR201A devices on network inventory and isolate any with firmware ≤1.02 from internet-facing network segments; verify management interfaces are not remotely accessible.

Threat Landscape

Linux products represent the largest vendor exposure with 441 CVEs, followed by Google (158), Microsoft (90), WordPress (59), and Apache (39). Attack technique distribution shows Information Disclosure as the most prevalent (634 occurrences), followed by Denial Of Service (284), Authentication Bypass (251), RCE (181), and Buffer Overflow (162). The dataset shows 1,277 CVEs with patches available versus 204 unpatched CRITICAL/HIGH severity vulnerabilities. One CVE (CVE-2026-0300) exhibits elevated EPSS probability of 14.9%. Two CVEs (CVE-2026-6411, CVE-2026-21661) have linked threat intelligence associations per MISP Galaxies, MITRE ATT&CK, or CISA data.

Key Trends

Week-over-week CVE publication volume increased 60% from 1,125 to 1,796 CVEs. Vendor concentration remains high with Linux (441 CVEs) representing approximately 25% of total volume. Information Disclosure (634 CVEs, 35% of total) dominates attack technique prevalence, exceeding Denial Of Service (284) by more than 2:1. Patch availability covers 71% of published CVEs (1,277 of 1,796), while 204 CRITICAL/HIGH severity vulnerabilities remain unpatched. Public exploits/POCs exist for 160 CVEs (9% of total dataset), with 3 CVEs confirmed in CISA KEV.

Recommendations

• WITHIN 24 HOURS: Identify all PA-Series and VM-Series firewalls in your environment running PAN-OS versions vulnerable to CVE-2026-0300-contact Palo Alto Networks for affected version list if not.
• Within 24 hours: Inventory all EPMM deployments and document current versions; audit and restrict EPMM administrator account access to principle of least privilege. Within 7 days: Upgrade all EPMM ins. (Note: CVE-2026-6973 remains unpatched; isolate affected systems and monitor for exploitation until vendor fix becomes available).
• Within 24 hours: Identify all LiteLLM proxy instances running versions 1.81.16 through 1.83.6 using asset inventory and network scans. Within 7 days: Upgrade all affected instances to version 1.83.7 o.
• Within 24 hours: Audit all systems and applications using VM2 ≤3.10.4 (check package-lock.json and npm ls vm2). Immediately isolate or restrict network access to systems running vulnerable versions. W. Review and apply the upstream fix after validation or wait for an official tagged release.
• Within 24 hours: Identify all systems running vm2 versions ≤3.10.4 using dependency scanning (npm audit, SBOM tools). Within 7 days: Upgrade all instances to vm2 version 3.10.5 or later and validate i.
• Within 24 hours: Identify all applications and services using vm2 across your infrastructure and assess exposure scope. Within 7 days: Upgrade vm2 to version 3.10.5 or later on all affected systems; i.
• Within 24 hours: Inventory all WDR201A devices in your environment and isolate affected units from production networks if firmware update is unavailable. Within 7 days: Contact the device manufacturer. (Note: CVE-2026-41922 remains unpatched; decommission if end-of-life or maintain network isolation until vendor fix becomes available).
• Within 24 hours: Inventory all WDR201A WiFi Extender devices on network; identify those with internet-facing gateway parameter access; isolate or air-gap affected units immediately. Within 7 days: Rem. (Note: CVE-2026-41923 remains unpatched; maintain isolation and monitor for vendor security advisories).
• Within 24 hours: Inventory all WDR201A devices running firmware version 1.02 or earlier and isolate affected units from production networks. Within 7 days: Contact vendor for firmware updates or end-o. (Note: CVE-2026-41925 remains unpatched; decommission if end-of-life or maintain network isolation).
• Within 24 hours: Identify all WDR201A devices on network inventory and isolate any with firmware ≤1.02 from internet-facing network segments; verify management interfaces are not remotely accessible. (Note: CVE-2026-41926 remains unpatched; maintain strict network segmentation and monitor for vendor advisories).
• Prioritize remediation for the 3 CISA KEV entries confirmed as actively exploited in production environments.
• Address the 160 CVEs with public exploit code available, as exploitation risk is elevated for these vulnerabilities.
• Focus patching efforts on the 204 unpatched CRITICAL/HIGH severity vulnerabilities, implementing compensating controls where vendor fixes are unavailable.
• Review vendor security advisories for Linux (441 CVEs), Google (158 CVEs), and Microsoft (90 CVEs) products to ensure comprehensive coverage of organizational exposure.