
Weekly Vulnerability Briefing: 1510 CVEs, 128 Critical, 2 KEV Entries

May 11 - May 18, 2026

Total CVEs: 1510 | Critical + High: 817 | KEV: 2 | Public Exploits: 82

Executive Summary

Overview

Per vuln.today data for 2026-05-11 to 2026-05-18, 1510 CVEs were published, a 14% week-over-week decrease from the previous week's 1760 CVEs. Severity distribution: 128 CRITICAL, 689 HIGH, 548 MEDIUM, 117 LOW, and 28 UNKNOWN. The dataset includes 2 CISA KEV entries, 82 public exploits/POCs, 898 patches available, and 285 unpatched CRITICAL/HIGH vulnerabilities.

Critical Threats

  • CVE-2026-42897 (HIGH, CVSS 8.1) - Microsoft Exchange Server. Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.2%. Patch available per vendor advisory. Action: Within 24 hours: Identify all Microsoft Exchange Server instances (2016 CU23, 2019 CU14/CU15, and Subscription Edition) and document web-facing deployments. Within 7 days: Apply vendor-released patch.
  • CVE-2026-20182 (CRITICAL, CVSS 10.0) - Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage). Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 1.6%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify and inventory all Cisco Catalyst vSmart Controllers and vManage instances in production. Within 7 days: Implement network-level access controls to restrict NETCONF traffic.
  • CVE-2026-45185 (CRITICAL, CVSS 9.8) - Exim before 4.99.3 (Use After Free, Memory Corruption). Public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis.
  • CVE-2026-44643 (CRITICAL, CVSS 9.3) - angular-expressions ≤1.5.1. Public exploit code available; EPSS 0.1%. Patch available per vendor advisory. Action: Within 24 hours: Inventory all applications and dependencies using angular-expressions ≤1.5.1 and restrict network access to affected systems. Within 7 days: Upgrade angular-expressions to version 1.5.2.
  • CVE-2026-45091 (CRITICAL, CVSS 9.1) - sealed-env (Java, Node.js). Public exploit code available; EPSS 0.0%. Patch available per vendor advisory. Action: Within 24 hours: Identify all sealed-env deployments and audit version numbers to determine exposure scope; immediately isolate or quarantine affected systems. Within 7 days: Upgrade to sealed-env.
  • CVE-2026-43639 (HIGH, CVSS 8.9) - Bitwarden Server Cloud. Public exploit code available; EPSS 0.0%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Identify all Bitwarden Cloud provider service users and audit recent API activity to the POST /providers/{providerId}/clients/existing endpoint for unauthorized organization additions.
  • CVE-2026-43640 (HIGH, CVSS 8.6) - Bitwarden Server versions prior to 2026.4.1. Public exploit code available; EPSS 0.1%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Inventory all Bitwarden Server deployments and identify current versions; disable or restrict SCIM provisioning integrations if version <2026.4.1 is confirmed. Within 7 days: Apply vendor fix.
  • CVE-2026-43983 (HIGH, CVSS 8.5) - Pocket ID OIDC provider, all versions prior to 2.6.0. Public exploit code available; EPSS 0.0%. Patch available per vendor advisory. Action: Within 24 hours: Inventory all Pocket ID OIDC provider deployments and document current versions; alert security and application teams of the authorization bypass risk. Within 7 days: Upgrade all Pocket ID.
  • CVE-2026-45369 (HIGH, CVSS 8.3) - python-utcp (Microsoft, Python). Public exploit code available; EPSS 0.0%. Patch available per vendor advisory. Action: Within 24 hours: Identify all systems and applications using python-utcp and document current versions in use. Within 7 days: Upgrade python-utcp to version 1.1.2 or later across all affected systems.
  • CVE-2026-46300 (HIGH, CVSS 7.8) - Linux kernel XFRM ESP-in-TCP subsystem. Public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Linux systems running XFRM-enabled kernels (check: cat /boot/config-* | grep CONFIG_XFRM) and document current kernel versions. Within 7 days: Implement access controls.

Threat intelligence linkage (MISP Galaxies, MITRE ATT&CK, CISA) is recorded for CVE-2026-26289 (HIGH), CVE-2026-8108 (HIGH), CVE-2026-41551 (CRITICAL), CVE-2026-25787 (CRITICAL), and CVE-2026-25786 (CRITICAL).

Threat Landscape

Top vendors affected this period: Microsoft (165), Google (102), Apple (95), WordPress (84), Intel (23), AMD (21), Linux (20), Adobe (17), SUSE (17), and SAP (14). Top attack techniques observed: Information Disclosure (363), Authentication Bypass (280), Denial of Service (213), RCE (207), Buffer Overflow (184), XSS (141), Command Injection (82), Privilege Escalation (77), Path Traversal (66), and Code Injection (58). Of 1510 published CVEs, 898 have patches available and 285 CRITICAL/HIGH remain unpatched.

Key Trends

  • Publication volume declined 14% week-over-week (1510 vs. 1760 prior week).
  • Vendor concentration is led by Microsoft (165), with Google (102) and Apple (95) rounding out the top tier.
  • Information Disclosure (363) and Authentication Bypass (280) dominate the attack technique distribution.
  • Patch coverage stands at 898 of 1510 CVEs; 285 CRITICAL/HIGH entries remain without a patch.
  • 2 CISA KEV entries and 82 public exploit/POC entries are present in this period's dataset.

Recommendations

  • CVE-2026-42897: Within 24 hours: Identify all Microsoft Exchange Server instances (2016 CU23, 2019 CU14/CU15, and Subscription Edition) and document web-facing deployments. Within 7 days: Apply vendor-released patch.
  • CVE-2026-20182: Within 24 hours: Identify and inventory all Cisco Catalyst vSmart Controllers and vManage instances in production. Within 7 days: Implement network-level access controls to restrict NETCONF traffic.
  • CVE-2026-44643: Within 24 hours: Inventory all applications and dependencies using angular-expressions ≤1.5.1 and restrict network access to affected systems. Within 7 days: Upgrade angular-expressions to version 1.5.2.
  • CVE-2026-45091: Within 24 hours: Identify all sealed-env deployments and audit version numbers to determine exposure scope; immediately isolate or quarantine affected systems. Within 7 days: Upgrade to sealed-env.
  • CVE-2026-43639: Within 24 hours: Identify all Bitwarden Cloud provider service users and audit recent API activity to the POST /providers/{providerId}/clients/existing endpoint for unauthorized organization additions. Review and apply the upstream fix after validation.
  • CVE-2026-43640: Within 24 hours: Inventory all Bitwarden Server deployments and identify current versions; disable or restrict SCIM provisioning integrations if version <2026.4.1 is confirmed. Within 7 days: Apply vendor fix. Review and apply the upstream fix after validation.
  • CVE-2026-43983: Within 24 hours: Inventory all Pocket ID OIDC provider deployments and document current versions; alert security and application teams of the authorization bypass risk. Within 7 days: Upgrade all Pocket ID.
  • CVE-2026-45369: Within 24 hours: Identify all systems and applications using python-utcp and document current versions in use. Within 7 days: Upgrade python-utcp to version 1.1.2 or later across all affected systems.
  • CVE-2026-46300: Within 24 hours: Identify all Linux systems running XFRM-enabled kernels (check: cat /boot/config-* | grep CONFIG_XFRM) and document current kernel versions. Within 7 days: Implement access controls. As no vendor-released patch is identified, monitor for vendor fix availability.
  • CVE-2026-45185: No vendor-released patch identified at time of analysis; monitor for vendor fix availability and restrict exposure of affected Exim instances.
  • Dataset-level: Prioritize the 2 CISA KEV entries and the 82 CVEs with public exploit/POC code. Address the 285 unpatched CRITICAL/HIGH entries through mitigations or compensating controls while monitoring for vendor fixes; apply the 898 available patches according to internal change management.

Top 10 Priority CVEs

CVE-2026-42897 [HIGH] [KEV] [POC] (priority score 131)

Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials without authentication. Affects Exchange Server 2016 CU23, 2019 CU14/CU15, and Subscription Edition. Functional exploit code exists (CVSS temporal E:F) though no active exploitation confirmed at analysis time. CVSS 8.1 (High) driven by network vector, no authentication requirement, and dual confidentiality/integrity impact. Microsoft released patches via MSRC security update guide. Medium-high priority for organizations running affected Exchange versions with webmail or OWA exposed.

CVE-2026-20182 [CRITICAL] [KEV] [POC] (priority score 127)

Remote unauthenticated attackers can bypass peering authentication in Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage) to obtain administrative privileges and manipulate network configurations across the entire SD-WAN fabric. This critical authentication bypass (CVSS 10.0) allows direct NETCONF access as a high-privileged internal user without any credentials. Cisco released fixes in May 2026 following discovery of this second authentication flaw after a February 2026 disclosure of a related vulnerability. No active exploitation confirmed in CISA KEV at time of analysis, though the maximum CVSS score and authentication bypass nature make this a priority patching target for SD-WAN deployments.

CVE-2026-45185 [CRITICAL] [POC] (priority score 69)

Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.

CVE-2026-44643 [CRITICAL] [POC] (priority score 67)

Remote code execution in angular-expressions versions ≤1.5.1 allows unauthenticated network attackers to escape the expression sandbox via malicious filter payloads and execute arbitrary system commands with no user interaction required. CVSS 9.3 (Critical) with confirmed public exploit code available. Vendor-released patch in version 1.5.2 addresses the sandbox escape. Affects applications using angular-expressions as a standalone module for evaluating user-supplied Angular.JS expressions.

CVE-2026-45091 [CRITICAL] [POC] (priority score 66)

Plaintext TOTP secret exposure in sealed-env enterprise mode allows remote unauthenticated attackers to extract operator authentication credentials from base64-decoded JWS tokens. Versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embed literal TOTP secrets in every minted unseal token's JWS payload without encryption, enabling credential harvesting from CI logs, container environments, monitoring tools, and log aggregators. Fixed in version 0.1.0-alpha.4. CVSS 9.1 (Critical) with network vector and no authentication required. No CISA KEV listing or public exploit code identified at time of analysis, but exploitation requires only base64 decoding of observable tokens.

CVE-2026-43639 [HIGH] [POC] (priority score 65)

Bitwarden Server Cloud exposes a flaw in the POST /providers/{providerId}/clients/existing endpoint, allowing authenticated provider users to add any organization to their provider without the target's consent. Publicly available exploit code exists (detailed writeup by Sanjok Karki), and vendor-released patch v2026.4.0 fully addresses the issue via GitHub PR #7372. Self-hosted installations are unaffected due to endpoint access restrictions. CVSS 8.9 reflects high confidentiality, integrity, and availability impact with high attack complexity and high privilege requirements.

CVE-2026-43640 [HIGH] [POC] (priority score 63)

Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management privileges to retrieve or rotate organization SCIM API keys without master password re-authentication. An attacker with valid session credentials and SCIM management rights can obtain sensitive API keys that enable user provisioning control, potentially leading to unauthorized account creation, modification, or deletion within the organization. Public exploit code exists, and vendor patch v2026.4.1 addresses the issue via GitHub PR #7403.

CVE-2026-43983 [HIGH] [POC] (priority score 63)

Pocket ID OIDC provider fails to validate user authorization state during refresh token exchange, allowing revoked, disabled, or unauthorized users to obtain fresh access tokens indefinitely. Affects all versions prior to 2.6.0. Publicly available exploit code exists via GitHub security advisory GHSA-w6p7-2fxx-4f44. Attack requires low privileges and user interaction (CVSS 8.5) but enables persistent unauthorized access even after administrative revocation actions. Fixed in version 2.6.0.
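The failure mode described above is a refresh-token handler that validates only the token and never re-examines the account behind it. The following is an added illustration, not Pocket ID's code: an in-memory refresh-token exchange that re-checks the user's authorization state (account enabled, client still permitted, no administrative session revocation since issuance) on every refresh and rotates the token so a used one cannot be replayed. The store layout, token format, the exact list of checks, and the sample users are assumptions made for the example.

```python
"""Added example, not Pocket ID's code: a refresh-token exchange that
re-validates the user's authorization state before minting a new access
token, so a disabled or revoked user stops getting tokens even while still
holding a refresh token. Store layout, token format, the set of checks and
the sample users below are assumptions for illustration."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field


class RefreshDenied(Exception):
    """Raised with a reason string; an OIDC server maps it to invalid_grant."""


@dataclass
class User:
    user_id: str
    enabled: bool = True
    allowed_clients: set = field(default_factory=set)
    revoked_before: float = 0.0   # admin "sign out everywhere": tokens issued at/before this are dead


@dataclass
class RefreshToken:
    user_id: str
    client_id: str
    issued_at: float
    expires_at: float
    used: bool = False            # one-time use: rotated on every exchange


class TokenService:
    def __init__(self, refresh_ttl: int = 30 * 86400, access_ttl: int = 3600):
        self.users: dict[str, User] = {}
        self.refresh_tokens: dict[str, RefreshToken] = {}
        self.refresh_ttl = refresh_ttl
        self.access_ttl = access_ttl

    def issue_refresh_token(self, user_id: str, client_id: str, now: float | None = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = RefreshToken(user_id, client_id, now, now + self.refresh_ttl)
        return token

    def exchange(self, token: str, client_id: str, now: float | None = None) -> dict:
        """grant_type=refresh_token handler. The vulnerable pattern stops after
        the token checks; the user-state checks below are the fix."""
        now = time.time() if now is None else now
        rt = self.refresh_tokens.get(token)
        if rt is None or rt.used:
            raise RefreshDenied("unknown or already used refresh token")
        if now >= rt.expires_at:
            raise RefreshDenied("refresh token expired")
        if rt.client_id != client_id:
            raise RefreshDenied("refresh token bound to a different client")
        # Authorization-state checks on the user, repeated on every refresh.
        user = self.users.get(rt.user_id)
        if user is None or not user.enabled:
            raise RefreshDenied("user deleted or disabled")
        if client_id not in user.allowed_clients:
            raise RefreshDenied("user no longer authorized for this client")
        if rt.issued_at <= user.revoked_before:
            raise RefreshDenied("sessions revoked by administrator")
        rt.used = True  # rotation: the presented token can never be replayed
        return {
            "access_token": secrets.token_urlsafe(32),
            "expires_in": self.access_ttl,
            "refresh_token": self.issue_refresh_token(user.user_id, client_id, now),
        }

    def disable_user(self, user_id: str) -> None:
        self.users[user_id].enabled = False

    def revoke_sessions(self, user_id: str, now: float | None = None) -> None:
        self.users[user_id].revoked_before = time.time() if now is None else now


def denied_reason(svc: TokenService, token: str, client_id: str, now: float | None = None) -> str | None:
    """Return the denial reason, or None if the exchange succeeds (consuming the token)."""
    try:
        svc.exchange(token, client_id, now)
        return None
    except RefreshDenied as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed walkthrough: refresh works, then the admin disables the user.
    svc = TokenService()
    svc.users["alice"] = User("alice", allowed_clients={"web"})
    rt = svc.issue_refresh_token("alice", "web")
    fresh = svc.exchange(rt, "web")
    svc.disable_user("alice")
    print(denied_reason(svc, fresh["refresh_token"], "web"))
```

Rotation and the state checks are independent controls: rotation limits what a stolen refresh token is worth, while the per-refresh user checks are what make administrative disable and revoke actions actually terminate access.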

CVE-2026-45369 [HIGH] [POC] (priority score 62)

Command injection in python-utcp allows remote attackers to execute arbitrary shell commands on Unix and Windows systems when user-controlled tool arguments are processed by the CLI communication protocol module. The _substitute_utcp_args method in cli_communication_protocol.py directly embeds unsanitized user input into bash or PowerShell commands without escaping, enabling full remote code execution. Vendor-released patch available in version 1.1.2 with shell-quoting mitigation (shlex.quote on Unix, single-quoted literals on Windows). CVSS 8.3 indicates high complexity and required user interaction, but scope change enables container/sandbox escape scenarios. No public exploit code or CISA KEV listing identified at time of analysis, though detailed proof-of-concept exists in the GitHub security advisory demonstrating data exfiltration via curl.
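The mitigation the advisory names (shlex.quote on Unix, single-quoted literals on Windows) is shown below as an added example that is not python-utcp's code: a raw-interpolation substitution beside a quoted one, plus a parsing-only check that confirms a substituted value reaches the shell as a single word. The {name} template syntax, the function names and the sample argument are assumptions for illustration.

```python
"""Added example, not python-utcp's own code: substituting user-controlled
arguments into a shell command template unsafely and safely. The template
syntax ({name} placeholders), function names and sample values are
assumptions; the mitigations (shlex.quote on Unix, single-quoted literals
on Windows) are the ones the advisory describes."""
import re
import shlex

PLACEHOLDER = re.compile(r"\{(\w+)\}")


def substitute_unsafe(template: str, args: dict) -> str:
    """Raw interpolation: shell metacharacters inside a value become part of
    the command structure instead of staying inside the argument."""
    return PLACEHOLDER.sub(lambda m: args[m.group(1)], template)


def substitute_posix(template: str, args: dict) -> str:
    """Hardened for a POSIX shell: each value is wrapped by shlex.quote, so
    the shell reads it as exactly one literal word."""
    return PLACEHOLDER.sub(lambda m: shlex.quote(args[m.group(1)]), template)


def powershell_literal(value: str) -> str:
    """Hardened for PowerShell: a single-quoted literal. Inside single quotes
    PowerShell expands nothing; the only escape is doubling a quote."""
    return "'" + value.replace("'", "''") + "'"


def substitute_powershell(template: str, args: dict) -> str:
    return PLACEHOLDER.sub(lambda m: powershell_literal(args[m.group(1)]), template)


def posix_words(command: str) -> list:
    """Tokenise as a POSIX shell would (parsing only; nothing is executed)."""
    return shlex.split(command)


def value_is_single_word(command: str, value: str) -> bool:
    """Pre-execution check: True if the substituted value survives as exactly
    one shell word, i.e. the quoting held."""
    return value in posix_words(command)


if __name__ == "__main__":
    # Constructed sample: a tool argument that carries a command separator.
    args = {"target": "example.test; echo injected"}
    template = "ping -c 1 {target}"
    unsafe = substitute_unsafe(template, args)
    safe = substitute_posix(template, args)
    print(unsafe, "->", posix_words(unsafe))  # 6 words: 'echo' and 'injected' split off
    print(safe, "->", posix_words(safe))      # 4 words: the value stays one argument
    print(substitute_powershell(template, args))
```

Where the shell is not needed at all, passing an argument list to subprocess without shell=True removes the quoting problem entirely; the quoting functions above are for the case the advisory describes, where a shell command string is genuinely required.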

CVE-2026-46300 [HIGH] [POC] (priority score 59)

Local privilege escalation in Linux kernel XFRM ESP-in-TCP subsystem (Fragnesia vulnerability) allows authenticated local attackers to overwrite kernel memory structures by exploiting arbitrary byte writes into the kernel page cache of read-only files. CVSS score of 7.8 reflects high impact across confidentiality, integrity, and availability. Low attack complexity (AC:L) and no user interaction requirement (UI:N) make this exploitable by any local user with basic privileges. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, but the specific vulnerability name 'Fragnesia' suggests coordinated disclosure with security research community.
