Skip to main content

Weekly CVE Briefing: 1648 Disclosures, +57% WoW, 1 KEV, 87 POCs

May 25 - Jun 01, 2026
Total CVEs
1648
Critical + High
757
KEV
1
Public Exploits
87

Executive Summary

Overview

Per vuln.today data for the period 2026-05-25 to 2026-06-01, 1648 CVEs were published, comprising 144 CRITICAL, 613 HIGH, 457 MEDIUM, 91 LOW, and 343 UNKNOWN severity entries. The dataset includes 1 CISA KEV entry, 87 public exploits/POCs, 1026 patches available, and 291 unpatched CRITICAL/HIGH CVEs. Volume rose 57% week-over-week from 1049 CVEs the prior week.

Critical Threats

  • CVE-2026-48027 (CRITICAL, CVSS 9.3) - Nx Console editor extension for Nx and Lerna, version 18.95.0; confirmed actively exploited (CISA KEV); public exploit code available; EPSS 26.8%; linked threat intelligence. No vendor-released patch identified at time of analysis.
  • CVE-2026-24444 (CRITICAL, CVSS 9.3) - SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9; public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Scan all networks to identify SDMC NE6037 devices running firmware 7.1.6.0.25 or 7.1.6.1.9_B9; document inventory and network placement. Within 7 days: Restrict access to mgmt.php and
  • CVE-2026-10187 (HIGH, CVSS 8.9) - Totolink N300RH router, firmware 6.1c.1353_B20190305; public exploit code available. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Conduct inventory of all Totolink N300RH routers in operation and identify firmware versions. Within 7 days: Disable public internet access to the web management interface and impleme
  • CVE-2026-32847 (HIGH, CVSS 8.7) - new_ui/backend/main.py component; public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Audit and restrict external network access to new_ui/backend services via firewall rules or security groups. Within 7 days: Deploy WAF signatures to block exploitation attempts using
  • CVE-2026-7862 (HIGH, CVSS 8.6) - Eupago Gateway for WooCommerce WordPress plugin before 4.7.2; public exploit code available; EPSS 0.0%. Vendor-released patch: 4.7.2. Action: Within 24 hours: Immediately update Eupago Gateway for WooCommerce to version 4.7.2 or later; if immediate patching is not possible, disable the plugin and switch to an alternative payment processor.
  • CVE-2026-49489 (HIGH, CVSS 8.4) - OpenCATS through version 0.9.7.4; public exploit code available. No vendor-released patch identified at time of analysis. Action: 24 hours: Inventory all OpenCATS deployments and identify installations running version 0.9.7.4 or earlier; restrict creation of new low-privilege user accounts; enable database transaction and query
  • CVE-2026-10044 (HIGH, CVSS 8.2) - affected application endpoint referenced via ai-goofish-monitor PR #489; public exploit code available; EPSS 0.0%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: Within 24 hours: Identify all systems running the affected application endpoint and review security logs for exploitation attempts. Within 7 days: Apply vendor patch to all affected systems following
  • CVE-2026-10160 (HIGH, CVSS 7.4) - TRENDnet TEW-432BRP wireless router, firmware 3.10B20 (vendor-confirmed end-of-life since 2009); public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: 24 hours: Conduct network inventory to identify any deployed TRENDnet TEW-432BRP units (v3.10B20 or earlier). 7 days: Initiate procurement and deployment plan for replacement access points and schedul
  • CVE-2026-10161 (HIGH, CVSS 7.4) - TRENDnet TEW-432BRP router, firmware 3.10B20 (vendor-confirmed end-of-life since 2009); public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all TRENDnet TEW-432BRP routers on your network and restrict administrative access to trusted networks only; disable remote management capabilities. Within 7 days: Implement
  • CVE-2026-10162 (HIGH, CVSS 7.4) - TRENDnet TEW-432BRP router, firmware 3.10B20 (vendor-confirmed end-of-life since 2009); public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: 24 hours: Inventory all TRENDnet TEW-432BRP 3.10B20 instances and restrict administrative access to trusted networks only. 7 days: Procure replacement routers from actively supported vendors and initi

Threat Landscape

Top affected vendors per vuln.today: Linux (420), Suse (304), Red Hat (282), Google (161), WordPress (128), Microsoft (48), Apache (32), IBM (30), Oracle (29), Apple (23). Top attack techniques observed: Information Disclosure (537), Authentication Bypass (267), Denial Of Service (223), Buffer Overflow (157), RCE (140), XSS (129), Memory Corruption (86), SQLi (85), Use After Free (66), Privilege Escalation (59). Patch coverage stands at 1026 of 1648 CVEs, with 291 CRITICAL/HIGH entries reported as unpatched. Threat-intelligence linkage was provided for CVE-2026-48027, CVE-2026-9037, CVE-2026-9038, CVE-2026-9039, and CVE-2026-7786.

Key Trends

  • Week-over-week CVE volume rose 57% (1049 → 1648).
  • Vendor concentration in the top-10 list is dominated by Linux-ecosystem entries: Linux (420), Suse (304), and Red Hat (282).
  • Information Disclosure (537) leads attack technique counts, followed by Authentication Bypass (267) and Denial Of Service (223).
  • Patched entries account for 1026 of 1648 CVEs (approximately 62%); 291 CRITICAL/HIGH remain unpatched.
  • KEV proportion is 1 of 1648 entries; public exploits/POCs cover 87 of 1648 entries.

Recommendations

Per-CVE actions (reproduced verbatim from vuln.today input):

  • CVE-2026-24444: Within 24 hours: Scan all networks to identify SDMC NE6037 devices running firmware 7.1.6.0.25 or 7.1.6.1.9_B9; document inventory and network placement. Within 7 days: Restrict access to mgmt.php and
  • CVE-2026-10187: Within 24 hours: Conduct inventory of all Totolink N300RH routers in operation and identify firmware versions. Within 7 days: Disable public internet access to the web management interface and impleme
  • CVE-2026-32847: Within 24 hours: Audit and restrict external network access to new_ui/backend services via firewall rules or security groups. Within 7 days: Deploy WAF signatures to block exploitation attempts using
  • CVE-2026-7862: Within 24 hours: Immediately update Eupago Gateway for WooCommerce to version 4.7.2 or later; if immediate patching is not possible, disable the plugin and switch to an alternative payment processor.
  • CVE-2026-49489: 24 hours: Inventory all OpenCATS deployments and identify installations running version 0.9.7.4 or earlier; restrict creation of new low-privilege user accounts; enable database transaction and query
  • CVE-2026-10044: Within 24 hours: Identify all systems running the affected application endpoint and review security logs for exploitation attempts. Within 7 days: Apply vendor patch to all affected systems following
  • CVE-2026-10160: 24 hours: Conduct network inventory to identify any deployed TRENDnet TEW-432BRP units (v3.10B20 or earlier). 7 days: Initiate procurement and deployment plan for replacement access points and schedul
  • CVE-2026-10161: Within 24 hours: Identify all TRENDnet TEW-432BRP routers on your network and restrict administrative access to trusted networks only; disable remote management capabilities. Within 7 days: Implement
  • CVE-2026-10162: 24 hours: Inventory all TRENDnet TEW-432BRP 3.10B20 instances and restrict administrative access to trusted networks only. 7 days: Procure replacement routers from actively supported vendors and initi

Dataset-level guidance:

  • Prioritize the 1 CISA KEV entry (CVE-2026-48027), which also carries the highest EPSS score (26.8%) and linked threat intelligence; given UNPATCHED status, rely on compensating controls until a vendor fix is published.
  • Triage the 87 entries with public exploits/POCs ahead of routine patching cycles.
  • For the 291 unpatched CRITICAL/HIGH CVEs, apply network-access restrictions, monitoring, or decommissioning where vendors have declined to issue a fix, pending vendor remediation.
  • For CVE-2026-10044, review and apply the upstream fix after validation, or wait for an official tagged release.

Top 10 Priority CVEs

116
CVE-2026-48027 CRITICAL KEV POC

Embedded malicious code in Nx Console (the editor extension for Nx and Lerna) version 18.95.0 turned a trusted developer tool into a trojan during a brief publish window on 19 May 2026. The poisoned build was live on the Visual Studio Marketplace for roughly 18 minutes (12:30-12:48 UTC) and on OpenVSX for roughly 36 minutes (12:33-13:09 UTC); any developer who installed or auto-updated during those windows executed attacker-controlled code inside their IDE, tagged here as information disclosure. It is confirmed actively exploited (CISA KEV) and publicly available exploit code exists, with CISA SSVC rating exploitation as active, automatable, and total technical impact; the clean release 18.100.0 is the fix.
67
CVE-2026-24444 CRITICAL POC

Unauthenticated remote root access on SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 is achievable by submitting a hardcoded credential to recovery endpoints (mgmt.php, npcmd.php) in the web management interface. Attackers can then enable filtered SSH/Telnet services to obtain persistent root-level shell access. CVSS is 9.8 with publicly available exploit code, though no public exploit identified at time of analysis in CISA KEV.
65
CVE-2026-10187 HIGH POC

Stack-based buffer overflow in the Totolink N300RH router (firmware 6.1c.1353_B20190305) allows remote attackers to corrupt memory via the KeyStr argument processed by the setWiFiBasicConfig function in wireless.so, reachable through the Web Management Interface. Publicly available exploit code exists, and the CVSS 4.0 vector indicates network-reachable, unauthenticated exploitation with high impact to confidentiality, integrity, and availability. No CISA KEV listing has been published, so exploitation is not confirmed in the wild despite the public PoC.
64
CVE-2026-32847 HIGH POC

{full_path:path} in new_ui/backend/main.py. Publicly available exploit code exists (referenced in HKUDS/DeepCode issue #126 and a VulnCheck advisory), making opportunistic exploitation realistic against exposed instances. No CISA KEV listing or EPSS data was provided, but the combination of no authentication, low complexity, and a single-request exploit places this at a high operational priority for any exposed deployment.
63
CVE-2026-7862 HIGH POC

Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers trigger refunds on arbitrary WooCommerce orders using the merchant's own payment gateway credentials, and for certain payment methods divert the refunded funds to an attacker-controlled bank account. The CVSS 8.6 score reflects the network-reachable, no-auth, no-interaction attack path against a financial workflow; publicly available exploit code exists per WPScan, though there is no public exploit identified at time of analysis confirming active exploitation in CISA KEV.
62
CVE-2026-49489 HIGH POC

SQL injection in OpenCATS through 0.9.7.4 allows authenticated users to extract arbitrary database contents by injecting malicious SQL into the sortDirection parameter of ajax/getDataGridPager.php. Publicly available exploit code exists (Exploit-DB 52579, Packet Storm), and the issue was disclosed via a GitHub Security Advisory coordinated with VulnCheck. The CVSS 4.0 base score of 8.4 reflects high confidentiality impact with a subsequent-system scope change, though exploitation requires a valid low-privileged account.
61
CVE-2026-10044 HIGH POC

{filename} endpoint. The flawed traversal guard only rejects forward slashes and '..' sequences, so absolute Windows paths or backslash traversal bypass it entirely. Publicly available exploit code exists and a vendor patch has been released; this issue was reported by VulnCheck.
57
CVE-2026-10160 HIGH POC

Stack-based buffer overflow in TRENDnet TEW-432BRP 3.10B20 wireless router allows authenticated remote attackers to corrupt memory via the start_wizard parameter in the /goform/formSetEnableWizard endpoint. Publicly available exploit code exists, and the vendor has confirmed they will not issue a fix because the device has been end-of-life since 2009. EPSS data was not provided, and the CVE is not listed in CISA KEV, but the combination of trivial exploitability and no forthcoming patch makes this a permanent risk for any still-deployed units.
57
CVE-2026-10161 HIGH POC

Stack-based buffer overflow in TRENDnet TEW-432BRP router (firmware 3.10B20) allows authenticated remote attackers to corrupt memory via the status_statistic parameter in the /goform/formResetStatistic endpoint, potentially leading to code execution or device compromise. Publicly available exploit code exists on GitHub, and the vendor has confirmed the product is end-of-life (EOL since 2009) and will not be patched. No CISA KEV listing or EPSS data is provided in the input, so widespread exploitation status is unconfirmed.
57
CVE-2026-10162 HIGH POC

Stack-based buffer overflow in TRENDnet TEW-432BRP 3.10B20 router firmware allows authenticated remote attackers to corrupt memory via the webpage parameter in the formSetPassword handler at /goform/formSetPassword, with publicly available exploit code increasing risk. The vendor has formally declined to patch this end-of-life device (EOL since 2009), making any deployment permanently vulnerable. CVSS 4.0 rates this 7.4 (High) with proven exploit maturity, though no CISA KEV listing exists at this time.
Previous Week

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy