Daily Threat Intelligence Report | 2026-05-02

Report Date: 2026-05-02

New KEVs: 4 | Critical CVEs: 5 | Ransomware Victims: 315

4 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. 5 additional critical-severity CVEs have been published to the NVD but not yet confirmed as exploited; ConnectWise products show the strongest concentration of risk signals this week. Ransomware activity is elevated: 315 new victims were posted to leak sites over the last 7 days, and Apt73 posted the most.

Patch This Week

The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.

  1. CVE-2026-41940 – WebPros cPanel & WHM and WP2 (WordPress Squared) | CVSS 9.3 | PoC Available
    CISA deadline: 2026-05-03 (1d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  2. CVE-2024-1708 – ConnectWise ScreenConnect | CVSS 8.4 | PoC Available
    CISA deadline: 2026-05-12 (10d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  3. CVE-2026-32202 – Microsoft Windows | CVSS 4.3
    CISA deadline: 2026-05-12 (10d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Top KEVs

Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.

This Reporting Window

  • CVE-2026-41940 – WebPros cPanel & WHM and WP2 (WordPress Squared) | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 28.4% / 96th pct | Ransomware Use: No | PoC Available
  • CVE-2024-1708 – ConnectWise ScreenConnect | CVSS 8.4 (HIGH) | AV: Network | EPSS 84.9% / 99th pct | Ransomware Use: No | PoC Available
  • CVE-2026-31431 – Linux Kernel | CVSS 7.8 (HIGH) | AV: Local | EPSS 2.3% / 85th pct | Ransomware Use: No | PoC Available
  • CVE-2026-32202 – Microsoft Windows | CVSS 4.3 (MEDIUM) | AV: Network | EPSS 7.2% / 92nd pct | Ransomware Use: No

Major CVEs

Critical-severity CVEs published in the last 7 days that are not yet in the CISA KEV catalog — not confirmed exploited, but severe enough to assess and prioritize patching before they are.

  • CVE-2026-26015 – arc53 Docsgpt | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 0.2% / 44th pct | Published: 3 days ago | PoC Available
    DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload byp…
  • CVE-2026-7567 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 20th pct | Published: yesterday
    The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to…
  • CVE-2026-42482 – hashcat Hashcat | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 22nd pct | Published: yesterday | PoC Available
    A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_hex_upper() in src/rp_cpu.c in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted rule fil…
  • CVE-2026-42483 – hashcat Hashcat | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 23rd pct | Published: yesterday | PoC Available
    A heap-based buffer overflow in the Kerberos hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted Kerberos hash file. The issue affects module_has…
  • CVE-2026-41873 – apache Pony Mail | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 30th pct | Published: 4 days ago
    ** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua i…

Security News

Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.

  • CISA ICS Advisory | Advisory · 2 days ago | ABB Ability OPTIMAX
    Successful exploitation of this vulnerability could allow an attacker to bypass user authentication on OPTIMAX installations that make use of the Azure Active Directory Single-Sign On integration. The f…
  • CISA ICS Advisory | Advisory · 2 days ago | ABB AWIN Gateways
    Successful exploitation of these vulnerabilities could allow an attacker to remotely reboot the device or complete an unauthenticated query to reveal system configuration, including sensitive details. T…
  • CISA ICS Advisory | Advisory · 2 days ago | ABB Edgenius Management Portal
    Successful exploitation of this vulnerability could allow an attacker to send a specially crafted message to the system node allowing the attacker to install and run arbitrary code, uninstall applicatio…
  • Unit 42 | Research · today | The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1)
    Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more.
  • Unit 42 | Research · 8 days ago | TGR-STA-1030: New Activity in Central and South America
    Unit 42 research reports that TGR-STA-1030 remains an active threat, particularly in Central and South America.
  • Sophos X-Ops | Research · 3 days ago | 'Mini Shai-Hulud' supply chain attack targets SAP npm packages
    Categories: Threat Research | Tags: advisory, NPM, SAP
  • Sophos X-Ops | Research · 8 days ago | Supply chain attacks hit Checkmarx and Bitwarden developer tools
    Two supply chain attacks, same day, same command-and-control domain. Categories: Threat Research | Tags: Supply chain, Sophos X-Ops, pipeline, Bitwarden, Checkmarx
  • The Record | News · yesterday | Senate Judiciary advances bill that would bar minors from interacting with AI companions
    The bill, known as the GUARD Act, also requires that AI companions advise users of all ages that they are not human and lack professional credentials. It also makes it a crime for AI companions to knowingly ask kids for …
  • The Record | Incident · yesterday | Federal agencies must patch cPanel bug by Sunday, CISA says
    Incident responders at Rapid7 said successful exploitation of CVE-2026-41940 “grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages.”
  • Security Affairs (APT) | News · 5 days ago | Italy moves to extradite Chinese national to the U.S. over hacking charges
    Italy plans to extradite Xu Zewei to the U.S. over alleged hacks on COVID-19 research tied to state-backed operations. Italy is moving to extradite Xu Zewei, the Chinese national arrested in 2025 at the request of U.S. a…
  • Security Affairs (APT) | News · 6 days ago | GopherWhisper: new China-linked APT targets Mongolia with Go-based malware
    ESET found a new China-linked APT, tracked as GopherWhisper, targeting Mongolia using Go-based malware, loaders, and backdoors. ESET researchers uncovered a new China-aligned APT group called GopherWhisper, targeting gov…
  • Security Affairs (Cybercrime) | News · today | Two US cybersecurity experts sentenced in ransomware case, third awaits July ruling
    Two US security experts were sentenced to 4 years for helping ransomware attacks. A third accomplice pleaded guilty and awaits sentencing. Two US cybersecurity professionals, Ryan Goldberg and Kevin Martin, were sentence…
  • Security Affairs (Cybercrime) | Incident · today | New Deep#Door RAT uses stealth and persistence to target Windows
    Deep#Door hides a Python RAT inside a batch file, kills Windows defenses, survives via multiple persistence methods, and exfiltrates data through a public TCP tunnel. Security researchers at Securonix uncovered a sophist…
  • Bleeping Computer | News · today | ConsentFix v3 attacks target Azure with automated OAuth abuse
    A new attack type, dubbed ConsentFix v3, has been circulating on hacker forums, building on the previous technique by adding automation and scaling potential. […]
  • The Hacker News | Incident · today | Trellix Confirms Source Code Breach With Unauthorized Repository Access
    Cybersecurity company Trellix has announced that it suffered a breach that enabled unauthorized access to a "portion" of its source code. It said it "recently identified" the compromise of its source code repository and …

Ransomware Activity

Victim counts posted to ransomware group leak sites over the last 7 days — use this to gauge which groups are most active and which sectors and regions are being targeted.

315 new victims reported via Ransomware.live.

Most Active Groups

Apt73 (62), Payoutsking (39), Qilin (33), Fulcrumsec (21), Lockbit5 (16)

Most Targeted Sectors

Business Services (67), Manufacturing (34), Technology (32), Healthcare (28), Consumer Services (26)

Top Countries

US (125), GB (24), DE (16), IT (12), CA (11)

Vendor-Specific Risks

Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.

Connectwise (1), Linux (1), Microsoft (1), Webpros (1)
