Report Date: 2026-05-05
New KEVs: 2Critical CVEs: 5Ransomware Victims: 214
2 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period, of which 1 is linked to active ransomware campaigns. 5 additional critical-severity CVEs have been published to the NVD but not yet confirmed as exploited — Linux products show the strongest concentration of risk signals this week. Threat intelligence sources this period reference Salt Typhoon (China) and Akira. Ransomware activity is moderate with 214 new victims posted to leak sites over the last 7 days, with Qilin posting the most victims.
Patch This Week
The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.
- CVE-2026-41940 – WebPros cPanel & WHM and WP2 (WordPress Squared) | CVSS 9.3 | ⚠ Ransomware | PoC Available
CISA deadline: 2026-05-03 (overdue by 2d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. - CVE-2026-31431 – Linux Kernel | CVSS 7.8 | PoC Available
CISA deadline: 2026-05-15 (10d remaining) — "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Top KEVs
Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.
This Reporting Window
- CVE-2026-41940 – WebPros cPanel & WHM and WP2 (WordPress Squared) | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 26.6% / 96th pct | Ransomware Use: Yes | PoC Available
- CVE-2026-31431 – Linux Kernel | CVSS 7.8 (HIGH) | AV: Local | EPSS 1.2% / 79th pct | Ransomware Use: No | PoC Available
Major CVEs
Critical-severity CVEs published in the last 7 days that are not yet in the CISA KEV catalog — not confirmed exploited, but severe enough to assess and prioritize patching before they are. 3 new today.
- CVE-2026-26015 – arc53 Docsgpt | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 0.3% / 52th pct | Published: 6 days ago | PoC Available
DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload byp… - CVE-2026-5722New – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.2% / 42th pct | Published: today
The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verificat… - CVE-2025-13618New – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 21th pct | Published: today
The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mento… - CVE-2026-5294New – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.2% / 41th pct | Published: today
The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a pl… - CVE-2025-14320 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.0% / 14th pct | Published: yesterday
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Tegsoft Management and Information Services Trade Limited Company Online Support Application allows Reflected XSS.Th…
Security News
Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.
Threat Actors Mentioned
Salt Typhoon (China)Akira
- CISA ICS AdvisoryAdvisory · today – ABB B&R PVI
View CSAF Summary ABB became aware of vulnerability in the product versions listed as affected in the advisory. An update is now available that addresses and remediates the vulnerability. An attacker who successfully exp… - CISA ICS AdvisoryAdvisory · today – Hitachi Energy PCM600
View CSAF Summary Hitachi Energy is aware of a vulnerability that affects the Hitachi Energy PCM600 product versions listed in this document. An attacker successfully exploiting this vulnerability can impact integrity of… - CISA ICS AdvisoryAdvisory · today – ABB B&R Automation Studio
View CSAF Summary ABB became aware of vulnerability in the product versions listed as affected in the advisory. An update is available that resolves a vulnerability. Successful exploitation of this vulnerability may enab… - Unit 42Incident · 3 days ago – The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1)
Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more. The post The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1) a… - Unit 42Research · 11 days ago – TGR-STA-1030: New Activity in Central and South America
Unit 42 research reports that TGR-STA-1030 remains an active threat, particularly in Central and South America. The post TGR-STA-1030: New Activity in Central and South America appeared first on Unit 42 . - Sophos X-OpsResearch · 4 days ago – Proof-of-concept exploit available for Linux 'Copy Fail' vulnerability (CVE-2026-31431)
Categories: Threat Research Tags: advisory, Linux, Copy Fail - Sophos X-OpsIncident · 6 days ago – 'Mini Shai-Hulud' supply chain attack targets SAP npm packages
Categories: Threat Research Tags: advisory, NPM, SAP - The RecordNews · today – Conti, Akira ransomware affiliate given 8-year sentence
Deniss Zolotarjovs pleaded guilty in July 2025 to money laundering and wire fraud charges after being arrested in the country of Georgia. - The RecordIncident · today – Australia launches cyber review board modeled on version disbanded in US
The Cyber Incident Review Board will carry out no-fault, post-incident reviews of significant cyberattacks on Australian government and industry, focusing on systemic lessons rather than individual or corporate culpabili… - Security Affairs (APT)Incident · 2 days ago – Salt Typhoon breach IBM subsidiary in Italy: a warning for Europe’s digital defenses
April 2026 breach at Sistemi Informativi (IBM Italy) raises concerns over Chinese-linked cyber ops in Europe, including Salt Typhoon. In late April 2026, the Italian cybersecurity landscape was shaken by a significant br… - Security Affairs (APT)News · 8 days ago – Italy moves to extradite Chinese national to the U.S. over hacking charges
Italy plans to extradite Xu Zewei to the U.S. over alleged hacks on COVID-19 research tied to state-backed operations. Italy is moving to extradite Xu Zewei, the Chinese national arrested in 2025 at the request of U.S. a… - Security Affairs (Cybercrime)News · today – U.S. court sentences Karakurt ransomware negotiator to 8.5 years
Deniss Zolotarjovs was sentenced to 8.5 years in the U.S. after pleading guilty to money laundering and fraud tied to ransomware. Deniss Zolotarjovs, a Latvian national linked to the Karakurt ransomware gang, has been se… - Security Affairs (Cybercrime)Incident · today – Vimeo confirms breach via third-party vendor impacts 119K users
Hackers stole data of 119,000 Vimeo users in April. The breach, linked to a third‑party vendor, exposed personal details. Vimeo confirmed a data breach after the ShinyHunters gang stole personal information of 119,000 us… - Bleeping ComputerIncident · today – Instructure hacker claims data theft from 8,800 schools, universities
The hacker behind a breach at education technology giant Instructure claims to have stolen 280 million data records for students and staff from 8,809 colleges, school districts, and online education platforms. […] - The Hacker NewsAdvisory · today – Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE
The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in the HTTP Server, including a severe vulnerability that could potentially lead to remote code execution (RC…
Ransomware Activity
Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.
36 new victims posted today
7-day total: 214 via Ransomware.live
Infostealer Exposure: 656 employee credentials and 288,292 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.
Most Active Groups
Group Intelligence
- Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice do…
- Fulcrumsec — FulcrumSec is a data extortion group active since approximately September 2025, specializing in high-speed exfiltration of cloud-hosted databases by exploiting unrotated API keys and misconfigured clo…
- Medusalocker — Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.
- M3Rx — M3rx is a small ransomware group first observed in 2025, using AES-CTR/AES-GCM encryption and targeting organizations in England, the US, Australia, Germany, Italy, and Switzerland, with around eight …
- Braincipher — Brain Cipher emerged in July 2024. Both Windows and Linux variants are available. Brain Cipher using the leaked build of LockBit Black for their operations. The group suspected to have exploited CVE-2…
Most Targeted Sectors
Top Countries
US (94), GB (16), CA (12), DE (10), IT (9)
Notable Incidents
- Instructure Holdings, Inc. (Canva LMS, instructure.com) (Education · US) — claimed by Shinyhunters. Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII. Several billions of private messages among students and teachers and students and oth… Press coverage →
- Standard-Examiner (Public Sector · US) — claimed by Qilin. N/A Press coverage →
- youX / Drive IQ (Technology · AU) — claimed by Fulcrumsec. [AI generated] youX, formerly known as Drive IQ, is an Australian technology company specializing in connected vehicle data and mobility intelligence. The company collects and analyzes telematics and driving behavior dat… Press coverage →
- Winona County (Public Sector · US) — claimed by Interlock. Winona County is located in the Mississippi River blufflands of southeastern Minnesota. They have been negligent regarding security and the data they store, which has resulted in a breach and the public disclosure of all… Press coverage →
- Woundtech (Healthcare · US) — claimed by Fulcrumsec. [AI generated] Woundtech is a US-based healthcare company specializing in advanced wound care management services. It provides in-home and facility-based wound care treatment to patients, primarily serving Medicare and M… Press coverage →
Vendor-Specific Risks
Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.
Stay Ahead
Found this useful? Get the daily report in your reader.
Free. No account. No email. Follow in Feedly, Inoreader, or any RSS reader.
Or follow on X for alerts in your feed: