Report Date: 2026-05-03
New KEVs: 4 | Critical CVEs: 5 | Ransomware Victims: 312
4 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. 5 additional critical-severity CVEs have been published to the NVD but not yet confirmed as exploited — Linux products show the strongest concentration of risk signals this week. Ransomware activity is elevated with 312 new victims posted to leak sites over the last 7 days, with Apt73 posting the most victims.
Patch This Week
The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.
- CVE-2026-41940 – WebPros cPanel & WHM and WP2 (WordPress Squared) | CVSS 9.3 | PoC Available
  CISA deadline: 2026-05-03 (0d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- CVE-2024-1708 – ConnectWise ScreenConnect | CVSS 8.4 | PoC Available
  CISA deadline: 2026-05-12 (9d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- CVE-2026-32202 – Microsoft Windows | CVSS 4.3
  CISA deadline: 2026-05-12 (9d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Top KEVs
Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.
This Reporting Window
- CVE-2026-41940 – WebPros cPanel & WHM and WP2 (WordPress Squared) | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 28.4% / 96th pct | Ransomware Use: No | PoC Available
- CVE-2024-1708 – ConnectWise ScreenConnect | CVSS 8.4 (HIGH) | AV: Network | EPSS 84.9% / 99th pct | Ransomware Use: No | PoC Available
- CVE-2026-31431 – Linux Kernel | CVSS 7.8 (HIGH) | AV: Local | EPSS 4.0% / 88th pct | Ransomware Use: No | PoC Available
- CVE-2026-32202 – Microsoft Windows | CVSS 4.3 (MEDIUM) | AV: Network | EPSS 7.2% / 92nd pct | Ransomware Use: No
Major CVEs
Critical-severity CVEs published in the last 7 days that are not yet in the CISA KEV catalog — not confirmed exploited, but severe enough to assess and prioritize patching before they are.
- CVE-2026-26015 – arc53 Docsgpt | CVSS 10.0 (CRITICAL) | AV: Network | EPSS 0.2% / 44th pct | Published: 4 days ago | PoC Available
  DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload byp…
- CVE-2026-4882 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 20th pct | Published: yesterday
  The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'URAF_AJAX::method_upload' function in all versions up to, and including, 1.6.…
- CVE-2026-7567 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 20th pct | Published: 2 days ago
  The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to…
- CVE-2026-42482 – hashcat Hashcat | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 22nd pct | Published: 2 days ago | PoC Available
  A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_hex_upper() in src/rp_cpu.c in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted rule fil…
- CVE-2026-42483 – hashcat Hashcat | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 23rd pct | Published: 2 days ago | PoC Available
  A heap-based buffer overflow in the Kerberos hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted Kerberos hash file. The issue affects module_has…
Security News
Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.
- CISA ICS Advisory | Advisory · 3 days ago – ABB Ability OPTIMAX
  Successful exploitation of this vulnerability could allow an attacker to bypass user authentication on OPTIMAX installations that make use of the Azure Active Directory Single-Sign On integration. The f…
- CISA ICS Advisory | Advisory · 3 days ago – ABB AWIN Gateways
  Successful exploitation of these vulnerabilities could allow an attacker to remotely reboot the device or complete an unauthenticated query to reveal system configuration, including sensitive details. T…
- CISA ICS Advisory | Advisory · 3 days ago – ABB Edgenius Management Portal
  Successful exploitation of this vulnerability could allow an attacker to send a specially crafted message to the system node allowing the attacker to install and run arbitrary code, uninstall applicatio…
- Unit 42 | Incident · yesterday – The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1)
  Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more.
- Unit 42 | Research · 9 days ago – TGR-STA-1030: New Activity in Central and South America
  Unit 42 research reports that TGR-STA-1030 remains an active threat, particularly in Central and South America.
- Sophos X-Ops | Research · 2 days ago – Proof-of-concept exploit available for Linux 'Copy Fail' vulnerability (CVE-2026-31431)
  Categories: Threat Research | Tags: advisory, Linux, Copy Fail
- Sophos X-Ops | Incident · 4 days ago – 'Mini Shai-Hulud' supply chain attack targets SAP npm packages
  Categories: Threat Research | Tags: advisory, NPM, SAP
- The Record | News · 2 days ago – Senate Judiciary advances bill that would bar minors from interacting with AI companions
  The bill, known as the GUARD Act, also requires that AI companions advise users of all ages that they are not human and lack professional credentials. It also makes it a crime for AI companions to knowingly ask kids for …
- The Record | Incident · 2 days ago – Federal agencies must patch cPanel bug by Sunday, CISA says
  Incident responders at Rapid7 said successful exploitation of CVE-2026-41940 "grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages."
- Security Affairs (APT) | News · 6 days ago – Italy moves to extradite Chinese national to the U.S. over hacking charges
  Italy plans to extradite Xu Zewei to the U.S. over alleged hacks on COVID-19 research tied to state-backed operations. Italy is moving to extradite Xu Zewei, the Chinese national arrested in 2025 at the request of U.S. a…
- Security Affairs (APT) | News · 7 days ago – GopherWhisper: new China-linked APT targets Mongolia with Go-based malware
  ESET found a new China-linked APT, tracked as GopherWhisper, targeting Mongolia using Go-based malware, loaders, and backdoors. ESET researchers uncovered a new China-aligned APT group called GopherWhisper, targeting gov…
- Security Affairs (Cybercrime) | News · yesterday – Two US cybersecurity experts sentenced in ransomware case, third awaits July ruling
  Two US security experts were sentenced to 4 years for helping ransomware attacks. A third accomplice pleaded guilty and awaits sentencing. Two US cybersecurity professionals, Ryan Goldberg and Kevin Martin, were sentence…
- Security Affairs (Cybercrime) | Incident · yesterday – New Deep#Door RAT uses stealth and persistence to target Windows
  Deep#Door hides a Python RAT inside a batch file, kills Windows defenses, survives via multiple persistence methods, and exfiltrates data through a public TCP tunnel. Security researchers at Securonix uncovered a sophist…
- Bleeping Computer | Advisory · today – Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha
  Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in widespread false-positive alerts, and in some cases, removing certificates from Windows. […]
- The Hacker News | Advisory · today – CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV
  The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evide…
Ransomware Activity
Victim counts posted to ransomware group leak sites over the last 7 days — use this to gauge which groups are most active and which sectors and regions are being targeted.
312 new victims reported via Ransomware.live.
[Charts not reproduced: Most Active Groups, Most Targeted Sectors]
Top Countries
US (129), GB (24), DE (15), CA (12), IT (11)
Vendor-Specific Risks
Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.