VYPR
AI Brief 2026-05-02 · generated May 4, 2026

CISA Adds Actively Exploited cPanel Flaw to KEV

CISA has added a critical cPanel authentication bypass to its known exploited list following reports of mass exploitation by ransomware actors.

CISA has officially added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching for federal agencies. This critical authentication bypass vulnerability in cPanel and WHM versions after 11.40 has been under active exploitation for months, with reports linking the flaw to mass-exploitation campaigns by the "Sorry" ransomware group. The vulnerability resides in the control panel's login flow, allowing unauthenticated remote attackers to gain unauthorized access to administrative interfaces. Given the widespread use of cPanel in hosting environments, the potential for large-scale infrastructure compromise is severe. Organizations should prioritize patching immediately, as the flaw has been weaponized in the wild for a significant period.

A critical supply chain incident has impacted the Bitwarden CLI, specifically affecting versions distributed via npm between April 22, 2026, and April 22, 2026. Identified as CVE-2026-42994, this vulnerability involves the inclusion of malicious code within the package, stemming from a broader supply chain compromise linked to Checkmarx. Security teams should audit their development and deployment pipelines to ensure that any instances of the Bitwarden CLI pulled from npm during this window are identified and remediated. This incident highlights the ongoing risks associated with third-party package repositories and the necessity of verifying integrity in automated build processes.

Several critical vulnerabilities affecting network appliances and enterprise software require urgent attention due to their potential for remote code execution. Progress Software MOVEit Automation is impacted by CVE-2026-4670, an authentication bypass flaw that affects multiple versions, including 2025.0.x and 2024.0.x. Similarly, Weaver E-office (versions prior to 10.0_20221201) is vulnerable to unauthenticated arbitrary file uploads via CVE-2022-50993, while Synway SMG Gateway Management Software (CVE-2025-71284) suffers from OS command injection in its RADIUS configuration endpoint. These vulnerabilities allow for significant lateral movement and system compromise, necessitating immediate updates or the implementation of strict network access controls to mitigate exposure.

Multiple vulnerabilities in small office/home office (SOHO) routers and web-based management platforms present high risks for remote exploitation. Totolink devices are particularly affected, with CVE-2026-7538 and CVE-2026-7546 impacting the A8000RU and NR1800X models respectively, leading to OS command injection and stack-based buffer overflows. Additionally, UTT HiPER 1200GW routers are susceptible to remote buffer overflows via CVE-2026-7513 and CVE-2026-7512. These flaws typically stem from improper input validation in CGI handlers or management functions. Given the public availability of exploit vectors for these types of devices, administrators should ensure firmware is updated to the latest available versions and restrict management interfaces from public internet access.

Application-level vulnerabilities continue to pose risks in web environments, including path traversal and authentication bypass issues. Shopizer Ecommerce (v3.2.5) is affected by CVE-2026-36767, allowing arbitrary file writes, while JeeSite (v5.15.1) contains a similar path traversal flaw via CVE-2026-36760. WordPress environments are also under pressure, with the Temporary Login plugin (up to 1.0.0) vulnerable to authentication bypass (CVE-2026-7567) and the WP Editor plugin (up to 1.2.9.2) suffering from CSRF issues (CVE-2026-3772). Furthermore, Google Chrome users should update to version 147.0.7727.138 or later to address a critical use-after-free vulnerability (CVE-2026-7333) that could facilitate sandbox escapes. Organizations should audit their web application stacks and apply available patches to prevent unauthorized access and potential data exfiltration.

Synthesized by Vypr AI