Trending vulnerabilities

Trending 25 · Critical 11 · In KEV 2 · Peak EPSS 74% · Posts 204

#1 CVE-2026-46300 · hype LIKELY HACK (78)

Public PoC, distro advisories, defender triage active; KEV-listing pending metadata.

What: Linux kernel privilege escalation in XFRM ESP-in-TCP subsystem (CVE-2026-46300, "Fragnesia") allowing unprivileged attackers to gain root via AES-GCM keystream manipulation.

Why it matters: Multiple major Linux distros have issued advisories; a public PoC exists; described as the third LPE in ~2 weeks. High-confidence technical signal: arbitrary byte writes into the page cache of privileged binaries (e.g., /usr/bin/su). Defenders are actively recommending module blacklisting as an immediate mitigation.

Where it's seen: Security media (HackersNews, Borncity), DFIR/defender accounts triaging, distro advisory circulation. Posts cite concrete attack surface (XFRM, IPsec) and exploitation mechanics.

Score 20 · 40 posts

#2 CVE-2026-42945 · HIGH 8.1 · hype LIKELY HACK (72)

Working PoC public, vendors patching urgently, credible signal but marketing hyperbole inflates severity claims.

What: Heap buffer overflow in NGINX's ngx_http_rewrite_module triggered by crafted HTTP requests combining rewrite directives with unnamed PCRE captures and question marks in replacement strings. Affects NGINX Plus and Open Source; CVSS 8.1 (HIGH). RCE possible on systems without ASLR.

Why it matters: Public PoC disclosed on GitHub within 24 hours of CVE publication. Social chatter references working exploit code and urgent patching (versions 1.30.1, 1.31.0). Not yet KEV-listed but high engagement across security communities and active vendor response signaling. 18-year-old dormant flaw now weaponized.

Where it's seen: Security news outlets (The Hacker News, SecurityOnline) headline "RCE" and "critical"; threat intelligence accounts drop PoC links; defenders discussing patch timelines and config detection; marketers amplifying with "hijack one-third of internet" framing.

Score 19 · 34 posts

#3 CVE-2026-44338 · HIGH 7.3 · hype LIKELY HACK (72)

Sysdig confirmed scanning/exploitation, vendor patched; no KEV yet, PoC not public.

What: PraisonAI multi-agent framework ships with authentication disabled by default (versions 2.5.6–4.6.33), allowing unauthenticated access to /agents and /chat endpoints to trigger configured workflows. CVSS 7.3 HIGH.

Why it matters: Sysdig reported active scanning and exploitation within 4 hours of disclosure; attackers hijacked agents and drained API quotas. No KEV listing yet, but vendor patched urgently (4.6.34). Defender triage underway with multiple threat intel alerts.

Where it's seen: Sysdig threat report, multiple news outlets (HackerNews), threat intel platforms, and security Twitter/Bluesky amplifying the "4-hour exploitation" signal. No public PoC repository mentioned, but scanning activity confirmed.

Score 8 · 9 posts

Also trending

  4. CVE-2026-31431 · HIGH 7.8 · KEV · score 7 · 8 posts · hype LIKELY HACK (72)

    What: Linux kernel crypto/algif_aead in-place operation flaw allowing local privilege escalation (CVE-2026-31431, CVSS 7.8 HIGH, EPSS 0.8%).

    Why it matters: KEV-listed as of 2026-05-01. Multiple distros patching urgently (Arch 6.19.12-1, AlmaLinux, Ubuntu). Public PoC circulating with "732-byte exploit" narrative. Kernel crypto subsystem affects all local users; privilege escalation to root confirmed in chatter.

    Where it's seen: Cross-distro security advisories (Arch, AlmaLinux, Alpine, Ubuntu, Rocky, CentOS); Medium writeups; Spanish/multilingual coverage; community noting "clickbait" framing but confirming real LPE impact.

  5. CVE-2026-45185 · score 6 · 11 posts · hype LIKELY HACK (68)

    What: Use-after-free in Exim <4.99.3 BDAT body parsing under GnuTLS, triggered by TLS close_notify mid-transfer; unauthenticated RCE via heap corruption.

    Why it matters: Published 1 day ago; social chatter highlights active researcher interest (XBOW team publicizing discovery). No KEV-listing yet but NVD confirms unauthenticated RCE. Heavy FOFA scanning signal (6M+ instances tracked). Exim is widely deployed in mail infrastructure; patch availability status unclear from posts.

    Where it's seen: FOFA threat-intel alerts, Dead Letter research blog posts, Hacker News discussion, security researcher commentary on RCE discovery mechanics. No confirmed in-the-wild exploitation or defender triage reports visible yet.

  6. CVE-2026-8181 · CRITICAL 9.8 · score 6 · 7 posts · hype LIKELY HACK (72)

    What: Burst Statistics WordPress plugin (versions 3.4.0–3.4.1.1) authentication bypass via incorrect return-value handling in is_mainwp_authenticated(), allowing unauthenticated attackers to impersonate administrators with any Basic Auth password. CVSS 9.8 (CRITICAL).

    Why it matters: Published today; affects 200k+ WordPress sites; allows admin impersonation and privilege escalation. Not yet KEV-listed, but high-engagement chatter from DFIR and security vendors signals urgent awareness. Patch (3.4.2) is available; defenders are triaging immediately.

    Where it's seen: Breaking advisory chatter across Twitter and Bluesky from DFIR teams, security firms, and vulnerability aggregators. Posts emphasize immediate patching; one vendor flagged "5,000+ attacks blocked," though no public PoC or in-the-wild exploitation confirmed yet.

  7. CVE-2026-41096 · CRITICAL 9.8 · score 6 · 8 posts · hype MIXED (58)

    What: Heap-based buffer overflow in Microsoft Windows DNS Client allowing unauthenticated remote code execution (CVSS 9.8 Critical). Affects Windows 11 and Windows Server 2022/2025.

    Why it matters: Microsoft patched this on May 12, 2026 Patch Tuesday alongside 136 other vulnerabilities (31 critical). Social chatter shows defenders actively hunting in logs and incident response teams prioritizing patching. No KEV listing yet and no public PoC reported, but critical CVSS and immediate patching signal severity. No active in-the-wild exploitation mentioned.

    Where it's seen: Patch Tuesday advisories, Advanced Hunting queries circulating among blue teams, cross-vulnerability roundup posts lumping it with other critical RCEs (Netlogon CVE-2026-41089). Practitioners discussing patch prioritization and detection logic.

  8. CVE-2026-6271 · CRITICAL 9.8 · score 6 · 6 posts · hype MIXED (45)

    What: Career Section WordPress plugin vulnerable to unauthenticated arbitrary file upload leading to remote code execution in all versions ≤1.7 (CVSS 9.8 CRITICAL).

    Why it matters: Published today with CVSS 9.8 and no patch available. Allows unauthenticated attackers to upload executable files via the CV handler. Not yet KEV-listed, but social chatter is immediate and widespread. No confirmed PoC or in-the-wild exploitation reported yet.

    Where it's seen: Security researchers and automated CVE feeds posting advisory summaries within hours of NVD publication. One vendor security account flagging "no patch yet." Mostly retweets of the same disclosure across Bluesky and Twitter.

  9. CVE-2026-43500 · score 6 · 5 posts · hype LIKELY HACK (72)

    What: Linux kernel local privilege escalation (LPE) in rxrpc and ESP4/ESP6 networking modules allowing unprivileged-to-root escalation; part of "Dirty Frag" vulnerability chain (CVE-2026-43284 + CVE-2026-43500).

    Why it matters: Multiple major distributions (AlmaLinux, Debian, Gentoo, RedHat, Unraid) have issued urgent security advisories and kernel patches within days of disclosure. Social chatter explicitly cites active in-the-wild exploitation. Defenders are triaging mitigation steps (module removal, cache drops). No PoC code linked in supplied posts, but vendor response velocity and exploit-in-wild claims suggest operational risk.

    Where it's seen: Coordinated French-language technical writeup generating engagement; vendor security advisories across distros; system administrators discussing immediate patching and module-disable workarounds; security practitioners sharing detection/mitigation steps.

  10. CVE-2026-3892 · HIGH 8.1 · score 5 · 6 posts · hype MOSTLY HYPE (22)

    What: Arbitrary file deletion vulnerability in Motors WordPress plugin (versions ≤1.4.107) allowing authenticated subscribers to delete arbitrary server files via path traversal in logo upload. CVSS 8.1 (HIGH).

    Why it matters: Published today with high CVSS score and clear attack vector (authenticated, subscriber+), but not yet KEV-listed. No public PoC, vendor patch status, or confirmed in-the-wild exploitation mentioned in social chatter. Chatter is purely automated CVE feed republishing with no defender triage signals.

    Where it's seen: Generic CVE aggregator posts and vendor security alerts (Patchstack, The Hacker Wire, Kaitan) spreading the NVD description verbatim across Bluesky and Twitter. No tactical discussion, no patch confirmation, no affected site reports.

  11. CVE-2026-44194 · CRITICAL 9.1 · score 5 · 6 posts · hype LIKELY HACK (72)

    What: Authenticated Remote Code Execution in OPNsense core <26.1.8 allowing root command execution via input validation bypass in user synchronization; CVSS 9.1 CRITICAL.

    Why it matters: Public PoC disclosed within 24 hours of CVE publication; affects firewall/routing appliance with user-management privileges required; patch (26.1.8) available same day. Not KEV-listed yet, but active researcher/defender chatter indicates immediate triage priority for OPNsense deployments.

    Where it's seen: Vulnerability feeds (Vulmon, OffSeq) aggregating CVE details; security researchers posting PoC links; advisory tweets pushing immediate patching; no mass exploitation signal yet, but a high-value target (firewall) combined with a working PoC means rapid weaponization risk.

  12. CVE-2026-6510 · CRITICAL 9.8 · score 5 · 6 posts · hype MIXED (58)

    What: InfusedWoo Pro WordPress plugin (≤5.1.2) privilege escalation via missing nonce/authorization in AJAX handler, enabling unauthenticated admin account takeover. CVSS 9.8 CRITICAL.

    Why it matters: Published today with CVSS 9.8 and no vendor patch yet. Social chatter emphasizes immediate remediation risk: unpatched WordPress sites running the plugin face direct admin authentication bypass. Not yet KEV-listed, but early-stage coverage across security platforms signals awareness.

    Where it's seen: Same-day syndication across Bluesky and X from security vendors and threat intelligence feeds; posts recommend immediate plugin disablement pending patch. No public PoC observed yet, but urgency framing suggests defenders are triaging now.

  13. CVE-2026-43284 · score 5 · 4 posts · hype MIXED (62)

    What: Linux kernel ESP-in-UDP packet handling flaw allowing in-place decryption of shared socket buffer fragments, enabling local privilege escalation via the "Dirty Frag" attack (CVSS n/a; EPSS 0.0001).

    Why it matters: PoC public on GitHub; Unraid OS issued urgent patch (v7.2.6); social chatter references "actively exploited in the wild" claims and mitigation instructions (rmmod esp4/esp6). However, no KEV listing yet, EPSS near-zero, and claims of active wild exploitation lack corroboration from trusted advisories.

    Where it's seen: Unraid official announcement, GitHub PoC (V4bel/dirtyfrag), security researcher posts with remediation steps (module blacklist, cache drop), Twitter/Bluesky amplification mixing vendor advisory with unverified exploitation claims.

  14. CVE-2026-3718 · HIGH 7.2 · score 5 · 4 posts · hype MOSTLY HYPE (28)

    What: Stored XSS in ManageWP Worker WordPress plugin (≤v4.9.31) via unsanitized 'MWP-Key-Name' HTTP header; CVSS 7.2 (HIGH).

    Why it matters: Published today with no KEV listing yet. Social chatter is heavy but appears to be automated NVD syndication and vendor alerting rather than exploitation reports or working PoCs. No defender triage signals or urgent patching advisories observed. Stored XSS requires admin interaction on a specific page, limiting immediate risk scope.

    Where it's seen: Real-time NVD mirroring across Bluesky and X; security hashtag amplification; no PoC repositories, exploit code, or in-the-wild reports yet.

  15. CVE-2026-8053 · HIGH 8.8 · score 5 · 6 posts · hype MOSTLY HYPE (28)

    What: Memory corruption in MongoDB Server time-series collections (v5.0–8.3) allows authenticated write-privileged users to trigger out-of-bounds memory writes, potentially enabling arbitrary code execution. CVSS 8.8 (HIGH).

    Why it matters: Published 24 hours ago with patches available for all affected versions (5.0.33, 6.0.28, 7.0.34, 8.0.23, 8.2.9, 8.3.2). Requires authentication and write privileges, narrowing real-world attack surface. Not yet KEV-listed; no public PoC or in-the-wild exploitation reported. Social chatter is amplified vendor advisory recycling and FUD ("server takeover," "millions of records").

    Where it's seen: Security news outlets, threat-intelligence aggregators, and infosec social accounts cross-posting vendor advisory language. No defender questions, no PoC discussion, no scanning signals.

  16. CVE-2026-29205 · HIGH 8.6 · score 5 · 5 posts · hype LIKELY HACK (68)

    What: Incorrect privilege management and insufficient path filtering in cPanel's cpdavd attachment download endpoints allow unauthenticated arbitrary file read (CVSS 8.6).

    Why it matters: Published yesterday; researchers withheld PoC pending complete patch, noting cPanel's initial fix (11.134.0.26) is incomplete. High CVSS and pre-auth nature drive urgent patching. Not yet KEV-listed but active vendor iteration signals real exploitation risk.

    Where it's seen: Vendor advisory circulation, researcher posts flagging incomplete patches, hosting providers amplifying urgency, multilingual security feeds republishing NVD data. One post misattributes the flaw to Apache Cassandra (false).

  17. CVE-2026-6512 · CRITICAL 9.1 · score 5 · 4 posts · hype MIXED (52)

    What: InfusedWoo Pro WordPress plugin ≤5.1.2 allows unauthenticated attackers to delete posts, pages, products, orders, and modify post status via authorization bypass (CVSS 9.1 CRITICAL).

    Why it matters: Published today with critical severity; no patch available yet. Social chatter emphasizes immediate risk to WordPress sites running affected versions. No KEV listing or confirmed in-the-wild exploitation reported, but high CVSS and lack of fix drive defender urgency.

    Where it's seen: Cybersecurity news aggregators and threat feeds (OffSeq, TheHackerWire) republishing NVD entry same-day. Security practitioners sharing mitigation guidance (disable/restrict plugin, monitor for patches). No PoC or active exploitation claims visible yet.

  18. CVE-2026-41940 · CRITICAL 9.8 · KEV · EPSS 74% · score 5 · 6 posts · hype ACTIVE HACK (94)

    What: Authentication bypass in cPanel/WHM versions after 11.40 allowing unauthenticated remote root access (CVSS 9.8 CRITICAL, EPSS 0.96).

    Why it matters: KEV-listed 2026-04-30. Active in-the-wild exploitation confirmed within 24 hours of disclosure. Censys reports 80% of new malicious hosts linked to cPanel; Shadowserver observed 44K+ compromised IPs scanning honeypots. Mirai variants and ".sorry" ransomware campaigns already active. ~1.5M cPanel instances exposed online.

    Where it's seen: Security research teams (Censys, Shadowserver, DFIR analysts) publishing mass-compromise metrics and botnet/ransomware attribution. Hosting providers (Hostao) taking services offline. Global CERT advisories issued. Patch available since 2026-04-28.

  19. CVE-2026-2347 · CRITICAL 9.8 · score 5 · 4 posts · hype MOSTLY HYPE (28)

    What: Authorization bypass via user-controlled keys in Akilli Commerce E-Commerce Website <4.5.001, enabling session hijacking. CVSS 9.8 CRITICAL.

    Why it matters: Published today with CRITICAL severity and CVSS 9.8, but not yet KEV-listed. No public PoC confirmed in chatter. Posts are minimal and mostly automated feeds/news aggregators repeating the NVD description. No vendor patch advisory or defender triage reports visible. Early signal only.

    Where it's seen: Bluesky posts linking to threat intelligence feeds and security news sites, all timestamp-matched to NVD publication (2–4 hours ago). No independent researcher commentary, no PoC repository activity, no vendor statement.

  20. CVE-2026-45158 · CRITICAL 9.1 · score 5 · 5 posts · hype LIKELY HACK (78)

    What: OPNsense firewall remote code execution via unsanitized DHCP configuration input processed by shell script, allowing unauthenticated root RCE prior to version 26.1.8. CVSS 9.1 CRITICAL.

    Why it matters: Published 2026-05-13; public PoC disclosed within hours; affects widely-deployed open-source firewall appliances. Vendor patch (26.1.8) available same day. Active social chatter confirms PoC availability and urgent upgrade messaging from security community.

    Where it's seen: Multiple security news aggregators and threat intel platforms reporting; social media amplifying patch urgency; public PoC repositories cited; no KEV listing yet but rapid defender awareness.

  21. CVE-2026-34260 · CRITICAL 9.6 · score 5 · 4 posts · hype MIXED (58)

    What: SQL injection in SAP S/4HANA Enterprise Search for ABAP (CVSS 9.6 CRITICAL) allowing authenticated attackers to inject malicious SQL and exfiltrate database contents or crash the application.

    Why it matters: Published today with CVSS 9.6 and high impact to confidentiality/availability. Not yet KEV-listed and no public PoC confirmed in chatter, but social posts emphasize immediate patching and note no patch currently available. Affects SAP_BASIS 751-816. Initial triage posts from security vendors and practitioners suggest rapid awareness.

    Where it's seen: Bulk CVE list posts, vendor advisories (Patchstack, OffSeq, OrizonCyber), and practitioner alerts on Bluesky and X urging immediate access restriction and monitoring for suspicious SQL activity pending patch availability.

  22. CVE-2026-6506 · HIGH 8.8 · score 4 · 4 posts · hype MOSTLY HYPE (28)

    What: InfusedWoo Pro WordPress plugin privilege escalation (versions ≤5.1.2) allows authenticated subscribers to escalate to admin via missing authorization checks in the infusedwoo_gdpr_upddata() function. CVSS 8.8 HIGH.

    Why it matters: Published today with high CVSS score; affects WordPress sites running vulnerable plugin versions. No KEV listing or public PoC evident yet, but vulnerability is straightforward (missing capability checks on user meta update). Vendors likely preparing patches. Early-stage advisory chatter suggests awareness spreading rapidly among WordPress security practitioners.

    Where it's seen: Bluesky and X posts broadcasting the NVD entry; Hacker Wire coverage; security accounts amplifying the CVSS rating and affected versions. No working exploit code or in-the-wild reports visible yet; primarily feed-driven disclosure noise.

  23. CVE-2026-5395 · HIGH 8.2 · score 4 · 4 posts · hype MOSTLY HYPE (28)

    What: Insecure Direct Object Reference (IDOR) in Fluent Forms WordPress plugin ≤6.2.0 allows authenticated manager-level users to bypass access controls and export unauthorized form submissions and database tables (CVSS 8.2).

    Why it matters: Published today; HIGH severity IDOR enabling data exfiltration and enumeration for authenticated attackers with elevated plugin permissions. Not yet KEV-listed and no public PoC confirmed in posts, but CVSS 8.2 and direct database access risk warrant immediate triage by WordPress site operators running this plugin.

    Where it's seen: Coordinated same-day posts on Bluesky and X from security feed aggregators and vulnerability intelligence vendors; no active exploit discussion, researcher analysis, or vendor emergency patch notes visible yet.

  24. CVE-2026-40361 · HIGH 8.4 · score 4 · 4 posts · hype LIKELY HACK (72)

    What: Use-after-free in Microsoft Office Word and Outlook allows local code execution (CVSS 8.4 HIGH). Affects enterprise mail and document processing.

    Why it matters: Microsoft released a patch on 2026-05-12, two days before social chatter peaked. Posts describe zero-click triggering via email preview in Outlook's shared rendering engine. A researcher claims discovery in Q1 2026. A CTI team reports targeting activity. No KEV listing yet, but urgent patching and defender concern signal real exploitation risk.

    Where it's seen: Microsoft Security Response Center advisory cited across Bluesky and X. Researcher claims discoverer credit. Cybersecurity news outlets and VulDB flagging "critical 0-click" angle. Chatter emphasizes enterprise inbox risk and cross-product impact (Word/Outlook).

  25. CVE-2026-45714 · CRITICAL 9.1 · score 4 · 4 posts · hype MOSTLY HYPE (28)

    What: Authenticated Server-Side Template Injection (SSTI) in CubeCart <6.7.0 via Smarty template engine allows admin RCE; CVSS 9.1 CRITICAL.

    Why it matters: Published May 13, 2026 with no KEV listing or public PoC yet. Impact is high (RCE) but gated behind admin auth. Vendor patch (6.7.0) exists. Social chatter is fast-follow aggregation of NVD/vendor advisory rather than exploitation signal.

    Where it's seen: Vuln feed aggregators (VulmonFeeds, TheHackerWire, OffSeq) reposting CVE metadata and urging upgrades. No defender triage requests, PoC code, or in-the-wild reports visible.