Week 2026-04-27 – 2026-05-03 · Up to 3 high-risk CVEs per stream for this week.
General stream — our standard high-risk CVE mix from the prior week. CVEs in this section are ordered by threat for the week: severity (Critical before High), then CVSS, then EPSS.
CVE: CVE-2026-37541
CVSS: 10.0
Risk level: CRITICAL
Affected versions: Open Vehicle Monitoring System 3 (OVMS3) 3.3.005
Summary: This vulnerability occurs due to missing validation of the length field in GVRET binary data processed by OVMS3. A remote attacker can send a crafted GVRET frame to trigger a buffer overflow. Successful exploitation may lead to denial of service or remote arbitrary code execution on affected systems.
Remediation: Apply the latest official security patch from the Open Vehicle Monitoring System project. Organizations running affected versions should restrict untrusted network access to the OVMS3 service until remediation is completed.
Exploit info: No public exploit found yet.
CVE: CVE-2026-41409
CVSS: 9.8
Risk level: CRITICAL
Affected versions: Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, 2.2.0 <= 2.2.5
Summary: The prior fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer was incomplete. The classname allowlist check is applied after static class initializers can execute, leaving the system vulnerable to deserialization attacks. Attackers can exploit this flaw to execute arbitrary code on vulnerable servers.
Remediation: Upgrade Apache MINA to the latest patched releases 2.0.28, 2.1.11, or 2.2.6 to apply the allowlist check before any untrusted code execution. Audit all deployed applications using Apache MINA to ensure they are running supported, patched versions.
Exploit info: No public exploit found yet.
CVE: CVE-2026-41635
CVSS: 9.8
Risk level: CRITICAL
Affected versions: Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, 2.2.0 <= 2.2.5
Summary: The resolveClass() method in Apache MINA AbstractIoBuffer lacks proper class validation for static classes and primitive types, allowing attackers to bypass the existing classname allowlist. This flaw enables arbitrary code execution when an application uses the vulnerable IoBuffer.getObject() method. All unpatched affected versions are exposed to remote exploitation by malicious actors.
Remediation: Upgrade Apache MINA to the patched versions 2.0.28, 2.1.11, or 2.2.6 immediately. If an immediate upgrade is not possible, restrict access to applications that call IoBuffer.getObject() and block untrusted input to vulnerable endpoints.
Exploit info: No public exploit found yet.
Public-exploit stream — CVEs with CISA KEV / exploit signals from the prior week. CVEs in this section are ordered by threat for the week: severity (Critical before High), then CVSS, then EPSS.
CVE: CVE-2026-26015
CVSS: 10.0
EPSS: 0.3% probability · 50.3rd percentile (via first.org)
Risk level: CRITICAL
Affected versions: DocsGPT versions from 0.15.0 to before 0.16.0
Summary: DocsGPT is a popular GPT-powered chat application for documentation. This vulnerability allows remote attackers to craft malicious payloads that bypass MCP validation checks in vulnerable deployments. Successful exploitation leads to full arbitrary remote code execution on the hosting server.
Remediation: Upgrade DocsGPT to the official patched version 0.16.0 or later immediately. Revoke public access to any vulnerable DocsGPT deployment until the patch is applied.
Exploit info: This exploit has been publicly disclosed, with references to this issue documented in trusted public vulnerability databases. You may check Exploit-DB or GitHub for potential exploit details.
CVE: CVE-2026-41940
CVSS: 9.3
EPSS: 67.0% probability · 98.6th percentile (via first.org)
Risk level: CRITICAL
Affected versions: All unpatched versions of WebPros cPanel & WHM and WP2 (WordPress Squared)
Summary: This vulnerability enables unauthenticated remote attackers to bypass authentication in the login flow of cPanel & WHM and WP2. Attackers can gain full unauthorized access to the system control panel without valid credentials. The issue is confirmed known exploited and is officially listed in the CISA KEV catalog.
Remediation: Immediately apply the latest official security patches from WebPros for affected products. Restrict public access to the control panel from untrusted networks until patching is fully completed. Follow any additional guidance provided by CISA for known exploited vulnerabilities.
Exploit info: This exploit has been recorded in CISA KEV (CISA Known Exploited Vulnerabilities catalog, dateAdded 2026-04-30). You may check Exploit-DB or GitHub for potential exploit details.
CVE: CVE-2026-7080
CVSS: 8.7
EPSS: <0.1% probability · 23.3rd percentile (via first.org)
Risk level: HIGH
Affected versions: Tenda F456 1.0.0.5
Summary: This is a remotely exploitable buffer overflow vulnerability affecting the httpd service of Tenda F456 firmware 1.0.0.5. The issue exists in the fromPPTPUserSetting function that processes requests to the /goform/PPTPUserSetting endpoint. Malicious manipulation of the delno input argument triggers an out-of-bounds buffer overflow.
Remediation: No official security patch is currently available from Tenda for this flaw. Limit network access to the affected device's management interface to trusted parties only. Watch for official security updates from the vendor and apply updates immediately if they are released.
Exploit info: This exploit has been publicly disclosed, with references to this issue documented in trusted public vulnerability databases. You may check Exploit-DB or GitHub for potential exploit details.
IoT / OT / Automotive stream — embedded, industrial, and vehicle-related high-risk CVEs from the prior week. CVEs in this section are ordered by threat for the week: severity (Critical before High), then CVSS, then EPSS.
CVE: CVE-2026-37541
CVSS: 10.0
Risk level: CRITICAL
Affected versions: OVMS3 3.3.005
Summary: This buffer overflow vulnerability impacts the GVRET frame processing of OVMS3, a connected vehicle telematics platform. The length field of incoming GVRET binary data is not properly validated. Remote attackers can exploit this via crafted frames to cause denial of service or execute arbitrary code on affected vehicle systems.
Remediation: Monitor the OVMS project for an official security patch. Until a patch is released, restrict network access to OVMS3 instances to only trusted IP addresses. Do not expose OVMS3 services directly to the public internet.
Exploit info: No public exploit found yet.
CVE: CVE-2026-4882
CVSS: 9.8
Risk level: CRITICAL
Affected versions: User Registration Advanced Fields WordPress plugin, all versions <= 1.6.20
Summary: This vulnerability occurs due to missing file type validation in the upload function of the User Registration Advanced Fields WordPress plugin. Unauthenticated attackers can upload arbitrary malicious files to the affected server, enabling full remote code execution. Exploitation only requires that a Profile Picture field is added to a registration form on the target site.
Remediation: Update the User Registration Advanced Fields plugin to a version patched after 1.6.20 immediately. Remove unused Profile Picture fields from public registration forms as a temporary mitigation. Scan the server for unauthorized files after patching to confirm no compromise occurred.
Exploit info: No public exploit found yet.
CVE: CVE-2026-41386
CVSS: 9.1
Risk level: CRITICAL
Affected versions: OpenClaw before 2026.3.22
Summary: This vulnerability impacts the initial device pairing process for OpenClaw connected IoT devices. Bootstrap setup codes are not properly bound to intended device roles and permission scopes. Attackers that interact with a device during first-use pairing can escalate privileges to gain unauthorized elevated access.
Remediation: Update OpenClaw to version 2026.3.22 or later immediately. For already paired devices, re-validate assigned device roles and reset permissions to remove any unauthorized access. Restrict public access to pairing interfaces until the update is applied.
Exploit info: No public exploit found yet.
Cloud Infrastructure stream — container and cluster-related high-risk CVEs from the prior week. CVEs in this section are ordered by threat for the week: severity (Critical before High), then CVSS, then EPSS.
CVE: CVE-2026-31415
CVSS: 9.1
Risk level: CRITICAL
Affected versions: Unpatched Linux kernel versions with vulnerable IPv6 implementation
Summary: This vulnerability exists in the IPv6 networking stack of the Linux kernel, specifically in the ip6_datagram_send_ctl function. The issue arises when multiple IPV6_DSTOPTS control messages are processed, leading to a possible overflow of the 16-bit opt_flen length accumulator. A local attacker can trigger this flaw to cause a kernel panic, resulting in local denial of service. The vulnerability has been resolved in the latest upstream kernel security patch.
Remediation: Apply the latest Linux kernel security updates from your operating system distribution to resolve this flaw. For Kubernetes and container platforms, update all worker and control plane node kernels and reboot to activate the patched version. If immediate patching is not possible, restrict unprivileged local access to nodes as a temporary mitigation. Verify that all container base images use patched kernels if running kernel-level components inside containers.
Exploit info: No public exploit found yet.
CVE: CVE-2026-39858
CVSS: 7.8
Risk level: CRITICAL
Affected versions: Traefik < 2.11.43, < 3.6.14, 3.7.0-rc.1 and earlier
Summary: This vulnerability affects the widely used Traefik reverse proxy and Kubernetes ingress controller. It allows unauthenticated attackers to bypass authentication on protected routes by injecting spoofed forwarded headers using underscore aliases that are not sanitized by Traefik. When the authentication backend normalizes underscore and dash header names equivalently, attackers gain access to protected resources without valid credentials.
Remediation: Upgrade Traefik to the patched versions 2.11.43, 3.6.14, or 3.7.0-rc.2 immediately. If an immediate upgrade is not possible, block all incoming underscore-prefixed forwarded headers at the edge network before they reach Traefik.
Exploit info: No public exploit found yet.
CVE: CVE-2026-35469
CVSS: 8.7
Risk level: HIGH
Affected versions: spdystream versions 0.5.0 and below
Summary: This vulnerability impacts the open source Go spdystream library for multiplexing streams over SPDY connections. The SPDY/3 frame parser does not validate attacker-controlled frame counts and lengths before allocating memory, affecting three distinct code paths. A small compressed on-the-wire payload can decompress into extremely large attacker-controlled allocation sizes, leading to process out-of-memory crashes. A remote unauthenticated attacker can trigger this denial of service with a single crafted SPDY frame.
Remediation: Upgrade the spdystream library to version 0.5.1 or later, which fixes this issue. Audit application dependencies to confirm the patched version is pulled into your build and runtime environments. If immediate upgrade is not possible, restrict access to SPDY endpoints to only trusted peers.
Exploit info: No public exploit found yet.
AI / LLM stream — model-stack and framework-related high-risk CVEs from the prior week. CVEs in this section are ordered by threat for the week: severity (Critical before High), then CVSS, then EPSS.
CVE: CVE-2026-26015
CVSS: 10.0
Risk level: CRITICAL
Affected versions: DocsGPT 0.15.0 to before 0.16.0
Summary: This vulnerability impacts the open-source DocsGPT GPT-powered documentation chat tool. A design flaw in MCP test functionality allows attackers to craft malicious payloads that bypass access controls. Successful exploitation results in arbitrary remote code execution on both public and local affected DocsGPT deployments.
Remediation: Upgrade DocsGPT to the patched version 0.16.0 immediately to resolve the vulnerability. Restrict public access to any unpatched DocsGPT deployments until the update is completed. Audit system access logs to identify any potential unauthorized activity that may have occurred prior to patching.
Exploit info: No public exploit found yet.
CVE: CVE-2026-42249
CVSS: 7.7
Risk level: HIGH
Affected versions: Ollama for Windows 0.12.10 to 0.17.5; other versions may also be vulnerable
Summary: This vulnerability exists in the update mechanism of popular open-source model serving tool Ollama for Windows. It stems from improper validation of attacker-controlled HTTP response headers when constructing file paths for downloaded updates, allowing path traversal to write arbitrary files outside the intended update directory. When chained with CVE-2026-42248, it enables automatic persistent remote code execution without user awareness.
Remediation: Until an official patch is released, disable automatic updates for Ollama on Windows systems. Avoid running Ollama on untrusted public networks that expose update requests to interception. Regularly monitor the Windows Startup directory and system for unauthorized executables.
Exploit info: No public exploit found yet.
CVE: CVE-2026-42248
CVSS: 7.7
Risk level: HIGH
Affected versions: Ollama for Windows 0.12.10 to 0.17.5; other versions may also be vulnerable
Summary: This vulnerability affects the update workflow of Ollama for Windows. The platform's update verification routine unconditionally returns success, skipping all integrity and authenticity checks for downloaded update payloads. Any malicious executable supplied by an attacker during a man-in-the-middle update attack will be accepted and executed automatically due to Ollama's default silent automatic update behavior.
Remediation: Disable automatic updates for Ollama on Windows until an official patched version is released. Only manually download updates from the official Ollama GitHub repository if an update is required. Always verify the checksum of manually downloaded installation files before execution.
Exploit info: No public exploit found yet.
This digest is for your personal use only. Please do not share or forward. Unauthorized distribution may result in account termination.