
Welcome to the vFeed May 2026 edition of the Cybersecurity and Vulnerability Newsletter.
Key Highlights during the Month
- CVE Volume Shattered All Records: May 2026 recorded 6,612 new CVEs — up 16.7% from April’s 5,664, and the highest single-month total vFeed has ever tracked. The quarter tells the story: February (3,073) → March (5,983) → April (5,664) → May (6,612). At ~213 CVEs per day, the attack surface across software, cloud, and hardware ecosystems is expanding faster than most organizations can triage. Year-to-date, vFeed has correlated 27,643 vulnerabilities, tracking 37.9% ahead of the same period in 2025 (20,052). 2026 is firmly on pace to become the most active year in recorded history.
- Critical Vulnerabilities Remained Elevated at 595: Critical vulnerabilities (CVSS 9.0+) hit 595 in May — down from March’s peak of 819 and April’s 667, but still well above February’s 489. The declining critical ratio (from 13.7% in March to 9.0% in May) against surging total volume suggests the explosion is driven by medium- and high-severity disclosures. The month recorded 36 perfect 10.0 CVSS scores (up from 30 in March and 32 in April), spanning Node.js sandbox escapes (vm2), Cisco SD-WAN authentication bypasses, Microsoft Azure privilege escalations, 5G core network authentication failures, and WordPress plugin file upload flaws.
- Linux Kernel: Four Named Vulnerabilities in a Single Month: “Copy Fail” (CVE-2026-31431), “Dirty Frag,” “Fragnesia” (CVE-2026-46300), and “ssh-keysign-pwn” (CVE-2026-46333) all landed within weeks of each other. Copy Fail is already on CISA’s Known Exploited Vulnerabilities catalog. vFeed tracked 1,037 Linux kernel CVEs in May alone — the chaining potential across cloud VMs, CI/CD runners, and container hosts is what keeps defenders up at night.
- WordPress Plugin Exploits Reached Staggering Scale: vFeed tracked 521 WordPress-related CVEs in May (~6.85% of total), with 453 carrying known public exploits. The Avada Builder unauthenticated RCE (CVE-2026-6279, 1M+ installs) and Divi Form Builder privilege escalation (CVE-2026-5118) represent the ongoing dominance of authentication bypass and file upload weaknesses in the plugin ecosystem.
- Microsoft’s May Patch Tuesday — Massive Volume, Two Wormable Bugs: Microsoft addressed 262 CVEs including 28 rated Critical. Two wormable bugs demand immediate action: CVE-2026-41096 (DNS Client heap overflow — unauthenticated RCE on every Windows machine) and CVE-2026-41089 (Netlogon stack overflow — unauthenticated RCE on domain controllers, CVSS 9.8).
Vulnerability Trends in May
| Metric | Feb ’26 | Mar ’26 | Apr ’26 | May ’26 | MoM (Apr→May) |
|---|---|---|---|---|---|
| New CVEs | 3,073 | 5,983 | 5,664 | 6,612 | ▲ +16.7% |
| Modified CVEs | 3,331 | 4,551 | 48,648 | 13,013 | ▼ -73.3% |
| Critical (CVSS 9.0+) | 489 | 819 | 667 | 595 | ▼ -10.8% |
| Perfect 10.0 scores | 25 | 30 | 32 | 36 | ▲ +12.5% |
| CVSS4 scores recorded | 1,286 | 2,199 | 2,107 | 2,062 | ▼ -2.1% |
| EPSS > 50th percentile | 45 | 303 | 360 | 324 | ▼ -10.0% |
Two signals demand attention. First, the EPSS high-risk count jumped from 45 in February to 303+ in every subsequent month (peaking at 360 in April, settling to 324 in May) — a structural shift indicating a far larger share of published CVEs now carry meaningful real-world exploitation probability. Second, April’s anomalous 48,648 modified CVEs — a 10.7x spike over March — reflects massive retroactive rescoring and re-analysis by NVD, likely driven by CVSS4 migration and backfill efforts. May’s 13,013 modifications remain elevated but signal a return toward normal cadence.
vFeed’s continued adoption of CVSS4 scoring shows a clear inflection: adoption nearly doubled from February (1,286) to March (2,199), then plateaued around ~2,100 per month through April and May — suggesting that major scoring authorities have largely completed their initial CVSS4 migration wave and the new framework is now standard operating procedure.
Vulnerability Landscape
vFeed’s threat intelligence dataset now tracks over 93K known exploits reported from sources including GitHub, Metasploit, ExploitDB, and PacketStorm. In May, 359 unique CVEs out of 6,612 (~5.4%) were published with one or more exploit proof-of-concepts available — a metric that directly translates to weaponization risk.
The top exploit sources for May:
| Exploit Source | Unique CVEs Covered |
|---|---|
| ExploitDB | 193 |
| GitHub PoC | 166 |
| Metasploit | 7 |
| Talos | 5 |
| Saint | 1 |
The dominance of ExploitDB and GitHub PoC repositories underscores how rapidly exploit code becomes publicly available. The 7 Metasploit modules indicate active weaponization of the highest-value targets — including Cisco SD-WAN (CVE-2026-20182) and LibreNMS RCE (CVE-2024-51092).
Platform Impacts
Microsoft — 262 CVEs, Two Wormable, Zero (Reported) In-the-Wild
| Severity | Count |
|---|---|
| Critical | 28 |
| High | 161 |
| Medium | 70 |
| Low | 3 |
May’s Patch Tuesday was one of the largest in Microsoft’s history. The most urgent patches:
- CVE-2026-41096 — DNS Client RCE (CVSS 9.8). Heap buffer overflow triggered by a malicious DNS response. No authentication, no user interaction, runs on every Windows machine. Wormable.
- CVE-2026-41089 — Netlogon RCE (CVSS 9.8). Stack overflow allows unauthenticated code execution on domain controllers. A compromised DC is a compromised domain. Wormable.
- CVE-2026-42898 — Dynamics 365 On-Prem RCE (CVSS 9.9 with scope change). Any authenticated user can break out of the vulnerable component boundary.
- CVE-2026-40402 — Hyper-V EoP (CVSS 9.3). Guest-to-host escape via use-after-free, compromising the hypervisor trust boundary.
- CVE-2026-35435 — Azure AI Foundry M365 (CVSS 10.0). Improper access control allows unauthenticated privilege escalation over the network.
- CVE-2026-42901 — Microsoft Entra ID (CVSS 10.0). Origin validation error enabling unauthenticated privilege escalation.
Linux Kernel — An Unprecedented Month
vFeed tracked 1,037 Linux kernel CVEs in May. Four distinct named vulnerabilities made this month historic:
| Name | CVE | Subsystem | Type | Key Risk |
|---|---|---|---|---|
| Copy Fail | CVE-2026-31431 | AF_ALG / Crypto API | Page cache write | CISA KEV listed; cloud-wide LPE |
| Dirty Frag | CVE-2026-43284 | XFRM ESP-in-UDP | Shared frag decrypt | Splice-loopback memory corruption |
| Fragnesia | CVE-2026-46300 | XFRM ESP-in-TCP | Privilege escalation | No race condition required |
| ssh-keysign-pwn | CVE-2026-46333 | ptrace | Dumpability bypass | Chain-ready with any RCE |
Each of these alone delivers local privilege escalation to root. When chained with any initial-access vector — a compromised web application, an exposed SSH service, a malicious CI job — the result is full system compromise across cloud VMs, container hosts, and Kubernetes nodes.
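One way to inventory hosts for the module-backed subsystems in the table above, as an added example that is not vFeed code: it reads a host's `/proc/modules` and `modules.builtin` and reports AF_ALG and XFRM/ESP code that is loaded or compiled in. The prefix-to-subsystem mapping and the sample data are assumptions; ptrace is core kernel code rather than a module, so it never appears in either file and is out of scope here.

```python
import posixpath

# Assumed mapping from the table's Subsystem column to mainline module-name
# prefixes; adjust it for the kernels you actually run.
WATCHED = {
    "AF_ALG / Crypto API": ("af_alg", "algif_"),
    "XFRM ESP": ("esp4", "esp6", "xfrm"),
}

def loaded(proc_modules_text):
    """Module names from /proc/modules (first field of each line)."""
    return {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}

def builtin(modules_builtin_text):
    """Module names from /lib/modules/<release>/modules.builtin."""
    names = set()
    for ln in modules_builtin_text.splitlines():
        # Entries are paths such as kernel/crypto/af_alg.ko; file names may
        # use '-' where the runtime module name uses '_'.
        base = posixpath.basename(ln.strip())
        if base.endswith(".ko"):
            names.add(base[:-3].replace("-", "_"))
    return names

def audit(proc_modules_text, modules_builtin_text=""):
    """Return {subsystem: {module: 'loaded' | 'built-in'}} for watched code."""
    state = {m: "built-in" for m in builtin(modules_builtin_text)}
    state.update({m: "loaded" for m in loaded(proc_modules_text)})
    report = {}
    for subsystem, prefixes in WATCHED.items():
        hits = {m: s for m, s in sorted(state.items()) if m.startswith(prefixes)}
        if hits:
            report[subsystem] = hits
    return report

# Constructed sample data, not taken from a real host.
SAMPLE_PROC_MODULES = """\
algif_hash 16384 0 - Live 0x0000000000000000
af_alg 32768 1 algif_hash, Live 0x0000000000000000
ext4 1003520 1 - Live 0x0000000000000000
"""
SAMPLE_BUILTIN = (
    "kernel/net/ipv4/esp4.ko\nkernel/net/xfrm/xfrm_user.ko\nkernel/fs/ext4/ext4.ko\n"
)

if __name__ == "__main__":
    for subsystem, mods in audit(SAMPLE_PROC_MODULES, SAMPLE_BUILTIN).items():
        print(subsystem, mods)
```

A module listed in neither file can still be loaded on demand if its `.ko` is installed, so read an empty report as "not currently loaded" rather than "not present".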
WordPress — Authentication Bypass Dominates
521 CVEs in May, with 453 carrying known exploits — an exploit-to-disclosure ratio of 87%, far exceeding any other platform. Critical highlights:
- CVE-2026-6279 — Avada Builder unauthenticated RCE via PHP Function Injection (1M+ installs). Attacker-controlled values passed to `call_user_func()` through a publicly exposed nonce.
- CVE-2026-5118 — Divi Form Builder privilege escalation. Unvalidated `role` parameter during registration allows admin account creation.
- CVE-2026-4883 — Piotnet Forms arbitrary file upload. Incomplete extension blacklist allows `.phar` and `.phtml` uploads.
- CVE-2026-5229 — Form Notify authentication bypass. Plugin trusts user-controlled cookie data for LINE OAuth, allowing account takeover of any user including administrators.
Cloud Vulnerabilities and Attack Chains
vFeed tracked 251 cloud-specific CVEs in May across Azure, AWS, GCP, Kubernetes, and container technologies. Notable disclosures:
- CVE-2026-35435 — Azure AI Foundry M365 (CVSS 10.0). Unauthenticated privilege escalation in published agents.
- CVE-2026-42822 — Azure Local Disconnected Operations (CVSS 10.0). Improper authentication enabling network-based privilege escalation.
- CVE-2026-33109 — Azure Managed Instance for Apache Cassandra (CVSS 9.9). Authorized attacker achieves code execution.
- CVE-2026-2264 — Google Cloud Apigee SSRF. Service account token exfiltration through SetIntegrationRequest policy.
- CVE-2026-42880 — Argo CD (CVSS 9.6). Missing authorization in ServerSideDiff endpoint allows read-only users to extract plaintext Kubernetes Secret data.
The repeating attack chain pattern in May: initial access through a web-facing vulnerability (SSRF, command injection, authentication bypass) → lateral movement via cloud metadata services or IAM escalation → persistence through modified container images. The Linux kernel LPE cluster adds a devastating local-escalation stage to chains that previously relied on IAM misconfigurations alone.
Top Weaknesses
Overall — All May CVEs
| CWE | Weakness | Count | % of Total |
|---|---|---|---|
| CWE-79 | Cross-Site Scripting | 551 | 8.33% |
| CWE-89 | SQL Injection | 323 | 4.89% |
| CWE-862 | Missing Authorization | 270 | 4.08% |
| CWE-416 | Use After Free | 240 | 3.63% |
| CWE-22 | Path Traversal | 210 | 3.18% |
| CWE-78 | OS Command Injection | 184 | 2.78% |
| CWE-94 | Code Injection | 182 | 2.75% |
| CWE-77 | Command Injection | 176 | 2.66% |
| CWE-20 | Improper Input Validation | 165 | 2.50% |
| CWE-918 | Server-Side Request Forgery | 164 | 2.48% |
Critical Only (CVSS 9.0+)
| CWE | Weakness | Critical Count |
|---|---|---|
| CWE-78 | OS Command Injection | 59 |
| CWE-94 | Code Injection | 57 |
| CWE-77 | Command Injection | 42 |
| CWE-306 | Missing Authentication | 29 |
| CWE-89 | SQL Injection | 29 |
| CWE-502 | Deserialization of Untrusted Data | 27 |
| CWE-862 | Missing Authorization | 24 |
| CWE-20 | Improper Input Validation | 23 |
| CWE-22 | Path Traversal | 23 |
| CWE-287 | Improper Authentication | 23 |
A critical finding: OS command injection (CWE-78) and code injection (CWE-94) dominate the critical tier at 59 and 57 respectively, yet XSS (CWE-79) leads overall volume. This divergence tells teams exactly where to focus remediation — command/code injection is where the severity concentrates, while XSS is where the volume lives.
Hardware / IoT / Firmware
vFeed tracked 1,334 hardware, IoT, and firmware CVEs in May — a significant portion of the month’s total. Standout entries:
- CVE-2026-42369 — GeoVision GV-VMS V20 (CVSS 10.0). Stack overflow in the HTTP authorization handler allows unauthenticated RCE as SYSTEM. Compiled without ASLR.
- CVE-2026-37541 — Open Vehicle Monitoring System (OVMS3) buffer overflow (CVSS 10.0). Unvalidated GVRET frame length enables remote code execution.
- CVE-2026-42368 — GeoVision LPC2011 privilege escalation (CVSS 9.9).
- CVE-2026-9037 — Charging controller firmware update without signature validation. Arbitrary code execution with high privileges on EV infrastructure.
- CVE-2026-8979 — Mennekes Amtron EV charger authentication bypass. Unauthenticated password change via crafted POST request.
The convergence of IoT, automotive, and EV charging infrastructure vulnerabilities signals a broadening of the physical attack surface that traditional IT vulnerability management programs must now encompass.
Critical Exploitable Vulnerabilities — May 2026
Pay attention to these critical vulnerabilities with known exploits and high EPSS scores.
| CVE | Target | CVSS | EPSS %ile | Exploit | CWE |
|---|---|---|---|---|---|
| CVE-2026-20182 | Cisco SD-WAN Controller auth bypass | 10.0 | 99.0% | Metasploit + GitHub | CWE-287 |
| CVE-2026-42208 | LiteLLM proxy SQL injection | 9.8 | 98.1% | GitHub | CWE-89 |
| CVE-2026-9082 | Drupal Core SQL injection | 9.8 | 97.1% | — | CWE-89 |
| CVE-2026-36356 | MeiG Smart FORGE SLT711 OS cmd injection | 9.1 | 90.6% | ExploitDB + GitHub | CWE-78 |
| CVE-2026-44590 | Sherlock CI runner command injection | 9.3 | 75.2% | GitHub | CWE-78 |
| CVE-2026-44262 | Scramble Laravel code execution | 9.4 | 72.8% | ExploitDB + GitHub | CWE-94 |
| CVE-2026-42607 | Grav CMS RCE via ZIP upload | 9.1 | 64.1% | ExploitDB | CWE-434 |
| CVE-2026-42208 | LiteLLM AI Gateway SQLi | 9.8 | 98.1% | GitHub | CWE-89 |
| CVE-2026-41096 | Windows DNS Client RCE (wormable) | 9.8 | — | — | CWE-122 |
| CVE-2026-41089 | Windows Netlogon RCE (wormable) | 9.8 | — | — | CWE-121 |
| CVE-2026-42898 | Dynamics 365 On-Prem RCE (scope change) | 9.9 | — | — | CWE-94 |
| CVE-2026-31431 | Linux Copy Fail kernel LPE (CISA KEV) | 7.8 | — | Yes | CWE-119 |
Actionable Recommendations
1. Patch the wormable Microsoft bugs immediately. CVE-2026-41096 (DNS Client) and CVE-2026-41089 (Netlogon) require zero authentication and zero interaction. The DNS Client runs on every Windows machine; Netlogon targets domain controllers. If you patch nothing else this month, patch these.
2. Audit your Linux kernel versions across every environment. Four named privilege-escalation vulnerabilities in one month means your cloud VMs, container hosts, CI runners, and Kubernetes nodes all need kernel updates. Verify whether the AF_ALG, XFRM, and ptrace modules are loaded on exposed systems.
3. Automate WordPress plugin scanning. With 453 exploitable WordPress CVEs in a single month, manual tracking is no longer viable. Run automated scans weekly against installed plugin versions and prioritize authentication-bypass and file-upload flaws.
4. Reassess cloud SDK and managed service exposure. Six Azure CVEs scored CVSS 9.0 or higher, including two perfect 10.0s (AI Foundry, Azure Local). These are not misconfigurations — they are code-level flaws in platform services.
5. Model attack chains, not isolated CVEs. The May data screams chaining: a WordPress authentication bypass gives initial access → a container escape reaches the host → a kernel LPE (Copy Fail, Fragnesia) delivers root. Prioritize based on chain completeness and EPSS exploitation probability, not individual CVSS scores alone.
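Recommendation 5 as a small model, added here as an example and not part of vFeed's tooling: hosts are ranked by whether their findings complete an initial-access plus privilege-escalation chain, then by KEV listing, EPSS percentile and CVSS. The two-stage chain, the ranking order and the host inventory are assumptions; CVE stages and scores are the ones this newsletter gives, with `None` where it gives no score.

```python
from dataclasses import dataclass
from typing import Optional

STAGES = ("initial-access", "privilege-escalation")  # assumed, simplified chain

@dataclass(frozen=True)
class Vuln:
    cve: str
    stage: str
    cvss: Optional[float] = None      # None: no score given in the newsletter
    epss_pct: Optional[float] = None  # EPSS percentile, same convention
    kev: bool = False

CATALOG = {v.cve: v for v in (
    Vuln("CVE-2026-6279", "initial-access"),                        # Avada Builder RCE
    Vuln("CVE-2026-20182", "initial-access", 10.0, 99.0),           # Cisco SD-WAN
    Vuln("CVE-2026-31431", "privilege-escalation", 7.8, kev=True),  # Copy Fail
    Vuln("CVE-2026-46300", "privilege-escalation"),                 # Fragnesia
)}

# Constructed inventory: hypothetical hosts and scanner findings.
INVENTORY = {
    "sdwan-ctl-01": ["CVE-2026-20182"],
    "wp-shop-01": ["CVE-2026-6279", "CVE-2026-31431"],
    "ci-runner-07": ["CVE-2026-46300"],
}

def assess(findings):
    """Summarise one host: missing chain stages and its strongest signals."""
    vulns = [CATALOG[c] for c in findings if c in CATALOG]
    covered = {v.stage for v in vulns}
    return {
        "missing": [s for s in STAGES if s not in covered],
        "kev": any(v.kev for v in vulns),
        "epss": max((v.epss_pct or 0.0 for v in vulns), default=0.0),
        "cvss": max((v.cvss or 0.0 for v in vulns), default=0.0),
    }

def rank_by_chain(inventory):
    """Complete chains first, then KEV, EPSS percentile and CVSS."""
    def key(host):
        a = assess(inventory[host])
        return (not a["missing"], a["kev"], a["epss"], a["cvss"])
    return sorted(inventory, key=key, reverse=True)

def rank_by_cvss(inventory):
    """Baseline for comparison: highest single CVSS score per host."""
    return sorted(inventory, key=lambda h: assess(inventory[h])["cvss"], reverse=True)
```

On the constructed inventory, the CVSS-only baseline puts the CVSS 10.0 controller first, while the chain-aware ranking puts the host carrying both an unauthenticated RCE and a KEV-listed kernel LPE ahead of it.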
vFeed threat intelligence data feeds continue to embrace NIST NVD 2.0 schema, CISA schemas, CVSS4, and EPSS4 scoring. Our correlated database tracks over 930K affected packages and 93K known exploits — providing the context defenders need to prioritize what matters.
