Bastion Codex – Weekly Defender Brief (2026-05-11)


This weekly defender brief summarizes vulnerability movement observed over the past 7 and 30 days.

The goal is simple: highlight signal that matters to frontline defenders — patch workload pressure, severity shifts, and KEV movement.


Week of 2026-05-11

Executive Snapshot

  • 1614 CVEs observed in the last 7 days
  • 123 Critical
  • 500 High
  • 5 KEV-listed vulnerabilities in the last 30 days

Week-over-Week Movement

  • Total CVEs: +545 (from 1069 to 1614, +51.0%)
  • Critical: +40 (from 83 to 123, +48.2%)
  • High: +126 (from 374 to 500, +33.7%)
  • Medium: +76 (from 400 to 476, +19.0%)
  • Low: +32 (from 36 to 68, +88.9%)
  • Unknown: +271 (from 176 to 447, +154.0%)

Defender Takeaways

  • Elevated volume of Critical vulnerabilities this week. Prioritize external-facing asset review.
  • Recently added KEV vulnerabilities detected. Review CISA remediation timelines.
  • High severity volume suggests increased patch workload. Focus on internet-exposed services first.

Severity Breakdown (7 Days)

  • Critical: 123
  • High: 500
  • Medium: 476
  • Low: 68
  • Unknown: 447

Top Vendors (30 Days)

  • BerriAI: 1
  • Ivanti: 1
  • Linux: 1
  • Palo Alto Networks: 1
  • WebPros: 1

Top Products (30 Days)

  • Endpoint Manager Mobile (EPMM): 1
  • Kernel: 1
  • LiteLLM: 1
  • PAN-OS: 1
  • cPanel & WHM and WP2 (WordPress Squared): 1

Priority Watchlist (Top 10)

  • CVE-2026-41940 | CVSS: 9.8 | KEV: True | cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote atta
  • CVE-2026-0300 | CVSS: 9.8 | KEV: True | A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software all
  • CVE-2026-42208 | CVSS: 9.8 | KEV: True | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a datab
  • CVE-2025-54236 | CVSS: 9.1 | KEV: True | Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Vali
  • CVE-2026-31431 | CVSS: 7.8 | KEV: True | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reve
  • CVE-2026-6973 | CVSS: 7.2 | KEV: True | An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with admin
  • CVE-2025-42599 | CVSS: None | KEV: True | Qualitia Active! Mail contains a stack-based buffer overflow vulnerability that allows a remote, unauthenticated attacker to execute arbitra
  • CVE-2025-47729 | CVSS: None | KEV: True | TeleMessage TM SGNL contains a hidden functionality vulnerability in which the archiving backend holds cleartext copies of messages from TM
  • CVE-2019-10758 | CVSS: None | KEV: True | mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the toBSON method.
  • CVE-2023-41179 | CVSS: None | KEV: True | Trend Micro Apex One and Worry-Free Business Security contain an unspecified vulnerability in the third-party anti-virus uninstaller that co

Generated via Bastion Codex pipeline at 2026-05-11T20:21:39.410582+00:00