Patch Priority: Top 10 Critical Vulnerabilities to Watch
1. CVE-2026-9082 — Drupal Core SQL Injection (PostgreSQL)
CVSS: 6.5 (NVD) / Drupal-rated 20/25 “Highly Critical” | Affected: Drupal 10.x and 11.x on PostgreSQL | Patch Status: Patched (SA-CORE-2026-004, May 20, 2026). An unauthenticated SQL injection in Drupal’s database abstraction API (the PostgreSQL EntityQuery condition handler). It allows remote attackers to bypass authentication, exfiltrate user credentials, and in some configurations achieve RCE. CISA added it to the KEV catalog with active exploitation confirmed — over 15,000 attempts against ~6,000 sites.
Source: Tenable / Akamai — https://www.tenable.com/blog/cve-2026-9082-highly-critical-sql-injection-vulnerability-in-drupal-core-sa-core-2026-004
2. CVE-2026-41089 — Windows Netlogon Remote Code Execution
CVSS: 9.8 (Critical) | Affected: Windows 11, Windows Server 2022, 2025 | Patch Status: Patched (May 2026 Patch Tuesday). A stack-based buffer overflow in the Netlogon component allows an unauthenticated remote attacker to execute arbitrary code on a domain controller by sending a specially crafted network request. Rated wormable with no credentials or user interaction required — patching domain controllers must be treated as the highest priority.
Source: Zero Day Initiative / Arctic Wolf — https://www.thezdi.com/blog/2026/5/12/the-may-2026-security-update-review
3. CVE-2026-42898 — Microsoft Dynamics 365 On-Premises RCE
CVSS: 9.9 (Critical) | Affected: Microsoft Dynamics 365 On-Premises | Patch Status: Patched (KB5078943, May 2026 Patch Tuesday). The highest CVSS score in this month’s update — a code injection flaw in Dynamics 365 allowing any authenticated user to execute code with a scope change, breaking out of the vulnerable component to affect adjacent resources. Organizations running on-premises Dynamics 365 must apply this patch immediately.
Source: Zero Day Initiative / Arctic Wolf — https://arcticwolf.com/resources/blog/microsoft-patch-tuesday-may-2026/
4. CVE-2026-41096 — Windows DNS Client Remote Code Execution
CVSS: Critical (heap-based buffer overflow) | Affected: Virtually all Windows systems | Patch Status: Patched (May 2026 Patch Tuesday). A malicious DNS response can trigger memory corruption in the Windows DNS Client, allowing unauthenticated RCE. Since the DNS Client runs on every Windows machine, the attack surface is enormous; an attacker with a rogue DNS server can exploit this without authentication or user interaction.
Source: Belgium CCB / Lansweeper — https://ccb.belgium.be/advisories/warning-microsoft-patch-tuesday-may-2026-patches-118-vulnerabilities-16-critical-102
5. CVE-2026-41091 & CVE-2026-45498 — Microsoft Defender Zero-Days (RedSun & UnDefend)
CVSS: 7.8 and 4.0 respectively | Affected: Windows 10, 11, Server 2016–2025 | Patch Status: Patched May 20, 2026 (Defender platform 4.18.26040.7). Actively exploited zero-days: RedSun (CVE-2026-41091) allows SYSTEM-level privilege escalation via Defender’s cloud file rollback mechanism; UnDefend (CVE-2026-45498) silently blocks Defender signature updates, leaving systems unprotected while reporting healthy status. Because an affected system still reports as healthy, confirm the installed platform version directly rather than relying on Defender’s health reporting. Federal agencies must patch by June 3.
Source: SecurityWeek / Picus Security — https://www.securityweek.com/microsoft-patches-exploited-undefend-and-redsun-defender-zero-days/
6. CVE-2026-41103 — Microsoft SSO Plugin for Atlassian Jira/Confluence (EoP)
CVSS: 9.1 (Critical) | Affected: Microsoft SSO plugin for Atlassian Jira and Confluence | Patch Status: Patched (May 2026 Patch Tuesday). A network-exploitable elevation of privilege flaw requiring no privileges and no user interaction. An unauthenticated attacker can gain elevated access to Jira or Confluence environments by sending a crafted SSO response. Microsoft flagged this as “Exploitation More Likely.”
Source: Lansweeper — https://www.lansweeper.com/blog/patch-tuesday/microsoft-patch-tuesday-may-2026/
7. CVE-2026-7359 — Chrome ANGLE Use-After-Free (Sandbox Escape)
CVSS: High | Affected: Chrome versions prior to 147.0.7727.138 | Patch Status: Patched (Chrome 147.0.7727.138). A use-after-free vulnerability in ANGLE (Chrome’s WebGPU backend) that allows a remote attacker who has already compromised the renderer process to escape the sandbox via a crafted HTML page. Chromium rates it High rather than Critical because exploitation requires a prior renderer compromise.
Source: Help AG — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/
8. CVE-2024-9643 — Four-Faith F3x36 Industrial Router Auth Bypass
CVSS: Critical | Affected: Four-Faith F3x36 industrial cellular routers | Patch Status: Exploited in the wild; mass exploitation since mid-May 2026. An authentication bypass flaw stemming from hardcoded administrative credentials in Four-Faith industrial routers. CrowdSec tracked a surge in exploitation since late April 2026, with compromised devices being folded into botnets for further campaigns. Critical infrastructure operators using these routers are at immediate risk.
Source: SecurityWeek — https://www.securityweek.com/in-other-news-industrial-router-exploitation-cisa-kev-nomination-form-gas-station-hacking/
9. CVE-2026-40365 — Microsoft SharePoint Server RCE
CVSS: Critical | Affected: Microsoft SharePoint Server | Patch Status: Patched (May 2026 Patch Tuesday). An authenticated attacker can exploit this vulnerability over a network to execute code remotely on a vulnerable SharePoint server. Given the widespread enterprise deployment of SharePoint, particularly internet-facing instances, organizations should prioritize this patch alongside Netlogon and Dynamics 365.
Source: LinkedIn / Microsoft — https://www.linkedin.com/pulse/microsoft-may-2026-patch-tuesday-fixes-120-vulnerabilities-qpgse
10. CVE-2026-22745 / CVE-2026-22740 / CVE-2026-22741 — Spring Framework DoS & Cache Poisoning
CVSS: Medium | Affected: Spring MVC and Spring WebFlux applications | Patch Status: Patched by VMware/Spring. Three Spring Framework vulnerabilities affecting web applications: CVE-2026-22745 enables DoS via resource exhaustion on Windows systems; CVE-2026-22740 causes disk exhaustion via undeleted temp files; CVE-2026-22741 allows cache poisoning when static resource caching is misconfigured. Organizations running Java-based web applications should review the Spring Framework versions in use immediately.
Source: Help AG — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/