Weekly Threat Digest: Week 20, 2026

Week 20 threat digest: 197 threats tracked, 29 critical, 155 high severity. Cyber risk analysis with security audit signals for cyber insurance risk assessment professionals.

197 threats tracked this week · 29 critical · 155 high severity · 0 CISA KEV · Powered by OpenCTI

Severity Trend

  Severity   This Week   Last Week   Change
  Critical   29          29          —
  High       155         155         —
  Medium     13          13          —
  Low        0           0           —

Weekly Threat Digest — May 11, 2026

Executive Summary

This week’s threat landscape is dominated by a new critical vulnerability in Gotenberg (CVE-2026-40281, CVSS 10) that enables unauthenticated remote code execution in a widely used document generation API. Alongside this, four older CVEs (all CVSS 10) remain actively exploited, and a surge of WordPress plugin vulnerabilities underscores persistent supply-chain risk. Overall risk posture is elevated, with multiple zero-click attack vectors that directly threaten business continuity and data integrity — key concerns for cyber insurers.

Critical Threats

  1. 🆕 CVE-2026-40281 (Gotenberg, CVSS 10, Risk 100)
    A metadata write endpoint flaw in Gotenberg ≤8.30.1 allows unauthenticated attackers to inject arbitrary commands via crafted PDF metadata. Gotenberg is commonly used in enterprise document processing pipelines. Successful exploitation grants full container access, enabling data exfiltration, ransomware deployment, or lateral movement.

  2. CVE-2023-34992 (Fortinet, CVSS 10, Risk 100)
    OS command injection vulnerability in multiple Fortinet products remains under active exploitation. Attackers can execute unauthorized OS commands remotely. Because Fortinet firewalls and VPNs often sit at the network perimeter, this provides a direct entry point for ransomware gangs.

  3. CVE-2023-34976 (QNAP Video Station, CVSS 10, Risk 100)
    SQL injection in QNAP’s Video Station allows authenticated attackers to inject malicious SQL. While authentication is required, many QNAP devices are exposed to the internet with weak credentials. Exploitation can lead to full database compromise and pivot into NAS storage.

  4. CVE-2023-25960 (Zendrop WordPress Plugin, CVSS 10, Risk 100)
    SQL injection in the Zendrop dropshipping plugin enables unauthenticated attackers to extract sensitive data (customer PII, order details) from WooCommerce databases. The plugin’s widespread use in e‑commerce makes this a high‑volume claims driver.

  5. CVE-2023-4994 (Allow PHP in Posts and Pages WordPress Plugin, CVSS 9.9, Risk 99)
    Remote Code Execution via the [php] shortcode. Authenticated users with subscriber-level access can execute arbitrary PHP. Given WordPress’s dominance, this vulnerability enables privilege escalation and site takeover.

Other noteworthy threats:

  • 🆕 CVE-2026-43575 / CVE-2026-44109 (OpenClaw, CVSS 9.8 each) – Authentication bypass vulnerabilities exposing interactive browser session credentials and Feishu webhook command execution. OpenClaw is used for cloud sandboxing; bypass could lead to full environment compromise.
  • Multiple WordPress plugin flaws (CVE-2023-5201, CVE-2023-5199, CVE-2023-4634, CVE-2020-36706, CVE-2023-4488, CVE-2023-3277) all enable RCE or file inclusion, often without authentication.
  • TSplus Remote Access (CVE-2023-31068, CVE-2023-31069) – Full control permissions and cleartext credentials in a remote access product used by many SMBs.

Trend Analysis

  • The WordPress plugin ecosystem is the biggest attack surface this week: 10 of the top 20 threats involve WordPress plugins, covering SQLi, RCE, LFI, and file upload flaws. Many are unauthenticated or require only subscriber access. This pattern is consistent with the broader shift toward exploiting third‑party dependencies in web applications.
  • Old CVEs remain active: Four vulnerabilities from 2023 (CVE‑2023‑34992, ‑34976, ‑25960, ‑4994) still carry a Risk score of 100 or 99, indicating widespread scanning and exploitation. Insurers should treat these as “known exploited” regardless of age.
  • Authentication bypass is the dominant vector for new CVEs: Both Gotenberg (CVE‑2026‑40281) and OpenClaw (CVE‑2026‑43575, ‑44109) allow unauthenticated access. This signals a trend in modern cloud‑native applications where sandboxing and API authentication are misconfigured.
  • E‑commerce and remote access remain verticals of concern: QNAP, Zendrop, TSplus, and Fortinet all serve critical business functions (storage, e‑commerce, remote workforce). Breaches in these sectors historically lead to high‑severity claims.

Insurance Impact

Threat | Severity | CVE/ID | EPSS | Insurance Impact

  • Gotenberg RCE | Critical (10) | CVE-2026-40281 🆕 | N/A*
    RCE in a document pipeline can lead to data breach and ransomware. Underwriters should require patching within 48h for any insured using Gotenberg. Coverage gaps may apply if an unpatched known vulnerability is exploited.
  • Fortinet OS Command Injection | Critical (10) | CVE-2023-34992 | N/A*
    Perimeter device compromise often results in full network takeover. Insurers should verify Fortinet versions and enforce multi‑factor authentication. Claims frequency is likely to rise if devices remain unpatched.
  • QNAP Video Station SQLi | Critical (10) | CVE-2023-34976 | N/A*
    NAS storage breaches cause sensitive data exposure. Policy exclusions for unpatched IoT/storage devices may apply. Recommend network segmentation.
  • Zendrop SQLi | Critical (10) | CVE-2023-25960 | N/A*
    Customer PII exfiltration triggers notification costs and regulatory fines. E‑commerce insurers should flag any use of this plugin during underwriting.
  • WordPress RCE Plugin | High (9.9) | CVE-2023-4994 | N/A*
    Authenticated RCE is often used to deploy cryptominers or steal payment data. Claims for business interruption and forensics are common. Ensure plugin management is required in cyber hygiene questionnaires.

*EPSS scores were not provided in the intelligence feed; insurers should cross‑reference with EPSS datasets for prioritization.

Additional underwriting signals:

  • CVE‑2026‑43575 / CVE‑2026‑44109 (OpenClaw) – Any insured using OpenClaw sandboxing should be asked to confirm they have applied the patch (≥2026.4.15). Authentication bypass in cloud infrastructure could lead to catastrophic cloud‑native breaches.
  • WordPress plugin volume – Over 60% of this week’s threats target WordPress. Brokers should push for automated plugin patching and least‑privilege user roles as standard requirements.
  • RCE concentration – 7 of the top 20 threats are RCE or allow RCE via LFI. RCE events are the most expensive single‑incident type, driving both first‑party and third‑party claims.

Risk Recommendations

  1. Patch Gotenberg immediately. For any policyholder using Gotenberg to generate PDFs, mandate an update to version >8.30.1 (or disable the metadata endpoint). This single action removes the most critical new threat.

  2. Audit WordPress plugin inventory. Require insureds to list all active plugins and verify that the following are either removed or updated: “Allow PHP in Posts and Pages”, “OpenHook”, “PHP to Page”, “Media Library Assistant”, “MStore API”, “Dropbox Folder Share”, “ChatBot”, and “Zendrop”. Also check “Simple:Press” and “tinyfiledialogs” if applicable.

  3. Validate Fortinet and QNAP patching. For any policy covering a Fortinet or QNAP device, confirm that firmware is at minimum versions that include fixes for CVE‑2023‑34992 and CVE‑2023‑34976. Unpatched devices should trigger a coverage exclusion or mandatory patching clause.

  4. Enforce multi‑factor authentication and network segmentation. Given the number of authenticated vulnerabilities (SQLi in QNAP, RCE in WordPress), MFA reduces the risk of credential‑based exploitation. For NAS and remote access devices, segment them behind a VPN with strict access controls.

  5. Monitor for exploitation in the wild. Recommend that risk managers subscribe to CISA’s Known Exploited Vulnerabilities catalog and set up automated alerts for CVE‑2026‑40281, CVE‑2026‑43575, and the 2023 CVEs listed above. Early detection reduces dwell time and claim severity.
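
Recommendations 1, 2 and 5 above can each be turned into a check a risk manager runs against a policyholder's own data. The script below is an added example written for this digest; it is not code from Resiliently, Gotenberg, CISA or any vendor named above. It assumes the version threshold given in this digest (Gotenberg ≤8.30.1 affected), matches the plugin watchlist against the `title` field of `wp plugin list --format=json` (a real WP-CLI command; the inventory embedded here is constructed), and reads the CISA KEV catalog in its published JSON shape (the snapshot embedded here is constructed and is not the real catalog; the real feed is linked in the comments).

```python
"""Exposure checks for three of the digest's recommendations (added example, not part of the post).

  1. gotenberg_is_vulnerable(): version check for CVE-2026-40281 (digest: <=8.30.1 affected)
  2. audit_wordpress_plugins(): flags watch-listed plugins in `wp plugin list --format=json` output
  3. kev_matches(): finds watch-listed CVEs in a CISA KEV catalog snapshot
     Real feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json
import re

# Watchlists copied from the digest's recommendations.
CVE_WATCHLIST = {
    "CVE-2026-40281", "CVE-2026-43575", "CVE-2026-44109",
    "CVE-2023-34992", "CVE-2023-34976", "CVE-2023-25960", "CVE-2023-4994",
}
PLUGIN_WATCHLIST = {
    "Allow PHP in Posts and Pages", "OpenHook", "PHP to Page", "Media Library Assistant",
    "MStore API", "Dropbox Folder Share", "ChatBot", "Zendrop", "Simple:Press",
}
GOTENBERG_LAST_AFFECTED = (8, 30, 1)  # digest states versions <= 8.30.1 are affected


def parse_version(version):
    """Turn '8.30.1' or 'v8.30.1' into a comparable tuple of ints."""
    nums = re.findall(r"\d+", version)
    if not nums:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(n) for n in nums)


def gotenberg_is_vulnerable(version):
    """True when the deployed Gotenberg version is within the affected range (<= 8.30.1)."""
    return parse_version(version) <= GOTENBERG_LAST_AFFECTED


def _norm(title):
    """Case/punctuation-insensitive key so 'Simple:Press' and 'simple press' compare equal."""
    return re.sub(r"[^a-z0-9]+", "", title.lower())


def audit_wordpress_plugins(wp_plugin_list_json):
    """Given the JSON printed by `wp plugin list --format=json`, return watch-listed plugins
    still installed, with status and whether WP-CLI reports a pending update."""
    wanted = {_norm(t): t for t in PLUGIN_WATCHLIST}
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        key = _norm(plugin.get("title") or plugin.get("name", ""))
        if key in wanted:
            findings.append({
                "plugin": wanted[key],
                "status": plugin.get("status"),
                "version": plugin.get("version"),
                "update_available": plugin.get("update") == "available",
            })
    return sorted(findings, key=lambda f: f["plugin"])


def kev_matches(kev_catalog_json, watchlist=CVE_WATCHLIST):
    """Return KEV entries whose cveID is on the watchlist, newest dateAdded first.
    Field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) follow the KEV schema."""
    catalog = json.loads(kev_catalog_json)
    hits = [v for v in catalog.get("vulnerabilities", []) if v.get("cveID") in watchlist]
    return sorted(hits, key=lambda v: v.get("dateAdded", ""), reverse=True)


# Constructed sample inventory (not from a real site); version strings are illustrative.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "allow-php-in-posts-and-pages", "title": "Allow PHP in Posts and Pages",
     "status": "active", "update": "available", "version": "0.0-example"},
    {"name": "akismet", "title": "Akismet Anti-spam", "status": "active",
     "update": "none", "version": "0.0-example"},
    {"name": "zendrop", "title": "Zendrop", "status": "inactive",
     "update": "none", "version": "0.0-example"},
])

# Constructed KEV snapshot: entries and dates are placeholders, NOT the real catalog.
SAMPLE_KEV_SNAPSHOT = json.dumps({
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-2023-34992", "vendorProject": "Fortinet", "product": "Multiple Products",
         "dateAdded": "2000-01-01", "dueDate": "2000-01-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-00000", "vendorProject": "Example", "product": "Example",
         "dateAdded": "2000-02-01", "dueDate": "2000-02-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

if __name__ == "__main__":
    print("Gotenberg 8.30.1 in affected range:", gotenberg_is_vulnerable("8.30.1"))
    for finding in audit_wordpress_plugins(SAMPLE_WP_PLUGIN_LIST):
        print("plugin finding:", finding)
    for entry in kev_matches(SAMPLE_KEV_SNAPSHOT):
        print("KEV hit:", entry["cveID"], "added", entry["dateAdded"], "due", entry["dueDate"])
```

In practice the inventory comes from running `wp plugin list --format=json` on each site and the KEV snapshot from fetching the feed on a schedule; a KEV hit for a watch-listed CVE, or a watch-listed plugin that is still active with an update pending, is the signal that should open a ticket with the policyholder.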

Bottom Line

This week’s digest highlights a dangerous convergence of new and old critical vulnerabilities — especially in Gotenberg and WordPress plugins — that are being actively exploited. For insurers, the biggest underwriting signal is the prevalence of publicly exposed API endpoints and unmanaged plugin ecosystems. Immediate patching and credential hardening are the most effective loss‑prevention measures.


Data sourced from OpenCTI with 5 active connectors (CVE, MITRE ATT&CK, CISA KEV, AlienVault OTX, ThreatFox). View the full feed at resiliently.ai/threat-intel.


Michael Guiao founded Resiliently AI and writes Resiliently. He has CISM, CCSP, CISA, and DPO certifications — but let them lapse, because in the age of AI, knowledge is cheap. What matters is judgment, and that comes from eight years of hands-on work at Zurich, Sompo, AXA, and PwC.
