Focus Friday: TPRM Insights On Critical Vulnerabilities In cPanel & WHM, Redis, and Ivanti EPMM

Published

May 8, 2026

Authors

Ferdi Gül

Contributors

Hakan Karabacak

Introduction

Welcome to another edition of Focus Friday. This week highlights security risks across three critical areas of enterprise infrastructure: web hosting management, high-performance data storage, and mobile device management.

The featured vulnerabilities affect cPanel & WHM, Redis, and Ivanti Endpoint Manager Mobile (EPMM), each representing a different layer of vendor technology exposure. From internet-facing administrative panels to backend data stores and mobile endpoint management systems, these issues show how third-party risk can emerge from both visible and deeply embedded infrastructure components.

For Third-Party Risk Management (TPRM) teams, this week’s disclosures reinforce the need to continuously identify exposed technologies across vendor ecosystems and prioritize remediation based on business impact, exploitability, and asset criticality.

Filtered view of vendors with cPanel & WHM FocusTag® on the Black Kite platform.

cPanel & WHM (CVE-2026-41940)

What Is the cPanel & WHM Authentication Bypass Vulnerability?

CVE-2026-41940 is a Critical-severity authentication bypass vulnerability affecting all currently supported versions of cPanel & WHM. With a CVSS score of 9.8 and an EPSS score of 16.52%, this flaw resides in the session loading and saving mechanism of the cPanel & WHM login flow. The vulnerability allows an unauthenticated remote attacker to bypass the authentication process entirely, gaining unauthorized access to the WebHost Manager (WHM) interface — which provides root-level control over the managed server — or to individual cPanel hosting accounts without valid credentials.

The vulnerability has been confirmed as exploited in the wild as a zero-day against a significant portion of the internet's hosting management infrastructure. A public Proof-of-Concept (PoC) exploit is available, lowering the technical barrier for broad exploitation by additional threat actors. CVE-2026-41940 was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 30, 2026, and is listed in the European Union's Vulnerability Database under the identifier EUVD-2026-26246. The vulnerability affects cPanel & WHM versions after 11.40 through all currently supported release tracks. Patched versions have been released across all active branches: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5.

Why Should TPRM Professionals Care About the cPanel & WHM Vulnerability?

cPanel & WHM is the dominant server management platform used by web hosting providers and managed service vendors globally. It controls the entire administrative plane of hosted infrastructure — domain configurations, DNS records, email services, databases, SSL certificates, and user account management. When this control plane is compromised, every hosted service and every customer of the affected hosting environment is simultaneously at risk.

For TPRM professionals, a vendor relying on a hosting provider that runs unpatched cPanel & WHM faces an indirect but severe exposure. An attacker with root-level WHM access can modify DNS records to redirect traffic, access and exfiltrate database credentials, install persistent backdoors across all hosted accounts, or silently harvest SSL private keys. The fact that this vulnerability is already being exploited in the wild as a zero-day — and that a public PoC is now broadly available — means that unpatched instances are actively being targeted and the window for undetected compromise may already be closing for some organizations. For vendors operating their own hosting infrastructure directly on cPanel & WHM, the risk is even more immediate and direct.

What Questions Should TPRM Professionals Ask Vendors About the cPanel & WHM Vulnerability?

To assess how your third-party partners are addressing this actively exploited authentication bypass vulnerability, consider asking the following technical questions:

  1. Have you confirmed that all cPanel & WHM instances have been upgraded to the patched versions — 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5 — to fully remediate CVE-2026-41940?
  2. As an interim measure, have you restricted network-level access to the WHM and cPanel management interfaces to only trusted IP addresses using firewall ACLs, reducing exposure while patches are applied across your hosting infrastructure?
  3. Have you reviewed server access logs and session logs for any indicators of unauthorized access to WHM or cPanel accounts — including unexpected logins, session creation events without corresponding authentication events, or anomalous administrative actions taken prior to the patch being applied?
  4. Have you conducted a full audit of DNS records, SSL certificates, and hosting account configurations to verify that no unauthorized modifications were made during any potential window of exploitation?
  5. If your organization's data or services are hosted by a third-party provider running cPanel & WHM, have you contacted that provider to confirm their patch status and obtain written confirmation of remediation?

Remediation Recommendations for Vendors Subject to This Risk

The following recommendations are drawn directly from cPanel's official security advisory published at support.cpanel.net (WP2 Security Update 04-28-2026) and the watchTowr Labs disclosure of CVE-2026-41940.

  • Apply Official Security Updates Immediately: Upgrade all cPanel & WHM installations to the patched build for the relevant release track: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5. This is the definitive remediation.
  • Restrict Management Interface Access: Until patching is confirmed, apply firewall rules to limit HTTP/HTTPS access to WHM (port 2087) and cPanel (port 2083) management interfaces exclusively to trusted administrative IP addresses.
  • Review Logs for Active Exploitation: Audit web server and cPanel session logs for anomalous session creation events, unexpected logins from unfamiliar IPs, or administrative changes made without corresponding authenticated activity.
  • Conduct Post-Incident Configuration Audit: Verify the integrity of all DNS records, SSL certificates, database configurations, and hosted account files to detect unauthorized modifications that may have occurred before patching.
  • Inventory All cPanel & WHM Instances: Perform a comprehensive audit of all cPanel & WHM deployments across your infrastructure and supply chain, verifying each version against the patched build list to ensure complete coverage.
Black Kite's cPanel & WHM FocusTag® details critical insights on the event for TPRM professionals.

Redis - May2026 (CVE-2026-25243, CVE-2026-25588, CVE-2026-25589, CVE-2026-23479, CVE-2026-23631)

What Are the Redis May 2026 Vulnerabilities?

Five significant vulnerabilities have been identified in Redis, the widely deployed open-source in-memory data structure store used as a caching layer, session store, message broker, and real-time analytics engine across enterprise environments. The vulnerabilities span two distinct classes — invalid memory access in the RESTORE command and its module-level implementations, and Use-After-Free (UAF) conditions in client management and scripting subsystems — all of which can lead to Remote Code Execution (RCE) with the privileges of the Redis server process. No public Proof-of-Concept exploit is available, and none of these vulnerabilities are listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog. Redis Cloud customers have been automatically protected; administrators of self-managed instances must act immediately.

CVE-2026-25243 (CVSS 7.7) is a High-severity invalid memory access vulnerability in the core Redis RESTORE command. An authenticated attacker can supply a specially crafted serialized payload to trigger invalid memory access, potentially achieving RCE against the core Redis engine. CVE-2026-25588 (CVSS 7.7) and CVE-2026-25589 (CVSS 7.7) mirror this mechanism in the RedisTimeSeries and RedisBloom modules respectively — each exploitable via a malicious RESTORE payload in environments where those modules are loaded, with identical RCE potential. CVE-2026-23479 (CVSS 7.7) is a High-severity Use-After-Free vulnerability in the Unblock Client Flow: when a blocked client is evicted while simultaneously re-executing a command, the internal processCommandAndResetClient function fails to handle error return values, leaving a dangling memory pointer that can be leveraged for RCE. CVE-2026-23631 (CVSS 6.1) is a Medium-severity UAF in the Lua scripting engine triggered via the master-replica synchronization mechanism, affecting all Redis deployments where replica-read-only is disabled.

All five vulnerabilities require authenticated access. Affected versions include Redis OSS and Community Edition prior to 6.2.22, 7.2.14, 7.4.9, and 8.2.6; RedisTimeSeries prior to 1.12.14, 1.10.24, and 1.8.23; and RedisBloom prior to 2.8.20, 2.6.28, and 2.4.23. These vulnerabilities are listed in the EU Vulnerability Database under identifiers EUVD-2026-27410, EUVD-2026-27413, EUVD-2026-27414, EUVD-2026-27396, and EUVD-2026-27398. Approximately 57,312 Redis instances are discoverable on Shodan.

Why Should TPRM Professionals Care About the Redis Vulnerabilities?

Redis is not an optional component in modern enterprise architectures — it is the performance and reliability backbone of web applications, microservices, and real-time data platforms. The same properties that make Redis indispensable — its speed and central placement within application stacks — make a compromised Redis instance an exceptionally valuable target for attackers. A Redis server typically holds live session tokens, authentication credentials, API keys cached for performance, and sensitive business data queued for processing.

For TPRM professionals, the critical concern is not just whether a vendor runs Redis, but where it sits in their architecture and how it is configured. While exploitation requires authentication, Redis instances are frequently deployed in misconfigured environments with weak or absent authentication — substantially lowering the real-world barrier. The UAF conditions in CVE-2026-23479 and CVE-2026-23631 are particularly concerning: memory corruption of this nature can be leveraged by skilled threat actors for reliable exploit development, enabling full server compromise, lateral movement into connected systems, and large-scale data exfiltration. The breadth of affected components — spanning the core engine and the widely deployed RedisTimeSeries and RedisBloom modules — means that a significant portion of the approximately 57,312 discoverable instances carry multiple overlapping exposures.

What Questions Should TPRM Professionals Ask Vendors About the Redis Vulnerabilities?

To evaluate how your third-party partners are securing their Redis deployments against these high-severity flaws, consider asking the following technical questions:

  1. Have you upgraded all self-managed Redis OSS and Community Edition instances to the patched versions — 6.2.22, 7.2.14, 7.4.9, or 8.2.6 — and updated RedisTimeSeries and RedisBloom modules to their respective patched releases to fully remediate all five CVEs?
  2. Is Redis authentication enabled on all instances via the requirepass directive, and are ACL rules enforced to restrict access to potentially dangerous commands — particularly RESTORE, EVAL, and DEBUG — for non-administrative users?
  3. Are all Redis instances bound to trusted internal interfaces only, with public internet access blocked at both the operating system and network firewall levels?
  4. If your deployments include RedisTimeSeries or RedisBloom modules that are not actively required, have you disabled or unloaded those modules to eliminate the CVE-2026-25588 and CVE-2026-25589 attack surface?
  5. Is replica-read-only enabled across all Redis replica configurations to reduce the exploitability of CVE-2026-23631 until the patch is applied?

Remediation Recommendations for Vendors Subject to This Risk

The following recommendations are drawn directly from the Redis security advisory GHSA-93m2-935m-8rj3 published on GitHub and the securityonline.info analysis of these vulnerabilities.

  • Immediate Software Upgrade: Update all self-managed Redis OSS, Community Edition, and Software instances to patched versions: 6.2.22, 7.2.14, 7.4.9, or 8.2.6 for core Redis; 1.12.14, 1.10.24, or 1.8.23 for RedisTimeSeries; and 2.8.20, 2.6.28, or 2.4.23 for RedisBloom. Redis Cloud instances have been automatically protected.
  • Restrict Network Access: Use firewalls and network segmentation to ensure only authorized internal systems can reach Redis instances. Bind the Redis listener to trusted internal interfaces only — Redis should never be directly accessible from the public internet.
  • Enforce Strong Authentication and ACLs: Enable protected-mode, set strong randomly generated passwords via requirepass, and implement Redis ACL rules to restrict access to RESTORE, EVAL, and DEBUG commands for non-administrative users.
  • Disable Unused Modules: If RedisTimeSeries or RedisBloom are not required in a given deployment, unload or disable them to eliminate the CVE-2026-25588 and CVE-2026-25589 attack surface entirely.
  • Enable Replica Read-Only: Ensure replica-read-only is enabled on all replica instances to reduce the exploitability of the CVE-2026-23631 Lua scripting UAF condition pending the full software upgrade.
Black Kite's Redis - May2026 FocusTag® details critical insights on the event for TPRM professionals.
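
One way to check a self-managed instance's redis.conf against the recommendations above, as an added example that is not code from the Redis advisory or from Black Kite. Both configuration files are constructed, `admin_users` is a hypothetical parameter naming the accounts exempt from the command check, and only users defined inline in the file are evaluated.

```python
import ipaddress
import shlex

# ACL categories of the commands the article names, per the Redis command docs.
SENSITIVE = {
    "restore": {"keyspace", "write", "slow", "dangerous"},
    "eval": {"slow", "scripting"},
    "debug": {"admin", "slow", "dangerous"},
}
MODULES = ("redistimeseries", "redisbloom")


def parse_conf(text):
    """Return [(directive, [args])], skipping blank lines and # comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            tokens = shlex.split(line)
            rows.append((tokens[0].lower(), tokens[1:]))
    return rows


def allowed_sensitive(rules):
    """Apply ACL command rules left to right; return sensitive commands still allowed."""
    allowed = set()
    for rule in (r.lower() for r in rules):
        sign, name = rule[:1], rule[1:]
        if rule in ("allcommands", "+@all"):
            allowed = set(SENSITIVE)
        elif rule in ("nocommands", "-@all"):
            allowed = set()
        elif sign in ("+", "-"):
            if name.startswith("@"):
                hit = {c for c, cats in SENSITIVE.items() if name[1:] in cats}
            else:
                hit = {name} & set(SENSITIVE)
            allowed = allowed | hit if sign == "+" else allowed - hit
    return allowed


def audit(conf_text, admin_users=("admin",)):
    """Return a list of findings for the settings the article recommends."""
    rows = parse_conf(conf_text)
    last = dict(rows)  # for repeated directives the last occurrence wins

    def value(name, default):
        args = last.get(name)
        return args[0].lower() if args else default

    findings = []
    if value("protected-mode", "yes") != "yes":
        findings.append("protected-mode is disabled")
    if not value("requirepass", ""):
        findings.append("requirepass is not set")
    if not last.get("bind"):
        findings.append("no bind directive: listener is not pinned to an interface")
    for addr in last.get("bind", []):
        try:
            ip = ipaddress.ip_address(addr.lstrip("-"))
            exposed = ip.is_unspecified or not (ip.is_private or ip.is_loopback)
        except ValueError:
            exposed = True  # '*' or a hostname cannot be shown to be internal
        if exposed:
            findings.append(f"bind {addr} is not a private or loopback address")
    for name, args in rows:
        if name == "loadmodule" and args and any(m in args[0].lower() for m in MODULES):
            findings.append(f"module loaded: {args[0]} (confirm it is required and patched)")
    if value("replica-read-only", "yes") != "yes":
        findings.append("replica-read-only is disabled")
    users = [(args[0], args[1:]) for name, args in rows if name == "user" and args]
    if not users:
        findings.append("no ACL users defined: clients run as the unrestricted default user")
    for user, rules in users:
        if user in admin_users or "on" not in [r.lower() for r in rules]:
            continue
        extra = sorted(allowed_sensitive(rules))
        if extra:
            findings.append(f"user {user} may run: {', '.join(extra).upper()}")
    return findings


# Constructed configuration with the weak settings the article warns about.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
replica-read-only no
loadmodule /opt/redis/modules/redisbloom.so
user app on >constructed-app-secret ~app:* +@all
"""

# Constructed configuration with the recommended settings applied.
HARDENED_CONF = """
bind 127.0.0.1 10.0.5.12
protected-mode yes
requirepass constructed-long-random-value
replica-read-only yes
user admin on >constructed-admin-secret ~* +@all
user app on >constructed-app-secret ~app:* +@all -@dangerous -@scripting
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONF):
        print("FINDING:", finding)
```

Users kept in an external ACL file are not read by this check and need the same review.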

Ivanti EPMM - May2026 (CVE-2026-6973, CVE-2026-7821)

What Are the Ivanti EPMM Vulnerabilities?

Two significant vulnerabilities affect Ivanti Endpoint Manager Mobile (EPMM): CVE-2026-6973 and CVE-2026-7821. Both vulnerabilities impact on-premises Ivanti EPMM deployments prior to versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Ivanti has stated that these flaws only affect the on-premises EPMM product and do not affect Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or other Ivanti products.

CVE-2026-6973 is an improper input validation vulnerability that allows a remotely authenticated user with administrative privileges to achieve remote code execution. Ivanti has confirmed exploitation of this vulnerability against a very limited number of customers. CISA added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) Catalog on May 7, 2026, with a federal remediation deadline of May 10, 2026.

CVE-2026-7821 is an improper certificate validation vulnerability. It allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices. Successful exploitation may result in information disclosure about the EPMM appliance and can impact the integrity of the newly enrolled device identity. CVE-2026-7821 is not currently listed in CISA’s KEV Catalog.

Ivanti assesses with high confidence that the administrative credentials used to exploit CVE-2026-6973 originated from previous exploitation of earlier Ivanti EPMM vulnerabilities disclosed in January 2026. As a result, organizations are advised not only to patch affected systems, but also to review administrative accounts and rotate credentials where necessary.

Public Proof-of-Concept exploits have been reported. Both vulnerabilities are listed in the European Union’s Vulnerability Database under the identifiers EUVD-2026-28396 and EUVD-2026-28397. Black Kite’s product identification confidence for this tag is very high, and approximately 430 Ivanti EPMM instances were identified across relevant Shodan queries for exposed product/version combinations.

Why Should TPRM Professionals Care About the Ivanti EPMM Vulnerabilities?

Ivanti EPMM is used to manage mobile devices, enforce enterprise mobility policies, control device enrollment, and support access governance for corporate mobile endpoints. A vulnerability in this layer is not simply a server-side software issue; it can directly affect the trust model organizations use to manage mobile devices, enforce policy, and protect access to enterprise resources.

For TPRM teams, the most urgent concern is CVE-2026-6973 because it has confirmed exploitation in the wild and can lead to remote code execution when an attacker has administrative access. The fact that Ivanti believes the credentials used in exploitation may have originated from earlier exploitation activity is especially important. It means that patching alone may not fully address the risk if administrative credentials were already compromised during prior Ivanti EPMM incidents.

CVE-2026-7821 introduces a different but still meaningful risk: unauthorized enrollment of a restricted set of unenrolled devices. In a mobile device management context, device enrollment is a core trust boundary. If an attacker can manipulate that process, they may gain visibility into appliance information and undermine the integrity of device identity within the managed environment.

From a supply chain perspective, vendors operating vulnerable on-premises EPMM appliances may expose customers to risks involving mobile endpoint management, administrative compromise, unauthorized device enrollment, and post-exploitation persistence. Vendors that previously experienced exploitation of earlier Ivanti EPMM vulnerabilities should be treated with higher scrutiny because compromised credentials may still be reusable unless properly rotated.

What Questions Should TPRM Professionals Ask Vendors About the Ivanti EPMM Vulnerabilities?

To evaluate how your third-party partners are addressing these Ivanti EPMM vulnerabilities, consider asking the following technical questions:

  1. Have you confirmed whether your organization uses on-premises Ivanti Endpoint Manager Mobile, and if so, have all affected instances been upgraded to 12.6.1.1, 12.7.0.1, or 12.8.0.1?
  2. Have you verified that Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or other Ivanti products are not being incorrectly treated as affected when scoping remediation for these specific CVEs?
  3. Have you reviewed all administrative accounts on EPMM appliances and rotated credentials where necessary, especially if your environment may have been exposed to January 2026 Ivanti EPMM vulnerabilities?
  4. Have you investigated EPMM logs for signs of suspicious administrative activity, unexpected command execution, abnormal appliance behavior, or unauthorized device enrollment attempts?
  5. Have you reviewed device enrollment records to identify restricted or previously unenrolled devices that may have been enrolled unexpectedly?
  6. Have you restricted administrative access to EPMM management interfaces using network controls, VPN access, trusted IP allowlists, and strong multi-factor authentication?
  7. Have you increased monitoring and detection coverage around Ivanti EPMM appliances to identify suspicious activity related to credential misuse, device enrollment abuse, or post-exploitation behavior?

Remediation Recommendations for Vendors Subject to This Risk

The following recommendations are based on Ivanti’s May 2026 EPMM advisory, the Centre for Cybersecurity Belgium guidance, and Black Kite’s FocusTag intelligence.

  • Apply Ivanti’s Security Updates Immediately: Upgrade all affected on-premises Ivanti EPMM instances to patched versions 12.6.1.1, 12.7.0.1, or 12.8.0.1. These versions address both CVE-2026-6973 and CVE-2026-7821.
  • Prioritize Actively Exploited Exposure: Treat CVE-2026-6973 as an urgent remediation item because exploitation has been confirmed in the wild and the vulnerability is listed in CISA’s KEV Catalog.
  • Review and Rotate Administrative Credentials: Because Ivanti assesses that credentials used in exploitation may have originated from prior January 2026 exploitation activity, organizations should review all administrative accounts and rotate credentials where necessary.
  • Audit Device Enrollment Activity: Review enrollment logs for unexpected enrollments, restricted device enrollment anomalies, or newly enrolled identities that do not align with normal business activity.
  • Restrict Administrative Interface Exposure: Limit access to EPMM administrative interfaces to trusted networks, enforce MFA where supported, and ensure that management access is not broadly exposed to the internet.
  • Increase Monitoring and Detection: Expand monitoring around EPMM appliances, administrative authentication events, suspicious enrollment behavior, and indicators of post-exploitation activity.
  • Confirm Product Scope: Validate that remediation is focused on on-premises Ivanti EPMM. According to Ivanti's advisory, Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, and other Ivanti products are not affected by these two vulnerabilities.
Black Kite's Ivanti EPMM - May2026 FocusTag® details critical insights on the event for TPRM professionals.
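
The inventory step in the cPanel & WHM recommendations, the upgrade targets in the Redis recommendations, and the product-scope check for Ivanti EPMM all reduce to comparing a reported version against the patched build for its release track. The following is an added example, not Black Kite's or any vendor's code: the product keys, status names and sample inventory are constructed, and treating the first two version components as the release track is an assumption.

```python
# Patched builds per product, copied from the article text. Product keys are
# names chosen for this example, not vendor identifiers.
PATCHED_BUILDS = {
    "cpanel-whm": ["11.110.0.97", "11.118.0.63", "11.126.0.54",
                   "11.132.0.29", "11.134.0.20", "11.136.0.5"],
    "redis": ["6.2.22", "7.2.14", "7.4.9", "8.2.6"],
    "redistimeseries": ["1.12.14", "1.10.24", "1.8.23"],
    "redisbloom": ["2.8.20", "2.6.28", "2.4.23"],
    "ivanti-epmm": ["12.6.1.1", "12.7.0.1", "12.8.0.1"],
}

# Outreach order: a lower number means the vendor is contacted sooner.
PRIORITY = {
    "vulnerable": 0,          # on a listed track, below its patched build
    "no_listed_fix": 1,       # older track with no patched build in the article
    "unparsed": 2,            # version string could not be read
    "newer_track_review": 3,  # newer than every listed track: confirm with vendor
    "patched": 4,
    "out_of_scope": 5,        # product is not one the article lists as affected
}


def parse_version(text):
    """Turn '11.110.0.97' into (11, 110, 0, 97); return None if not numeric."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(product, version):
    """Compare one reported version with the patched build of its release track."""
    builds = PATCHED_BUILDS.get(product.lower())
    if builds is None:
        return "out_of_scope"
    found = parse_version(version)
    if found is None or len(found) < 2:
        return "unparsed"
    fixed = [parse_version(b) for b in builds]
    for build in fixed:
        if build[:2] == found[:2]:  # same release track (assumption: first two parts)
            return "patched" if found >= build else "vulnerable"
    if found[:2] > max(b[:2] for b in fixed):
        return "newer_track_review"
    # Assumption: a track without a listed fix is treated as exposed until
    # the vendor confirms otherwise.
    return "no_listed_fix"


def triage(inventory):
    """Return (vendor, product, version, status) rows, most urgent first."""
    rows = [(v, p, ver, classify(p, ver)) for v, p, ver in inventory]
    return sorted(rows, key=lambda r: (PRIORITY[r[3]], r[0]))


# Constructed sample inventory: (vendor, product, reported version).
SAMPLE_INVENTORY = [
    ("hostco.example", "cpanel-whm", "11.136.0.5"),
    ("hostco.example", "cpanel-whm", "11.126.0.53"),
    ("legacyhost.example", "cpanel-whm", "11.102.0.30"),
    ("cache.example", "redis", "7.4.9"),
    ("cache.example", "redistimeseries", "1.10.23"),
    ("newcache.example", "redis", "8.4.0"),
    ("mdm.example", "ivanti-epmm", "12.6.1.0"),
    ("mdm.example", "ivanti-sentry", "10.1.0"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("{:<20} {:<16} {:<12} {}".format(*row))
```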

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

This week's vulnerability landscape spans three foundational infrastructure layers — hosting control plane management, in-memory data persistence, and mobile device management — requiring TPRM professionals to track exposure across diverse vendor technology stacks. Black Kite addresses this challenge through its FocusTags® intelligence framework, which translates complex vulnerability data into precise, vendor-specific risk signals.

This week, Black Kite's threat intelligence team published the cPanel & WHM FocusTag® on May 1, 2026, the Redis - May2026 FocusTag® on May 7, 2026, and the Ivanti EPMM - May2026 FocusTag® on May 8, 2026.

TPRM teams can operationalize these tags to immediately filter their entire vendor portfolio, identifying the exact organizations running unpatched cPanel & WHM instances that have been confirmed as actively exploited, Redis deployments carrying one or more memory corruption and UAF vulnerabilities, or Ivanti EPMM appliances affected by actively exploited remote code execution and certificate validation flaws.

Rather than waiting for vendor self-reporting through questionnaire cycles that can take weeks, analysts can use Black Kite's platform to drive an evidence-based response — prioritizing outreach to vendors where exploitation would have the highest business impact. This includes hosting providers managing shared infrastructure, vendors where Redis sits in the critical path of sensitive data processing, and organizations operating vulnerable Ivanti EPMM appliances that may manage corporate mobile device enrollment and administrative access controls.

A defining capability of Black Kite's intelligence is the provision of specific, actionable asset detail. When the cPanel & WHM FocusTag® identifies a vendor as exposed, the platform surfaces the precise IP addresses and subdomains hosting the vulnerable management interface. The same granularity applies to Redis and Ivanti EPMM exposure: TPRM teams can identify which specific vendor assets appear exposed or affected, enabling targeted remediation requests that go far beyond generic patching advisories.

Strengthening TPRM Outcomes with Black Kite’s FocusTags®

As threat actors continue targeting hosting management platforms, backend data stores, and enterprise management systems, traditional point-in-time assessments cannot provide the continuous visibility that modern third-party risk programs require. Black Kite's FocusTags® are designed to transform the volume and complexity of weekly vulnerability disclosures into a focused, defensible action plan.

When managing the breadth of this week's disclosures, Black Kite's FocusTags® empower your team through:

  • Immediate Threat Visibility: Instantly identify which vendors are running vulnerable cPanel & WHM instances subject to active zero-day exploitation, Redis deployments carrying high-severity memory corruption flaws, or Ivanti EPMM appliances affected by an actively exploited RCE vulnerability and certificate validation weakness.
  • Contextual Risk Triage: Evaluate each vendor's exposure against their role in your ecosystem. A hosting provider managing customer-facing infrastructure under a vulnerable WHM interface, a vendor processing sensitive session data through Redis, and a supplier managing corporate mobile endpoints through Ivanti EPMM each represent different but urgent risk scenarios.
  • Evidence-Based Vendor Collaboration: Move past broad questionnaires. Provide risk teams with the exact IP addresses, subdomains, and asset-level evidence identified as running vulnerable cPanel & WHM, Redis, or Ivanti EPMM services, enabling precise, verifiable remediation discussions grounded in technical evidence.
  • Credential and Post-Exploitation Awareness: For Ivanti EPMM specifically, FocusTags® help TPRM teams move beyond patch validation and ask the right follow-up questions about administrative credential rotation, prior exploitation exposure, and suspicious device enrollment activity.
  • Resilient Supply Chain Defense: Maintain a continuous view of your extended attack surface — including hosting control planes, in-memory data stores, mobile device management appliances, and other infrastructure now central to vendor operations — so your organization can adapt its security posture in real time as new vulnerabilities emerge.

By transforming raw cyber threat data into precise, actionable intelligence, Black Kite's FocusTags® provide TPRM professionals with the exact tools needed to efficiently and effectively secure the digital supply chain against today's most sophisticated attacks.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags® in the Last 30 Days:

  • cPanel & WHM : CVE-2026-41940, Critical Authentication Bypass Vulnerability actively exploited as a zero-day in the wild, allowing unauthenticated attackers to gain root-level access to WHM management interfaces and individual cPanel hosting accounts. Added to CISA KEV on April 30, 2026.
  • Redis - May2026 : CVE-2026-25243, CVE-2026-25588, CVE-2026-25589, CVE-2026-23479, CVE-2026-23631, Five High-Severity Invalid Memory Access and Use-After-Free Vulnerabilities in Redis core, RedisTimeSeries, and RedisBloom modules enabling potential Remote Code Execution via the RESTORE command and client management subsystems.
  • Ivanti EPMM - May2026: CVE-2026-6973, CVE-2026-7821, Improper Input Validation Vulnerability, Remote Code Execution Vulnerability, Improper Certificate Validation Vulnerability, Authentication Bypass Vulnerability, Information Disclosure Vulnerability, Data Integrity Failure Vulnerability in Ivanti EPMM.
  • Ollama : CVE-2026-5757, Critical Zero-Day Information Disclosure, Out-of-Bounds Read, and Memory Corruption Vulnerability allowing unauthenticated heap memory exfiltration via malicious GGUF model uploads. Status: Unpatched.
  • Langflow - Apr2026 : CVE-2026-42048, Critical Path Traversal Vulnerability in the Knowledge Bases API allowing authenticated users to permanently delete arbitrary server directories via the bulk delete endpoint.
  • SonicWall SonicOS - Apr2026 : CVE-2026-0204, CVE-2026-0205, CVE-2026-0206, High-Severity Improper Access Control, Post-Authentication Path Traversal, and Stack-Based Buffer Overflow Vulnerabilities in SonicWall Gen 6, Gen 7, and Gen 8 firewalls allowing unauthorized management access and Denial of Service.
  • n8n - Apr2026 : CVE-2026-42231, CVE-2026-42232, Critical Prototype Pollution Vulnerabilities via XML parsing in the Webhook body parser and XML node, chainable to full Remote Code Execution on the host server.
  • ActiveMQ - Apr2026 : CVE-2026-34197, High-Severity Code Injection Vulnerability allowing arbitrary code execution via the Jolokia JMX-HTTP bridge.
  • Zimbra - Apr2026 : CVE-2025-48700, Critical Cross-Site Scripting (XSS) Vulnerability actively exploited in the wild allowing for session hijacking and sensitive information disclosure.
  • Exchange Server - Apr2026 : CVE-2023-21529, Critical Remote Code Execution Vulnerability due to insecure deserialization allowing full system compromise.
  • SharePoint - Apr2026 : CVE-2026-32201, CVE-2026-20945, Medium-Severity Improper Input Validation and Spoofing Vulnerabilities allowing network spoofing and deceptive content delivery.
  • MSSQL - Apr2026 : CVE-2026-32167, CVE-2026-32176, CVE-2026-33120, High-Severity Untrusted Pointer Dereference and SQL Injection vulnerabilities allowing privilege escalation and Remote Code Execution.

See Black Kite's full CVE Database and the critical TPRM vulnerabilities that have FocusTags® applied at https://blackkite.com/cve-database/.

References

https://nvd.nist.gov/vuln/detail/CVE-2026-41940

https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/

https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py

https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026

https://github.com/Sachinart/CVE-2026-41940-cpanel-0day

https://www.cve.org/CVERecord?id=CVE-2026-23479

https://www.cve.org/CVERecord?id=CVE-2026-25243

https://www.cve.org/CVERecord?id=CVE-2026-25588

https://www.cve.org/CVERecord?id=CVE-2026-25589

https://www.cve.org/CVERecord?id=CVE-2026-23631

https://securityonline.info/redis-rce-vulnerabilities-memory-corruption-restore-command-patch/

https://github.com/redis/redis/security/advisories/GHSA-93m2-935m-8rj3

https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs

https://ccb.belgium.be/advisories/warning-authenticated-remote-code-execution-vulnerability-ivanti-epmm-exploited-patch

https://nvd.nist.gov/vuln/detail/CVE-2026-6973

https://nvd.nist.gov/vuln/detail/CVE-2026-7821