By SAFE Threat Research Team
This week’s strongest signals cluster around internet-facing platforms, including webmail systems, CMS deployments, plugins, extensions, and application components. From Roundcube exploitation linked to espionage to large-scale webshell campaigns targeting the WordPress and Joomla ecosystems, attackers are prioritizing systems that sit close to users, credentials, and public access paths.
For security teams, the focus should be on CVEs with evidence of real exploitation, KEV status, public exploit activity, or exposure across business-critical assets. The priority is not the newest vulnerability. It is the one that attackers can actually reach and use.
Vulnerability Landscape

Trending Vulnerabilities
The real focus is on CVEs with confirmed exploitation activity, not just newly disclosed ones. 29 CVEs showed real-world exploitation signals, split between two newly published vulnerabilities and 27 older issues that remain useful to attackers. That split matters because older CVEs often stay active when they affect exposed systems, widely deployed platforms, or assets that are difficult to patch quickly.
Top CVEs to Watch
Roundcube Webmail CVE-2024-42009, CVE-2025-49113: Active Exploitation in Espionage Campaigns
CVE-2024-42009 and CVE-2025-49113 are actively exploited vulnerabilities affecting Roundcube Webmail, enabling attackers to conduct cross-site scripting (XSS) attacks that can compromise user sessions and facilitate the theft of sensitive emails.
The vulnerabilities have been linked to cyber espionage activity by the China-aligned UNK_MassTraction threat group, which has targeted physics and engineering departments at major universities in the United States and Canada. The campaign uses phishing emails to deliver malicious JavaScript payloads, followed by credential theft and the deployment of webshells such as SquareShell and VShell to establish persistent access. The vulnerabilities affect Roundcube versions up to 1.5.7 and 1.6.0–1.6.7. Organizations should upgrade to versions 1.5.8 or 1.6.8 and implement vendor-recommended security measures to mitigate the risk of compromise.
WordPress, Craft CMS, and Joomla CVE-2026-3844, CVE-2025-32432: Large-Scale CMS Exploitation Campaign
A large-scale exploitation campaign is targeting internet-facing content management systems (CMS), with the Australian Cyber Security Centre (ACSC) warning that organizations, including numerous small and medium-sized businesses across Australia, have been affected.
The campaign exploits vulnerabilities across WordPress, Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla, including CVE-2026-3844, CVE-2025-32432, CVE-2020-36847, CVE-2025-12057, CVE-2025-7443, CVE-2025-7852, CVE-2026-0740, CVE-2026-1969, CVE-2026-31843, CVE-2025-13486, CVE-2025-6389, CVE-2026-1357, CVE-2025-12352, CVE-2024-9234, CVE-2026-3395, CVE-2026-29014, and CVE-2026-48907. These flaws
enable webshell deployment through techniques including unauthenticated file upload, remote code execution, authentication bypass, insecure deserialization, and server-side request forgery (SSRF), allowing attackers to gain persistent access, steal sensitive data, and use compromised web servers as entry points for broader network compromise. Organizations should immediately apply vendor security updates and monitor internet-facing CMS deployments for indicators of compromise.
WP-SHELLSTORM CVE-2026-3844, CVE-2026-48907: WordPress and Joomla Under Active Exploitation
The WP-SHELLSTORM campaign is actively exploiting vulnerabilities affecting WordPress and Joomla to deploy webshells and establish persistent access across internet-facing websites. The campaign primarily leverages CVE-2026-3844, CVE-2026-48907, and CVE-2021-29441 to target vulnerable plugins and extensions via automated scanning. Analysis of an exposed attacker server revealed exploit scripts, webshells, command histories, and target lists covering more than 1.4 million websites, with evidence of thousands of successful compromises. Attackers deploy BestShell-derived webshells, SNOWLIGHT, and the VShell backdoor to enable remote command execution, credential theft, and long-term access to compromised servers. Organizations should immediately update affected WordPress plugins and Joomla extensions and monitor public-facing web servers for unauthorized file uploads, webshell activity, and indicators of compromise.
Balbooa Forms CVE-2026-56291: Arbitrary File Upload Under Active Exploitation
CVE-2026-56291 is a critical vulnerability affecting Balbooa Forms for Joomla (versions 1.0–2.4.0) that allows unauthenticated attackers to upload arbitrary files, leading to remote code execution (RCE) on vulnerable servers.
The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog following confirmed in-the-wild exploitation, making it a high-priority remediation target. Successful exploitation can provide attackers with persistent access, enable the deployment of malicious payloads, and facilitate the broader compromise of affected environments. Organizations using affected Joomla installations should immediately apply vendor-recommended patches and mitigations in accordance with CISA Binding Operational Directive (BOD) 26-04.
JoomShaper SP Page Builder CVE-2026-48908: Unrestricted File Upload Enables Remote Code Execution
CVE-2026-48908 is a critical unrestricted file upload vulnerability affecting JoomShaper SP Page Builder for Joomla, allowing unauthenticated attackers to upload arbitrary files and execute malicious PHP code on vulnerable servers.
The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog following confirmed in-the-wild exploitation, making it a high-priority remediation target. Successful exploitation can enable webshell deployment, remote code execution, and persistent access to compromised systems. Organizations should immediately apply vendor-recommended patches, follow the guidance in CISA Binding Operational Directive (BOD) 26-04, and closely monitor affected Joomla deployments for indicators of compromise.
iCagenda CVE-2026-48939: Unrestricted File Upload Enables Remote Code Execution
CVE-2026-48939 is a critical unrestricted file upload vulnerability affecting the iCagenda Joomla extension (versions 3.2.1–4.0.7), allowing unauthenticated attackers to upload arbitrary PHP files and execute malicious code on vulnerable servers. The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog following confirmed in-the-wild exploitation, making it a high-priority remediation target. Successful exploitation can enable webshell deployment, remote code execution, and persistent access to compromised environments. Organizations should immediately upgrade to iCagenda 3.9.15 or 4.0.8, apply vendor-recommended mitigations, and follow CISA Binding Operational Directive (BOD) 26-04 guidance while monitoring affected Joomla deployments for indicators of compromise.
Joomla Page Builder CK CVE-2026-56290: Unauthenticated File Upload Enables Remote Code Execution
CVE-2026-56290 is a critical unauthenticated file-upload vulnerability affecting the JoomlaCK Page Builder CK extension, allowing attackers to upload arbitrary executable files and execute remote code on vulnerable Joomla servers. The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog following confirmed in-the-wild exploitation, making it a high-priority remediation target. Successful exploitation can enable webshell deployment, persistent access, and full compromise of affected systems. Organizations should immediately apply the latest vendor patches, implement recommended mitigations, and follow the guidance in CISA Binding Operational Directive (BOD) 26-04 to reduce the risk of exploitation.
Turning Vulnerability Intelligence into Action
This week’s exploitation activity reinforces a practical reality: attackers prioritize exposed systems that can deliver access, persistence, and scale. Webmail platforms, CMS deployments, plugins, AI applications, and network infrastructure remain attractive because successful exploitation can lead to remote code execution, webshell deployment, credential theft, and long-term access.
Security teams should prioritize action where exploitation risk and business impact intersect:
- Prioritize internet-facing Roundcube Webmail, WordPress, Joomla, Craft CMS, Cisco IOS, and Langflow deployments, especially where exploitation is confirmed or a CISA KEV listing applies.
- Address vulnerabilities that enable remote code execution, arbitrary file upload, authorization bypass, credential theft, or persistent access before lower-risk issues.
- Monitor exposed applications and administrative interfaces for webshell activity, unauthorized uploads, suspicious authentication attempts, and persistence mechanisms.
- Apply compensating controls, such as network segmentation, MFA, restricted administrative access, and enhanced logging, when immediate patching is not possible.
- Rank remediation by exploitability, internet exposure, asset criticality, and business impact.
Effective vulnerability management is about identifying which vulnerabilities attackers can reach, exploit, and use to impact the business.
SAFE CTEM helps organizations connect exploitation intelligence, asset exposure, control effectiveness, and business context so remediation is focused where it reduces the most risk.