Microsoft Windows CVE-2026-32202, LiteLLM CVE-2026-42208, and cPanel/WHM WID-SEC-2026-1310: Active Exploitation and Emergency Patching
Finding: Windows CVE-2026-32202 Enters CISA KEV
Confidence: High
CISA added CVE-2026-32202 to the Known Exploited Vulnerabilities catalogue based on evidence of active exploitation. MSRC lists the vendor advisory for a Windows Shell spoofing and protection mechanism failure.
This should move into emergency compliance checks, not ordinary monthly patch review. Prioritise privileged endpoints first, especially jump hosts, administrator workstations, developer systems, and any Windows device used to reach sensitive management planes.
Finding: LiteLLM CVE-2026-42208 Shows Active Exploitation
Confidence: High
BSI CERT-Bund lists LiteLLM WID-SEC-2026-1288 as a high-severity advisory, and BleepingComputer reports active exploitation of CVE-2026-42208, a critical pre-authentication SQL injection. The reported issue matters because LiteLLM can sit in AI gateway paths where it may hold routing data, credentials, model access configuration, or database-backed operational secrets.
The right first question is simple: is LiteLLM present anywhere in production, staging, proofs of concept, or internal AI enablement stacks? If yes, confirm patched status, restrict direct internet exposure, and review logs for suspicious unauthenticated database activity.
Finding: cPanel/WHM WID-SEC-2026-1310 Requires Hosting Fleet Triage
Confidence: Medium
BSI CERT-Bund added WID-SEC-2026-1310 for a cPanel/WHM security-bypass condition. Technical reporting indicates an emergency update for an authentication login exploit, with fixed builds listed as 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.136.0.5, and 11.134.0.20.
The source set does not cite a CVE, so this finding stays at medium confidence despite the emergency-patch signal. Hosting operators should still treat it as urgent because exposed cPanel and WHM management ports can concentrate large numbers of customer sites behind one administrative surface.
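The fleet check against the fixed builds listed above can be scripted; the following is an added example, not code from BSI CERT-Bund or cPanel. It assumes installed versions are collected as four-part strings in the same form as the fixed builds, that the first three components identify the release tier, and the hostnames and inventory rows are constructed sample data.

```python
# Added example: triage a cPanel/WHM inventory against the fixed builds on this page.
# Assumption: versions look like "11.126.0.54" (tier = first three parts, build = last).

FIXED_BUILDS = [
    "11.110.0.97", "11.118.0.63", "11.126.0.54",
    "11.132.0.29", "11.136.0.5", "11.134.0.20",
]

def parse(version):
    """Split '11.126.0.54' into (tier, build) = ((11, 126, 0), 54)."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums[:3], nums[3]

# Map each release tier to the minimum fixed build for that tier.
FIXED_BY_TIER = dict(parse(v) for v in FIXED_BUILDS)

def classify(version):
    """Return a triage status for one installed version string."""
    try:
        tier, build = parse(version)
    except ValueError:
        return "unparsed"          # inventory gap: collect the version again
    fixed = FIXED_BY_TIER.get(tier)
    if fixed is None:
        return "unlisted-tier"     # no fixed build listed for this tier: review manually
    return "at-or-above-fix" if build >= fixed else "needs-update"

def triage(inventory):
    """Group hosts by status so the update queue is explicit."""
    result = {}
    for host, version in inventory:
        result.setdefault(classify(version), []).append(host)
    return result

# Constructed sample inventory (placeholder hostnames, illustrative versions).
SAMPLE_INVENTORY = [
    ("whm-01.example.net", "11.126.0.54"),
    ("whm-02.example.net", "11.126.0.41"),
    ("whm-03.example.net", "11.134.0.20"),
    ("whm-04.example.net", "11.136.0.4"),
    ("whm-05.example.net", "11.102.0.31"),
    ("whm-06.example.net", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:16} {', '.join(hosts)}")
```

Hosts reported as unlisted-tier or unparsed are not cleared by this check and need a manual decision.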
Finding: NSA GRASSMARLIN CVE-2026-6807 Needs Applicability Review
Confidence: High
CISA published ICSA-26-118-01 for NSA GRASSMARLIN, tracking CVE-2026-6807. The advisory describes an XML External Entity weakness in GRASSMARLIN v3.2.1 that can expose sensitive information from crafted session data, with CVSS 5.5 and no known public exploitation reported by CISA.
This is not a mass internet emergency on the evidence available. It is an asset-mapping task for information technology and critical-infrastructure environments that use GRASSMARLIN for network visibility or session analysis.
Finding: Ubuntu USN-8223-1 Patches Roundcube Webmail Issues
Confidence: Low
Ubuntu published USN-8223-1 for Roundcube Webmail fixes, including CVE-2019-15237, CVE-2024-38356, CVE-2024-38357, and CVE-2024-42008. The covered issues include homograph and cross-site scripting problems in rendered mail and webmail handling.
This is lower-confidence as a severity story because the source set does not provide one clear CVSS score for the cluster. It still belongs in hosted-mail hygiene checks, especially where Roundcube is exposed to untrusted email content and internet-facing users.
Why This Matters
The practical change from yesterday is not another source-code platform issue. Today’s priority stack is active exploitation and emergency patch verification across three different surfaces: Windows endpoints, AI gateway infrastructure, and hosting administration panels.
Intrado 911 Emergency Gateway CVE-2026-6074 and AVEVA Pipeline Simulation CVE-2026-5387 remain serious, but they are unchanged in today’s coverage. They stay on the watchlist rather than taking the lead narrative again.
Recommended Actions
- Add CVE-2026-32202 to Windows emergency compliance checks and verify MSRC patch coverage on privileged endpoints.
- Identify any LiteLLM deployments and confirm patched versions or compensating controls for CVE-2026-42208 today.
- Review LiteLLM exposure, authentication boundaries, database access, and logs for suspicious unauthenticated activity.
- Check cPanel/WHM estates against fixed builds 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.136.0.5, and 11.134.0.20.
- Restrict exposed WHM and cPanel management ports, especially 2083 and 2087, whilst emergency patch status is confirmed.
- Route CISA ICSA-26-118-01 to asset owners who may run NSA GRASSMARLIN v3.2.1.
- Apply Ubuntu USN-8223-1 where Roundcube Webmail packages are present.
All findings grounded in a13e intelligence sweeps through 04:30 UTC 30 April 2026.