Spring 2026 web security roundup: what changed in 6 weeks
By TrustYourWebsite Editorial · 4 min read
Source: TrustYourWebsite Editorial
Between the end of April and the middle of May 2026, the web security calendar filled up faster than usual. Web framework CVEs, a Windows worm risk, a backdoor in a 70,000-install WordPress plugin, a Let's Encrypt outage and fresh research on how quickly common password hashes can be cracked. This is a grounded recap of what actually matters for a small business website.
Web frameworks and servers
SPIP — CERTFR-2026-AVI-0564, 12 May 2026. CERT-FR published an advisory for SPIP versions before 4.4.14, warning of remote arbitrary code execution. The fix is to update to SPIP 4.4.14 or later.
Spring — CERTFR-2026-AVI-0554, 11 May 2026. Five CVEs were disclosed across Spring Cloud Function and Spring (CVE-2026-40989, CVE-2026-40990, CVE-2026-41705, CVE-2026-41712, CVE-2026-41713), spanning data confidentiality breach, security policy bypass, remote denial of service and remote arbitrary code execution. Affected versions include Spring Cloud Function before 3.2.16, 4.1.10, 4.2.6, 4.3.3 and 5.0.2.
NGINX — CVE-2026-42945, 14 May 2026. A heap buffer overflow in the rewrite module, CVSS 9.2, affecting NGINX Open Source 0.6.27 through 1.30.0. Patched in 1.31.0 and 1.30.1. The flaw can cause denial of service and, with ASLR disabled, remote code execution. The bug had been there for 18 years.
cPanel — CVE-2026-29202, disclosed 8 May 2026. CVSS 8.8. An authenticated user can execute arbitrary Perl code on the underlying machine. On shared hosting, any regular account holder can become an attacker against neighbouring sites on the same server.
WordPress
Quick Page/Post Redirect backdoor — Security.NL, 30 April 2026. Researcher Austin Ginder found that the plugin, which had more than 70,000 active installations, contained two backdoors: a content-injection capability and the ability to install updates from a malicious domain (effectively remote code execution). The malicious code was reportedly added in 2021. WordPress.org has removed the plugin from the official repository. If you have it installed, deactivate and remove it.
For the four other WordPress plugin vulnerabilities disclosed in March-April 2026 (MW WP Form, Perfmatters, Tutor LMS Pro, Smart Slider 3), see our dedicated WP plugin roundup.
Trust and certificates
Let's Encrypt outage — 8-9 May 2026, ~2.5 hours. Newly created Root and Intermediate Certification Authorities lacked the serverAuth EKU extension required by the Common CA Database Policy. Let's Encrypt halted certificate issuance to fix the configuration, then resumed. Sites whose renewals fell in that window may have had to retry.
DNSSEC and SSL renewal failures — Sucuri Blog, 4 May 2026. Marc Kranat at Sucuri describes how the CA/Browser Forum's Ballot SC-085v2, fully implemented in March 2026, has made strict DNSSEC validation a hard requirement during certificate issuance and renewal. Common failure modes: incorrect or absent DS records at the registrar, expired RRSIG signatures, incomplete key rollovers, inconsistent signed data across nameservers, and clock or algorithm mismatches. Diagnostic tools include DNSViz, Zonemaster and the delv utility.
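One of the failure modes above, a DS record at the registrar that does not match the zone's DNSKEY, can be checked offline by recomputing the DS from the DNSKEY RDATA (RFC 4034: key tag from Appendix B, digest over owner name plus RDATA). The script below is an added example, not from the Sucuri post or any of the tools it names; the DNSKEY material it uses is constructed, so the DS values it produces are illustrative only.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical DNS wire form: lower-cased labels, length-prefixed."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i % 2 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def expected_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex) the registrar should publish."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(registrar_ds: str, computed) -> bool:
    """Compare a 'tag alg dtype digest' string from the registrar with the computed DS."""
    parts = registrar_ds.split()
    if len(parts) != 4:
        return False
    tag, alg, dtype, digest = int(parts[0]), int(parts[1]), int(parts[2]), parts[3].upper()
    return (tag, alg, dtype, digest) == computed


# Constructed DNSKEY for illustration: KSK flags, algorithm 8, 2-byte "public key".
SAMPLE = ("example.com.", 257, 3, 8, "AAE=")

if __name__ == "__main__":
    tag, alg, dtype, digest = expected_ds(*SAMPLE)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

Paste the real DNSKEY fields from `dig DNSKEY yourzone` into `SAMPLE` and compare the output with the DS shown in the registrar's control panel; a mismatch in key tag or digest is exactly the "incorrect DS record" case that breaks strict validation.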
Cryptography
60% of MD5 hashes crackable in under an hour — Kaspersky, 7 May 2026. Using a single Nvidia RTX 5090, Kaspersky researchers tested over 231 million unique passwords from dark web leaks. Sixty percent were cracked in less than an hour, and 48 percent in under 60 seconds. Practical implication: if your site still stores password hashes as MD5 (or any other fast unsalted hash), assume any database breach means the passwords are recovered too. Move to bcrypt, scrypt, Argon2 or whatever your stack supports.
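Moving off MD5 does not require a forced password reset: a site can keep verifying legacy hashes and rewrite each one as a salted, slow hash the next time the user logs in. The code below is an added example using the standard library's `hashlib.scrypt`, not code from Kaspersky or from any particular web stack; the stored-hash format `scrypt$N$r$p$salt$digest` and the audit rows are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Assumed storage format for new hashes: scrypt$N$r$p$<salt hex>$<digest hex>
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # 16 MiB per guess, well under OpenSSL's default maxmem
FAST_UNSALTED = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")  # bare MD5/SHA-1/SHA-256


def is_fast_unsalted_hash(stored: str) -> bool:
    """A bare hex digest of one of the fast hashes is exactly what the audit should flag."""
    return FAST_UNSALTED.fullmatch(stored) is not None


def hash_password(password: str, salt: bytes = b"") -> str:
    """Fresh salted scrypt hash in the assumed storage format."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str):
    """Return (ok, replacement). replacement is a new scrypt hash to write back when a
    legacy MD5 hash verified, so each successful login upgrades one account."""
    if len(stored) == 32 and is_fast_unsalted_hash(stored):          # legacy MD5 path
        legacy = hashlib.md5(password.encode()).hexdigest()
        ok = hmac.compare_digest(legacy, stored.lower())
        return ok, (hash_password(password) if ok else None)
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False, None
    _, n, r, p, salt_hex, digest_hex = parts
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex), None


def audit_password_storage(rows):
    """rows: iterable of (username, stored_hash). Returns usernames still on a fast unsalted hash."""
    return [user for user, stored in rows if is_fast_unsalted_hash(stored)]


# Constructed sample rows: one legacy MD5 user, one already migrated.
SAMPLE_ROWS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),   # md5("password"), the kind of row to flag
    ("bob", hash_password("correct horse battery staple")),
]

if __name__ == "__main__":
    print("needs migration:", audit_password_storage(SAMPLE_ROWS))
```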
Windows infrastructure
Three wormable Windows CVEs — Security.NL, 13 May 2026. Microsoft's May Patch Tuesday included CVE-2026-41089 (Windows Netlogon, remote code execution on domain controllers, no credentials needed); CVE-2026-41096 (Windows DNS Client, RCE via malicious DNS responses); and CVE-2026-40415 (Windows TCP/IP, unauthenticated RCE, though Microsoft notes exploitation is "considerably less likely" due to memory constraints). Patches are available. If you run Windows Server in any form, apply them.
What it adds up to
The UK's NCSC published a blog post on 1 May 2026 titled "Preparing for a vulnerability patch wave", arguing that AI tools are accelerating vulnerability discovery and that organisations should expect more disclosures, faster, across the whole stack. The six weeks summarised above are roughly what that looks like in practice: every major surface (web framework, hosting panel, web server, WordPress plugin, public CA, OS) had something disclosed.
For a small business, the response is not panic but routine. Three habits cover most of the risk:
- Turn on automatic updates for WordPress core, plugins and your operating system. The exceptions (paid plugins, custom integrations) should be a short list you actively manage, not the default.
- Track which third-party services your site depends on, so you find out about an advisory in hours rather than reading about it on a competitor's blog weeks later.
- Stop storing fast unsalted hashes for any credential. If you have not audited your password storage in 2026, do that this week.
The security checklist for small business and the vulnerable WordPress plugins guide cover the foundations.
Sources: CERT-FR AVI-0564 — SPIP, CERT-FR AVI-0554 — Spring, BleepingComputer — NGINX CVE-2026-42945, Security.NL — cPanel CVE-2026-29202, Security.NL — Let's Encrypt outage, Sucuri Blog — DNSSEC and SSL, The Register / Kaspersky — MD5, Security.NL — Windows wormable CVEs, Security.NL — Quick Page/Post Redirect backdoor, NCSC — Vulnerability patch wave.