$ today-brief --date 2026-06-16
[VERDICT: GUARDED]

No review-now item passed evidence gates. Treat today as monitor/background unless new exploitation evidence arrives. Highest-scored item: Nuclei template: CVE-2026-5073.yaml.

Monitor

These are notable but currently lack active-exploitation evidence in configured sources.

  • Nuclei template: CVE-2026-5073.yaml — score 60 — exploit status poc — CVE CVE-2026-5073 — KQL: MDE exposure: devices with CVE-2026-5073. Evidence: nvd. Angle: Public Nuclei PoC for unauthenticated SQL injection in ARMember Premium WordPress plugin up to 7.3.1 with 60/100 priority.

  • New Rokarolla Android Malware Steals PINs, SMS Codes, and Crypto Wallet Funds — score 50 — exploit status poc — flags: no_primary_source. Evidence: New Rokarolla Android Malware Steals PINs, SMS Codes, and Crypto Wallet Funds. Angle: Zimperium details Rokarolla Android trojan offering 137 remote commands for PIN theft, SMS interception, and crypto clipboard hijacks across 217 apps.

  • CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection v… — score 25 — exploit status none — CVE CVE-2026-38967 — flags: no_exploitation_signal — KQL: MDE exposure: devices with CVE-2026-38967. Evidence: nvd. Angle: Low-priority (25/100) response header injection flaw in CrowCpp Crow <=1.3.1 shows zero exploitation signals or KEV listing.

  • UK to require ID or face scan before you can make social media accounts — score 25 — exploit status none — flags: no_primary_source, no_exploitation_signal. Evidence: UK to require ID or face scan before you can make social media accounts. Angle: UK mandate for ID upload or face scan to create social media accounts introduces easy circumvention and new data-breach risks.

  • GhostTree Attack Abused Recursive Windows Junctions to Hide Malware — score 25 — exploit status none — flags: no_primary_source, no_exploitation_signal. Evidence: GhostTree Attack Abused Recursive Windows Junctions to Hide Malware. Angle: GhostTree abused recursive NTFS junctions to generate vast Windows paths that prevent Microsoft Defender scans from finishing and detecting malware.

Background

  • React Router is a router for React. In versions 7.0.0 through 7.14.1, when us… — score 38 — exploit status none — CVE CVE-2026-42211 — flags: no_exploitation_signal — KQL: MDE exposure: devices with CVE-2026-42211; MDE edge/service exploitation telemetry triage. Evidence: nvd. Angle: Low-priority React Router RCE is conditional on Framework Mode plus an existing prototype pollution flaw.

  • The Content Visibility for Divi Builder plugin for WordPress is vulnerable to… — score 30 — exploit status none — CVE CVE-2026-1829 — flags: no_exploitation_signal — KQL: MDE exposure: devices with CVE-2026-1829. Evidence: nvd. Angle: Low-priority RCE in a WordPress Divi Builder plugin requires authenticated Contributor access and shows zero exploitation signals.

  • React Router is a router for React. In versions 7.0.0 through 7.14.x of react… — score 23 — exploit status none — CVE CVE-2026-42342 — flags: no_exploitation_signal — KQL: MDE exposure: devices with CVE-2026-42342; MDE edge/service exploitation telemetry triage. Evidence: nvd.

  • React Router is a router for React. In versions 7.7.0 through 7.13.1, when us… — score 23 — exploit status none — CVE CVE-2026-34077 — flags: no_exploitation_signal — KQL: MDE exposure: devices with CVE-2026-34077; MDE edge/service exploitation telemetry triage. Evidence: nvd.

  • React Router is a router for React. In versions 7.7.0 through 7.13.1, when us… — score 23 — exploit status none — CVE CVE-2026-33245 — flags: no_exploitation_signal — KQL: MDE exposure: devices with CVE-2026-33245; MDE edge/service exploitation telemetry triage. Evidence: nvd.