This pack covers four high-to-critical severity vulnerabilities spanning two distinct attack surfaces: web application plugin ecosystems (WordPress CMS) and infrastructure-level exploitation (FortiClient EMS and Node.js supply chain). The most urgent item is CVE-2026-35616, an actively exploited FortiClient EMS zero-day delivering the EKZ infostealer with an EPSS at the 97th percentile, requiring immediate containment action. Simultaneously, two WordPress plugin vulnerabilities (CVE-2025-11993 and CVE-2025-11262) and a prototype pollution flaw in the axios library (CVE-2026-44495) expose web application and development pipeline assets to credential theft, session hijacking, and potential remote code execution.