Dynamicweb CMS before version 9.12.8 contains a critical authentication bypass that allows unauthenticated attackers to create new administrator accounts. The vulnerability exists because the application's setup wizard can be re-executed on deployed instances, enabling attackers to initialize a fresh admin account and subsequently upload webshells.
SmarterTools SmarterMail prior to build 9511 contains a second critical vulnerability (CVE-2026-24423) — an unauthenticated remote code execution flaw in the ConnectToHub API method. An attacker can redirect the SmarterMail server to connect to a malicious HTTP endpoint that serves OS commands for execution. KEV-listed with EPSS 29%, this is chainable with CVE-2026-23760 for complete server compromise.
Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes in the application's global scope.
Sourcecodester Modern Image Gallery App v1.0 has an arbitrary file upload in the gallery endpoint allowing unauthenticated remote code execution.
Unified Remote 3.9.0.2463 allows unauthenticated remote code execution by sending crafted network packets to the remote control service.
Free5gc NRF 1.4.0 has an authorization bypass in access token generation that allows authenticated users to request tokens with broader scope than permitted.
RuoYi v4.8.2 has an access control flaw in the update function allowing unauthorized attackers to modify arbitrary data in the admin management system.
Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the visual AI workflow builder.
MetaGPT has a code injection vulnerability in actionoutput_str_to_mapping (EPSS 2.6%) allowing remote attackers to execute arbitrary code through crafted AI agent output processing.
Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted custom component definitions.
GPT Academic has an insecure deserialization in run_in_subprocess_wrapper_func (EPSS 1.7%) enabling remote code execution through crafted subprocess data.
MetaGPT by Foundation Agents has an insecure deserialization in deserialize_message (EPSS 1.7%) enabling remote code execution through crafted serialized data in AI agent communications.
GPT Academic has a second insecure deserialization vulnerability in the upload function (EPSS 1.5%) allowing remote code execution through crafted file uploads.
Framelink Figma MCP Server has a command injection vulnerability in fetchWithRetry (EPSS 1.4%) enabling remote code execution on developer machines using the MCP integration.
Upsonic has an insecure deserialization via cloudpickle (EPSS 1.3%) enabling remote code execution through crafted serialized AI agent data.
A Birebir product has a CVSS 10.0 authentication bypass through a primary weakness in the password recovery mechanism, allowing complete account takeover without any authentication.
ALGO 8180 has a use-after-free in SIP session handling (EPSS 1.1%) enabling remote code execution through crafted VoIP signaling sequences.
Katana Network Development Starter Kit has a command injection in executeCommand enabling remote code execution through the development framework.
github-kanban-mcp-server has a command injection in execAsync (EPSS 1.0%) enabling remote code execution on developer machines using the GitHub Kanban MCP integration.
Ollama MCP Server has a command injection vulnerability in execAsync (EPSS 1.0%) allowing remote attackers to execute arbitrary commands on systems running the Ollama AI integration.
ALGO 8180 IP Audio Alerter has a command injection in the SAC interface (EPSS 0.68%) allowing remote code execution on the emergency notification device.
Azure Resource Manager has a CVSS 9.9 access control vulnerability allowing authorized users to escalate privileges across Azure subscriptions and resource groups.
ALGO 8180 has a heap-based buffer overflow in InformaCast message processing enabling remote code execution through the emergency notification protocol.
ALGO 8180 has a stack-based buffer overflow in SIP INVITE Alert-Info header processing, enabling remote code execution through the VoIP protocol.
ALGO 8180 has a stack-based buffer overflow in SIP INVITE Replaces header processing enabling remote code execution through crafted VoIP calls.
SpringBlade v4.5.0 has an access control flaw in authRoutes allowing low-privileged users to escalate to admin through the authentication routing mechanism.
gemini-mcp-tool has a command injection in execAsync allowing remote code execution on systems using the Gemini AI MCP integration.
IAQS and I6 by JNC have a missing authentication vulnerability allowing unauthenticated remote attackers to directly access sensitive system functionality.
IAQS and I6 systems by JNC have a client-side enforcement vulnerability allowing unauthenticated attackers to bypass security controls and access server functionality.
Orval TypeScript code generator versions 7.19+ have a command injection vulnerability allowing RCE through malicious OpenAPI specifications during code generation.
ToDesktop Builder v0.32.1 has an improper certificate validation vulnerability allowing man-in-the-middle attackers to inject malicious code into desktop application builds.
A bounds checking vulnerability in the Linux kernel's libceph authentication handler allows local attackers with user privileges to trigger out-of-bounds memory reads, potentially leading to information disclosure or denial of service. The flaw exists in the handle_auth_done() function which fails to properly validate payload length before processing authentication data. A patch is available to address this vulnerability.
A product by Birebir has weak authentication with improper rate limiting on login attempts and insecure password recovery, enabling brute-force attacks and account takeover.
Aptsys POS Platform Web Services module exposes internal API testing endpoints to the public, allowing unauthenticated access to point-of-sale backend systems.
Aptsys gemscms POS Platform has a SQL injection in the GetServiceByRestaurantID endpoint allowing extraction of restaurant and payment data.