Skip to main content

Code Injection

4842 CVEs technique

Monthly

CVE-2026-31040 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution via command injection in stata-mcp versions before 1.13.0 allows unauthenticated attackers to execute arbitrary commands through insufficiently validated Stata do-file content. The vulnerability stems from CWE-94 improper control of code generation, enabling network-accessible exploitation without user interaction. CVSS 9.8 (Critical) reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%, percentile 6%).

RCE Code Injection Stata Mcp
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4837 MEDIUM PATCH This Month

Remote code execution in Rapid7 Insight Agent for Linux versions prior to 4.1.0.2 allows authenticated attackers with high privileges to inject arbitrary code via eval() in the beaconing logic by crafting a malicious beacon response. The vulnerability requires high authentication privileges and mutual TLS verification, making remote exploitation difficult without prior compromise of the Rapid7 Platform backend. CVSS 6.6 reflects the high impact (code execution as root) balanced against high attack complexity and privilege requirements. No public exploit code or active exploitation has been identified at time of analysis.

RCE Code Injection Insight Agent
NVD VulDB
CVSS 3.1
6.6
EPSS
0.2%
CVE-2026-25776 CRITICAL Act Now

Code injection in Movable Type CMS allows unauthenticated remote attackers to execute arbitrary Perl code with critical impact. The CVSS:4.0 score of 9.3 reflects network-accessible exploitation requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), enabling complete system compromise. No public exploit identified at time of analysis, though EPSS data unavailable. Vendor Six Apart has released patched version MT 9.0.7 addressing this CWE-94 code injection flaw.

Code Injection RCE Movable Type
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-71058 CRITICAL Act Now

DNS cache poisoning vulnerability in Dual DHCP DNS Server 8.01 allows unauthenticated remote attackers to inject forged DNS responses by exploiting improper source validation. The server accepts UDP responses matched only by transaction ID without verifying originating upstream DNS server, enabling attackers to poison the cache and redirect victims to malicious destinations. No public exploit identified at time of analysis. CVSS 9.1 (Critical) reflects network-accessible attack requiring no privileges or user interaction.

RCE Code Injection
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-5739 Maven MEDIUM GHSA This Month

Remote code injection in PowerJob 5.1.0, 5.1.1, and 5.1.2 allows unauthenticated attackers to execute arbitrary code via the GroovyEvaluator.evaluate function in the OpenAPI endpoint /openApi/addWorkflowNode by manipulating the nodeParams argument. The vulnerability exploits unsafe Groovy code evaluation without input sanitization, enabling full remote code execution with a low CVSS complexity score (6.9/10). No public exploit code is confirmed at time of analysis, and the vendor has not yet responded to the early disclosure notification.

Code Injection RCE Powerjob
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-39337 CRITICAL PATCH Act Now

Remote code execution in ChurchCRM versions prior to 7.1.0 allows unauthenticated attackers to inject arbitrary PHP code through the unsanitized $dbPassword variable during setup wizard initialization, resulting in complete server compromise. This critical flaw (CVSS 10.0) exists as an incomplete fix for CVE-2025-62521 and requires no authentication or user interaction to exploit. The pre-authentication nature and maximum CVSS severity indicate immediate patching priority for all exposed ChurchCRM installations.

PHP Code Injection RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-22666 HIGH POC PATCH This Week

Remote code execution in Dolibarr ERP/CRM versions prior to 23.0.2 allows authenticated administrators to execute arbitrary system commands by exploiting inadequate input validation in the dol_eval_standard() function. The vulnerability enables attackers to bypass security controls using PHP dynamic callable syntax through computed extrafields or other evaluation paths. With a CVSS score of 7.2 and publicly available exploit code documented by Jiva Security, this represents an elevated risk for organizations running unpatched Dolibarr instances, though exploitation requires high-privilege administrator access (CVSS:3.1/PR:H), limiting the attack surface to insider threats or compromised admin accounts.

PHP RCE Code Injection Dolibarr Erp Crm
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-30460 HIGH This Week

Authenticated remote code execution in Daylight Studio FuelCMS version 1.5.2 allows low-privileged users to execute arbitrary code via the Blocks module. CVSS 8.8 rating indicates network-accessible attack requiring low-complexity exploitation without user interaction, enabling full system compromise (confidentiality, integrity, availability impact). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).

RCE Code Injection N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-70844 PHP MEDIUM This Month

Stored cross-site scripting (XSS) in yaffa v2.0.0 allows unauthenticated remote attackers to inject malicious JavaScript via the 'Add Account Group' function, enabling arbitrary script execution in the browsers of users who view the affected page. The vulnerability requires user interaction (clicking/viewing) to trigger but can compromise account confidentiality and integrity for affected users. EPSS exploitation probability is minimal at 0.02%, indicating low real-world exploitation likelihood despite the moderate CVSS score of 6.1.

RCE XSS Code Injection
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-36057 CRITICAL Act Now

Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Code Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-35197 MEDIUM PATCH This Month

Arbitrary code execution in dye color library versions prior to 1.1.1 allows authenticated local users with interactive UI access to execute arbitrary code through malicious template expressions. The vulnerability stems from unsafe evaluation of template syntax and requires local file system access and user interaction. No public exploits have been identified; the vulnerability was discovered and remediated by the author.

RCE Code Injection Dye
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-35178 CRITICAL PATCH Act Now

Remote code execution in Workbench (forceworkbench) versions prior to 65.0.0 allows network-based attackers to execute arbitrary code by exploiting unsafe processing of attacker-controlled cookie values during timezone conversion operations. The vulnerability requires user interaction (CVSS UI:P) but no authentication (PR:N), enabling compromise of both the vulnerable component and other system components (scope change: SC:H/SI:H). EPSS score of 0.51% (66th percentile) indicates moderate exploitation probability. No active exploitation confirmed in CISA KEV at time of analysis. Vendor-released patch available in version 65.0.0 with public GitHub advisory and fix PR.

RCE Code Injection Forceworkbench
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34975 HIGH PATCH This Week

CRLF injection in Plunk email platform's SESService.ts allows authenticated API users to inject arbitrary MIME headers by embedding carriage return/line feed sequences in user-controlled fields (from.name, subject, custom headers, attachment filenames). Attackers can silently add Bcc headers for email forwarding, manipulate Reply-To addresses, or spoof senders by exploiting the lack of input sanitization before MIME message construction. CVSS 8.5 severity reflects network-accessible exploitation with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026 CVE identifier. Vendor-released patch: version 0.8.0 implements schema-level validation rejecting CR/LF characters.

Code Injection Plunk
NVD GitHub VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-26026 CRITICAL PATCH Act Now

Remote code execution in GLPI asset management software versions 11.0.0 through 11.0.5 allows authenticated administrators to execute arbitrary code via template injection. The vulnerability requires high privileges (administrator access) but enables complete system compromise with changed scope, indicating potential breakout from the application context. CVSS 9.1 (Critical). No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE. Fixed in version 11.0.6.

RCE Code Injection Glpi
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-37977 Maven MEDIUM PATCH This Month

CORS header injection in Keycloak's User-Managed Access token endpoint allows remote attackers to reflect attacker-controlled origin values before JWT signature validation, potentially exposing low-sensitivity authorization error responses when clients are misconfigured with wildcard origin permissions. The vulnerability requires high attack complexity and affects only clients explicitly configured with webOrigins set to "*", resulting in a low-severity information disclosure with limited real-world exploitability.

Code Injection Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5631 MEDIUM POC This Month

Remote code injection in gpt-researcher (assafelovic) versions up to 3.4.3 allows unauthenticated attackers to execute arbitrary code via the WebSocket endpoint's extract_command_data function. The vulnerability stems from improper input validation of the 'args' parameter in backend/server/server_utils.py. Publicly available exploit code exists (GitHub issue #1694), though confirmed active exploitation (CISA KEV) has not been reported. With CVSS 7.3 and network-accessible attack vector requiring no authentication, this represents a significant risk to exposed instances, though vendor response remains pending.

Code Injection RCE Gpt Researcher
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5594 LOW POC Monitor

Remote code execution in premAI-io premsql up to version 0.2.1 allows authenticated remote attackers to achieve arbitrary code execution through code injection via manipulation of the result argument in the eval function located in premsql/agents/baseline/workers/followup.py. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure attempts, leaving affected deployments without an official patch.

RCE Code Injection Premsql
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5584 MEDIUM POC This Month

Remote code execution in Fosowl agenticSeek 0.1.0 allows unauthenticated attackers to inject arbitrary Python code via the PyInterpreter.execute function in the query endpoint, enabling full system compromise. The vulnerability exploits unsafe code execution in the component responsible for interpreting user-supplied queries. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.

Code Injection RCE Agenticseek
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5562 MEDIUM POC This Month

Code injection in Provectus kafka-ui up to version 0.7.2 allows unauthenticated remote attackers to execute arbitrary code via the validateAccess function in the /api/smartfilters/testexecutions endpoint. The vulnerability has publicly available exploit code and carries a CVSS 6.9 score reflecting moderate but meaningful real-world risk; the vendor was contacted early but provided no response, suggesting no patch is anticipated.

Code Injection RCE Kafka Ui
NVD VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-5556 LOW POC Monitor

Code injection in badlogic pi-mono up to version 0.58.4 allows authenticated remote attackers to achieve remote code execution through the discoverAndLoadExtensions function in the extension loader module. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications despite contact attempts. The vulnerability carries moderate CVSS scoring (6.3) but represents a significant risk due to public exploit availability and lack of vendor engagement.

Code Injection RCE Pi Mono
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3309 MEDIUM This Month

Arbitrary shortcode execution in ProfilePress plugin for WordPress (all versions up to 4.16.11) allows unauthenticated attackers to execute arbitrary shortcodes by injecting malicious code into billing field values during checkout, potentially leading to information disclosure or content manipulation. The vulnerability stems from insufficient sanitization of user-supplied input before shortcode processing. Wordfence has documented this issue with a CVSS score of 6.5 and no confirmed active exploitation at time of analysis.

WordPress Code Injection RCE
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-28797 HIGH This Week

Server-Side Template Injection in RAGFlow 0.24.0 and earlier allows authenticated users to execute arbitrary OS commands via unsandboxed Jinja2 template rendering in Agent workflow components. The vulnerability affects the Text Processing (StringTransform) and Message components, where user-supplied templates are processed without sandboxing. With a CVSS 8.7 score and low attack complexity (AC:L), authenticated attackers can achieve full system compromise remotely. No public exploit identified at time of analysis, and no vendor-released patch available as of publication date.

Code Injection Python
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-35171 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution in Kedro (all versions prior to 1.3.0) allows unauthenticated network attackers to execute arbitrary system commands during application startup by poisoning the KEDRO_LOGGING_CONFIG environment variable. The vulnerability stems from unsafe use of Python's logging.config.dictConfig() with the special '()' factory key that enables arbitrary callable instantiation. With CVSS 9.8 (critical severity, network-exploitable, no privileges required, low complexity), this represents a

RCE Code Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-34767 npm MEDIUM PATCH GHSA This Month

HTTP response header injection in Electron allows remote attackers to inject malicious headers via crafted input reflected in response headers when custom protocol handlers or webRequest.onHeadersReceived are used. An attacker can manipulate cookies, content security policy, or cross-origin access controls in affected applications. This affects Electron 41.x before 41.0.3, 40.x before 40.8.3, 39.x before 39.8.3, and 38.x before 38.8.6; no public exploit code is documented at time of analysis.

Code Injection Red Hat
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-35536 PyPI HIGH PATCH GHSA This Week

Cookie attribute injection in Tornado web framework versions before 6.5.5 allows unauthenticated remote attackers to manipulate cookie security attributes through crafted characters in domain, path, and samesite parameters of RequestHandler.set_cookie. With CVSS 7.2 and EPSS data unavailable, this represents a moderate integrity and confidentiality risk for web applications using affected Tornado versions. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward for exploitation.

Code Injection Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-35507 MEDIUM PATCH This Month

Host header injection in Shynet before 0.14.0 allows unauthenticated remote attackers to manipulate password reset functionality through crafted HTTP Host headers, enabling account hijacking and unauthorized access via email-based password reset flows. The vulnerability requires user interaction (clicking a reset link) and carries a CVSS score of 6.4 with confirmed patch availability in version 0.14.0.

Code Injection Shynet
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-34830 Ruby MEDIUM PATCH GHSA This Month

Rack::Sendfile in versions prior to 2.2.23, 3.1.21, and 3.2.6 allows remote attackers to inject regex metacharacters into X-Accel-Mapping request headers, enabling unescaped interpolation that manipulates the X-Accel-Redirect response header and causes nginx to serve unintended files from internal locations. No public exploit code or active exploitation has been confirmed; patch versions are available from the vendor.

Nginx Code Injection Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-26962 Ruby MEDIUM PATCH GHSA This Month

Rack versions 3.2.0 through 3.2.5 fail to properly unfold folded multipart headers containing obs-fold sequences, preserving embedded CRLF characters in parsed parameter values like filename and name. This allows unauthenticated remote attackers with high request complexity to inject HTTP response headers or split responses when applications reuse these parsed values, leading to potential session hijacking, cache poisoning, or credential theft. The vulnerability carries a moderate CVSS score of

Code Injection Rack
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-34083 npm MEDIUM PATCH GHSA This Month

SignalK Server versions prior to 2.24.0 allow unauthenticated attackers to hijack OAuth2 sessions and steal authorization codes by spoofing the HTTP Host header in OIDC login and logout handlers. The vulnerability exploits the default-unset redirectUri configuration, causing the OIDC provider to send authorization codes to an attacker-controlled domain. EPSS score of 6.1 reflects moderate real-world risk despite the requirement for user interaction (UI:R) to initiate login.

Code Injection Signalk Server
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-35002 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution in Agno prior to version 2.3.24 allows attackers to execute arbitrary Python code by manipulating the field_type parameter in FunctionCall objects, which is passed unsafely to eval(). The vulnerability affects all versions before 2.3.24 and requires network access to influence the field_type value, enabling complete system compromise through code injection in the model execution component.

Python RCE Code Injection Agno
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-29138 MEDIUM PATCH This Month

SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to impersonate other users by claiming their PGP signatures through a specially crafted email address, enabling signature forgery and identity spoofing in encrypted email communications. The vulnerability exploits LDAP injection mechanisms to manipulate signature verification, affecting all versions prior to 15.0.3. No CVSS score is available, and exploitation status remains unconfirmed from provided data.

Information Disclosure LDAP Code Injection
NVD
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-29131 MEDIUM PATCH This Month

SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to read encrypted email contents intended for other users by crafting specially malformed email addresses that exploit LDAP injection in the recipient validation process. This information disclosure vulnerability affects all versions prior to 15.0.3 and requires only network access to send a specially crafted email, making it a practical attack vector against organizations using vulnerable SEPPmail deployments.

Information Disclosure LDAP Code Injection
NVD
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-1540 HIGH POC PATCH This Week

Remote code execution in Spam Protect for Contact Form 7 WordPress plugin before version 1.2.10 allows authenticated users with editor-level privileges to achieve arbitrary code execution by crafting malicious headers that are logged to a PHP file. The vulnerability is publicly exploitable with proof-of-concept code available, making it a critical risk for WordPress installations using affected plugin versions.

WordPress PHP RCE Code Injection
NVD VulDB WPScan
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-34519 PyPI LOW PATCH GHSA Monitor

Header injection in AIOHTTP prior to version 3.13.4 allows remote attackers to inject arbitrary HTTP headers or conduct similar exploits by controlling the reason parameter when creating a Response object. The vulnerability has low real-world impact (CVSS 2.7, EPSS not available) and requires the attacker to control application-level input that directly influences the reason parameter; no public exploit code or active exploitation has been identified. A vendor-released patch is available in version 3.13.4.

Python Code Injection
NVD GitHub VulDB
CVSS 4.0
2.7
EPSS
0.0%
CVE-2026-34514 PyPI LOW PATCH GHSA Monitor

Header injection in AIOHTTP prior to version 3.13.4 allows unauthenticated remote attackers to inject arbitrary headers by controlling the content_type parameter, potentially enabling HTTP response splitting or cache poisoning attacks. The vulnerability has a low CVSS score (2.7) reflecting limited integrity impact, but affects all versions before the patched release 3.13.4.

Python Code Injection
NVD GitHub VulDB
CVSS 4.0
2.7
EPSS
0.0%
CVE-2026-35093 HIGH PATCH This Week

Local privilege escalation in libinput allows authenticated users to execute arbitrary code within graphical compositor contexts by placing malicious Lua bytecode in system or user configuration directories. The vulnerability achieves scope change (CVSS:S:C) with high impact across confidentiality, integrity, and availability (8.8 CVSS), enabling attackers to monitor keyboard input including passwords and sensitive data. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed vulnerability.

RCE Code Injection Libinput Fedora
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-29014 CRITICAL POC Act Now

MetInfo CMS 7.9, 8.0, and 8.1 allows unauthenticated remote code execution through PHP code injection in insufficient input validation mechanisms. Attackers can send crafted requests containing malicious PHP code to execute arbitrary commands and achieve full server compromise without authentication. Publicly available exploit code exists for this vulnerability.

PHP RCE Code Injection
NVD
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-35056 HIGH PATCH This Week

Remote code execution in XenForo versions prior to 2.3.9 and 2.2.18 allows authenticated administrators to execute arbitrary code on the server. Attack requires low-privilege admin panel access (PR:L) with network accessibility (AV:N) and low complexity (AC:L). No public exploit identified at time of analysis, though VulnCheck published technical analysis. This represents a supply-chain or insider-threat risk where compromised admin credentials or malicious insiders could achieve complete server compromise.

RCE Code Injection Xenforo
NVD
CVSS 4.0
8.6
EPSS
0.3%
CVE-2025-71281 HIGH PATCH This Week

Remote code execution in XenForo versions before 2.3.7 allows authenticated users to invoke unauthorized methods through template callbacks and variable method calls. The vulnerability stems from a loose prefix matching mechanism that permits bypassing intended access restrictions, enabling attackers with low-privilege accounts to achieve high-severity impacts across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the technical details have been publicly disclosed by VulnCheck, increasing weaponization risk.

Code Injection RCE Xenforo
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-34601 npm HIGH PATCH NEWS GHSA This Week

XML injection in xmldom's CDATA serialization allows remote attackers to inject arbitrary markup into generated XML documents without authentication. The vulnerability affects both the legacy xmldom package and @xmldom/xmldom when applications embed untrusted input into CDATA sections. Attackers can break out of CDATA context by including the sequence ]]> in user-controlled strings, causing downstream XML consumers to parse injected elements as legitimate markup. Vendor-released patches are avai

Code Injection Mozilla
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-49048 PyPI HIGH PATCH GHSA This Week

### Impact TorchGeo 0.4-0.6.0 used an [`eval`](https://docs.python.org/3/library/functions.html#eval) statement in its model weight API that could allow an unauthenticated, remote attacker to execute. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Microsoft Python
NVD GitHub
CVSS 3.1
8.1
EPSS
0.5%
CVE-2026-30643 CRITICAL Act Now

Remote code execution in DedeCMS 5.7.118 allows unauthenticated attackers to execute arbitrary code through crafted setup tag values during module upload operations. The vulnerability exploits insufficient input validation in the module upload functionality, enabling direct code injection. No CVSS score, EPSS data, or KEV confirmation is available; however, the presence of a public proof-of-concept demonstrates practical exploitability.

RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-40489 CRITICAL Act Now

There is an injection vulnerability in jeecg boot versions 3.0.0 to 3.5.3 due to lax character filtering, which allows attackers to execute arbitrary code on components through specially crafted HTTP. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-4800 LIB CRITICAL POC PATCH NEWS GHSA Act Now

Server-side code injection in Lodash's _.template function (lodash, lodash-es, lodash-amd and lodash.template, versions 4.0.0 to <4.18.0) lets an attacker execute arbitrary JavaScript at template-compilation time when an application passes untrusted input as options.imports key names. This is an incomplete-fix follow-on to CVE-2021-23337/GHSA-35jh-r3h4-6jhm: the original patch validated the variable option but left the imports key path flowing unchecked into the same Function() sink, and assignInWith's for..in merge also pulls in any prototype-polluted keys. Publicly available exploit code exists, but EPSS is only 0.07% (21st percentile) and CISA SSVC rates exploitation as none, reflecting that the dangerous pattern is uncommon in real deployments.

Code Injection RCE Lodash Lodash Es Lodash Amd +1
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-4399 HIGH This Week

Prompt injection in 1millionbot Millie chatbot allows remote attackers to bypass chat restrictions using Boolean logic techniques, enabling retrieval of prohibited information and execution of unintended tasks including potential abuse of OpenAI API keys. The vulnerability exploits insufficient input validation in the LLM's containment mechanisms, permitting attackers to reformulate queries in ways that trigger affirmative responses ('true') that then execute injected instructions outside the chatbot's intended scope.

Code Injection Millie Chat
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-3300 CRITICAL POC Act Now

Remote code execution in Everest Forms Pro plugin for WordPress ≤1.9.12 allows unauthenticated attackers to execute arbitrary PHP code on the server via the Complex Calculation feature. Attackers can inject malicious PHP through any string-type form field (text, email, URL, select, radio) due to unsafe concatenation into eval() without proper escaping. This vulnerability carries a 9.8 CVSS score with maximum impact (confidentiality, integrity, availability) and requires no authentication or user interaction, representing a critical immediate threat to all installations using the affected plugin versions.

WordPress PHP RCE Code Injection
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-4257 CRITICAL POC Emergency

Remote code execution in Contact Form by Supsystic plugin for WordPress (all versions ≤1.7.36) allows unauthenticated attackers to execute arbitrary PHP functions and OS commands via Server-Side Template Injection. Attackers exploit the plugin's unsandboxed Twig template engine by injecting malicious Twig expressions through GET parameters in the cfsPreFill functionality, leveraging registerUndefinedFilterCallback() to register arbitrary PHP callbacks. CVSS 9.8 (Critical) with network-accessible, low-complexity attack vector requiring no authentication. EPSS data not provided, but the combination of unauthenticated RCE in a widely-deployed WordPress plugin represents severe real-world risk. No KEV status confirmed at time of analysis.

WordPress PHP RCE Code Injection
NVD VulDB Exploit-DB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-28228 HIGH PATCH This Week

Server-side template injection in OpenOlat e-learning platform versions prior to 19.1.31, 20.1.18, and 20.2.5 enables authenticated users with Author role to execute arbitrary operating system commands via crafted Velocity directives in reminder email templates. Exploitation requires low-privilege authentication (PR:L) but is network-accessible (AV:N) with low complexity (AC:L), achieving full system compromise (C:H/I:H/A:H). The vulnerability leverages Java reflection through Velocity templates to instantiate ProcessBuilder and execute commands with Tomcat process privileges, often root in containerized environments. EPSS data not provided; no CISA KEV status confirmed; publicly available exploit code exists per GitHub security advisory disclosure.

Java Tomcat Ssti Code Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-31799 MEDIUM PATCH This Month

SQL injection in Tautulli's /api/v2?cmd=get_home_stats endpoint allows authenticated administrators to exfiltrate sensitive data from the SQLite database via boolean-blind SQL inference. Affected versions include 2.14.2-2.16.x for the 'before' and 'after' parameters, and 2.1.0-beta-2.16.x for 'section_id' and 'user_id' parameters. The vulnerability requires possession of the admin API key and results in confidentiality compromise without code execution. Patch is available in version 2.17.0.

Python Code Injection
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-28505 HIGH PATCH This Week

Remote code execution in Tautulli (Python-based Plex Media Server monitoring tool) versions prior to 2.17.0 allows authenticated administrators to bypass sandbox restrictions in notification templates via lambda expressions, enabling arbitrary Python code execution. The vulnerability exploits a flaw in the str_eval() sandbox implementation that only inspects outer code object names (co_names) while nested lambda code objects store attribute accesses in co_consts, evading security checks. CVSS 7.5 with high attack complexity and high privilege requirement (PR:H) indicates limited real-world risk scope, with no public exploit identified at time of analysis.

Python Code Injection RCE
NVD GitHub
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-2287 CRITICAL Act Now

CrewAI fails to validate Docker runtime availability during execution and silently reverts to an insecure sandbox mode, enabling remote code execution. Affected versions prior to the patch rely on Docker for isolation; when Docker becomes unavailable or is misconfigured, the fallback mechanism does not enforce adequate sandboxing constraints, allowing attackers to execute arbitrary commands within the application context. No CVSS score or official CVE details are available at this time, though the vulnerability has been reported to CERT and carries high practical risk due to the automatic unsafe fallback behavior.

Docker RCE Code Injection
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30305 CRITICAL Act Now

Remote code execution in Syntx's command auto-approval module allows unauthenticated attackers to bypass whitelist security via shell command substitution syntax in command arguments. The vulnerability exploits inadequate regular expression parsing that fails to detect $(…) and backtick command substitution patterns, enabling an attacker to inject malicious commands within seemingly benign git operations (e.g., git log --grep="$(malicious_command)") that are automatically approved and executed with full system privileges. No CVSS score or KEV status data available; no public exploit code confirmed at time of analysis.

Command Injection RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-30313 CRITICAL Act Now

Remote code execution in DSAI-Cline's command auto-approval module allows unauthenticated attackers to bypass whitelist validation by embedding newline characters in command payloads, forcing automatic approval and sequential execution of arbitrary OS commands via PowerShell without user interaction.

Command Injection RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-30306 CRITICAL Act Now

SakaDev's automatic terminal command execution feature can be bypassed via prompt injection attacks, allowing unauthenticated remote attackers to execute arbitrary commands without user approval by wrapping malicious commands in templates that mislead the underlying language model into misclassifying destructive operations as safe. The vulnerability exploits a design flaw in the model-based safety classification mechanism rather than a traditional code defect, affecting the extension across all versions where the 'Execute safe commands' option is enabled.

RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30307 CRITICAL Act Now

Remote code execution in Roo Code's command auto-approval module allows unauthenticated attackers to bypass the whitelist security mechanism via shell command substitution in command arguments. The vulnerability exploits inadequate regular expression parsing that fails to detect $(...) and backtick syntax, enabling an attacker to inject malicious commands (e.g., git log --grep="$(malicious_command)") that are automatically approved and executed with full system privileges. No CVSS scoring, KEV status, or official patch information is currently available.

RCE Command Injection Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-30308 CRITICAL Act Now

HAI Build Code Generator's automatic command execution feature can be bypassed through prompt injection attacks, allowing unauthenticated remote code execution by misleading the AI model into misclassifying malicious commands as safe. The vulnerability exploits a fundamental design flaw in the model's safety classification logic, where attackers can wrap destructive commands in generic templates to bypass the user approval requirement that should be triggered for potentially dangerous operations.

RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-5011 LOW POC Monitor

Remote code execution in elecV2P up to version 3.8.3 allows authenticated attackers to inject arbitrary code via manipulation of the rawcode argument in the runJSFile function of the /webhook JSON Parser endpoint. The vulnerability has publicly available exploit code and the vendor has not yet responded to early disclosure notifications, making this an active security concern for deployed instances.

Code Injection RCE Elecv2P
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4998 MEDIUM POC This Month

Code injection in Sinaptik AI PandasAI versions up to 3.0.0 allows unauthenticated remote attackers to execute arbitrary code via the CodeExecutor.execute function in the Chat Message Handler component. CVSS 7.3 (High) with network attack vector, low complexity, and no authentication required. Publicly available exploit code exists (POC on GitHub Gist). EPSS data not provided, but the combination of unauthenticated remote execution and public exploit significantly elevates real-world risk. Vendor non-responsive to coordinated disclosure.

Code Injection RCE Pandasai pandas
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-2442 MEDIUM This Month

CRLF injection in Page Builder: Pagelayer WordPress plugin up to version 2.0.7 allows unauthenticated attackers to inject arbitrary email headers (Bcc, Cc, etc.) through contact form fields. The vulnerability exploits unsafe placeholder substitution in email headers without CR/LF sanitization, enabling email header spoofing and potential abuse of form email delivery systems. No public exploit code or active exploitation has been identified at time of analysis.

WordPress Code Injection
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-34202 Cargo CRITICAL PATCH GHSA Act Now

Remote attackers can crash Zebra cryptocurrency nodes (versions <4.3.0) by sending malformed V5 transactions that pass initial deserialization but trigger panics during transaction ID calculation. The vulnerability requires no authentication and can be exploited via a single crafted network message to the P2P port (8233) or through the sendrawtransaction RPC method. No public exploit code has been identified at time of analysis, though the attack mechanism is well-documented in the vendor advisory. EPSS data not available for this CVE.

Denial Of Service Deserialization Code Injection RCE
NVD GitHub
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-33881 HIGH PATCH This Week

JavaScript code injection in Windmill's NativeTS executor allows workspace administrators to achieve remote code execution by embedding malicious payloads in environment variable values. The vulnerability (CWE-94) stems from improper sanitization of single quotes when interpolating workspace environment variables into JavaScript string literals, enabling arbitrary code execution in all NativeTS scripts within the affected workspace. Windmill versions prior to 1.664.0 are affected. CVSS 7.3 reflects high confidentiality, integrity, and availability impact, though exploitation requires high privileges (workspace admin role). Publicly available exploit code exists, though no confirmed active exploitation (CISA KEV) at time of analysis.

Code Injection RCE Windmill
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-33654 HIGH PATCH This Week

Remote code execution in nanobot personal AI assistant (versions prior to 0.1.6) allows unauthenticated attackers to execute arbitrary LLM instructions and system tools via malicious email content. The vulnerability exploits the email channel processing module's lack of input validation, enabling zero-click, indirect prompt injection attacks without bot owner interaction. Publicly available exploit code exists. With CVSS 8.9 (Critical) and network-accessible attack vector requiring no privileges, this represents a severe security risk for deployed nanobot instances monitoring email.

RCE Code Injection Nanobot
NVD GitHub
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-34060 Ruby HIGH PATCH GHSA This Week

Ruby Language Server (ruby-lsp) allows arbitrary code execution when opening malicious projects. The vulnerability exploits unsanitized interpolation of the rubyLsp.branch workspace setting into a generated Gemfile, enabling attackers to embed malicious Ruby code in .vscode/settings.json that executes when users open and trust the workspace. Affects ruby-lsp gem < 0.26.9 and VS Code extension < 0.10.2. No active exploitation or public POC currently identified at time of analysis, but the attack requires only social engineering to trick developers into opening a crafted repository.

RCE Code Injection
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-33940 npm HIGH PATCH GHSA This Week

Remote code execution in Handlebars templating engine (npm package) allows unauthenticated network attackers to execute arbitrary server-side commands by exploiting dynamic partial resolution logic. Affected versions include all releases prior to v4.7.9. Attack requires the adversary to control context data passed to templates that use dynamic partial lookups. A proof-of-concept exploit demonstrates arbitrary code execution and is publicly documented. CVSS score of 8.1 reflects high complexity due to the need for specific template patterns and attacker-controlled context values.

Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33938 npm HIGH PATCH This Week

Remote code execution in Handlebars templating engine (npm package) allows unauthenticated attackers to execute arbitrary JavaScript on Node.js servers by exploiting the @partial-block mechanism when combined with vulnerable helper functions. The attack overwrites @partial-block with a malicious Handlebars AST that is dynamically compiled and executed during template rendering. A working proof-of-concept exists demonstrating exploitation via the commonly-used handlebars-helpers package. Vendor-released patch is available in Handlebars version 4.7.9.

RCE Node.js Code Injection
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-33937 npm CRITICAL PATCH Act Now

Remote code execution in Handlebars.js npm package allows unauthenticated attackers to execute arbitrary JavaScript on Node.js servers by injecting malicious payloads through crafted AST objects passed to Handlebars.compile(). The vulnerability (CWE-94 code injection) affects applications that accept user-controlled JSON and deserialize it as template input. A detailed proof-of-concept exploit demonstrates command execution via process.getBuiltinModule. Vendor patch is available in version 4.7.9 per GitHub advisory GHSA-2w6w-674q-4c4q. CVSS score 9.8 (Critical) reflects network-accessible attack requiring no privileges or user interaction.

RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-4965 MEDIUM POC This Month

Improper neutralization of directives in dynamically evaluated code within letta-ai letta 0.16.4 allows remote attackers without authentication to manipulate the resolve_type function in letta/functions/ast_parsers.py, resulting in code injection and information disclosure. This vulnerability represents an incomplete fix for CVE-2025-6101, and publicly available exploit code exists that demonstrates remote exploitation with low attack complexity.

Code Injection Information Disclosure Letta
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4963 PyPI LOW POC Monitor

Code injection in HuggingFace smolagents 1.25.0.dev0 allows remote attackers without authentication to execute arbitrary code through incomplete remediation of CVE-2025-9959 in the local Python executor component. The vulnerability affects the evaluate_augassign, evaluate_call, and evaluate_with functions in src/smolagents/local_python_executor.py, with publicly available exploit code and active public disclosure despite lack of vendor response.

RCE Code Injection Smolagents
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15616 HIGH PATCH This Week

Multiple shell injection and untrusted search path vulnerabilities in Wazuh agent and manager (versions 2.1.0 through 4.7.x) enable remote code execution through malicious configuration parameters. Authenticated attackers with high privileges can inject commands via logcollector configuration files, maild SMTP server tags, and Kaspersky AR script parameters. The CVSS 4.0 score of 7.1 reflects network-accessible attack vector with low complexity but requiring high-privilege credentials; no public exploit identified at time of analysis.

RCE Code Injection Wazuh Agent Wazuh Manager
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-27876 CRITICAL PATCH Act Now

Remote code execution is achievable in Grafana installations through a chained attack combining SQL Expressions with a Grafana Enterprise plugin, affecting both open-source and Enterprise deployments. The vulnerability requires high-privilege authenticated access (PR:H) but enables cross-scope impact with complete system compromise once exploited. Only instances with the sqlExpressions feature toggle enabled are vulnerable, though Grafana recommends all users update to prevent future exploitation paths using this attack vector. No public exploit identified at time of analysis, and authentication as a high-privilege user is required per CVSS vector.

Grafana RCE Code Injection Grafana Enterprise
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-27860 LOW POC PATCH Monitor

Open-Xchange Dovecot Pro contains an LDAP filter injection vulnerability in its authentication module that allows remote unauthenticated attackers to inject arbitrary LDAP filters when the auth_username_chars configuration parameter is left empty, potentially enabling authentication bypass and reconnaissance of LDAP directory structures. The vulnerability carries a low CVSS score of 3.7 due to high attack complexity requirements, and no public exploit code has been identified at the time of analysis.

LDAP Authentication Bypass Code Injection
NVD VulDB GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-32669 HIGH This Week

BUFFALO Wi-Fi router products allow remote code execution through a code injection vulnerability requiring user interaction. An unauthenticated attacker (CVSS PR:N) can execute arbitrary code on affected devices with high impact to confidentiality, integrity, and availability (CVSS 8.8). The vulnerability was disclosed through JVN and BUFFALO's official advisory, with no public exploit identified at time of analysis.

RCE Code Injection Buffalo Wi Fi Router Products
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33943 npm CRITICAL PATCH GHSA Act Now

{ ... }` declarations directly into generated executable code, and its quote filter strips single/double quotes but not backticks, so template-literal payloads such as ``export { require(`child_process`).execSync(`id`) }`` evaluate as live JavaScript. Publicly available exploit code exists (CISA SSVC marks exploitation 'poc'); EPSS is low at 0.07% and it is not on the CISA KEV, so no confirmed active exploitation.

RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-33873 PyPI CRITICAL PATCH GHSA Act Now

Langflow's Agentic Assistant feature executes LLM-generated Python code server-side during component validation, enabling arbitrary code execution when attackers can influence model outputs. The vulnerability affects the pip package 'langflow' and exists in endpoints /assist and streaming paths that invoke exec() on dynamically generated component code. A proof-of-concept exists demonstrating the execution chain from user input through validation to code execution. Authentication requirements depend on deployment configuration, with AUTO_LOGIN=true defaults potentially widening exposure. No public exploit identified at time of analysis beyond the documented PoC, though the technical details and code references provide a complete exploitation blueprint.

Python RCE Code Injection Command Injection
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-33396 CRITICAL PATCH Act Now

Remote command execution can be achieved by low-privileged authenticated users (ProjectMember role) in OneUptime monitoring platform versions prior to 10.0.35 by exploiting incomplete sandbox restrictions in Synthetic Monitor Playwright script execution. Attackers can traverse the unblocked _browserType and launchServer properties via page.context().browser()._browserType.launchServer() to spawn arbitrary processes on the Probe container or host. A proof-of-concept exploit exists per SSVC framework data, and the vulnerability carries a CVSS score of 9.9 with Critical severity due to scope change and total technical impact.

RCE Node.js Docker Privilege Escalation Code Injection +1
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.8%
CVE-2025-55271 LOW Monitor

HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or commands into HTTP responses, potentially leading to content spoofing or further exploitation depending on application response handling. The vulnerability affects Aftermarket DPC version 1.0.0 and requires user interaction to exploit. No public exploit identified at time of analysis, and exploitation is not currently automatable according to CISA SSVC assessment, resulting in a low real-world risk profile despite the injection vector.

Code Injection Aftermarket Dpc
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-33744 PyPI HIGH PATCH GHSA This Week

BentoML, a Python framework for ML model serving, contains a command injection vulnerability in the docker.system_packages configuration field of bentofile.yaml files. The vulnerability affects all versions supporting this feature (confirmed in version 1.4.36) and allows attackers to execute arbitrary commands during the Docker image build process (bentoml containerize). This is a high-severity supply chain risk with a CVSS score of 7.8, requiring user interaction to trigger but achieving full command execution as root during container builds.

Docker Python RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-30457 CRITICAL Act Now

Remote code execution in Daylight Studio FuelCMS v1.5.2 through the /parser/dwoo component enables unauthenticated attackers to execute arbitrary PHP code via specially crafted input. The vulnerability exploits insufficient input validation in the Dwoo template engine integration, allowing direct PHP code injection. Attack complexity appears low given the public references to exploitation techniques in the provided pentest-tools PDF, though no formal CVSS scoring or CISA KEV confirmation is available to assess real-world exploitation prevalence.

PHP RCE Code Injection N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-33751 npm MEDIUM PATCH This Month

n8n contains an LDAP injection vulnerability in the LDAP node's filter escape logic that allows LDAP metacharacters to pass through unescaped when user-controlled input is interpolated into LDAP search filters. This affects n8n versions prior to 1.123.27, 2.13.3, and 2.14.1, enabling attackers to manipulate LDAP queries to retrieve unintended directory records or bypass authentication controls implemented within workflows. The vulnerability requires specific workflow configuration (LDAP node receiving external user input via expressions) and has not been publicly reported as actively exploited, though no proof-of-concept availability is explicitly confirmed across available intelligence sources.

LDAP Authentication Bypass Code Injection
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-33660 npm CRITICAL POC PATCH GHSA Act Now

An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit the Merge node's 'Combine by SQL' mode to read arbitrary local files on the n8n host and achieve remote code execution. n8n versions prior to 2.14.1, 2.13.3, and 1.123.26 are affected. The vulnerability carries a CVSS 4.0 score of 9.4 (Critical) due to insufficient sandbox restrictions in the AlaSQL component, allowing SQL injection-style attacks against the host system. No public proof-of-concept or active exploitation (KEV) status has been reported at this time.

RCE Code Injection N8n
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-32573 CRITICAL Act Now

A Code Injection vulnerability (CWE-94) exists in Nelio AB Testing WordPress plugin through version 8.2.7 that allows attackers to execute arbitrary code on affected installations. The vulnerability affects the Nelio Software product across all versions up to and including 8.2.7, potentially enabling remote code execution (RCE). This is a critical severity issue as it permits unauthenticated or low-privilege attackers to gain complete control over WordPress sites running the vulnerable plugin.

Code Injection RCE Nelio Ab Testing
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-32525 CRITICAL Act Now

A Code Injection vulnerability (CWE-94) exists in JetFormBuilder versions up to and including 3.5.6.1, allowing attackers to inject and execute arbitrary code within the application context. The vulnerability affects the JetFormBuilder plugin for WordPress across all versions through 3.5.6.1, and an attacker can leverage this to achieve Remote Code Execution (RCE) by injecting malicious code through form-processing mechanisms. Patchstack has documented this vulnerability with an assigned EUVD ID (EUVD-2026-15889), and while a CVSS score has not been formally assigned, the RCE classification indicates critical severity.

Code Injection RCE Jetformbuilder
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-27044 CRITICAL Act Now

Total Poll Lite, a WordPress plugin, contains an improper code injection vulnerability (CWE-94) that allows remote code inclusion and execution. All versions up to and including 4.12.0 are affected. An attacker can exploit this vulnerability to achieve remote code execution (RCE) on WordPress installations running the vulnerable plugin, potentially gaining full control of the affected web application.

Code Injection RCE Total Poll Lite
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-25447 CRITICAL Act Now

A Code Injection vulnerability (CWE-94) exists in the Jonathan Daggerhart Widget Wrangler WordPress plugin through version 2.3.9, allowing unauthenticated attackers to execute arbitrary code on affected installations. This Remote Code Execution (RCE) vulnerability enables complete server compromise and data exfiltration. Active exploitation has been documented by Patchstack, indicating this is a practical, real-world threat requiring immediate patching.

Code Injection RCE Widget Wrangler
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-25366 CRITICAL Act Now

A Code Injection vulnerability exists in the Themeisle Woody ad snippets plugin (insert-php) through version 2.7.1 that allows unauthenticated attackers to execute arbitrary PHP code on affected WordPress installations. The vulnerability stems from improper control of code generation, classified as CWE-94, enabling remote code execution (RCE). Patchstack has documented this issue, and affected installations should be patched immediately as the attack vector appears to be network-accessible with low complexity.

PHP Code Injection RCE
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-25001 HIGH This Week

The Post Snippets WordPress plugin versions up to and including 4.0.12 contain an improper code generation vulnerability (CWE-94) that enables remote code injection and execution. An attacker can exploit this flaw to execute arbitrary code on affected WordPress installations, potentially leading to complete site compromise. The vulnerability has been publicly documented by Patchstack with available references, and the attack vector appears to be network-based without requiring high privileges.

RCE Code Injection Post Snippets
NVD VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-20113 MEDIUM This Month

A CRLF injection vulnerability exists in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software that allows unauthenticated remote attackers to inject arbitrary log entries and manipulate log file structure. The vulnerability stems from insufficient input validation in the Cisco IOx management interface and affects a broad range of Cisco IOS XE Software versions from 16.6.1 through 17.18.1x. A successful exploit enables attackers to obscure legitimate log events, inject malicious log entries, or corrupt log file integrity without requiring authentication, making it particularly dangerous in environments where log analysis is relied upon for security monitoring and compliance.

Cisco Code Injection Apple
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-23385 MEDIUM PATCH This Month

A memory management vulnerability in the Linux kernel's netfilter nf_tables subsystem can be triggered through fault injection during set flush operations, causing a kernel warning splat when memory allocation fails under GFP_KERNEL conditions. This vulnerability affects Linux kernel versions across distributions and is exploitable by local attackers with network namespace capabilities, potentially leading to kernel warnings and denial of service through memory exhaustion attacks. While no CVSS score or active exploitation in the wild has been reported, the vulnerability was discovered through syzbot fuzzing with fault injection, indicating it requires specific conditions to trigger but represents a real kernel stability issue that has been patched.

Linux Code Injection Google Red Hat
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-26833 npm CRITICAL GHSA Act Now

Thumbler through version 1.1.2 contains an OS command injection vulnerability in the thumbnail() function where user-supplied input from the input, output, time, or size parameters is directly concatenated into shell commands executed via Node.js child_process.exec() without sanitization or escaping. This allows unauthenticated attackers to execute arbitrary operating system commands with the privileges of the application process. A proof-of-concept has been documented in public repositories, making this vulnerability immediately actionable for exploitation.

Code Injection RCE Command Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-26830 npm CRITICAL Act Now

The pdf-image npm package through version 2.0.0 contains an OS command injection vulnerability in the pdfFilePath parameter. Attackers can exploit this remotely without authentication by injecting malicious commands through file path inputs that are passed unsafely to shell commands via child_process.exec(). A proof-of-concept exploit is publicly available on GitHub (zebbernCVE/CVE-2026-26830), significantly increasing exploitation risk.

Node.js Command Injection RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution via command injection in stata-mcp versions before 1.13.0 allows unauthenticated attackers to execute arbitrary commands through insufficiently validated Stata do-file content. The vulnerability stems from CWE-94 improper control of code generation, enabling network-accessible exploitation without user interaction. CVSS 9.8 (Critical) reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%, percentile 6%).

RCE Code Injection Stata Mcp
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Remote code execution in Rapid7 Insight Agent for Linux versions prior to 4.1.0.2 allows authenticated attackers with high privileges to inject arbitrary code via eval() in the beaconing logic by crafting a malicious beacon response. The vulnerability requires high authentication privileges and mutual TLS verification, making remote exploitation difficult without prior compromise of the Rapid7 Platform backend. CVSS 6.6 reflects the high impact (code execution as root) balanced against high attack complexity and privilege requirements. No public exploit code or active exploitation has been identified at time of analysis.

RCE Code Injection Insight Agent
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Code injection in Movable Type CMS allows unauthenticated remote attackers to execute arbitrary Perl code with critical impact. The CVSS:4.0 score of 9.3 reflects network-accessible exploitation requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), enabling complete system compromise. No public exploit identified at time of analysis, though EPSS data unavailable. Vendor Six Apart has released patched version MT 9.0.7 addressing this CWE-94 code injection flaw.

Code Injection RCE Movable Type
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

DNS cache poisoning vulnerability in Dual DHCP DNS Server 8.01 allows unauthenticated remote attackers to inject forged DNS responses by exploiting improper source validation. The server accepts UDP responses matched only by transaction ID without verifying originating upstream DNS server, enabling attackers to poison the cache and redirect victims to malicious destinations. No public exploit identified at time of analysis. CVSS 9.1 (Critical) reflects network-accessible attack requiring no privileges or user interaction.

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Remote code injection in PowerJob 5.1.0, 5.1.1, and 5.1.2 allows unauthenticated attackers to execute arbitrary code via the GroovyEvaluator.evaluate function in the OpenAPI endpoint /openApi/addWorkflowNode by manipulating the nodeParams argument. The vulnerability exploits unsafe Groovy code evaluation without input sanitization, enabling full remote code execution with a low CVSS complexity score (6.9/10). No public exploit code is confirmed at time of analysis, and the vendor has not yet responded to the early disclosure notification.

Code Injection RCE Powerjob
NVD VulDB GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution in ChurchCRM versions prior to 7.1.0 allows unauthenticated attackers to inject arbitrary PHP code through the unsanitized $dbPassword variable during setup wizard initialization, resulting in complete server compromise. This critical flaw (CVSS 10.0) exists as an incomplete fix for CVE-2025-62521 and requires no authentication or user interaction to exploit. The pre-authentication nature and maximum CVSS severity indicate immediate patching priority for all exposed ChurchCRM installations.

PHP Code Injection RCE
NVD GitHub
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Remote code execution in Dolibarr ERP/CRM versions prior to 23.0.2 allows authenticated administrators to execute arbitrary system commands by exploiting inadequate input validation in the dol_eval_standard() function. The vulnerability enables attackers to bypass security controls using PHP dynamic callable syntax through computed extrafields or other evaluation paths. With a CVSS score of 7.2 and publicly available exploit code documented by Jiva Security, this represents an elevated risk for organizations running unpatched Dolibarr instances, though exploitation requires high-privilege administrator access (CVSS:3.1/PR:H), limiting the attack surface to insider threats or compromised admin accounts.

PHP RCE Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated remote code execution in Daylight Studio FuelCMS version 1.5.2 allows low-privileged users to execute arbitrary code via the Blocks module. CVSS 8.8 rating indicates network-accessible attack requiring low-complexity exploitation without user interaction, enabling full system compromise (confidentiality, integrity, availability impact). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).

RCE Code Injection N A
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored cross-site scripting (XSS) in yaffa v2.0.0 allows unauthenticated remote attackers to inject malicious JavaScript via the 'Add Account Group' function, enabling arbitrary script execution in the browsers of users who view the affected page. The vulnerability requires user interaction (clicking/viewing) to trigger but can compromise account confidentiality and integrity for affected users. EPSS exploitation probability is minimal at 0.02%, indicating low real-world exploitation likelihood despite the moderate CVSS score of 6.1.

RCE XSS Code Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Code Injection
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Arbitrary code execution in dye color library versions prior to 1.1.1 allows authenticated local users with interactive UI access to execute arbitrary code through malicious template expressions. The vulnerability stems from unsafe evaluation of template syntax and requires local file system access and user interaction. No public exploits have been identified; the vulnerability was discovered and remediated by the author.

RCE Code Injection Dye
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Remote code execution in Workbench (forceworkbench) versions prior to 65.0.0 allows network-based attackers to execute arbitrary code by exploiting unsafe processing of attacker-controlled cookie values during timezone conversion operations. The vulnerability requires user interaction (CVSS UI:P) but no authentication (PR:N), enabling compromise of both the vulnerable component and other system components (scope change: SC:H/SI:H). EPSS score of 0.51% (66th percentile) indicates moderate exploitation probability. No active exploitation confirmed in CISA KEV at time of analysis. Vendor-released patch available in version 65.0.0 with public GitHub advisory and fix PR.

RCE Code Injection Forceworkbench
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

CRLF injection in Plunk email platform's SESService.ts allows authenticated API users to inject arbitrary MIME headers by embedding carriage return/line feed sequences in user-controlled fields (from.name, subject, custom headers, attachment filenames). Attackers can silently add Bcc headers for email forwarding, manipulate Reply-To addresses, or spoof senders by exploiting the lack of input sanitization before MIME message construction. CVSS 8.5 severity reflects network-accessible exploitation with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026 CVE identifier. Vendor-released patch: version 0.8.0 implements schema-level validation rejecting CR/LF characters.

Code Injection Plunk
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution in GLPI asset management software versions 11.0.0 through 11.0.5 allows authenticated administrators to execute arbitrary code via template injection. The vulnerability requires high privileges (administrator access) but enables complete system compromise with changed scope, indicating potential breakout from the application context. CVSS 9.1 (Critical). No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE. Fixed in version 11.0.6.

RCE Code Injection Glpi
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

CORS header injection in Keycloak's User-Managed Access token endpoint allows remote attackers to reflect attacker-controlled origin values before JWT signature validation, potentially exposing low-sensitivity authorization error responses when clients are misconfigured with wildcard origin permissions. The vulnerability requires high attack complexity and affects only clients explicitly configured with webOrigins set to "*", resulting in a low-severity information disclosure with limited real-world exploitability.

Code Injection Red Hat Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Remote code injection in gpt-researcher (assafelovic) versions up to 3.4.3 allows unauthenticated attackers to execute arbitrary code via the WebSocket endpoint's extract_command_data function. The vulnerability stems from improper input validation of the 'args' parameter in backend/server/server_utils.py. Publicly available exploit code exists (GitHub issue #1694), though confirmed active exploitation (CISA KEV) has not been reported. With CVSS 7.3 and network-accessible attack vector requiring no authentication, this represents a significant risk to exposed instances, though vendor response remains pending.

Code Injection RCE Gpt Researcher
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Remote code execution in premAI-io premsql up to version 0.2.1 allows authenticated remote attackers to achieve arbitrary code execution through code injection via manipulation of the result argument in the eval function located in premsql/agents/baseline/workers/followup.py. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure attempts, leaving affected deployments without an official patch.

RCE Code Injection Premsql
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Remote code execution in Fosowl agenticSeek 0.1.0 allows unauthenticated attackers to inject arbitrary Python code via the PyInterpreter.execute function in the query endpoint, enabling full system compromise. The vulnerability exploits unsafe code execution in the component responsible for interpreting user-supplied queries. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.

Code Injection RCE Agenticseek
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Code injection in Provectus kafka-ui up to version 0.7.2 allows unauthenticated remote attackers to execute arbitrary code via the validateAccess function in the /api/smartfilters/testexecutions endpoint. The vulnerability has publicly available exploit code and carries a CVSS 6.9 score reflecting moderate but meaningful real-world risk; the vendor was contacted early but provided no response, suggesting no patch is anticipated.

Code Injection RCE Kafka Ui
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Code injection in badlogic pi-mono up to version 0.58.4 allows authenticated remote attackers to achieve remote code execution through the discoverAndLoadExtensions function in the extension loader module. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications despite contact attempts. The vulnerability carries moderate CVSS scoring (6.3) but represents a significant risk due to public exploit availability and lack of vendor engagement.

Code Injection RCE Pi Mono
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Arbitrary shortcode execution in ProfilePress plugin for WordPress (all versions up to 4.16.11) allows unauthenticated attackers to execute arbitrary shortcodes by injecting malicious code into billing field values during checkout, potentially leading to information disclosure or content manipulation. The vulnerability stems from insufficient sanitization of user-supplied input before shortcode processing. Wordfence has documented this issue with a CVSS score of 6.5 and no confirmed active exploitation at time of analysis.

WordPress Code Injection RCE
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Server-Side Template Injection in RAGFlow 0.24.0 and earlier allows authenticated users to execute arbitrary OS commands via unsandboxed Jinja2 template rendering in Agent workflow components. The vulnerability affects the Text Processing (StringTransform) and Message components, where user-supplied templates are processed without sandboxing. With a CVSS 8.7 score and low attack complexity (AC:L), authenticated attackers can achieve full system compromise remotely. No public exploit identified at time of analysis, and no vendor-released patch available as of publication date.

Code Injection Python
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Kedro (all versions prior to 1.3.0) allows unauthenticated network attackers to execute arbitrary system commands during application startup by poisoning the KEDRO_LOGGING_CONFIG environment variable. The vulnerability stems from unsafe use of Python's logging.config.dictConfig() with the special '()' factory key that enables arbitrary callable instantiation. With CVSS 9.8 (critical severity, network-exploitable, no privileges required, low complexity), this represents a

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

HTTP response header injection in Electron allows remote attackers to inject malicious headers via crafted input reflected in response headers when custom protocol handlers or webRequest.onHeadersReceived are used. An attacker can manipulate cookies, content security policy, or cross-origin access controls in affected applications. This affects Electron 41.x before 41.0.3, 40.x before 40.8.3, 39.x before 39.8.3, and 38.x before 38.8.6; no public exploit code is documented at time of analysis.

Code Injection Red Hat
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Cookie attribute injection in Tornado web framework versions before 6.5.5 allows unauthenticated remote attackers to manipulate cookie security attributes through crafted characters in domain, path, and samesite parameters of RequestHandler.set_cookie. With CVSS 7.2 and EPSS data unavailable, this represents a moderate integrity and confidentiality risk for web applications using affected Tornado versions. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward for exploitation.

Code Injection Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Host header injection in Shynet before 0.14.0 allows unauthenticated remote attackers to manipulate password reset functionality through crafted HTTP Host headers, enabling account hijacking and unauthorized access via email-based password reset flows. The vulnerability requires user interaction (clicking a reset link) and carries a CVSS score of 6.4 with confirmed patch availability in version 0.14.0.

Code Injection Shynet
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Rack::Sendfile in versions prior to 2.2.23, 3.1.21, and 3.2.6 allows remote attackers to inject regex metacharacters into X-Accel-Mapping request headers, enabling unescaped interpolation that manipulates the X-Accel-Redirect response header and causes nginx to serve unintended files from internal locations. No public exploit code or active exploitation has been confirmed; patch versions are available from the vendor.

Nginx Code Injection Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Rack versions 3.2.0 through 3.2.5 fail to properly unfold folded multipart headers containing obs-fold sequences, preserving embedded CRLF characters in parsed parameter values like filename and name. This allows unauthenticated remote attackers with high request complexity to inject HTTP response headers or split responses when applications reuse these parsed values, leading to potential session hijacking, cache poisoning, or credential theft. The vulnerability carries a moderate CVSS score of

Code Injection Rack
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

SignalK Server versions prior to 2.24.0 allow unauthenticated attackers to hijack OAuth2 sessions and steal authorization codes by spoofing the HTTP Host header in OIDC login and logout handlers. The vulnerability exploits the default-unset redirectUri configuration, causing the OIDC provider to send authorization codes to an attacker-controlled domain. EPSS score of 6.1 reflects moderate real-world risk despite the requirement for user interaction (UI:R) to initiate login.

Code Injection Signalk Server
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Remote code execution in Agno prior to version 2.3.24 allows attackers to execute arbitrary Python code by manipulating the field_type parameter in FunctionCall objects, which is passed unsafely to eval(). The vulnerability affects all versions before 2.3.24 and requires network access to influence the field_type value, enabling complete system compromise through code injection in the model execution component.

Python RCE Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to impersonate other users by claiming their PGP signatures through a specially crafted email address, enabling signature forgery and identity spoofing in encrypted email communications. The vulnerability exploits LDAP injection mechanisms to manipulate signature verification, affecting all versions prior to 15.0.3. No CVSS score is available, and exploitation status remains unconfirmed from provided data.

Information Disclosure LDAP Code Injection
NVD
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to read encrypted email contents intended for other users by crafting specially malformed email addresses that exploit LDAP injection in the recipient validation process. This information disclosure vulnerability affects all versions prior to 15.0.3 and requires only network access to send a specially crafted email, making it a practical attack vector against organizations using vulnerable SEPPmail deployments.

Information Disclosure LDAP Code Injection
NVD
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

Remote code execution in Spam Protect for Contact Form 7 WordPress plugin before version 1.2.10 allows authenticated users with editor-level privileges to achieve arbitrary code execution by crafting malicious headers that are logged to a PHP file. The vulnerability is publicly exploitable with proof-of-concept code available, making it a critical risk for WordPress installations using affected plugin versions.

WordPress PHP RCE +1
NVD VulDB WPScan
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Header injection in AIOHTTP prior to version 3.13.4 allows remote attackers to inject arbitrary HTTP headers or conduct similar exploits by controlling the reason parameter when creating a Response object. The vulnerability has low real-world impact (CVSS 2.7, EPSS not available) and requires the attacker to control application-level input that directly influences the reason parameter; no public exploit code or active exploitation has been identified. A vendor-released patch is available in version 3.13.4.

Python Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Header injection in AIOHTTP prior to version 3.13.4 allows unauthenticated remote attackers to inject arbitrary headers by controlling the content_type parameter, potentially enabling HTTP response splitting or cache poisoning attacks. The vulnerability has a low CVSS score (2.7) reflecting limited integrity impact, but affects all versions before the patched release 3.13.4.

Python Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation in libinput allows authenticated users to execute arbitrary code within graphical compositor contexts by placing malicious Lua bytecode in system or user configuration directories. The vulnerability achieves scope change (CVSS:S:C) with high impact across confidentiality, integrity, and availability (8.8 CVSS), enabling attackers to monitor keyboard input including passwords and sensitive data. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed vulnerability.

RCE Code Injection Libinput +1
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

MetInfo CMS 7.9, 8.0, and 8.1 allows unauthenticated remote code execution through PHP code injection in insufficient input validation mechanisms. Attackers can send crafted requests containing malicious PHP code to execute arbitrary commands and achieve full server compromise without authentication. Publicly available exploit code exists for this vulnerability.

PHP RCE Code Injection
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Remote code execution in XenForo versions prior to 2.3.9 and 2.2.18 allows authenticated administrators to execute arbitrary code on the server. Attack requires low-privilege admin panel access (PR:L) with network accessibility (AV:N) and low complexity (AC:L). No public exploit identified at time of analysis, though VulnCheck published technical analysis. This represents a supply-chain or insider-threat risk where compromised admin credentials or malicious insiders could achieve complete server compromise.

RCE Code Injection Xenforo
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote code execution in XenForo versions before 2.3.7 allows authenticated users to invoke unauthorized methods through template callbacks and variable method calls. The vulnerability stems from a loose prefix matching mechanism that permits bypassing intended access restrictions, enabling attackers with low-privilege accounts to achieve high-severity impacts across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the technical details have been publicly disclosed by VulnCheck, increasing weaponization risk.

Code Injection RCE Xenforo
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

XML injection in xmldom's CDATA serialization allows remote attackers to inject arbitrary markup into generated XML documents without authentication. The vulnerability affects both the legacy xmldom package and @xmldom/xmldom when applications embed untrusted input into CDATA sections. Attackers can break out of CDATA context by including the sequence ]]> in user-controlled strings, causing downstream XML consumers to parse injected elements as legitimate markup. Vendor-released patches are avai

Code Injection Mozilla
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

### Impact TorchGeo 0.4-0.6.0 used an [`eval`](https://docs.python.org/3/library/functions.html#eval) statement in its model weight API that could allow an unauthenticated, remote attacker to execute. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Microsoft +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in DedeCMS 5.7.118 allows unauthenticated attackers to execute arbitrary code through crafted setup tag values during module upload operations. The vulnerability exploits insufficient input validation in the module upload functionality, enabling direct code injection. No CVSS score, EPSS data, or KEV confirmation is available; however, the presence of a public proof-of-concept demonstrates practical exploitability.

RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

There is an injection vulnerability in jeecg boot versions 3.0.0 to 3.5.3 due to lax character filtering, which allows attackers to execute arbitrary code on components through specially crafted HTTP. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Server-side code injection in Lodash's _.template function (lodash, lodash-es, lodash-amd and lodash.template, versions 4.0.0 to <4.18.0) lets an attacker execute arbitrary JavaScript at template-compilation time when an application passes untrusted input as options.imports key names. This is an incomplete-fix follow-on to CVE-2021-23337/GHSA-35jh-r3h4-6jhm: the original patch validated the variable option but left the imports key path flowing unchecked into the same Function() sink, and assignInWith's for..in merge also pulls in any prototype-polluted keys. Publicly available exploit code exists, but EPSS is only 0.07% (21st percentile) and CISA SSVC rates exploitation as none, reflecting that the dangerous pattern is uncommon in real deployments.

Code Injection RCE Lodash +3
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Prompt injection in 1millionbot Millie chatbot allows remote attackers to bypass chat restrictions using Boolean logic techniques, enabling retrieval of prohibited information and execution of unintended tasks including potential abuse of OpenAI API keys. The vulnerability exploits insufficient input validation in the LLM's containment mechanisms, permitting attackers to reformulate queries in ways that trigger affirmative responses ('true') that then execute injected instructions outside the chatbot's intended scope.

Code Injection Millie Chat
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Remote code execution in Everest Forms Pro plugin for WordPress ≤1.9.12 allows unauthenticated attackers to execute arbitrary PHP code on the server via the Complex Calculation feature. Attackers can inject malicious PHP through any string-type form field (text, email, URL, select, radio) due to unsafe concatenation into eval() without proper escaping. This vulnerability carries a 9.8 CVSS score with maximum impact (confidentiality, integrity, availability) and requires no authentication or user interaction, representing a critical immediate threat to all installations using the affected plugin versions.

WordPress PHP RCE +1
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Emergency

Remote code execution in Contact Form by Supsystic plugin for WordPress (all versions ≤1.7.36) allows unauthenticated attackers to execute arbitrary PHP functions and OS commands via Server-Side Template Injection. Attackers exploit the plugin's unsandboxed Twig template engine by injecting malicious Twig expressions through GET parameters in the cfsPreFill functionality, leveraging registerUndefinedFilterCallback() to register arbitrary PHP callbacks. CVSS 9.8 (Critical) with network-accessible, low-complexity attack vector requiring no authentication. EPSS data not provided, but the combination of unauthenticated RCE in a widely-deployed WordPress plugin represents severe real-world risk. No KEV status confirmed at time of analysis.

WordPress PHP RCE +1
NVD VulDB Exploit-DB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Server-side template injection in OpenOlat e-learning platform versions prior to 19.1.31, 20.1.18, and 20.2.5 enables authenticated users with Author role to execute arbitrary operating system commands via crafted Velocity directives in reminder email templates. Exploitation requires low-privilege authentication (PR:L) but is network-accessible (AV:N) with low complexity (AC:L), achieving full system compromise (C:H/I:H/A:H). The vulnerability leverages Java reflection through Velocity templates to instantiate ProcessBuilder and execute commands with Tomcat process privileges, often root in containerized environments. EPSS data not provided; no CISA KEV status confirmed; publicly available exploit code exists per GitHub security advisory disclosure.

Java Tomcat Ssti +1
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

SQL injection in Tautulli's /api/v2?cmd=get_home_stats endpoint allows authenticated administrators to exfiltrate sensitive data from the SQLite database via boolean-blind SQL inference. Affected versions include 2.14.2-2.16.x for the 'before' and 'after' parameters, and 2.1.0-beta-2.16.x for 'section_id' and 'user_id' parameters. The vulnerability requires possession of the admin API key and results in confidentiality compromise without code execution. Patch is available in version 2.17.0.

Python Code Injection
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Tautulli (Python-based Plex Media Server monitoring tool) versions prior to 2.17.0 allows authenticated administrators to bypass sandbox restrictions in notification templates via lambda expressions, enabling arbitrary Python code execution. The vulnerability exploits a flaw in the str_eval() sandbox implementation that only inspects outer code object names (co_names) while nested lambda code objects store attribute accesses in co_consts, evading security checks. CVSS 7.5 with high attack complexity and high privilege requirement (PR:H) indicates limited real-world risk scope, with no public exploit identified at time of analysis.

Python Code Injection RCE
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

CrewAI fails to validate Docker runtime availability during execution and silently reverts to an insecure sandbox mode, enabling remote code execution. Affected versions prior to the patch rely on Docker for isolation; when Docker becomes unavailable or is misconfigured, the fallback mechanism does not enforce adequate sandboxing constraints, allowing attackers to execute arbitrary commands within the application context. No CVSS score or official CVE details are available at this time, though the vulnerability has been reported to CERT and carries high practical risk due to the automatic unsafe fallback behavior.

Docker RCE Code Injection
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Syntx's command auto-approval module allows unauthenticated attackers to bypass whitelist security via shell command substitution syntax in command arguments. The vulnerability exploits inadequate regular expression parsing that fails to detect $(…) and backtick command substitution patterns, enabling an attacker to inject malicious commands within seemingly benign git operations (e.g., git log --grep="$(malicious_command)") that are automatically approved and executed with full system privileges. No CVSS score or KEV status data available; no public exploit code confirmed at time of analysis.

Command Injection RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in DSAI-Cline's command auto-approval module allows unauthenticated attackers to bypass whitelist validation by embedding newline characters in command payloads, forcing automatic approval and sequential execution of arbitrary OS commands via PowerShell without user interaction.

Command Injection RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

SakaDev's automatic terminal command execution feature can be bypassed via prompt injection attacks, allowing unauthenticated remote attackers to execute arbitrary commands without user approval by wrapping malicious commands in templates that mislead the underlying language model into misclassifying destructive operations as safe. The vulnerability exploits a design flaw in the model-based safety classification mechanism rather than a traditional code defect, affecting the extension across all versions where the 'Execute safe commands' option is enabled.

RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Roo Code's command auto-approval module allows unauthenticated attackers to bypass the whitelist security mechanism via shell command substitution in command arguments. The vulnerability exploits inadequate regular expression parsing that fails to detect $(...) and backtick syntax, enabling an attacker to inject malicious commands (e.g., git log --grep="$(malicious_command)") that are automatically approved and executed with full system privileges. No CVSS scoring, KEV status, or official patch information is currently available.

RCE Command Injection Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

HAI Build Code Generator's automatic command execution feature can be bypassed through prompt injection attacks, allowing unauthenticated remote code execution by misleading the AI model into misclassifying malicious commands as safe. The vulnerability exploits a fundamental design flaw in the model's safety classification logic, where attackers can wrap destructive commands in generic templates to bypass the user approval requirement that should be triggered for potentially dangerous operations.

RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Remote code execution in elecV2P up to version 3.8.3 allows authenticated attackers to inject arbitrary code via manipulation of the rawcode argument in the runJSFile function of the /webhook JSON Parser endpoint. The vulnerability has publicly available exploit code and the vendor has not yet responded to early disclosure notifications, making this an active security concern for deployed instances.

Code Injection RCE Elecv2P
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Code injection in Sinaptik AI PandasAI versions up to 3.0.0 allows unauthenticated remote attackers to execute arbitrary code via the CodeExecutor.execute function in the Chat Message Handler component. CVSS 7.3 (High) with network attack vector, low complexity, and no authentication required. Publicly available exploit code exists (POC on GitHub Gist). EPSS data not provided, but the combination of unauthenticated remote execution and public exploit significantly elevates real-world risk. Vendor non-responsive to coordinated disclosure.

Code Injection RCE Pandasai +1
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

CRLF injection in Page Builder: Pagelayer WordPress plugin up to version 2.0.7 allows unauthenticated attackers to inject arbitrary email headers (Bcc, Cc, etc.) through contact form fields. The vulnerability exploits unsafe placeholder substitution in email headers without CR/LF sanitization, enabling email header spoofing and potential abuse of form email delivery systems. No public exploit code or active exploitation has been identified at time of analysis.

WordPress Code Injection
NVD VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Remote attackers can crash Zebra cryptocurrency nodes (versions <4.3.0) by sending malformed V5 transactions that pass initial deserialization but trigger panics during transaction ID calculation. The vulnerability requires no authentication and can be exploited via a single crafted network message to the P2P port (8233) or through the sendrawtransaction RPC method. No public exploit code has been identified at time of analysis, though the attack mechanism is well-documented in the vendor advisory. EPSS data not available for this CVE.

Denial Of Service Deserialization Code Injection +1
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

JavaScript code injection in Windmill's NativeTS executor allows workspace administrators to achieve remote code execution by embedding malicious payloads in environment variable values. The vulnerability (CWE-94) stems from improper sanitization of single quotes when interpolating workspace environment variables into JavaScript string literals, enabling arbitrary code execution in all NativeTS scripts within the affected workspace. Windmill versions prior to 1.664.0 are affected. CVSS 7.3 reflects high confidentiality, integrity, and availability impact, though exploitation requires high privileges (workspace admin role). Publicly available exploit code exists, though no confirmed active exploitation (CISA KEV) at time of analysis.

Code Injection RCE Windmill
NVD GitHub VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Remote code execution in nanobot personal AI assistant (versions prior to 0.1.6) allows unauthenticated attackers to execute arbitrary LLM instructions and system tools via malicious email content. The vulnerability exploits the email channel processing module's lack of input validation, enabling zero-click, indirect prompt injection attacks without bot owner interaction. Publicly available exploit code exists. With CVSS 8.9 (Critical) and network-accessible attack vector requiring no privileges, this represents a severe security risk for deployed nanobot instances monitoring email.

RCE Code Injection Nanobot
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Ruby Language Server (ruby-lsp) allows arbitrary code execution when opening malicious projects. The vulnerability exploits unsanitized interpolation of the rubyLsp.branch workspace setting into a generated Gemfile, enabling attackers to embed malicious Ruby code in .vscode/settings.json that executes when users open and trust the workspace. Affects ruby-lsp gem < 0.26.9 and VS Code extension < 0.10.2. No active exploitation or public POC currently identified at time of analysis, but the attack requires only social engineering to trick developers into opening a crafted repository.

RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Handlebars templating engine (npm package) allows unauthenticated network attackers to execute arbitrary server-side commands by exploiting dynamic partial resolution logic. Affected versions include all releases prior to v4.7.9. Attack requires the adversary to control context data passed to templates that use dynamic partial lookups. A proof-of-concept exploit demonstrates arbitrary code execution and is publicly documented. CVSS score of 8.1 reflects high complexity due to the need for specific template patterns and attacker-controlled context values.

Code Injection RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Handlebars templating engine (npm package) allows unauthenticated attackers to execute arbitrary JavaScript on Node.js servers by exploiting the @partial-block mechanism when combined with vulnerable helper functions. The attack overwrites @partial-block with a malicious Handlebars AST that is dynamically compiled and executed during template rendering. A working proof-of-concept exists demonstrating exploitation via the commonly-used handlebars-helpers package. Vendor-released patch is available in Handlebars version 4.7.9.

RCE Node.js Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Handlebars.js npm package allows unauthenticated attackers to execute arbitrary JavaScript on Node.js servers by injecting malicious payloads through crafted AST objects passed to Handlebars.compile(). The vulnerability (CWE-94 code injection) affects applications that accept user-controlled JSON and deserialize it as template input. A detailed proof-of-concept exploit demonstrates command execution via process.getBuiltinModule. Vendor patch is available in version 4.7.9 per GitHub advisory GHSA-2w6w-674q-4c4q. CVSS score 9.8 (Critical) reflects network-accessible attack requiring no privileges or user interaction.

RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper neutralization of directives in dynamically evaluated code within letta-ai letta 0.16.4 allows remote attackers without authentication to manipulate the resolve_type function in letta/functions/ast_parsers.py, resulting in code injection and information disclosure. This vulnerability represents an incomplete fix for CVE-2025-6101, and publicly available exploit code exists that demonstrates remote exploitation with low attack complexity.

Code Injection Information Disclosure Letta
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Code injection in HuggingFace smolagents 1.25.0.dev0 allows remote attackers without authentication to execute arbitrary code through incomplete remediation of CVE-2025-9959 in the local Python executor component. The vulnerability affects the evaluate_augassign, evaluate_call, and evaluate_with functions in src/smolagents/local_python_executor.py, with publicly available exploit code and active public disclosure despite lack of vendor response.

RCE Code Injection Smolagents
NVD VulDB GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Multiple shell injection and untrusted search path vulnerabilities in Wazuh agent and manager (versions 2.1.0 through 4.7.x) enable remote code execution through malicious configuration parameters. Authenticated attackers with high privileges can inject commands via logcollector configuration files, maild SMTP server tags, and Kaspersky AR script parameters. The CVSS 4.0 score of 7.1 reflects network-accessible attack vector with low complexity but requiring high-privilege credentials; no public exploit identified at time of analysis.

RCE Code Injection Wazuh Agent +1
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution is achievable in Grafana installations through a chained attack combining SQL Expressions with a Grafana Enterprise plugin, affecting both open-source and Enterprise deployments. The vulnerability requires high-privilege authenticated access (PR:H) but enables cross-scope impact with complete system compromise once exploited. Only instances with the sqlExpressions feature toggle enabled are vulnerable, though Grafana recommends all users update to prevent future exploitation paths using this attack vector. No public exploit identified at time of analysis, and authentication as a high-privilege user is required per CVSS vector.

Grafana RCE Code Injection +1
NVD VulDB
EPSS 0% CVSS 3.7
LOW POC PATCH Monitor

Open-Xchange Dovecot Pro contains an LDAP filter injection vulnerability in its authentication module that allows remote unauthenticated attackers to inject arbitrary LDAP filters when the auth_username_chars configuration parameter is left empty, potentially enabling authentication bypass and reconnaissance of LDAP directory structures. The vulnerability carries a low CVSS score of 3.7 due to high attack complexity requirements, and no public exploit code has been identified at the time of analysis.

LDAP Authentication Bypass Code Injection
NVD VulDB GitHub
EPSS 0% CVSS 8.7
HIGH This Week

BUFFALO Wi-Fi router products allow remote code execution through a code injection vulnerability requiring user interaction. An unauthenticated attacker (CVSS PR:N) can execute arbitrary code on affected devices with high impact to confidentiality, integrity, and availability (CVSS 8.8). The vulnerability was disclosed through JVN and BUFFALO's official advisory, with no public exploit identified at time of analysis.

RCE Code Injection Buffalo Wi Fi Router Products
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

{ ... }` declarations directly into generated executable code, and its quote filter strips single/double quotes but not backticks, so template-literal payloads such as ``export { require(`child_process`).execSync(`id`) }`` evaluate as live JavaScript. Publicly available exploit code exists (CISA SSVC marks exploitation 'poc'); EPSS is low at 0.07% and it is not on the CISA KEV, so no confirmed active exploitation.

RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Langflow's Agentic Assistant feature executes LLM-generated Python code server-side during component validation, enabling arbitrary code execution when attackers can influence model outputs. The vulnerability affects the pip package 'langflow' and exists in endpoints /assist and streaming paths that invoke exec() on dynamically generated component code. A proof-of-concept exists demonstrating the execution chain from user input through validation to code execution. Authentication requirements depend on deployment configuration, with AUTO_LOGIN=true defaults potentially widening exposure. No public exploit identified at time of analysis beyond the documented PoC, though the technical details and code references provide a complete exploitation blueprint.

Python RCE Code Injection +1
NVD GitHub
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

Remote command execution can be achieved by low-privileged authenticated users (ProjectMember role) in OneUptime monitoring platform versions prior to 10.0.35 by exploiting incomplete sandbox restrictions in Synthetic Monitor Playwright script execution. Attackers can traverse the unblocked _browserType and launchServer properties via page.context().browser()._browserType.launchServer() to spawn arbitrary processes on the Probe container or host. A proof-of-concept exploit exists per SSVC framework data, and the vulnerability carries a CVSS score of 9.9 with Critical severity due to scope change and total technical impact.

RCE Node.js Docker +3
NVD GitHub VulDB
EPSS 0% CVSS 3.1
LOW Monitor

HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or commands into HTTP responses, potentially leading to content spoofing or further exploitation depending on application response handling. The vulnerability affects Aftermarket DPC version 1.0.0 and requires user interaction to exploit. No public exploit identified at time of analysis, and exploitation is not currently automatable according to CISA SSVC assessment, resulting in a low real-world risk profile despite the injection vector.

Code Injection Aftermarket Dpc
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

BentoML, a Python framework for ML model serving, contains a command injection vulnerability in the docker.system_packages configuration field of bentofile.yaml files. The vulnerability affects all versions supporting this feature (confirmed in version 1.4.36) and allows attackers to execute arbitrary commands during the Docker image build process (bentoml containerize). This is a high-severity supply chain risk with a CVSS score of 7.8, requiring user interaction to trigger but achieving full command execution as root during container builds.

Docker Python RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Daylight Studio FuelCMS v1.5.2 through the /parser/dwoo component enables unauthenticated attackers to execute arbitrary PHP code via specially crafted input. The vulnerability exploits insufficient input validation in the Dwoo template engine integration, allowing direct PHP code injection. Attack complexity appears low given the public references to exploitation techniques in the provided pentest-tools PDF, though no formal CVSS scoring or CISA KEV confirmation is available to assess real-world exploitation prevalence.

PHP RCE Code Injection +1
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

n8n contains an LDAP injection vulnerability in the LDAP node's filter escape logic that allows LDAP metacharacters to pass through unescaped when user-controlled input is interpolated into LDAP search filters. This affects n8n versions prior to 1.123.27, 2.13.3, and 2.14.1, enabling attackers to manipulate LDAP queries to retrieve unintended directory records or bypass authentication controls implemented within workflows. The vulnerability requires specific workflow configuration (LDAP node receiving external user input via expressions) and has not been publicly reported as actively exploited, though no proof-of-concept availability is explicitly confirmed across available intelligence sources.

LDAP Authentication Bypass Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL POC PATCH Act Now

An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit the Merge node's 'Combine by SQL' mode to read arbitrary local files on the n8n host and achieve remote code execution. n8n versions prior to 2.14.1, 2.13.3, and 1.123.26 are affected. The vulnerability carries a CVSS 4.0 score of 9.4 (Critical) due to insufficient sandbox restrictions in the AlaSQL component, allowing SQL injection-style attacks against the host system. No public proof-of-concept or active exploitation (KEV) status has been reported at this time.

RCE Code Injection N8n
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

A Code Injection vulnerability (CWE-94) exists in Nelio AB Testing WordPress plugin through version 8.2.7 that allows attackers to execute arbitrary code on affected installations. The vulnerability affects the Nelio Software product across all versions up to and including 8.2.7, potentially enabling remote code execution (RCE). This is a critical severity issue as it permits unauthenticated or low-privilege attackers to gain complete control over WordPress sites running the vulnerable plugin.

Code Injection RCE Nelio Ab Testing
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

A Code Injection vulnerability (CWE-94) exists in JetFormBuilder versions up to and including 3.5.6.1, allowing attackers to inject and execute arbitrary code within the application context. The vulnerability affects the JetFormBuilder plugin for WordPress across all versions through 3.5.6.1, and an attacker can leverage this to achieve Remote Code Execution (RCE) by injecting malicious code through form-processing mechanisms. Patchstack has documented this vulnerability with an assigned EUVD ID (EUVD-2026-15889), and while a CVSS score has not been formally assigned, the RCE classification indicates critical severity.

Code Injection RCE Jetformbuilder
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Total Poll Lite, a WordPress plugin, contains an improper code injection vulnerability (CWE-94) that allows remote code inclusion and execution. All versions up to and including 4.12.0 are affected. An attacker can exploit this vulnerability to achieve remote code execution (RCE) on WordPress installations running the vulnerable plugin, potentially gaining full control of the affected web application.

Code Injection RCE Total Poll Lite
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

A Code Injection vulnerability (CWE-94) exists in the Jonathan Daggerhart Widget Wrangler WordPress plugin through version 2.3.9, allowing unauthenticated attackers to execute arbitrary code on affected installations. This Remote Code Execution (RCE) vulnerability enables complete server compromise and data exfiltration. Active exploitation has been documented by Patchstack, indicating this is a practical, real-world threat requiring immediate patching.

Code Injection RCE Widget Wrangler
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

A Code Injection vulnerability exists in the Themeisle Woody ad snippets plugin (insert-php) through version 2.7.1 that allows unauthenticated attackers to execute arbitrary PHP code on affected WordPress installations. The vulnerability stems from improper control of code generation, classified as CWE-94, enabling remote code execution (RCE). Patchstack has documented this issue, and affected installations should be patched immediately as the attack vector appears to be network-accessible with low complexity.

PHP Code Injection RCE
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

The Post Snippets WordPress plugin versions up to and including 4.0.12 contain an improper code generation vulnerability (CWE-94) that enables remote code injection and execution. An attacker can exploit this flaw to execute arbitrary code on affected WordPress installations, potentially leading to complete site compromise. The vulnerability has been publicly documented by Patchstack with available references, and the attack vector appears to be network-based without requiring high privileges.

RCE Code Injection Post Snippets
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

A CRLF injection vulnerability exists in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software that allows unauthenticated remote attackers to inject arbitrary log entries and manipulate log file structure. The vulnerability stems from insufficient input validation in the Cisco IOx management interface and affects a broad range of Cisco IOS XE Software versions from 16.6.1 through 17.18.1x. A successful exploit enables attackers to obscure legitimate log events, inject malicious log entries, or corrupt log file integrity without requiring authentication, making it particularly dangerous in environments where log analysis is relied upon for security monitoring and compliance.

Cisco Code Injection Apple
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A memory management vulnerability in the Linux kernel's netfilter nf_tables subsystem can be triggered through fault injection during set flush operations, causing a kernel warning splat when memory allocation fails under GFP_KERNEL conditions. This vulnerability affects Linux kernel versions across distributions and is exploitable by local attackers with network namespace capabilities, potentially leading to kernel warnings and denial of service through memory exhaustion attacks. While no CVSS score or active exploitation in the wild has been reported, the vulnerability was discovered through syzbot fuzzing with fault injection, indicating it requires specific conditions to trigger but represents a real kernel stability issue that has been patched.

Linux Code Injection Google +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Thumbler through version 1.1.2 contains an OS command injection vulnerability in the thumbnail() function where user-supplied input from the input, output, time, or size parameters is directly concatenated into shell commands executed via Node.js child_process.exec() without sanitization or escaping. This allows unauthenticated attackers to execute arbitrary operating system commands with the privileges of the application process. A proof-of-concept has been documented in public repositories, making this vulnerability immediately actionable for exploitation.

Code Injection RCE Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

The pdf-image npm package through version 2.0.0 contains an OS command injection vulnerability in the pdfFilePath parameter. Attackers can exploit this remotely without authentication by injecting malicious commands through file path inputs that are passed unsafely to shell commands via child_process.exec(). A proof-of-concept exploit is publicly available on GitHub (zebbernCVE/CVE-2026-26830), significantly increasing exploitation risk.

Node.js Command Injection RCE +1
NVD GitHub VulDB
Prev Page 8 of 54 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy