RCE
Monthly
Arbitrary code execution in MobaXterm Personal Edition (Portable) version 26.3 Build 5154 occurs because the application loads winspool.drv from its working directory at startup, enabling classic DLL search-order hijacking. A local attacker who can write to the directory containing the portable executable can drop a malicious winspool.drv that executes in the victim's user context the next time MobaXterm is launched. No public exploit identified at time of analysis, and EPSS data was not provided, but the trivial nature of DLL planting makes weaponization straightforward.
Arbitrary code execution in MobaXterm Personal Edition (Portable) 26.3 Build 5154 occurs because the application loads DLLs from a predictable, user-writable temporary directory before falling back to secure system paths. A local attacker who can drop a crafted DLL into that path achieves code execution under the victim's account when MobaXterm is next launched. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Authenticated arbitrary code execution in CyberArk Privileged Session Manager (PSM) versions prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5 allows low-privileged users to escape intended boundaries through incomplete input validation combined with misconfigured folder permissions. Because PSM brokers privileged sessions to critical infrastructure, code execution here directly threatens vaulted credentials and downstream targets, making this a high-impact issue despite requiring authentication. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.7 reflects the severity of compromising a PAM component.
Remote code execution in Google Chrome on Windows prior to 149.0.7827.115 allows remote attackers to trigger a use-after-free condition in the Core component via a crafted HTML page, leading to arbitrary code execution within the renderer process. Chromium rates the severity as Critical, and no public exploit has been identified at time of analysis, but the bug class (UAF in Core) is historically a frequent target for in-the-wild exploitation against Chrome. The vulnerability requires the victim to visit attacker-controlled content (UI:R).
Remote code execution in GeoServer (versions prior to 2.27.0) with the DB2 extension installed allows authenticated administrators to perform a JNDI injection attack via a crafted DB2 JDBC connection URL submitted through the Vector Data Sources page, ultimately triggering Java deserialization of untrusted data and arbitrary code execution. No public exploit identified at time of analysis, and the vulnerability is not on CISA KEV, but the attack pattern follows well-known JNDI/Log4Shell-style RCE techniques. Risk is meaningful only where the DB2 extension is deployed and an administrative account is reachable.
Arbitrary code execution in OpenClaw before 2026.5.27 lets attackers hijack the Homebrew executable resolved during skill installation by planting a workspace-level .env file that overrides the trusted Homebrew path. The flaw, classified as CWE-426 (Untrusted Search Path), enables full system compromise when an operator installs a tampered skill. There is no public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Arbitrary code execution in OpenClaw before 2026.5.18 allows operators with trusted marketplace access to redirect extension loading to unscanned package payloads, bypassing the platform's security scanning controls. The flaw stems from improper validation of runtime extension metadata (CWE-829), and while no public exploit has been identified at time of analysis, a vendor patch is available via GHSA-v6r2-jh58-xx6w and VulnCheck has tagged it as RCE.
Remote code execution in Apache CXF's JCA integration module allows attackers to achieve arbitrary code execution via JNDI injection when they can manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Affected versions span Apache CXF 4.2.0 to before 4.2.2, and all versions prior to 4.1.7. Despite a CVSS of 8.1, there is no public exploit identified at time of analysis and EPSS sits at 0.04%, suggesting limited near-term exploitation likelihood.
Arbitrary Python code execution in Vim prior to 9.2.0597 occurs when a user triggers Python omni-completion (`<C-x><C-o>`) on a buffer containing crafted `def` or `class` headers, because the pythoncomplete autoload reconstructs definitions and runs them through `exec()`, which evaluates default values, annotations, and base-class expressions at definition time. The earlier g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this sink. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in Vim prior to 9.2.0561 occurs when a user opens a malicious Python file and triggers Python omni-completion (python3complete.vim or pythoncomplete.vim), causing Vim's completion script to execute import/from statements from the buffer through Python's import machinery and run attacker-controlled package code as the editing user. Affects any Vim build with +python3 or +python interpreter support; no public exploit identified at time of analysis, but the upstream patch and detailed advisory (GHSA-52mc-rq6p-rc7c) make the issue well-documented. The CVSS 4.0 score of 7.3 reflects required user interaction (opening the file and invoking completion) but high impact on confidentiality, integrity, and availability of the user's account.
Vimscript code injection in the netrw plugin shipped with Vim before 9.2.0495 allows attackers who can plant or have a victim browse a maliciously named directory to execute arbitrary Vimscript and shell commands in the user's Vim session. The flaw resides in s:NetrwBookHistSave(), which serializes directory paths into ~/.vim/.netrwhist using unescaped single-quoted string literals, so a directory name containing a single quote breaks out of the literal and is executed the next time Vim sources the history. No public exploit identified at time of analysis, but a proof-of-concept payload is embedded in the upstream regression test (Test_netrw_injection).
Code injection via unsanitized step-definition patterns in Vim's cucumber filetype plugin allows arbitrary Ruby and shell command execution on any Vim build compiled with +ruby support, prior to version 9.2.0496. An attacker who controls .rb step definition files in a repository can craft a regex-terminating payload that escapes a Kernel.eval() argument, enabling full shell access as the victim's user when the developer invokes the [d or ]d step-jump mapping. No public exploit identified at time of analysis, but the patch commit includes a working proof-of-concept demonstrating the injection technique.
Heap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash the LDAP service or achieve remote code execution after a successful SASL bind with integrity protection (SSF > 0). The flaw stems from an integer overflow in sasl_io_start_packet() that bypasses the nsslapd-maxsasliosize ceiling, enabling roughly 2 MB of attacker-controlled heap corruption. No public exploit identified at time of analysis, and the impact is amplified in FreeIPA and Red Hat Identity Management deployments where any enrolled user, host, or service principal qualifies as an authenticated attacker.
Sandbox escape leading to remote code execution affects KanaDojo (lingdojo/kana-dojo) before version 0.1.18, where the issue-auto-respond.yml GitHub Actions workflow passes the global require function into a Node.js vm.runInNewContext() sandbox. An attacker submitting a pull request that modifies messages.cjs can load arbitrary Node.js modules from within the sandbox and gain code execution on the Actions runner with access to AUTOMATION_PR_TOKEN. No public exploit identified at time of analysis, though the VulnCheck advisory documents the exploitation primitive in detail.
Arbitrary file upload leading to remote code execution in CodeIgniter4 framework versions prior to 4.7.3 occurs because the `ext_in` validation rule inspects the MIME-derived guessed extension rather than the client-supplied filename extension. Applications that accept user uploads, rely on `ext_in` for extension allow-listing, persist files under their original client filename inside a web-accessible directory, and permit PHP execution in that directory can be coerced into writing and executing attacker-controlled PHP. No public exploit identified at time of analysis, though the patch commit and tests publicly demonstrate the bypass technique (a polyglot file named `shell.php` carrying GIF magic bytes).
Remote code execution in Apache CXF versions 4.2.0 through 4.2.1 and all versions prior to 4.1.7 can occur when untrusted users are permitted to configure JMS transport, representing a third attempt to fully address the original advisory CVE-2026-44417. With no public exploit identified at time of analysis and an EPSS score of 0.04%, near-term mass exploitation appears unlikely, but the SSVC technical impact is rated total and the flaw is deemed automatable once weaponized.
Local privilege escalation in Check Point Identity Agent Full for Windows allows an authenticated local user to execute arbitrary code with SYSTEM privileges through improper executable resolution during the log collection process. The flaw is a classic CWE-427 uncontrolled search path issue, and no public exploit has been identified at time of analysis. Exploitation is constrained to attackers who already have a foothold on the endpoint but provides a reliable path to full SYSTEM compromise.
Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied strings passed through `opts.name` or `opts.uri` into the `zipHardhat`/`zipFoundry` helpers to break out of string literals inside generated Hardhat and Foundry test scaffolding, leading to arbitrary code execution on the developer's machine when `npm test` or `forge test` is run. No public exploit is identified at time of analysis, but a vendor advisory and patched commit are public via GitHub Security Advisory GHSA-4x76-22x2-rx8v.
Local arbitrary code execution in PDM (Python Development Master) versions <= 2.26.9 allows attacker-controlled repositories to execute Python code under the invoking user's privileges when any pdm command (even `pdm --version`) is run inside a malicious checkout. The root cause is implicit loading of project-local `.pdm-plugins` via `site.addsitedir()`, which processes `.pth` files containing executable `import` statements before CLI parsing. Publicly available exploit code exists in the advisory PoC, and CWE-94 code injection is confirmed; no public exploit identified at time of analysis as actively used in the wild.
Improper input validation in free5GC UDR (versions <= 1.4.3) allows any actor with network access to the UDR Service Based Interface to inject arbitrary non-3GPP-compliant identifiers into the EE subscription data path, causing persistent database pollution of the UDR subscriber data store. The flaw originates from a catch-all regex branch (`|.+`) in `HandleCreateEeSubscriptions` and `HandleQueryeesubscriptions` within `api_datarepository.go` that nullifies all preceding format-specific checks for IMSI, NAI, MSISDN, EXTID, GCI, and GLI identifiers. A publicly available proof-of-concept - published in the GHSA advisory - confirms that attacker-controlled `ueId` strings are accepted with HTTP 201, persisted, and retrievable via HTTP 200, demonstrating a fully exploitable integrity violation with no patch available at time of analysis.
Remote code execution in UpdraftPlus: WP Backup & Migration Plugin for WordPress (versions ≤1.26.4) allows unauthenticated attackers to forge RPC commands as the connected administrator by bypassing signature verification in the UpdraftPlus_Remote_Communications_V2::wp_loaded handler. A flaw in how unchecked decryption return values are handled collapses the encryption key to an all-zero value, enabling arbitrary plugin upload and activation. No public exploit identified at time of analysis, but the plugin's massive WordPress install base and trivial post-bypass impact make this a high-priority patch.
Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated attackers to trigger unsafe deserialization by sending crafted paginated GraphQL queries against Connection-type fields. Exploitation requires that the application expose a paginated (Connection) field and that the classpath contains gadget classes leveraged during deserialization. No public exploit identified at time of analysis; EPSS sits at 0.34% (57th percentile) and the issue is not in CISA KEV, but a vendor patch is available.
Arbitrary code execution in Dulwich (pure-Python Git implementation) versions 0.23.2 through 1.2.4 allows a malicious upstream repository to drop executable files into a victim's .git/hooks/ directory during a recursive clone or submodule update. When the victim subsequently runs any git or dulwich command that invokes the planted hook, the attacker's code executes with the victim's privileges. No public exploit identified at time of analysis, though the technique mirrors the well-documented upstream Git flaws CVE-2024-32002 and CVE-2024-32004.
Arbitrary code execution in GIMP via malicious HDR (High Dynamic Range) image files allows attackers to run code in the context of the user opening the file. The flaw is a heap-based buffer overflow (CWE-122) in the HDR parser, requiring the victim to open a crafted file or visit a malicious page that delivers one. No public exploit identified at time of analysis, but the vulnerability was reported through ZDI (ZDI-CAN-28618) indicating verified researcher analysis.
Arbitrary file clobber in PDM (Python Development Master) below version 2.27.0 allows an attacker who controls a cloned project repository to overwrite files outside the repository root by planting symlinks at project-local config paths (pdm.toml, .pdm-python, .python-version) that PDM writes to without symlink protection. When a developer runs any PDM command triggering a project-local config write against the malicious checkout, the tool follows the symlink and overwrites the target with attacker-influenced content - up to arbitrary file corruption relative to the invoking user's privileges. A working proof-of-concept is included in the GitHub security advisory GHSA-ghq2-5c67-fprm; no active exploitation is confirmed in CISA KEV at time of analysis.
Root command injection in dracut's legacy DHCP path allows adjacent-network attackers to execute arbitrary commands inside the initramfs by sending crafted DHCP options (e.g., malicious hostname) that are written unescaped into temporary shell scripts. The flaw affects Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and OpenShift Container Platform 4, granting full system compromise during early boot. No public exploit identified at time of analysis, and EPSS is low (0.16%, 36th percentile), but SSVC rates technical impact as total.
Malicious MCP server configuration injection via pull requests enables remote code execution on GitHub Actions runners running anthropics/claude-code-action versions prior to 1.0.74. The action's combination of checking out attacker-controlled PR head branches, reading `.mcp.json` from the working directory by default, and unconditionally enabling all discovered project MCP servers creates a poisoned pipeline execution path - an attacker who can open a PR can plant a malicious `.mcp.json` that executes arbitrary commands once a privileged user or automated trigger invokes the Claude action against that PR. Successful exploitation results in full secret exfiltration from the workflow environment, including API keys and tokens accessible to the runner. No public exploit identified at time of analysis; the fix was disclosed via GitHub Security Advisory GHSA-8q5r-mmjf-575q and patched in version 1.0.74.
Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privileged authenticated user (without 'admin' or 'power' roles) to execute arbitrary Python on the server by abusing unsafe jsonpickle deserialization of App Key Value Store (KV Store) data. CVSS is 8.8 (network, low complexity, low privileges) and the issue is currently rated as no public exploit identified at time of analysis. The flaw is reported by Cisco and disclosed via Splunk advisory SVD-2026-0601.
Server-side template injection in Apache OFBiz before 24.09.07 allows authenticated users holding Content or DataResource editing privileges to inject template code that is rendered by the framework, resulting in remote code execution on the application server. The flaw is rated CVSS 8.8 with publicly available exploit code exists via the oss-security disclosure thread, though EPSS sits at 0.09% (26th percentile), indicating broad opportunistic exploitation has not yet been observed. Apache has shipped a fix in 24.09.07 and recommends immediate upgrade.
Privilege escalation in Lenovo Smart Connect for Windows allows a local authenticated user to bypass authentication checks and execute arbitrary code with elevated privileges. The flaw stems from an authentication bypass weakness (CWE-290) in the Windows client and carries a CVSS 4.0 score of 7.3. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation in Lenovo's LanSchool Classic client application allows authenticated users on affected endpoints to execute arbitrary code with elevated privileges via an uncontrolled search path (CWE-427). The flaw carries a CVSS 4.0 score of 8.5 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because LanSchool Classic is widely deployed in K-12 and education environments, exploitation could let a student or low-privileged user gain SYSTEM-level control of managed classroom devices.
Local privilege escalation in Lenovo Accessories and Display Manager for Enterprise on Windows allows an authenticated low-privileged user to execute arbitrary code with elevated privileges, per a Lenovo-disclosed internal finding (LEN-213623). The CVSS 4.0 base score of 8.5 reflects high impact to confidentiality, integrity, and availability of the vulnerable system, though no public exploit identified at time of analysis. The CWE-306 (Missing Authentication for Critical Function) classification combined with the 'Authentication Bypass' tag suggests a privileged operation in the product is reachable without proper access checks.
Remote code execution in Roxy-WI versions 8.2.6.4 and prior allows authenticated low-privilege users (role ≤ 3) to inject arbitrary HAProxy directives via unvalidated JSON option fields in the HAProxy section-save API endpoints, achieving command execution as the haproxy user on every managed load balancer. No public exploit has been identified at time of analysis, but the attack is straightforward given the documented injection path through the section.j2, global.j2, and defaults.j2 Ansible templates, and no vendor-released patch is available.
Authenticated remote code execution in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) allows attackers with permission to submit config.xml to trigger deserialization of arbitrary core or plugin types that subsequently handle HTTP requests, enabling user impersonation, Script Console abuse, and arbitrary file reads from the controller. The flaw is tracked as a CWE-502 unsafe deserialization issue with a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). No public exploit identified at time of analysis, but the vendor (Jenkins project) has issued a coordinated advisory and patched releases.
Arbitrary file write in NSA's Ghidra reverse-engineering framework before version 12.0.4 allows attackers to escape the theme directory via Zip Slip path traversal sequences in malicious theme ZIP archives, leading to code execution or credential compromise. The flaw requires user interaction (importing the booby-trapped theme) and is exploited locally against the user running Ghidra. No public exploit identified at time of analysis, though the technique (Zip Slip) is well-documented and trivially reproducible.
Arbitrary file write in NSA Ghidra versions prior to 12.0.2 allows local attackers to achieve code execution by tricking a user into installing a malicious extension archive. The extension installer fails to sanitize ZIP entry names, enabling classic Zip Slip path traversal that writes files outside the intended extension directory. No public exploit identified at time of analysis, though the technique is well-documented and trivially reproducible.
Remote code execution in NSA Ghidra before version 12.1 allows attackers to execute arbitrary commands when a user opens a malicious shared-project file containing a ghidra:// URL, triggering unsafe Java deserialization in the client-side Shared-Project RMI connection code. Exploitation leverages a Jython 2.7.4 gadget chain and requires only user interaction (opening the crafted project), with no authentication needed. No public exploit identified at time of analysis, though VulnCheck has published an advisory describing the flaw.
Insecure deserialization in Broadcom Layer 7 API Gateway 11.2.1 exposes organizations to remote code execution or broken security control enforcement when an adversary can intercept and tamper with traffic between a client application and the gateway. The CVSS 4.0 vector assigns High subsequent-system confidentiality impact (SC:H), reflecting the gateway's privileged position as a broker to downstream backend services - meaning a successful exploit can cascade beyond the gateway itself. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the RCE potential and architectural sensitivity of an API gateway make this a meaningful priority for affected deployments.
Cross-site scripting in Spring Security's SAML 2.0 relying party support allows an attacker who can influence RelyingPartyRegistration values to inject malicious content into HTML forms generated by Spring Security filters, potentially leading to script execution in a victim's browser. The advisory and tagging characterize this as an XSS issue with possible code-execution implications in the browser context, affecting Spring Security 5.7.x through 7.0.x prior to the fixed maintenance releases. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Veeam Backup & Replication enables an authenticated domain user to execute arbitrary code on the Backup Server, with CVSS 4.0 score of 9.4 reflecting high impact across confidentiality, integrity, and availability of both the vulnerable component and downstream systems. The vulnerability is tagged as a deserialization flaw (CWE-502), and while no public exploit is identified at time of analysis, the low attack complexity and only-low-privilege requirement make this a high-priority patching event for any environment running Veeam in a domain-joined configuration.
Authenticated remote code execution in Pheditor 2.0.1-2.0.3 lets any logged-in user with the default terminal permission bypass the TERMINAL_COMMANDS whitelist by injecting shell metacharacters into the unsanitized 'dir' POST parameter of pheditor.php, achieving full command execution as the web server user. Publicly available exploit code exists in the GitHub Security Advisory PoC, and the upstream commit confirms the root cause is missing escapeshellarg() on $dir before concatenation into shell_exec().
Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9394 and earlier allows unauthenticated network attackers to execute arbitrary code in the context of the current user with no user interaction required. The flaw stems from an Incorrect Authorization weakness (CWE-863) and carries the maximum CVSS 3.1 base score of 10.0 with changed scope, indicating impact beyond the vulnerable component. No public exploit identified at time of analysis, though the perfect CVSS score and authentication-bypass characteristics make this a high-priority patch for any organization running ACC for marketing automation.
Arbitrary code execution in Adobe Format Plugins 1.1.2 and earlier occurs through a heap-based buffer overflow that executes in the current user's security context when a victim opens a maliciously crafted file. The flaw was reported by Adobe PSIRT and carries a CVSS 7.8 (high) score, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, suggesting it is currently a patching priority rather than an active incident.
Arbitrary code execution in Adobe Format Plugins versions 1.1.2 and earlier occurs via a heap-based buffer overflow triggered when a victim opens a malicious file. Exploitation runs in the context of the current user and requires user interaction, with no public exploit identified at time of analysis. The flaw is addressed in Adobe Security Bulletin APSB26-65.
Server-side request forgery in Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier escalates to arbitrary code execution in the context of the current user, with a maximum CVSS 10.0 reflecting unauthenticated network exploitation and scope change. No public exploit identified at time of analysis, but the vendor advisory APSB26-66 confirms the flaw and the trivial attack complexity (AC:L) combined with PR:N and UI:N makes ACC instances reachable from untrusted networks an urgent patch target. The scope change (S:C) indicates the SSRF pivots beyond the originating component, enabling reach into adjacent backend services typically isolated from external callers.
Arbitrary code execution in Adobe ColdFusion 2023 (through update 19) and 2025 (through update 8) lets an attacker who already holds high-privilege access run code in the context of the current user without any user interaction. The flaw stems from improper input validation (CWE-20) and carries a scope-changed CVSS 9.1, meaning impact can extend beyond the vulnerable component. There is no public exploit identified at time of analysis, EPSS is low (0.04%), and CISA SSVC currently rates exploitation as none, so this is a high-severity but not-yet-exploited issue requiring proactive patching.
Privilege escalation and arbitrary code execution in Adobe ColdFusion 2023 (Update 17 and earlier) and 2025 (Update 8 and earlier) allows a high-privileged remote attacker to bypass authorization controls and execute code in the context of the current user. The flaw is a CWE-863 incorrect-authorization issue with a scope change, raising CVSS to 9.1, but no public exploit identified at time of analysis and EPSS is low (0.02%, 6th percentile). Adobe disclosed the issue via APSB26-64 and a vendor patch is available.
Remote code execution in Adobe ColdFusion 2023 (Update 17 and earlier) and ColdFusion 2025 (Update 8 and earlier) allows unauthenticated network attackers to execute arbitrary code in the context of the current user without any user interaction, with a scope change extending impact beyond the vulnerable component. The flaw stems from improper input validation (CWE-20) and carries a maximum CVSS 3.1 score of 10.0, though EPSS exploitation probability is currently only 0.04% (11th percentile) and SSVC reports no observed exploitation. No public exploit identified at time of analysis.
Arbitrary code execution in Adobe Acrobat Reader 24.001.30365, 26.001.21651 and earlier arises from an uncontrolled search path element (CWE-427), enabling a local attacker to run code in the current user's context when a victim opens a malicious file. No public exploit identified at time of analysis, EPSS is very low (0.03%), and CISA SSVC marks exploitation as 'none' with total technical impact. Adobe has released a fix via security bulletin APSB26-63.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651, and earlier) occurs when a victim opens a maliciously crafted PDF, triggering a use-after-free memory corruption that lets the attacker run code with the privileges of the logged-on user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; however, Acrobat Reader is a perennial target for phishing-delivered malware, making patching a near-term priority. Adobe has issued APSB26-63 with fixed builds.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651, and earlier) is triggered when a user opens a malicious PDF, exploiting a Use-After-Free memory corruption flaw to run code as the current user. No public exploit identified at time of analysis, and EPSS data was not provided, but the high CVSS of 7.8 combined with Reader's massive install base makes this a routine patch priority. Vendor (Adobe) issued advisory APSB26-63 with corrective updates.
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier results from a use-after-free memory corruption bug (CWE-416) triggered when a victim opens a malicious PDF. Code runs in the security context of the current user, making this a credible client-side initial-access vector via phishing or drive-by document delivery. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Heap-based buffer overflow in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier enables arbitrary code execution in the context of the logged-in user when a victim opens a maliciously crafted document. No public exploit has been identified at time of analysis, but the high CVSS of 7.8 reflects severe local impact, and Acrobat Reader's massive install base makes it a perennial phishing target. Exploitation requires user interaction, which moderates urgency relative to zero-click flaws but does not eliminate risk in document-heavy enterprise environments.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) is possible when a victim opens a maliciously crafted PDF, triggering a use-after-free memory corruption flaw. Code runs with the privileges of the current user, and no public exploit identified at time of analysis, though Adobe has released APSB26-63 as the corresponding advisory.
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier is possible when a victim opens a maliciously crafted file that triggers a use-after-free in the document parser. The flaw runs code in the context of the logged-in user and carries a CVSS 7.8 (High) score, but requires user interaction; no public exploit identified at time of analysis and EPSS data is not provided in the input.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651, and earlier) is possible when a victim opens a maliciously crafted document, triggering a use-after-free condition in the renderer. The flaw runs code in the context of the current user and has no public exploit identified at time of analysis, though Adobe issued advisory APSB26-63 confirming the vulnerability class and affected versions.
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier occurs through a use-after-free flaw triggered when a victim opens a maliciously crafted PDF document. Code executes in the context of the current user, making this a classic client-side document exploit vector. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) is possible when a victim opens a maliciously crafted PDF that triggers a use-after-free condition in the parser. Exploitation runs at the privilege of the user opening the file, and no public exploit identified at time of analysis. CVSS 7.8 reflects the local attack vector and required user interaction, but Reader's massive install base makes this a high-value target for phishing-driven campaigns.
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier stems from a Use After Free condition (CWE-416) that triggers when a victim opens a malicious PDF, yielding execution in the context of the current user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the file-opening attack pattern is a perennial favorite in phishing and document-borne campaigns targeting Acrobat. Adobe has shipped fixed builds under advisory APSB26-63.
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier occurs through a use-after-free condition triggered by opening a malicious PDF document. Successful exploitation runs code in the context of the current user, but no public exploit identified at time of analysis and the issue requires user interaction to open the crafted file.
Arbitrary code execution in Adobe Acrobat Reader 24.001.30365, 26.001.21651, and earlier versions occurs through a use-after-free condition triggered when a victim opens a malicious PDF file. Successful exploitation runs attacker-supplied code with the privileges of the current user, making this a viable phishing and drive-by document attack vector. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) occurs via a stack-based buffer overflow triggered when a victim opens a malicious PDF. Successful exploitation runs attacker code in the context of the current user, making this a viable initial-access vector through phishing or drive-by document delivery. No public exploit identified at time of analysis, but the bug class (CWE-121) and Acrobat's broad install base historically attract weaponization quickly after disclosure.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) is possible when a victim opens a malicious PDF file that triggers an out-of-bounds write condition. The flaw executes code in the context of the logged-in user, and while no public exploit identified at time of analysis, the CVSS 7.8 rating reflects high impact across confidentiality, integrity, and availability. Adobe has published advisory APSB26-63 with a fix.
Arbitrary code execution in Adobe Dreamweaver Desktop 21.7 and earlier stems from a vulnerable third-party component bundled with the application, allowing an attacker to run code in the context of the user who opens a malicious file. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the changed-scope CVSS of 8.6 reflects the potential for the embedded component flaw to break out of Dreamweaver's security boundary.
Arbitrary code execution in Adobe Dreamweaver Desktop versions 21.7 and earlier allows attackers to run code in the context of the current user when a victim opens a malicious file. The flaw stems from access of an uninitialized pointer (CWE-824) and is tracked under Adobe advisory APSB26-62. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Heap-based buffer overflow in SQLite's FTS5 full-text search extension (versions before 3.53.2) allows attackers to crash the process or execute arbitrary code by supplying a malicious database file that triggers an integer underflow in fts5ChunkIterate() during MATCH query processing. The flaw affects any application compiled with SQLITE_ENABLE_FTS5 that opens an attacker-supplied database and runs an FTS5 query against it; no public exploit identified at time of analysis, though VulnCheck has published an advisory.
Arbitrary code execution in Adobe Substance3D Sampler 6.0.0 and earlier occurs when a user opens a maliciously crafted asset file that triggers an out-of-bounds write in the application's parsing logic. Exploitation runs in the context of the logged-in user and requires user interaction to open the file; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Arbitrary code execution in Adobe Substance3D Sampler versions 6.0.0 and earlier occurs through an out-of-bounds write triggered when a user opens a maliciously crafted file. The flaw executes code in the context of the current user and requires victim interaction, with no public exploit identified at time of analysis and no CISA KEV listing.
Arbitrary code execution in Adobe Substance3D Sampler versions 6.0.0 and earlier occurs when a victim opens a maliciously crafted file, triggering an out-of-bounds write (CWE-787) in the application's file parser. Exploitation runs in the context of the current user and no public exploit identified at time of analysis, though the high CVSS of 7.8 reflects the full local impact triad once a user is socially engineered into opening the file.
Arbitrary code execution in Adobe Substance3D Sampler 6.0.0 and earlier occurs when a user opens a maliciously crafted 3D asset file, triggering an out-of-bounds write that runs attacker code with the current user's privileges. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the local attack vector combined with high impact and required user interaction makes this a classic targeted-phishing/social-engineering risk against artists and 3D designers.
Memory corruption in SQLite versions before 3.53.2 enables attackers to crash processes, exhaust memory, or potentially execute arbitrary code by supplying a crafted database that triggers flaws in the FTS5 full-text search extension when a MATCH query runs. The CVSS 4.0 vector indicates local attack vector with passive user interaction required, and no public exploit identified at time of analysis. Reported by VulnCheck with patches already merged upstream.
Arbitrary code execution in Adobe InCopy versions 21.3, 20.5.3 and earlier occurs when a user opens a maliciously crafted document that triggers a heap-based buffer overflow (CWE-122). Successful exploitation runs attacker code in the security context of the current user, making this a credible vector for endpoint compromise via social engineering. No public exploit identified at time of analysis, and the CVE is not on the CISA KEV list.
Arbitrary code execution in Adobe InCopy 21.3, 20.5.3, and earlier allows attackers to run code as the current user when a victim opens a maliciously crafted file. The flaw stems from an out-of-bounds write (CWE-787) in file parsing logic, carries a CVSS 7.8 (local, user-interaction required), and has no public exploit identified at time of analysis. Adobe published advisory APSB26-59 addressing the issue.
Stack-based buffer overflow in Adobe InCopy 21.3, 20.5.3 and earlier enables arbitrary code execution in the context of the logged-in user when a victim opens a maliciously crafted document. The flaw is locally exploitable via file-format parsing and requires user interaction, with no public exploit identified at time of analysis. CVSS 7.8 reflects high impact on confidentiality, integrity, and availability but constrained reachability through the document-open vector.
Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier occurs through a heap-based buffer overflow triggered when a victim opens a maliciously crafted file. The flaw runs code in the security context of the current user and requires user interaction, with no public exploit identified at time of analysis. Adobe has published advisory APSB26-58 addressing the issue.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs when a user opens a maliciously crafted document, triggering a stack-based buffer overflow (CWE-121) that runs attacker code in the context of the current user. Adobe issued advisory APSB26-58 for this issue; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier occurs through an out-of-bounds write triggered when a user opens a maliciously crafted document, allowing attacker code to run with the privileges of the current user. The flaw carries a CVSS 7.8 (High) rating, requires victim interaction, and no public exploit identified at time of analysis.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier stems from a use-after-free condition triggered when a user opens a maliciously crafted document, allowing an attacker to run code with the privileges of the logged-in user. The flaw is reported by Adobe with a CVSS 3.1 base score of 7.8 and tagged for RCE, denial of service, and memory corruption, but there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs via a heap-based buffer overflow (CWE-122) triggered when a victim opens a maliciously crafted document file. The flaw runs code in the context of the current user and requires user interaction, with no public exploit identified at time of analysis. Adobe published advisory APSB26-58 addressing the issue.
Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier is possible when a user opens a maliciously crafted document, triggering a heap-based buffer overflow. The flaw runs code in the context of the logged-in user and was reported by Adobe; no public exploit identified at time of analysis and EPSS data is not provided.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow triggered when a victim opens a malicious document file. Exploitation runs in the context of the current user and requires user interaction, with no public exploit identified at time of analysis. The issue was reported by Adobe and addressed in security bulletin APSB26-58.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier allows attackers to run code as the logged-in user when a victim opens a maliciously crafted document file. The flaw is an out-of-bounds write (CWE-787) memory corruption issue requiring user interaction, and no public exploit has been identified at time of analysis.
Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow triggered when a user opens a malicious document. Successful exploitation runs attacker-controlled code in the context of the current user, but requires social engineering since the attack vector is local and user interaction is mandatory. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Hermes WebUI versions prior to 0.51.311 allows authenticated attackers to run arbitrary host commands by planting malicious Git configuration in a workspace repository's .git/config file. The Python backend in api/workspace_git.py invokes Git subprocesses (status, fetch) without hardening, so repo-local directives like core.fsmonitor, protocol.ext.allow, credential.helper, core.askPass, core.gitProxy, or inherited GIT_SSH_COMMAND turn read-only operations into command execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the vendor advisory and a VulnCheck disclosure (assigned via disclosure@vulncheck.com) confirm the bug and the corresponding fix.
Local privilege elevation in Microsoft Visual Studio Code allows an unprivileged attacker to gain higher privileges on a host by tricking a user into triggering inclusion of functionality from an untrusted control sphere (CWE-94 code injection class). The flaw requires user interaction and local access per the CVSS vector (AV:L/UI:R), yielding full confidentiality, integrity, and availability impact at CVSS 7.8. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Microsoft Exchange Server allows an unauthenticated network-based attacker to execute arbitrary code on the mail server through code injection, though successful exploitation requires user interaction and faces high attack complexity. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The vulnerability is rated CVSS 7.5 with full confidentiality, integrity, and availability impact on a compromised Exchange host.
Heap-based buffer overflow in NVIDIA DALI enables local authenticated attackers to achieve code execution, data tampering, denial of service, or information disclosure when a victim user interacts with attacker-supplied input. The flaw affects the Data Loading Library used in GPU-accelerated deep learning data pipelines and carries a CVSS 3.1 score of 7.3 (High). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution and data tampering in NVIDIA DALI (Data Loading Library) is possible when a low-privileged user is tricked into processing attacker-controlled input through a component that performs improper index validation (CWE-129). The CVSS 7.3 vector (AV:L/AC:L/PR:L/UI:R) indicates local access, low privileges, and user interaction are required, with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Code injection in NETGEAR RBE97x routers (firmware prior to V9.12.4.9) enables authenticated administrators on the local network to make unauthorized modifications to router software and functionality beyond their sanctioned scope. The vulnerability stems from insufficient input validation (CWE-94), where administrator-supplied input is not properly sanitized before being processed, potentially allowing execution of injected code. No public exploit exists and CISA SSVC classifies exploitation status as 'none', making this a low-urgency but valid integrity risk for environments where shared or compromised admin accounts are a concern.
Local privilege escalation in Waves Central for macOS (13.0.9 through 16.5.5) allows an unprivileged local user to gain root code execution by exploiting a time-of-check/time-of-use race in the privileged helper's XPC client validation. The helper trusts the connecting process's PID to verify code-signing identity, but PID reuse permits an attacker-controlled process to masquerade as a legitimate Waves client. SSVC reports a public proof-of-concept exists; the issue is not listed in CISA KEV.
Arbitrary code execution in MobaXterm Personal Edition (Portable) version 26.3 Build 5154 occurs because the application loads winspool.drv from its working directory at startup, enabling classic DLL search-order hijacking. A local attacker who can write to the directory containing the portable executable can drop a malicious winspool.drv that executes in the victim's user context the next time MobaXterm is launched. No public exploit identified at time of analysis, and EPSS data was not provided, but the trivial nature of DLL planting makes weaponization straightforward.
Arbitrary code execution in MobaXterm Personal Edition (Portable) 26.3 Build 5154 occurs because the application loads DLLs from a predictable, user-writable temporary directory before falling back to secure system paths. A local attacker who can drop a crafted DLL into that path achieves code execution under the victim's account when MobaXterm is next launched. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Authenticated arbitrary code execution in CyberArk Privileged Session Manager (PSM) versions prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5 allows low-privileged users to escape intended boundaries through incomplete input validation combined with misconfigured folder permissions. Because PSM brokers privileged sessions to critical infrastructure, code execution here directly threatens vaulted credentials and downstream targets, making this a high-impact issue despite requiring authentication. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.7 reflects the severity of compromising a PAM component.
Remote code execution in Google Chrome on Windows prior to 149.0.7827.115 allows remote attackers to trigger a use-after-free condition in the Core component via a crafted HTML page, leading to arbitrary code execution within the renderer process. Chromium rates the severity as Critical, and no public exploit has been identified at time of analysis, but the bug class (UAF in Core) is historically a frequent target for in-the-wild exploitation against Chrome. The vulnerability requires the victim to visit attacker-controlled content (UI:R).
Remote code execution in GeoServer (versions prior to 2.27.0) with the DB2 extension installed allows authenticated administrators to perform a JNDI injection attack via a crafted DB2 JDBC connection URL submitted through the Vector Data Sources page, ultimately triggering Java deserialization of untrusted data and arbitrary code execution. No public exploit identified at time of analysis, and the vulnerability is not on CISA KEV, but the attack pattern follows well-known JNDI/Log4Shell-style RCE techniques. Risk is meaningful only where the DB2 extension is deployed and an administrative account is reachable.
Arbitrary code execution in OpenClaw before 2026.5.27 lets attackers hijack the Homebrew executable resolved during skill installation by planting a workspace-level .env file that overrides the trusted Homebrew path. The flaw, classified as CWE-426 (Untrusted Search Path), enables full system compromise when an operator installs a tampered skill. There is no public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Arbitrary code execution in OpenClaw before 2026.5.18 allows operators with trusted marketplace access to redirect extension loading to unscanned package payloads, bypassing the platform's security scanning controls. The flaw stems from improper validation of runtime extension metadata (CWE-829), and while no public exploit has been identified at time of analysis, a vendor patch is available via GHSA-v6r2-jh58-xx6w and VulnCheck has tagged it as RCE.
Remote code execution in Apache CXF's JCA integration module allows attackers to achieve arbitrary code execution via JNDI injection when they can manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Affected versions span Apache CXF 4.2.0 to before 4.2.2, and all versions prior to 4.1.7. Despite a CVSS of 8.1, there is no public exploit identified at time of analysis and EPSS sits at 0.04%, suggesting limited near-term exploitation likelihood.
Arbitrary Python code execution in Vim prior to 9.2.0597 occurs when a user triggers Python omni-completion (`<C-x><C-o>`) on a buffer containing crafted `def` or `class` headers, because the pythoncomplete autoload reconstructs definitions and runs them through `exec()`, which evaluates default values, annotations, and base-class expressions at definition time. The earlier g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this sink. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in Vim prior to 9.2.0561 occurs when a user opens a malicious Python file and triggers Python omni-completion (python3complete.vim or pythoncomplete.vim), causing Vim's completion script to execute import/from statements from the buffer through Python's import machinery and run attacker-controlled package code as the editing user. Affects any Vim build with +python3 or +python interpreter support; no public exploit identified at time of analysis, but the upstream patch and detailed advisory (GHSA-52mc-rq6p-rc7c) make the issue well-documented. The CVSS 4.0 score of 7.3 reflects required user interaction (opening the file and invoking completion) but high impact on confidentiality, integrity, and availability of the user's account.
Vimscript code injection in the netrw plugin shipped with Vim before 9.2.0495 allows attackers who can plant or have a victim browse a maliciously named directory to execute arbitrary Vimscript and shell commands in the user's Vim session. The flaw resides in s:NetrwBookHistSave(), which serializes directory paths into ~/.vim/.netrwhist using unescaped single-quoted string literals, so a directory name containing a single quote breaks out of the literal and is executed the next time Vim sources the history. No public exploit identified at time of analysis, but a proof-of-concept payload is embedded in the upstream regression test (Test_netrw_injection).
Code injection via unsanitized step-definition patterns in Vim's cucumber filetype plugin allows arbitrary Ruby and shell command execution on any Vim build compiled with +ruby support, prior to version 9.2.0496. An attacker who controls .rb step definition files in a repository can craft a regex-terminating payload that escapes a Kernel.eval() argument, enabling full shell access as the victim's user when the developer invokes the [d or ]d step-jump mapping. No public exploit identified at time of analysis, but the patch commit includes a working proof-of-concept demonstrating the injection technique.
Heap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash the LDAP service or achieve remote code execution after a successful SASL bind with integrity protection (SSF > 0). The flaw stems from an integer overflow in sasl_io_start_packet() that bypasses the nsslapd-maxsasliosize ceiling, enabling roughly 2 MB of attacker-controlled heap corruption. No public exploit identified at time of analysis, and the impact is amplified in FreeIPA and Red Hat Identity Management deployments where any enrolled user, host, or service principal qualifies as an authenticated attacker.
Sandbox escape leading to remote code execution affects KanaDojo (lingdojo/kana-dojo) before version 0.1.18, where the issue-auto-respond.yml GitHub Actions workflow passes the global require function into a Node.js vm.runInNewContext() sandbox. An attacker submitting a pull request that modifies messages.cjs can load arbitrary Node.js modules from within the sandbox and gain code execution on the Actions runner with access to AUTOMATION_PR_TOKEN. No public exploit identified at time of analysis, though the VulnCheck advisory documents the exploitation primitive in detail.
Arbitrary file upload leading to remote code execution in CodeIgniter4 framework versions prior to 4.7.3 occurs because the `ext_in` validation rule inspects the MIME-derived guessed extension rather than the client-supplied filename extension. Applications that accept user uploads, rely on `ext_in` for extension allow-listing, persist files under their original client filename inside a web-accessible directory, and permit PHP execution in that directory can be coerced into writing and executing attacker-controlled PHP. No public exploit identified at time of analysis, though the patch commit and tests publicly demonstrate the bypass technique (a polyglot file named `shell.php` carrying GIF magic bytes).
Remote code execution in Apache CXF versions 4.2.0 through 4.2.1 and all versions prior to 4.1.7 can occur when untrusted users are permitted to configure JMS transport, representing a third attempt to fully address the original advisory CVE-2026-44417. With no public exploit identified at time of analysis and an EPSS score of 0.04%, near-term mass exploitation appears unlikely, but the SSVC technical impact is rated total and the flaw is deemed automatable once weaponized.
Local privilege escalation in Check Point Identity Agent Full for Windows allows an authenticated local user to execute arbitrary code with SYSTEM privileges through improper executable resolution during the log collection process. The flaw is a classic CWE-427 uncontrolled search path issue, and no public exploit has been identified at time of analysis. Exploitation is constrained to attackers who already have a foothold on the endpoint but provides a reliable path to full SYSTEM compromise.
Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied strings passed through `opts.name` or `opts.uri` into the `zipHardhat`/`zipFoundry` helpers to break out of string literals inside generated Hardhat and Foundry test scaffolding, leading to arbitrary code execution on the developer's machine when `npm test` or `forge test` is run. No public exploit is identified at time of analysis, but a vendor advisory and patched commit are public via GitHub Security Advisory GHSA-4x76-22x2-rx8v.
Local arbitrary code execution in PDM (Python Development Master) versions <= 2.26.9 allows attacker-controlled repositories to execute Python code under the invoking user's privileges when any pdm command (even `pdm --version`) is run inside a malicious checkout. The root cause is implicit loading of project-local `.pdm-plugins` via `site.addsitedir()`, which processes `.pth` files containing executable `import` statements before CLI parsing. Publicly available exploit code exists in the advisory PoC, and CWE-94 code injection is confirmed; no public exploit identified at time of analysis as actively used in the wild.
Improper input validation in free5GC UDR (versions <= 1.4.3) allows any actor with network access to the UDR Service Based Interface to inject arbitrary non-3GPP-compliant identifiers into the EE subscription data path, causing persistent database pollution of the UDR subscriber data store. The flaw originates from a catch-all regex branch (`|.+`) in `HandleCreateEeSubscriptions` and `HandleQueryeesubscriptions` within `api_datarepository.go` that nullifies all preceding format-specific checks for IMSI, NAI, MSISDN, EXTID, GCI, and GLI identifiers. A publicly available proof-of-concept - published in the GHSA advisory - confirms that attacker-controlled `ueId` strings are accepted with HTTP 201, persisted, and retrievable via HTTP 200, demonstrating a fully exploitable integrity violation with no patch available at time of analysis.
Remote code execution in UpdraftPlus: WP Backup & Migration Plugin for WordPress (versions ≤1.26.4) allows unauthenticated attackers to forge RPC commands as the connected administrator by bypassing signature verification in the UpdraftPlus_Remote_Communications_V2::wp_loaded handler. A flaw in how unchecked decryption return values are handled collapses the encryption key to an all-zero value, enabling arbitrary plugin upload and activation. No public exploit identified at time of analysis, but the plugin's massive WordPress install base and trivial post-bypass impact make this a high-priority patch.
Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated attackers to trigger unsafe deserialization by sending crafted paginated GraphQL queries against Connection-type fields. Exploitation requires that the application expose a paginated (Connection) field and that the classpath contains gadget classes leveraged during deserialization. No public exploit identified at time of analysis; EPSS sits at 0.34% (57th percentile) and the issue is not in CISA KEV, but a vendor patch is available.
Arbitrary code execution in Dulwich (pure-Python Git implementation) versions 0.23.2 through 1.2.4 allows a malicious upstream repository to drop executable files into a victim's .git/hooks/ directory during a recursive clone or submodule update. When the victim subsequently runs any git or dulwich command that invokes the planted hook, the attacker's code executes with the victim's privileges. No public exploit identified at time of analysis, though the technique mirrors the well-documented upstream Git flaws CVE-2024-32002 and CVE-2024-32004.
Arbitrary code execution in GIMP via malicious HDR (High Dynamic Range) image files allows attackers to run code in the context of the user opening the file. The flaw is a heap-based buffer overflow (CWE-122) in the HDR parser, requiring the victim to open a crafted file or visit a malicious page that delivers one. No public exploit identified at time of analysis, but the vulnerability was reported through ZDI (ZDI-CAN-28618) indicating verified researcher analysis.
Arbitrary file clobber in PDM (Python Development Master) below version 2.27.0 allows an attacker who controls a cloned project repository to overwrite files outside the repository root by planting symlinks at project-local config paths (pdm.toml, .pdm-python, .python-version) that PDM writes to without symlink protection. When a developer runs any PDM command triggering a project-local config write against the malicious checkout, the tool follows the symlink and overwrites the target with attacker-influenced content - up to arbitrary file corruption relative to the invoking user's privileges. A working proof-of-concept is included in the GitHub security advisory GHSA-ghq2-5c67-fprm; no active exploitation is confirmed in CISA KEV at time of analysis.
Root command injection in dracut's legacy DHCP path allows adjacent-network attackers to execute arbitrary commands inside the initramfs by sending crafted DHCP options (e.g., malicious hostname) that are written unescaped into temporary shell scripts. The flaw affects Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and OpenShift Container Platform 4, granting full system compromise during early boot. No public exploit identified at time of analysis, and EPSS is low (0.16%, 36th percentile), but SSVC rates technical impact as total.
Malicious MCP server configuration injection via pull requests enables remote code execution on GitHub Actions runners running anthropics/claude-code-action versions prior to 1.0.74. The action's combination of checking out attacker-controlled PR head branches, reading `.mcp.json` from the working directory by default, and unconditionally enabling all discovered project MCP servers creates a poisoned pipeline execution path - an attacker who can open a PR can plant a malicious `.mcp.json` that executes arbitrary commands once a privileged user or automated trigger invokes the Claude action against that PR. Successful exploitation results in full secret exfiltration from the workflow environment, including API keys and tokens accessible to the runner. No public exploit identified at time of analysis; the fix was disclosed via GitHub Security Advisory GHSA-8q5r-mmjf-575q and patched in version 1.0.74.
Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privileged authenticated user (without 'admin' or 'power' roles) to execute arbitrary Python on the server by abusing unsafe jsonpickle deserialization of App Key Value Store (KV Store) data. CVSS is 8.8 (network, low complexity, low privileges) and the issue is currently rated as no public exploit identified at time of analysis. The flaw is reported by Cisco and disclosed via Splunk advisory SVD-2026-0601.
Server-side template injection in Apache OFBiz before 24.09.07 allows authenticated users holding Content or DataResource editing privileges to inject template code that is rendered by the framework, resulting in remote code execution on the application server. The flaw is rated CVSS 8.8 with publicly available exploit code exists via the oss-security disclosure thread, though EPSS sits at 0.09% (26th percentile), indicating broad opportunistic exploitation has not yet been observed. Apache has shipped a fix in 24.09.07 and recommends immediate upgrade.
Privilege escalation in Lenovo Smart Connect for Windows allows a local authenticated user to bypass authentication checks and execute arbitrary code with elevated privileges. The flaw stems from an authentication bypass weakness (CWE-290) in the Windows client and carries a CVSS 4.0 score of 7.3. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation in Lenovo's LanSchool Classic client application allows authenticated users on affected endpoints to execute arbitrary code with elevated privileges via an uncontrolled search path (CWE-427). The flaw carries a CVSS 4.0 score of 8.5 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because LanSchool Classic is widely deployed in K-12 and education environments, exploitation could let a student or low-privileged user gain SYSTEM-level control of managed classroom devices.
Local privilege escalation in Lenovo Accessories and Display Manager for Enterprise on Windows allows an authenticated low-privileged user to execute arbitrary code with elevated privileges, per a Lenovo-disclosed internal finding (LEN-213623). The CVSS 4.0 base score of 8.5 reflects high impact to confidentiality, integrity, and availability of the vulnerable system, though no public exploit identified at time of analysis. The CWE-306 (Missing Authentication for Critical Function) classification combined with the 'Authentication Bypass' tag suggests a privileged operation in the product is reachable without proper access checks.
Remote code execution in Roxy-WI versions 8.2.6.4 and prior allows authenticated low-privilege users (role ≤ 3) to inject arbitrary HAProxy directives via unvalidated JSON option fields in the HAProxy section-save API endpoints, achieving command execution as the haproxy user on every managed load balancer. No public exploit has been identified at time of analysis, but the attack is straightforward given the documented injection path through the section.j2, global.j2, and defaults.j2 Ansible templates, and no vendor-released patch is available.
Authenticated remote code execution in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) allows attackers with permission to submit config.xml to trigger deserialization of arbitrary core or plugin types that subsequently handle HTTP requests, enabling user impersonation, Script Console abuse, and arbitrary file reads from the controller. The flaw is tracked as a CWE-502 unsafe deserialization issue with a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). No public exploit identified at time of analysis, but the vendor (Jenkins project) has issued a coordinated advisory and patched releases.
Arbitrary file write in NSA's Ghidra reverse-engineering framework before version 12.0.4 allows attackers to escape the theme directory via Zip Slip path traversal sequences in malicious theme ZIP archives, leading to code execution or credential compromise. The flaw requires user interaction (importing the booby-trapped theme) and is exploited locally against the user running Ghidra. No public exploit identified at time of analysis, though the technique (Zip Slip) is well-documented and trivially reproducible.
Arbitrary file write in NSA Ghidra versions prior to 12.0.2 allows local attackers to achieve code execution by tricking a user into installing a malicious extension archive. The extension installer fails to sanitize ZIP entry names, enabling classic Zip Slip path traversal that writes files outside the intended extension directory. No public exploit identified at time of analysis, though the technique is well-documented and trivially reproducible.
Remote code execution in NSA Ghidra before version 12.1 allows attackers to execute arbitrary commands when a user opens a malicious shared-project file containing a ghidra:// URL, triggering unsafe Java deserialization in the client-side Shared-Project RMI connection code. Exploitation leverages a Jython 2.7.4 gadget chain and requires only user interaction (opening the crafted project), with no authentication needed. No public exploit identified at time of analysis, though VulnCheck has published an advisory describing the flaw.
Insecure deserialization in Broadcom Layer 7 API Gateway 11.2.1 exposes organizations to remote code execution or broken security control enforcement when an adversary can intercept and tamper with traffic between a client application and the gateway. The CVSS 4.0 vector assigns High subsequent-system confidentiality impact (SC:H), reflecting the gateway's privileged position as a broker to downstream backend services - meaning a successful exploit can cascade beyond the gateway itself. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the RCE potential and architectural sensitivity of an API gateway make this a meaningful priority for affected deployments.
Cross-site scripting in Spring Security's SAML 2.0 relying party support allows an attacker who can influence RelyingPartyRegistration values to inject malicious content into HTML forms generated by Spring Security filters, potentially leading to script execution in a victim's browser. The advisory and tagging characterize this as an XSS issue with possible code-execution implications in the browser context, affecting Spring Security 5.7.x through 7.0.x prior to the fixed maintenance releases. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Veeam Backup & Replication enables an authenticated domain user to execute arbitrary code on the Backup Server, with CVSS 4.0 score of 9.4 reflecting high impact across confidentiality, integrity, and availability of both the vulnerable component and downstream systems. The vulnerability is tagged as a deserialization flaw (CWE-502), and while no public exploit is identified at time of analysis, the low attack complexity and only-low-privilege requirement make this a high-priority patching event for any environment running Veeam in a domain-joined configuration.
Authenticated remote code execution in Pheditor 2.0.1-2.0.3 lets any logged-in user with the default terminal permission bypass the TERMINAL_COMMANDS whitelist by injecting shell metacharacters into the unsanitized 'dir' POST parameter of pheditor.php, achieving full command execution as the web server user. Publicly available exploit code exists in the GitHub Security Advisory PoC, and the upstream commit confirms the root cause is missing escapeshellarg() on $dir before concatenation into shell_exec().
Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9394 and earlier allows unauthenticated network attackers to execute arbitrary code in the context of the current user with no user interaction required. The flaw stems from an Incorrect Authorization weakness (CWE-863) and carries the maximum CVSS 3.1 base score of 10.0 with changed scope, indicating impact beyond the vulnerable component. No public exploit identified at time of analysis, though the perfect CVSS score and authentication-bypass characteristics make this a high-priority patch for any organization running ACC for marketing automation.
Arbitrary code execution in Adobe Format Plugins 1.1.2 and earlier occurs through a heap-based buffer overflow that executes in the current user's security context when a victim opens a maliciously crafted file. The flaw was reported by Adobe PSIRT and carries a CVSS 7.8 (high) score, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, suggesting it is currently a patching priority rather than an active incident.
Arbitrary code execution in Adobe Format Plugins versions 1.1.2 and earlier occurs via a heap-based buffer overflow triggered when a victim opens a malicious file. Exploitation runs in the context of the current user and requires user interaction, with no public exploit identified at time of analysis. The flaw is addressed in Adobe Security Bulletin APSB26-65.
Server-side request forgery in Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier escalates to arbitrary code execution in the context of the current user, with a maximum CVSS 10.0 reflecting unauthenticated network exploitation and scope change. No public exploit identified at time of analysis, but the vendor advisory APSB26-66 confirms the flaw and the trivial attack complexity (AC:L) combined with PR:N and UI:N makes ACC instances reachable from untrusted networks an urgent patch target. The scope change (S:C) indicates the SSRF pivots beyond the originating component, enabling reach into adjacent backend services typically isolated from external callers.
Arbitrary code execution in Adobe ColdFusion 2023 (through update 19) and 2025 (through update 8) lets an attacker who already holds high-privilege access run code in the context of the current user without any user interaction. The flaw stems from improper input validation (CWE-20) and carries a scope-changed CVSS 9.1, meaning impact can extend beyond the vulnerable component. There is no public exploit identified at time of analysis, EPSS is low (0.04%), and CISA SSVC currently rates exploitation as none, so this is a high-severity but not-yet-exploited issue requiring proactive patching.
Privilege escalation and arbitrary code execution in Adobe ColdFusion 2023 (Update 17 and earlier) and 2025 (Update 8 and earlier) allows a high-privileged remote attacker to bypass authorization controls and execute code in the context of the current user. The flaw is a CWE-863 incorrect-authorization issue with a scope change, raising CVSS to 9.1, but no public exploit identified at time of analysis and EPSS is low (0.02%, 6th percentile). Adobe disclosed the issue via APSB26-64 and a vendor patch is available.
Remote code execution in Adobe ColdFusion 2023 (Update 17 and earlier) and ColdFusion 2025 (Update 8 and earlier) allows unauthenticated network attackers to execute arbitrary code in the context of the current user without any user interaction, with a scope change extending impact beyond the vulnerable component. The flaw stems from improper input validation (CWE-20) and carries a maximum CVSS 3.1 score of 10.0, though EPSS exploitation probability is currently only 0.04% (11th percentile) and SSVC reports no observed exploitation. No public exploit identified at time of analysis.
Arbitrary code execution in Adobe Acrobat Reader 24.001.30365, 26.001.21651 and earlier arises from an uncontrolled search path element (CWE-427), enabling a local attacker to run code in the current user's context when a victim opens a malicious file. No public exploit identified at time of analysis, EPSS is very low (0.03%), and CISA SSVC marks exploitation as 'none' with total technical impact. Adobe has released a fix via security bulletin APSB26-63.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651, and earlier) occurs when a victim opens a maliciously crafted PDF, triggering a use-after-free memory corruption that lets the attacker run code with the privileges of the logged-on user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; however, Acrobat Reader is a perennial target for phishing-delivered malware, making patching a near-term priority. Adobe has issued APSB26-63 with fixed builds.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651, and earlier) is triggered when a user opens a malicious PDF, exploiting a Use-After-Free memory corruption flaw to run code as the current user. No public exploit identified at time of analysis, and EPSS data was not provided, but the high CVSS of 7.8 combined with Reader's massive install base makes this a routine patch priority. Vendor (Adobe) issued advisory APSB26-63 with corrective updates.
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier results from a use-after-free memory corruption bug (CWE-416) triggered when a victim opens a malicious PDF. Code runs in the security context of the current user, making this a credible client-side initial-access vector via phishing or drive-by document delivery. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Heap-based buffer overflow in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier enables arbitrary code execution in the context of the logged-in user when a victim opens a maliciously crafted document. No public exploit has been identified at time of analysis, but the high CVSS of 7.8 reflects severe local impact, and Acrobat Reader's massive install base makes it a perennial phishing target. Exploitation requires user interaction, which moderates urgency relative to zero-click flaws but does not eliminate risk in document-heavy enterprise environments.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) is possible when a victim opens a maliciously crafted PDF, triggering a use-after-free memory corruption flaw. Code runs with the privileges of the current user, and no public exploit identified at time of analysis, though Adobe has released APSB26-63 as the corresponding advisory.
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier is possible when a victim opens a maliciously crafted file that triggers a use-after-free in the document parser. The flaw runs code in the context of the logged-in user and carries a CVSS 7.8 (High) score, but requires user interaction; no public exploit identified at time of analysis and EPSS data is not provided in the input.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651, and earlier) is possible when a victim opens a maliciously crafted document, triggering a use-after-free condition in the renderer. The flaw runs code in the context of the current user and has no public exploit identified at time of analysis, though Adobe issued advisory APSB26-63 confirming the vulnerability class and affected versions.
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier occurs through a use-after-free flaw triggered when a victim opens a maliciously crafted PDF document. Code executes in the context of the current user, making this a classic client-side document exploit vector. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) is possible when a victim opens a maliciously crafted PDF that triggers a use-after-free condition in the parser. Exploitation runs at the privilege of the user opening the file, and no public exploit identified at time of analysis. CVSS 7.8 reflects the local attack vector and required user interaction, but Reader's massive install base makes this a high-value target for phishing-driven campaigns.
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier stems from a Use After Free condition (CWE-416) that triggers when a victim opens a malicious PDF, yielding execution in the context of the current user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the file-opening attack pattern is a perennial favorite in phishing and document-borne campaigns targeting Acrobat. Adobe has shipped fixed builds under advisory APSB26-63.
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier occurs through a use-after-free condition triggered by opening a malicious PDF document. Successful exploitation runs code in the context of the current user, but no public exploit identified at time of analysis and the issue requires user interaction to open the crafted file.
Arbitrary code execution in Adobe Acrobat Reader 24.001.30365, 26.001.21651, and earlier versions occurs through a use-after-free condition triggered when a victim opens a malicious PDF file. Successful exploitation runs attacker-supplied code with the privileges of the current user, making this a viable phishing and drive-by document attack vector. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) occurs via a stack-based buffer overflow triggered when a victim opens a malicious PDF. Successful exploitation runs attacker code in the context of the current user, making this a viable initial-access vector through phishing or drive-by document delivery. No public exploit identified at time of analysis, but the bug class (CWE-121) and Acrobat's broad install base historically attract weaponization quickly after disclosure.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) is possible when a victim opens a malicious PDF file that triggers an out-of-bounds write condition. The flaw executes code in the context of the logged-in user, and while no public exploit identified at time of analysis, the CVSS 7.8 rating reflects high impact across confidentiality, integrity, and availability. Adobe has published advisory APSB26-63 with a fix.
Arbitrary code execution in Adobe Dreamweaver Desktop 21.7 and earlier stems from a vulnerable third-party component bundled with the application, allowing an attacker to run code in the context of the user who opens a malicious file. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the changed-scope CVSS of 8.6 reflects the potential for the embedded component flaw to break out of Dreamweaver's security boundary.
Arbitrary code execution in Adobe Dreamweaver Desktop versions 21.7 and earlier allows attackers to run code in the context of the current user when a victim opens a malicious file. The flaw stems from access of an uninitialized pointer (CWE-824) and is tracked under Adobe advisory APSB26-62. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Heap-based buffer overflow in SQLite's FTS5 full-text search extension (versions before 3.53.2) allows attackers to crash the process or execute arbitrary code by supplying a malicious database file that triggers an integer underflow in fts5ChunkIterate() during MATCH query processing. The flaw affects any application compiled with SQLITE_ENABLE_FTS5 that opens an attacker-supplied database and runs an FTS5 query against it; no public exploit identified at time of analysis, though VulnCheck has published an advisory.
Arbitrary code execution in Adobe Substance3D Sampler 6.0.0 and earlier occurs when a user opens a maliciously crafted asset file that triggers an out-of-bounds write in the application's parsing logic. Exploitation runs in the context of the logged-in user and requires user interaction to open the file; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Arbitrary code execution in Adobe Substance3D Sampler versions 6.0.0 and earlier occurs through an out-of-bounds write triggered when a user opens a maliciously crafted file. The flaw executes code in the context of the current user and requires victim interaction, with no public exploit identified at time of analysis and no CISA KEV listing.
Arbitrary code execution in Adobe Substance3D Sampler versions 6.0.0 and earlier occurs when a victim opens a maliciously crafted file, triggering an out-of-bounds write (CWE-787) in the application's file parser. Exploitation runs in the context of the current user and no public exploit identified at time of analysis, though the high CVSS of 7.8 reflects the full local impact triad once a user is socially engineered into opening the file.
Arbitrary code execution in Adobe Substance3D Sampler 6.0.0 and earlier occurs when a user opens a maliciously crafted 3D asset file, triggering an out-of-bounds write that runs attacker code with the current user's privileges. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the local attack vector combined with high impact and required user interaction makes this a classic targeted-phishing/social-engineering risk against artists and 3D designers.
Memory corruption in SQLite versions before 3.53.2 enables attackers to crash processes, exhaust memory, or potentially execute arbitrary code by supplying a crafted database that triggers flaws in the FTS5 full-text search extension when a MATCH query runs. The CVSS 4.0 vector indicates local attack vector with passive user interaction required, and no public exploit identified at time of analysis. Reported by VulnCheck with patches already merged upstream.
Arbitrary code execution in Adobe InCopy versions 21.3, 20.5.3 and earlier occurs when a user opens a maliciously crafted document that triggers a heap-based buffer overflow (CWE-122). Successful exploitation runs attacker code in the security context of the current user, making this a credible vector for endpoint compromise via social engineering. No public exploit identified at time of analysis, and the CVE is not on the CISA KEV list.
Arbitrary code execution in Adobe InCopy 21.3, 20.5.3, and earlier allows attackers to run code as the current user when a victim opens a maliciously crafted file. The flaw stems from an out-of-bounds write (CWE-787) in file parsing logic, carries a CVSS 7.8 (local, user-interaction required), and has no public exploit identified at time of analysis. Adobe published advisory APSB26-59 addressing the issue.
Stack-based buffer overflow in Adobe InCopy 21.3, 20.5.3 and earlier enables arbitrary code execution in the context of the logged-in user when a victim opens a maliciously crafted document. The flaw is locally exploitable via file-format parsing and requires user interaction, with no public exploit identified at time of analysis. CVSS 7.8 reflects high impact on confidentiality, integrity, and availability but constrained reachability through the document-open vector.
Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier occurs through a heap-based buffer overflow triggered when a victim opens a maliciously crafted file. The flaw runs code in the security context of the current user and requires user interaction, with no public exploit identified at time of analysis. Adobe has published advisory APSB26-58 addressing the issue.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs when a user opens a maliciously crafted document, triggering a stack-based buffer overflow (CWE-121) that runs attacker code in the context of the current user. Adobe issued advisory APSB26-58 for this issue; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier occurs through an out-of-bounds write triggered when a user opens a maliciously crafted document, allowing attacker code to run with the privileges of the current user. The flaw carries a CVSS 7.8 (High) rating, requires victim interaction, and no public exploit identified at time of analysis.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier stems from a use-after-free condition triggered when a user opens a maliciously crafted document, allowing an attacker to run code with the privileges of the logged-in user. The flaw is reported by Adobe with a CVSS 3.1 base score of 7.8 and tagged for RCE, denial of service, and memory corruption, but there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs via a heap-based buffer overflow (CWE-122) triggered when a victim opens a maliciously crafted document file. The flaw runs code in the context of the current user and requires user interaction, with no public exploit identified at time of analysis. Adobe published advisory APSB26-58 addressing the issue.
Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier is possible when a user opens a maliciously crafted document, triggering a heap-based buffer overflow. The flaw runs code in the context of the logged-in user and was reported by Adobe; no public exploit identified at time of analysis and EPSS data is not provided.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow triggered when a victim opens a malicious document file. Exploitation runs in the context of the current user and requires user interaction, with no public exploit identified at time of analysis. The issue was reported by Adobe and addressed in security bulletin APSB26-58.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier allows attackers to run code as the logged-in user when a victim opens a maliciously crafted document file. The flaw is an out-of-bounds write (CWE-787) memory corruption issue requiring user interaction, and no public exploit has been identified at time of analysis.
Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow triggered when a user opens a malicious document. Successful exploitation runs attacker-controlled code in the context of the current user, but requires social engineering since the attack vector is local and user interaction is mandatory. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Hermes WebUI versions prior to 0.51.311 allows authenticated attackers to run arbitrary host commands by planting malicious Git configuration in a workspace repository's .git/config file. The Python backend in api/workspace_git.py invokes Git subprocesses (status, fetch) without hardening, so repo-local directives like core.fsmonitor, protocol.ext.allow, credential.helper, core.askPass, core.gitProxy, or inherited GIT_SSH_COMMAND turn read-only operations into command execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the vendor advisory and a VulnCheck disclosure (assigned via disclosure@vulncheck.com) confirm the bug and the corresponding fix.
Local privilege elevation in Microsoft Visual Studio Code allows an unprivileged attacker to gain higher privileges on a host by tricking a user into triggering inclusion of functionality from an untrusted control sphere (CWE-94 code injection class). The flaw requires user interaction and local access per the CVSS vector (AV:L/UI:R), yielding full confidentiality, integrity, and availability impact at CVSS 7.8. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Microsoft Exchange Server allows an unauthenticated network-based attacker to execute arbitrary code on the mail server through code injection, though successful exploitation requires user interaction and faces high attack complexity. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The vulnerability is rated CVSS 7.5 with full confidentiality, integrity, and availability impact on a compromised Exchange host.
Heap-based buffer overflow in NVIDIA DALI enables local authenticated attackers to achieve code execution, data tampering, denial of service, or information disclosure when a victim user interacts with attacker-supplied input. The flaw affects the Data Loading Library used in GPU-accelerated deep learning data pipelines and carries a CVSS 3.1 score of 7.3 (High). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution and data tampering in NVIDIA DALI (Data Loading Library) is possible when a low-privileged user is tricked into processing attacker-controlled input through a component that performs improper index validation (CWE-129). The CVSS 7.3 vector (AV:L/AC:L/PR:L/UI:R) indicates local access, low privileges, and user interaction are required, with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Code injection in NETGEAR RBE97x routers (firmware prior to V9.12.4.9) enables authenticated administrators on the local network to make unauthorized modifications to router software and functionality beyond their sanctioned scope. The vulnerability stems from insufficient input validation (CWE-94), where administrator-supplied input is not properly sanitized before being processed, potentially allowing execution of injected code. No public exploit exists and CISA SSVC classifies exploitation status as 'none', making this a low-urgency but valid integrity risk for environments where shared or compromised admin accounts are a concern.
Local privilege escalation in Waves Central for macOS (13.0.9 through 16.5.5) allows an unprivileged local user to gain root code execution by exploiting a time-of-check/time-of-use race in the privileged helper's XPC client validation. The helper trusts the connecting process's PID to verify code-signing identity, but PID reuse permits an attacker-controlled process to masquerade as a legitimate Waves client. SSVC reports a public proof-of-concept exists; the issue is not listed in CISA KEV.