Skip to main content

RCE

31873 CVEs technique

Monthly

CVE-2026-0414 MEDIUM PATCH This Month

Code injection in NETGEAR RBE97x routers (firmware prior to V9.12.4.9) enables authenticated administrators on the local network to make unauthorized modifications to router software and functionality beyond their sanctioned scope. The vulnerability stems from insufficient input validation (CWE-94), where administrator-supplied input is not properly sanitized before being processed, potentially allowing execution of injected code. No public exploit exists and CISA SSVC classifies exploitation status as 'none', making this a low-urgency but valid integrity risk for environments where shared or compromised admin accounts are a concern.

Code Injection Netgear RCE Rbe97X
NVD VulDB
CVSS 4.0
4.3
EPSS
0.0%
CVE-2026-24065 HIGH This Week

Local privilege escalation in Waves Central for macOS (13.0.9 through 16.5.5) allows an unprivileged local user to gain root code execution by exploiting a time-of-check/time-of-use race in the privileged helper's XPC client validation. The helper trusts the connecting process's PID to verify code-signing identity, but PID reuse permits an attacker-controlled process to masquerade as a legitimate Waves client. SSVC reports a public proof-of-concept exists; the issue is not listed in CISA KEV.

Apple Privilege Escalation RCE
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-24064 HIGH This Week

Local privilege escalation in Waves Central for macOS versions 13.0.9 through 16.5.5 allows an unprivileged user to gain root code execution by injecting a malicious dylib into a trusted XPC client process via DYLD_INSERT_LIBRARIES. The injected code then abuses the product's privileged helper service to perform operations as root. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%), consistent with a local-only macOS desktop attack surface.

Apple RCE Privilege Escalation Waves Central
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-10520 CRITICAL POC KEV THREAT NEWS Emergency

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to achieve root-level command execution via OS command injection. With a maximum CVSS score of 10.0 and a network-accessible, no-interaction attack vector, this represents a critical exposure for any internet-facing Sentry appliance, though no public exploit has been identified at time of analysis.

RCE Ivanti Command Injection Sentry
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.2%
Threat
6.0
CVE-2026-47900 MEDIUM This Month

Stored XSS in Logseq's plugin subsystem escalates to arbitrary code execution within the privileged Electron host context due to unsanitized innerHTML rendering of plugin metadata. When a user installs a malicious plugin whose package.json 'name' field contains a JavaScript payload, the payload executes with Electron's elevated privileges - a context in which Node.js APIs are accessible, making the effective impact closer to local code execution than a conventional browser-scoped XSS. Reported by CERT-PL, version v0.10.15 is confirmed vulnerable, no patch exists, and no public exploit has been identified at time of analysis.

XSS RCE Logseq
NVD
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-9279 HIGH This Week

Command injection in Logseq desktop application enables remote code execution via shell metacharacter abuse in IPC-exposed command arguments. An attacker with JavaScript execution in the renderer process (through XSS or a malicious plugin) can bypass the command allowlist because arguments are concatenated and passed to child_process.spawn with shell:true, granting arbitrary OS command execution at the privileges of the Logseq process. No public exploit identified at time of analysis, but the issue was reported by CERT-PL and remains unpatched in versions beyond the tested v0.10.15.

XSS RCE Command Injection Logseq
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2017-20251 CRITICAL POC PATCH Monitor

WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE PHP WordPress Code Injection
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-49740 PHP MEDIUM PATCH GHSA This Month

PHP Object Injection in TYPO3 CMS's cache frontend (VariableFrontend) and persistent key-value store (Registry) exposes TYPO3 installations to potential Remote Code Execution when an attacker controls write access to the underlying storage layer. The root cause is bare PHP `unserialize()` calls on storage-retrieved data without HMAC integrity validation or class allowlists, meaning attacker-controlled data in the `sys_registry` table or cache backend can trigger deserialization of crafted PHP objects through a gadget chain. No public exploit has been identified at time of analysis and no CISA KEV listing exists; however, the CVSS 4.0 Subsequent impact scores (SC:H/SI:H/SA:H) confirm that successful exploitation yields full system-level impact despite the local access prerequisite.

PHP Deserialization RCE
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2025-40808 MEDIUM CISA This Month

Unrestricted file upload via the DIGSI 5 engineering protocol in Siemens SIPROTEC 5 protective relays enables authenticated, high-privileged users on an adjacent network to upload malicious configuration files, causing denial of service or potentially achieving code execution on the affected device. All hardware variants (CP050/CP100/CP150/CP200/CP300) across more than 60 distinct SIPROTEC 5 model lines are affected, with no patched firmware version available. No public exploit identified at time of analysis, but the presence of RCE and DoS tags alongside a confirmed CWE-434 root cause makes this a meaningful operational technology (OT) risk in poorly segmented substation environments.

Denial Of Service File Upload RCE Siprotec 5 6Md84 Cp300 Siprotec 5 6Md85 Cp200 +59
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-8365 HIGH This Week

Authenticated PHP Object Injection in the Blocksy WordPress theme (versions ≤ 2.1.35) allows contributor-level users to escalate to remote code execution by storing a malicious serialized object in post meta that is later deserialized during the V200 database migration. Wordfence-reported flaw chains weak input sanitization in blocksy_sanitize_post_meta_options() with an unconditional @unserialize() call in SearchReplacer::run_recursively(), triggering RaiiPattern::__destruct() to invoke arbitrary callables via call_user_func(). No public exploit identified at time of analysis, but the low-privilege requirement and high impact make this a meaningful priority for sites running upgraded Blocksy installations.

PHP Deserialization WordPress RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-5067 CRITICAL Act Now

Remote code execution and denial of service in Zephyr RTOS HTTP server (versions 3.7.0 through 4.3.0) allow unauthenticated network attackers to corrupt stack memory by sending a crafted Sec-WebSocket-Key header during WebSocket upgrade. The flaw is a CWE-170 improper NUL-termination issue where a bounded copy fails to terminate the header buffer, causing strlen() and subsequent concatenation to read and write past stack bounds. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivially reachable attack surface make this a high-priority issue for any Zephyr deployment with CONFIG_HTTP_SERVER_WEBSOCKET enabled.

Denial Of Service Buffer Overflow RCE Zephyr
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-8499 MEDIUM This Month

Unauthenticated settings manipulation in Helpfulcrowd Product Reviews plugin for WordPress (versions up to and including 1.2.9) allows any remote attacker to overwrite arbitrary plugin configuration values in the WordPress database. The vulnerability stems from a PHP type juggling flaw in the token validation function combined with an openly accessible REST endpoint registered with `__return_true` as its permission callback. By submitting a JSON boolean `true` as the token value, an attacker bypasses the loose-comparison check (`!=`) in `helpfulcrowd_validate_token()` and gains full write access to the `helpfulcrowd_options` database option with no sanitization or allowlist enforcement. No public exploit or CISA KEV listing is identified at time of analysis.

PHP Memory Corruption WordPress RCE
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-9662 HIGH This Week

Local File Inclusion in the Recover Exit For WooCommerce WordPress plugin (versions up to and including 1.0.3) allows remote unauthenticated attackers to include arbitrary local PHP files via the unsanitized `tpf` POST parameter passed to `include()` in the `recover_exit()` function. Successful exploitation can disclose sensitive files such as `wp-config.php` and, when combined with file upload primitives or log poisoning, escalate to remote code execution. No public exploit identified at time of analysis, though the vulnerable sink is documented in the plugin source on plugins.trac.wordpress.org.

Information Disclosure WordPress Path Traversal PHP RCE +2
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-11694 HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome versions prior to 149.0.7827.103 allows attackers who have already compromised the renderer process to execute arbitrary code via a crafted HTML page that triggers a use-after-free in the ServiceWorker component. Rated High severity by Chromium with a CVSS 7.5, the flaw requires user interaction (visiting a malicious page) and a pre-existing renderer compromise, and no public exploit has been identified at time of analysis. The vendor has released a patched Stable channel update.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-11690 HIGH PATCH This Week

Sandbox-confined arbitrary code execution in Google Chrome on macOS versions prior to 149.0.7827.103 stems from an out-of-bounds read and write in the Media component, exploitable by a remote attacker who has already compromised the renderer process and lures a user to a crafted HTML page. Google rates the Chromium severity as High and has released a patched stable channel update; no public exploit identified at time of analysis, and SSVC reports no observed exploitation.

Information Disclosure Google Buffer Overflow RCE Red Hat +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-11688 HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome versions prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to visit a crafted HTML page that abuses an inappropriate SVG implementation. Google rates the underlying Chromium issue as High severity, and no public exploit identified at time of analysis, though the user-interaction requirement (UI:R) and high CVSS of 8.8 make this a meaningful drive-by browsing risk once a patch is reverse-engineered.

Code Injection Google RCE Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11683 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 allows attackers to execute arbitrary code within the browser sandbox by luring users to a malicious HTML page that triggers a use-after-free in the WebCodecs component. Chromium rates this as High severity with a CVSS score of 8.8, and while a vendor patch is available, no public exploit has been identified at time of analysis. Exploitation requires user interaction (visiting a crafted page), which moderates real-world risk somewhat but still places this in the high-priority browser-patching tier.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11680 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to 149.0.7827.103 allows attackers to run arbitrary code inside the renderer sandbox when a victim visits a crafted HTML page, triggering a use-after-free condition in the Media component. The flaw carries a CVSS 8.8 (High) rating and is tagged by Chromium as High severity. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Google Memory Corruption RCE Use After Free Microsoft +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11674 HIGH PATCH This Week

Remote code execution in Google Chrome's Guest View component prior to version 149.0.7827.103 allows attackers to execute arbitrary code within the renderer sandbox by luring users to a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium with a CVSS of 8.8, and while no public exploit has been identified at time of analysis, Google has shipped a patched stable channel build. Exploitation requires user interaction (visiting a malicious page) and code execution is confined to the sandbox, meaning a sandbox escape would be needed for full host compromise.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11673 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free flaw in the InterestGroups component, enabling a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page. The vulnerability carries a CVSS 8.8 (High) score and is rated High severity by Chromium, but no public exploit identified at time of analysis and SSVC indicates exploitation status of none. Attack requires user interaction (visiting a malicious page) but no authentication.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11670 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free flaw in the PDF component, enabling a remote attacker who lures a user into opening a crafted PDF to execute arbitrary code within the renderer sandbox. Rated High by Chromium with CVSS 8.8, the issue requires user interaction but no authentication, and currently has no public exploit identified at time of analysis.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11662 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw stems from a type confusion bug in Chromium's Bindings layer (CWE-843), rated High severity by Chromium and CVSS 8.8 due to network-based exploitation requiring only user interaction. No public exploit identified at time of analysis and EPSS data was not provided, but Chromium V8/bindings issues historically attract exploit development.

Google Memory Corruption RCE Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11657 HIGH PATCH This Week

Remote code execution in Google Chrome on macOS prior to version 149.0.7827.103 stems from a use-after-free flaw in the Payments component, allowing a remote attacker to run arbitrary code in the renderer process via a crafted HTML page. The issue carries a CVSS 8.8 (High) rating and was reported through Google's internal Chrome security process; no public exploit identified at time of analysis. Exploitation requires the victim to load attacker-controlled web content (UI:R), but no authentication or special privileges are needed.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11651 CRITICAL PATCH Act Now

Remote code execution in Google Chrome's Network component before version 149.0.7827.103 allows a remote attacker to execute arbitrary code within the renderer sandbox by luring a user to a crafted HTML page. The flaw is a use-after-free (CWE-416) classified High severity by Chromium with a CVSS 9.6 due to scope change and user-interaction prerequisite. No public exploit identified at time of analysis, but a vendor patch is already shipped via the Stable channel update.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-11650 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.103 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to visit a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium and carries a CVSS 8.8 score; no public exploit identified at time of analysis, but V8 UAF bugs are historically high-value targets for exploit chains.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11649 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.103 allows attackers to execute arbitrary code within the renderer sandbox by luring a user to a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium, with a CVSS 8.8 score reflecting low attack complexity but requiring user interaction. No public exploit identified at time of analysis, though V8 use-after-frees historically attract rapid weaponization for browser exploit chains.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11646 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free condition in the ViewTransitions component, allowing a remote attacker to execute arbitrary code within the browser's renderer sandbox by serving a crafted HTML page. Google rates the Chromium security severity as High and a vendor patch is available, though no public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11645 HIGH POC KEV PATCH THREAT Act Now

Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development.

Information Disclosure Google Buffer Overflow RCE Red Hat +1
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
Threat
4.8
CVE-2026-11644 HIGH PATCH This Week

Use-after-free in the Views component of Google Chrome on Linux prior to 149.0.7827.103 allows remote attackers to execute arbitrary code by tricking a user into installing a crafted malicious extension. Chromium rates the underlying flaw Critical, though the NVD CVSS score of 7.5 reflects the high attack complexity and required user interaction. No public exploit identified at time of analysis.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-11643 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free condition in the Proxy component, enabling remote attackers to execute arbitrary code by delivering malicious network traffic. Chromium has rated this issue Critical severity, and while no public exploit is identified at the time of analysis, the network-reachable nature of the Proxy subsystem and Chrome's massive deployment footprint make this a high-priority browser patch. The CVSS 8.1 score reflects high attack complexity offset by no required privileges or user interaction.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-11641 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to 149.0.7827.103 can be triggered via a use-after-free flaw in the Bluetooth component, allowing a remote attacker to execute arbitrary code when a victim visits a crafted HTML page and performs specific UI gestures. Chromium rates the severity as Critical, though the CVSS 3.1 score of 7.5 reflects high attack complexity and required user interaction. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Google Memory Corruption RCE Use After Free Microsoft +3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-11639 HIGH PATCH This Week

Remote code execution in Google Chrome on macOS prior to version 149.0.7827.103 allows a remote attacker to exploit a use-after-free flaw in the Compositing component via a crafted HTML page. Google has rated the underlying Chromium security severity as Critical, and no public exploit identified at time of analysis, though the bug is patched in the latest stable channel. Successful exploitation requires user interaction (visiting a malicious page) and high attack complexity, which moderates real-world risk despite the high impact.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-11637 HIGH PATCH This Week

Remote code execution in Google Chrome on macOS prior to version 149.0.7827.103 stems from a use-after-free flaw in the Views UI component, enabling a remote attacker to run arbitrary code when a victim visits a crafted HTML page. Google rates the underlying Chromium severity as Critical, and a vendor patch is available; no public exploit identified at time of analysis. The CVSS 8.8 score reflects network-reachable exploitation with low complexity but requiring user interaction (visiting the malicious page).

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11633 HIGH PATCH This Week

Remote code execution in Google Chrome on macOS prior to 149.0.7827.103 stems from a use-after-free condition in the browser's Bluetooth subsystem, rated Critical by Chromium's internal severity scale and CVSS 8.8 by NVD. A remote attacker operating a malicious Bluetooth peripheral can trigger memory corruption to execute arbitrary code in the browser process after the victim performs minimal interaction. No public exploit identified at time of analysis, though Google has released a patched Stable channel build addressing the flaw.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11632 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free flaw in the TabStrip UI component, allowing remote attackers to execute arbitrary code when victims interact with a malicious HTML page via specific UI gestures. Google rates the Chromium severity as Critical, and a vendor-released patch is available; no public exploit has been identified at time of analysis. The high attack complexity (AC:H) and required user interaction (UI:R) constrain mass exploitation despite the severe technical impact.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-30141 CRITICAL Act Now

Remote code execution and denial-of-service in bitbank2 AnimatedGIF v2.2.0 arises from a buffer overflow in the DecodeLZW function when processing a crafted GIF file. SSVC data indicates a proof-of-concept exists and exploitation is automatable, though it is not listed in CISA KEV; with CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) the vulnerability is network-reachable wherever this library decodes attacker-supplied GIFs.

Denial Of Service Buffer Overflow RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-36723 HIGH This Week

Remote code execution in BookCars v8.3 is achievable by authenticated attackers who abuse a path traversal flaw in the /api/create-user endpoint to rename and relocate files from temporary storage to attacker-chosen filesystem paths. The flaw is tagged as Authentication Bypass, Path Traversal, and RCE, and a public write-up exists in a third-party GitHub repository, though it is not listed in CISA KEV and EPSS is low at 0.17% (38th percentile).

RCE Path Traversal Authentication Bypass N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-36722 MEDIUM This Month

Arbitrary file upload via the /api/create-car-image endpoint in bookcars v8.3 enables server-side code execution by uploading a crafted file (e.g., a web shell). The vulnerability targets an image upload API that fails to restrict file types per CWE-434. No public exploit identified at time of analysis, and EPSS sits at 0.02% (6th percentile), indicating negligible observed exploitation pressure - however, two data conflicts significantly affect confidence: the description asserts an authenticated attacker is required while the CVSS vector records PR:N (no privileges required), and the CVSS impact scores of C:L/I:L are inconsistent with the claimed remote code execution outcome.

RCE File Upload N A
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-47722 Go HIGH PATCH GHSA This Week

YAML injection in nebula-mesh (juev/nebula-mesh, forked as forgekeep/nebula-mesh) prior to v0.3.2 allows an authenticated operator to inject arbitrary YAML keys into a managed agent's config.yml via the unvalidated adv_tun_device and ListenHost host-override fields. A successful injection lets the attacker self-promote a target host to a Nebula lighthouse or relay, redirecting and intercepting mesh traffic across the overlay network. No public exploit identified at time of analysis, but a detailed PoC payload is published in the GHSA advisory itself.

Code Injection RCE
NVD GitHub
EPSS
0.0%
CVE-2026-47252 Go CRITICAL PATCH GHSA Act Now

Code injection in the anyquery chrome_tabs plugin (and Brave/Edge/Safari variants) on macOS allows an authenticated SQL client to break out of an AppleScript URL property record and execute arbitrary `osascript` commands, including `do shell script` for OS-level command execution. The flaw affects anyquery 0.4.4 (commit 0abd460) and stems from unescaped string interpolation at plugins/chrome/tabs.go:141 and :169. Publicly available exploit code exists in the GHSA advisory (GHSA-hrj8-hjv8-mgwc), though no public exploit identified at time of analysis in mass-exploitation feeds and KEV does not list it.

Command Injection Code Injection Google RCE Apple +2
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-40519 HIGH PATCH This Week

Authenticated remote code execution in Nginx Proxy Manager versions 2.9.14 through 2.15.1 allows users holding the certificates:manage permission to inject arbitrary OS commands via the dns_provider_credentials field, which executes on backend restart as the service account. No public exploit has been identified at time of analysis, but the vendor patch (commit a5db5ed) and a VulnCheck advisory disclose the exact sink (child_process.exec in setupCertbotPlugins), making weaponization straightforward. CVSS 7.5 (AV:N/AC:H/PR:L) reflects the authentication and timing prerequisites rather than reduced impact - successful exploitation yields full code execution on the proxy host.

RCE Nginx Command Injection Nginx Proxy Manager
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-11393 HIGH PATCH This Week

Remote code execution in AWS AgentCore CLI before v0.14.2 allows authenticated attackers to inject Python code via crafted collaborationInstruction strings stored on Bedrock Agent collaborators. When another user in the same AWS account imports the agent, the malicious triple-quote payload breaks out of the generated Python docstring and executes attacker-controlled code on AWS AgentCore Runtime under the imported agent's IAM execution role, as well as on the importing user's local environment. No public exploit identified at time of analysis, but the cross-user, cross-environment scope and 9.0 CVSS rating make this a high-priority patch.

Python Code Injection RCE
NVD GitHub
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-52778 PHP CRITICAL POC PATCH GHSA Act Now

Remote code execution in YesWiki prior to 4.6.6 allows unauthenticated attackers to inject arbitrary PHP via the Bazar CalcField formula evaluator, which sanitizes input with a recursive regex before passing it to eval(). The same flawed regex is also vulnerable to ReDoS/stack overflow, enabling denial of service against the server. No public exploit identified at time of analysis, but the commit diff in 4.6.6 fully documents the vulnerable code path, lowering the bar for exploit development.

PHP Code Injection Denial Of Service RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-42890 npm MEDIUM PATCH GHSA This Month

Arbitrary Node.js code execution via signed Actual Budget macOS binary (versions prior to 26.5.0) is enabled by the ELECTRON_RUN_AS_NODE fuse being left active in the Electron 39.2.7 runtime. An attacker who can place a script on disk or influence the process environment can invoke Actual.app with ELECTRON_RUN_AS_NODE=1, causing the signed binary to act as a Node.js interpreter executing attacker-controlled code under Actual's macOS code signature and entitlements. No public exploit identified at time of analysis; a vendor-released patch exists in version 26.5.0 per GHSA-7rvm-xjpp-63r9.

Apple Code Injection Node.js RCE
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-25559 HIGH POC This Week

Path traversal in OpenBullet2 through 0.3.2 lets authenticated attackers read, write, and delete arbitrary files via the wordlist endpoint, escalating to remote code execution by tampering with system files like /etc/passwd. Because the application runs as root by default, successful exploitation yields full system compromise. Publicly available exploit code exists (VulnCheck advisory and HackerNoon write-up), though there is no public exploit identified at time of analysis indicating CISA KEV listing.

Path Traversal RCE Openbullet2
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-25856 HIGH POC HOSTED Monitor

Authenticated remote code execution in OpenBullet2 through version 0.3.2 allows any logged-in user to run arbitrary C# code on the host by abusing the job configuration interface's plain C# execution mode. Because that mode lacks reference filtering or API restrictions, attackers can touch the file system, spawn child processes, and call any .NET API as the OpenBullet2 service account. Publicly available exploit code exists, and the issue was reported by VulnCheck; pairing it with a known authentication bypass route (referenced HackerNoon write-up) materially raises real-world exploitability.

Code Injection RCE Openbullet2
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-25855 HIGH POC This Week

Remote code execution in OpenBullet2 through 0.3.2 allows authenticated users to execute arbitrary OS commands by abusing the FileProxySource proxy loading feature to upload malicious .bat, .ps1, or .sh script files that the server then executes and returns output as proxy lines. Publicly available exploit code exists per the VulnCheck advisory and a HackerNoon writeup, and the issue carries a CVSS 8.8 (High) with low attack complexity and only low-privilege authentication required. No public exploit identified in CISA KEV at time of analysis, but the combination of a documented technique and trivial exploitation path elevates near-term abuse risk.

RCE Command Injection Openbullet2
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-46442 npm CRITICAL POC PATCH GHSA Act Now

Authenticated remote code execution in FlowiseAI Flowise prior to 3.1.2 allows any user with a valid session or API key to submit arbitrary JavaScript via POST /api/v1/node-custom-function, which executes inside a NodeVM sandbox that can be escaped to reach the host process and spawn child processes. CVSS 4.0 scores this 9.4 Critical, and publicly available exploit details exist via the GHSA advisory, though no public exploit identified at time of analysis in CISA KEV. The flaw stems from missing route-level authorization combined with a sandbox that Flowise itself documents as a security boundary but which fails to contain malicious payloads.

Code Injection RCE Flowise
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.3%
CVE-2026-49756 LOW PATCH Monitor

CRLF injection in Req, the Elixir HTTP client library (versions 0.5.3 through before 0.6.0), allows an attacker who can influence multipart form field metadata - specifically name, filename, or content_type values - to inject arbitrary headers into outgoing multipart requests or smuggle additional form parts. The flaw exists because Req.Utils.encode_form_part/2 interpolates caller-supplied metadata directly into Content-Disposition and Content-Type header lines without escaping double-quotes, carriage returns, or newlines. The attack surface is particularly accessible when using File.Stream inputs, since POSIX filenames may legitimately contain CR/LF characters. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog; however, any application forwarding user-controlled filenames through Req.post/2 with form_multipart is affected.

RCE Req
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-43972 MEDIUM PATCH This Month

Cross-origin cookie injection in ninenines gun (versions 2.0.0 through 2.3.x) allows a malicious or compromised HTTP/2 server to plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. The gun_http2 module fails to validate the :authority pseudo-header in incoming PUSH_PROMISE frames before passing the server-supplied value to the cookie-setting path, violating RFC 7540 §10.6 and RFC 9113 §8.4. This enables session fixation attacks against third-party domains and may lead to account takeover if planted cookies override legitimate session tokens; no public exploit identified at time of analysis. Note: the 'RCE' tag present in source intelligence is not supported by any available data and appears to be erroneous metadata.

RCE Gun
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2024-58349 CRITICAL POC Act Now

WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2024-58348 CRITICAL POC Act Now

WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress PHP
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2023-54352 CRITICAL POC Act Now

WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress Authentication Bypass
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2023-54350 HIGH POC This Week

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress Authentication Bypass
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-47430 npm CRITICAL PATCH GHSA Act Now

Improper input validation in Apache Cordova Plugin InAppBrowser on iOS allows remote attackers to dispatch arbitrary Cordova callback IDs without validation, potentially leading to remote code execution within the hybrid app context. The issue was disclosed June 7, 2026 via the oss-security mailing list by an Apache contributor and is tagged RCE; no public exploit has been identified at time of analysis and it is not present in CISA KEV. The CVSS 4.0 base score of 9.5 reflects high impact across confidentiality, integrity, and availability of both the vulnerable component and downstream subsequent systems.

RCE Cordova Inappbrowser
NVD VulDB
CVSS 4.0
9.5
EPSS
0.1%
CVE-2026-7795 MEDIUM This Month

Stored Cross-Site Scripting in the Click to Chat - WA Widget WordPress plugin (holithemes, all versions through 4.38) allows authenticated Contributor-level users to inject persistent JavaScript payloads that execute in victim browsers when the rendered WhatsApp chat button is clicked. The root cause is a double-encoding bypass: esc_attr() sanitization produces HTML entities that are decoded back to literal characters by the browser's HTML parser before JavaScript evaluation inside an onclick event handler, completely defeating the intended escaping. No public exploit has been identified at time of analysis, but the detailed technical write-up from Wordfence combined with publicly browsable vulnerable source code significantly lowers the barrier to exploitation. Vendor-released patch version 4.39 is available.

PHP XSS WordPress RCE
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7537 HIGH This Week

Remote code execution in the MDJM Event Management WordPress plugin (versions through 1.7.8.3) allows authenticated administrators to upload arbitrary files, including executable PHP, via the mdjm_send_comm_email function which performs no file type, extension, or MIME validation. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS 3.1 score of 7.2, with publicly available exploit code existing on GitHub and a detailed write-up published by the researcher. No public exploit identified in CISA KEV, and exploitation requires administrator-level privileges, limiting realistic impact to post-compromise or insider scenarios.

File Upload WordPress RCE
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-9290 HIGH POC This Week

Local File Inclusion in the WP User Manager WordPress plugin (versions through 2.9.17) allows unauthenticated remote attackers to include and execute arbitrary .php files on the server via the profile tab query parameter. The flaw stems from missing validation of the tab value before it is passed to the profile template loader, enabling path traversal to any PHP file the web server can read. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV, but POC behavior is effectively documented in the upstream fix's traversal test cases.

WordPress Path Traversal RCE PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-7654 HIGH This Week

Authenticated remote code execution in the Admin Columns WordPress plugin (versions through 7.0.18) allows Contributor-level users to inject serialized PHP objects via post meta and trigger a bundled POP gadget chain through the Laravel SerializableClosure component. Reported by Wordfence with CVSS 8.8, no public exploit identified at time of analysis, though the low privilege barrier and bundled gadget chain make weaponization straightforward for any researcher with plugin access.

PHP Deserialization WordPress RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-11429 CRITICAL PATCH Act Now

Remote code execution in Altium Enterprise Server (versions prior to 8.1.1) and Altium 365 arises from a path traversal flaw in the shared Git Service component, which processes post-clone file-manipulation operations using user-supplied paths without validation. An authenticated user with basic git permissions can move arbitrary files outside the repository area, drop attacker-controlled scripts into directories the service later executes, and on multi-tenant Altium 365 infrastructure could have reached data belonging to other tenants on the same node. No public exploit identified at time of analysis, and EPSS sits at 0.44% (63rd percentile).

Path Traversal RCE Altium Enterprise Server Altium 365
NVD VulDB
CVSS 4.0
10.0
EPSS
0.4%
CVE-2026-11420 CRITICAL PATCH Act Now

Unauthenticated arbitrary file write and read in the Network Installation Service (NIS) component of Altium Enterprise Server enables remote attackers to overwrite binaries or configuration, drop content into web-accessible directories, and exfiltrate package archives - escalating to remote code execution as the service account. The CVSS 4.0 score of 10.0 (AV:N/AC:L/PR:N/UI:N with high impact across confidentiality, integrity, availability and scope) reflects a worst-case unauthenticated network primitive. No public exploit identified at time of analysis, and Altium 365 cloud deployments are explicitly out of scope.

Path Traversal RCE On Prem Enterprise Server
NVD VulDB
CVSS 4.0
10.0
EPSS
0.7%
CVE-2026-11419 CRITICAL PATCH Act Now

Arbitrary file write in the Altium Enterprise Server Vault Service allows authenticated users to escape the configured storage root via the UploadController image upload endpoint and place content-controlled files anywhere the service account can write. The flaw (CVSS 4.0 base 9.4, CWE-22) escalates to remote code execution, service takeover, or denial of service by overwriting application binaries, configuration files, or dropping payloads in web-accessible directories. No public exploit identified at time of analysis, and Altium 365 cloud deployments are explicitly out of scope.

Denial Of Service Path Traversal Hashicorp RCE On Prem Enterprise Server
NVD VulDB
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-11422 HIGH PATCH This Week

Arbitrary JavaScript execution in the Markdown Preview Enhanced VS Code extension (0.8.x, bundling crossnote 0.9.28) is triggered when a victim opens or previews a crafted Markdown document containing a malicious wavedrom fenced code block. The WaveDrom rendering pipeline passes block contents directly to window.eval() inside the VS Code webview, letting an attacker abuse the extension's message-passing channel to write arbitrary files to the victim's local filesystem. Vendor patches were released on 2026-06-05; no public exploit was identified at time of analysis and the CVE is not listed in CISA KEV.

Code Injection RCE Markdown Preview Enhanced Crossnote
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-46400 HIGH PATCH This Week

Arbitrary file upload in HAX CMS (PHP backend) versions 11.0.6 through 24.x allows authenticated remote attackers to upload PHP webshells disguised as images by abusing a regex-only extension check that ignores MIME type and content inspection, leading to remote code execution on the web server. CVSS v4.0 scores this 8.7 (High) with PR:L indicating low-privilege authentication is required, and no public exploit was identified at time of analysis although the underlying CWE-434 pattern is highly automatable.

PHP File Upload RCE
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-5411 HIGH This Week

Remote code execution in WP Captcha PRO (premium version of the Advanced Google reCAPTCHA WordPress plugin) through version 5.38 allows authenticated Subscriber-level attackers to upload arbitrary files, including PHP webshells, by abusing the licensing module's save_ajax() capability check and the unrestricted archive extraction in sync_cloud_protection(). No public exploit identified at time of analysis, but the CVSS 8.8 rating and trivial Subscriber-level prerequisite - common on sites with open registration - make this a high-priority WordPress ecosystem flaw. Wordfence is the original reporter and primary intelligence source.

File Upload WordPress Google RCE PHP
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-46394 HIGH PATCH This Week

OS command injection in HAX CMS (haxtheweb/haxcms-php) prior to version 26.0.0 allows authenticated remote attackers to execute arbitrary commands as the web server user via Git operations in the PHP backend. The Git.php library passes unsanitized input into proc_open() across 16 of 17 shell-invoking functions, with only commit() correctly using escapeshellarg(). No public exploit identified at time of analysis, though the vendor advisory describes a clear chain to full RCE when combined with configuration manipulation.

PHP RCE Command Injection
NVD GitHub
CVSS 4.0
7.7
EPSS
0.9%
CVE-2026-46399 CRITICAL PATCH Act Now

Authenticated remote code execution affects HAX CMS PHP backend versions prior to 26.0.0, where attackers with valid credentials can configure malicious Git filter commands to overwrite files and execute arbitrary code on the server. The flaw carries a CVSS 4.0 score of 9.4 due to full compromise of confidentiality, integrity, and availability with cascading subsequent system impact. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

PHP RCE
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-47731 PyPI CRITICAL PATCH GHSA Act Now

Path traversal in NASA AMMOS AIT-Core's Binary Stream Capture (BSC) component allows unauthenticated remote attackers to direct the ait-bsc process to append attacker-controlled binary data to arbitrary files on the host filesystem, limited only by the OS permissions of the running process. Affected are AIT-Core 3.1.0 and all 2.x versions before 2.6.1, exploitable via a direct HTTP request if the BSC port is network-accessible or via a browser-based CSRF attack that works even against localhost-bound deployments. Publicly available exploit code exists (python_poc.py, attacker_tcp.py, and test1.html), though no CISA KEV listing was identified at time of analysis.

Python Path Traversal RCE Canonical Denial Of Service
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-50733 HIGH PATCH This Week

Remote code execution in the Markdown Preview Enhanced extension (versions before 0.8.28) allows attackers to run arbitrary JavaScript when a victim previews or exports a crafted markdown document containing a WaveDrom diagram. The flaw stems from the renderer evaluating untrusted markdown content with eval() across every render path - live preview, presentation mode, and HTML export - and can also be triggered via raw HTML <script type="WaveDrom"> injection. No public exploit identified at time of analysis; EPSS data was not provided, but the high CVSS 4.0 score (8.6) and trivial trigger via a shared markdown file make this a meaningful risk for developer workstations.

Code Injection RCE Markdown Preview Enhanced
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-49493 HIGH PATCH This Week

Arbitrary code execution in Markdown Preview Enhanced (shd101wyy) before 0.8.28 lets a crafted markdown document run attacker-controlled JavaScript when rendered or exported, because Bitfield fenced code blocks were evaluated through interpretJS() / vm.runInNewContext() instead of being parsed as data. CVSS 4.0 scores this 8.6 with network vector and active user interaction; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Code Injection RCE Markdown Preview Enhanced
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-48017 npm HIGH PATCH GHSA This Week

Remote code execution in DbGate (npm package dbgate-api) versions 7.1.8 and earlier allows any authenticated user with basic access to execute arbitrary OS commands by injecting JavaScript into the `functionName` parameter of the `POST /runners/load-reader` endpoint. The flaw stems from unsanitized string interpolation into a server-side script template, and the `require=null` sandbox is bypassed via `process.binding("spawn_sync")`. Publicly available exploit code exists (vendor-published PoC in the GHSA advisory), and the issue carries a CVSS 8.8 rating with low-complexity, low-privilege exploitation.

Privilege Escalation Code Injection RCE Docker Node.js
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-47670 npm CRITICAL POC PATCH GHSA Act Now

Authenticated remote code execution in DbGate (all versions through 7.1.8) allows any user with valid credentials to execute arbitrary OS commands as the process owner - root in Docker - by injecting newline-delimited JavaScript into the unsanitized `functionName` parameter of the `/runners/load-reader` API endpoint. A prior partial mitigation (`require = null`) introduced in commit cf3f95c (June 2025) is trivially bypassed using the dynamic `import()` language keyword, which cannot be nullified at runtime. Publicly available exploit code exists demonstrating full root-level command execution; this vulnerability is not listed in CISA KEV at time of analysis.

Python Privilege Escalation Command Injection RCE Docker
NVD GitHub
EPSS
0.3%
CVE-2026-47668 npm CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote code execution in DbGate (npm package dbgate-serve, versions <= 7.1.8) lets remote attackers execute arbitrary Node.js code by injecting JavaScript through the functionName parameter of the POST /runners/start JSON script runner. Default Docker deployments ship with Anonymous authentication enabled, making this exploitable without credentials (CVSS 10.0), and a public Nuclei template plus detailed PoC mean publicly available exploit code exists even though no CISA KEV listing was identified at time of analysis.

Docker Node.js RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-48095 HIGH PATCH This Week

Remote code execution in 7-Zip versions 26.00 and earlier is achievable via a crafted NTFS image that triggers a heap buffer overflow in the archive handler, overwriting an adjacent C++ object's vtable pointer to hijack control flow. The flaw stems from an undefined-behavior shift in CInStream::GetCuSize() that under-allocates a buffer to just one byte, which is then written up to 256 MB of attacker-controlled data. Exploitation requires the victim to open or extract a malicious archive (UI:R), but the NTFS handler is enabled by default and is selected via signature matching regardless of file extension; no public exploit identified at time of analysis.

Denial Of Service Memory Corruption Buffer Overflow RCE Suse
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-50265 HIGH This Week

Local privilege escalation in libinput affects Red Hat Enterprise Linux 7, 8, 9, and 10 by allowing a local attacker with access to /dev/uinput to inject arbitrary udev properties via the libinput-device-group helper. Exploitation can result in root code execution through abuse of udev REMOVE_CMD properties that are run when a device is removed, mapping to CWE-78 (OS Command Injection). No public exploit identified at time of analysis, but the issue is vendor-confirmed by Red Hat.

RCE Command Injection Suse
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-11332 PyPI HIGH PATCH NEWS GHSA This Week

Arbitrary code execution in ansible-core's ansible-galaxy role install command allows malicious role authors to execute code on a victim's machine when the victim installs the role. The flaw stems from improper neutralization of argument delimiters (CWE-88) in the src field of meta/requirements.yml, allowing injection of arbitrary git configuration flags. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

RCE
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-10732 MEDIUM This Month

Arbitrary file write in the npm decompress package (all versions) exploits a second-generation Zip Slip bypass that circumvents protections introduced in the CVE-2020-12265 fix. By crafting a ZIP archive where a symlink entry and a same-named regular file share an identical path, an attacker leverages microtask scheduling order to write file contents through the unresolved symlink to arbitrary locations outside the extraction output directory, creating a realistic path to remote code execution. Publicly available exploit code exists per the E:P temporal modifier and a published PoC Gist, elevating real-world concern especially for applications processing untrusted archives in automated pipelines.

Path Traversal RCE Decompress
NVD GitHub VulDB
CVSS 4.0
5.6
EPSS
0.1%
CVE-2026-7763 CRITICAL PATCH Act Now

Remote unauthenticated code execution and denial-of-service in Morse Micro HaLowLink 2 (versions prior to 2.11.13) allows attackers within radio range to corrupt kernel memory via a malformed 802.11ah beacon frame. The flaw resides in the morse.ko HaLow Wi-Fi kernel driver, which processes broadcast beacons during passive scanning, requiring no authentication or user interaction. No public exploit identified at time of analysis, but SSVC rates the technical impact as total and the issue as automatable, and a vendor patch is available.

Denial Of Service Buffer Overflow RCE Halowlink 2
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-7762 CRITICAL PATCH Act Now

Remote code execution and kernel-level denial of service in Morse Micro HaLowLink 2 devices running software prior to 2.11.13 allows any attacker within 802.11ah radio range to corrupt kernel heap memory by broadcasting a malformed S1G Capabilities IE in a beacon or probe response frame. The flaw sits in the dot11ah.ko HaLow Wi-Fi driver and triggers during normal passive scanning, requiring no authentication, association, or user interaction. A vendor patch exists, but no public exploit identified at time of analysis and EPSS sits at 0.05% despite the CVSS 9.8 rating.

Denial Of Service Buffer Overflow RCE Halowlink 2
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-11307 HIGH PATCH This Week

Remote code execution in Google Chrome's PDFium component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to open a crafted PDF file. The flaw is a use-after-free memory corruption issue (CWE-416) carrying a CVSS 8.8 rating, though Chromium rated its security severity as Low and no public exploit has been identified at time of analysis. User interaction is required, and code execution is constrained to the Chrome sandbox absent a chained sandbox escape.

Google Memory Corruption RCE Use After Free Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11306 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the PDFium component, allowing a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted PDF file. While exploitation is constrained to the sandbox and requires user interaction (visiting a page or opening a PDF), the CVSS score of 8.8 reflects the high impact on confidentiality, integrity, and availability if combined with a sandbox escape. No public exploit identified at time of analysis, and CISA SSVC indicates exploitation status of 'none'.

Google Memory Corruption RCE Use After Free Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11305 HIGH PATCH This Week

Remote code execution in Google Chrome's PDFium component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox via a crafted PDF file. The flaw is a use-after-free memory corruption issue (CWE-416) requiring user interaction to open or render the malicious PDF, and no public exploit identified at time of analysis. Chromium rates the security severity as Low despite the CVSS 8.8 score, reflecting the sandbox containment of the resulting code execution.

Google Memory Corruption RCE Use After Free Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11303 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the PDFium component that parses PDF documents. A remote attacker who lures a user into opening a crafted PDF can execute arbitrary code, though execution is contained within Chrome's renderer sandbox. No public exploit is identified at time of analysis, and SSVC indicates no observed exploitation.

Google Memory Corruption RCE Use After Free Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11279 HIGH PATCH This Week

Remote code execution in Google Chrome's DevTools component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the browser sandbox by luring a user to a crafted HTML page. The flaw stems from an out-of-bounds read (CWE-125) and carries a CVSS 8.8 rating, though no public exploit has been identified at time of analysis and CISA SSVC marks exploitation status as 'none'. Code execution is confined to the renderer sandbox, requiring chaining with a sandbox escape for full system compromise.

Information Disclosure Google Buffer Overflow RCE
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11269 HIGH PATCH This Week

Remote code execution within the Chrome renderer sandbox affects Google Chrome desktop builds prior to 149.0.7827.53, stemming from an inappropriate implementation in the Extensions subsystem. An attacker in a privileged network position can deliver a crafted Chrome Extension that, with user interaction, executes arbitrary code confined to the sandbox. No public exploit identified at time of analysis and EPSS probability is very low (0.01%), but a vendor patch is available.

Google RCE Chrome
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-11262 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the TabStrip component, enabling a remote attacker who lures a victim to a crafted HTML page to corrupt memory and execute arbitrary code within the renderer context. Google rates the underlying Chromium severity as Low, but the CVSS base score of 8.8 reflects the potential impact when chained with a sandbox escape. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11235 HIGH PATCH This Week

Sandboxed arbitrary code execution in Google Chrome versions prior to 149.0.7827.53 stems from insufficient policy enforcement in the Compositing component, requiring an attacker to first compromise the renderer process before triggering the flaw via a crafted HTML page. Google has released a patched stable channel build and rates the Chromium-internal severity as Low, while NVD scores it CVSS 8.8 due to the network attack vector and high impact triad. No public exploit identified at time of analysis, and SSVC indicates exploitation status 'none' with non-automatable attack characteristics.

Google RCE
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11231 HIGH PATCH This Week

Remote code execution in Google Chrome on macOS prior to 149.0.7827.53 allows a remote attacker to run arbitrary code by tricking a user into interacting with a malicious file, due to an inappropriate implementation in the Safe Browsing component. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.04%, 12th percentile), though the CVSS base score of 8.1 reflects high confidentiality and integrity impact. Chromium internally rated the security severity as Low, suggesting practical exploitability is constrained despite the high CVSS.

Code Injection Google RCE Chrome
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-11230 HIGH PATCH This Week

Remote code execution in Google Chrome prior to 149.0.7827.53 stems from a use-after-free flaw in the Extensions component, allowing a remote attacker who tricks a user into visiting a crafted HTML page to execute arbitrary code inside the browser's renderer sandbox. The issue is rated High by NVD (CVSS 8.8) despite Chromium's own Low severity tag, and no public exploit identified at time of analysis. A vendor patch is available via the June 2026 Stable Channel update.

Google Memory Corruption RCE Use After Free Denial Of Service
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11224 HIGH PATCH This Week

Remote code execution in Google Chrome on Linux versions prior to 149.0.7827.53 allows a remote attacker to exploit a use-after-free condition in the Chromoting component via malicious network traffic. The flaw carries a CVSS 3.1 score of 8.1 (high) with no public exploit identified at time of analysis and an EPSS probability of 0.04%, though Google rates the Chromium severity as Low. The vendor has shipped a fix in the stable channel update for desktop.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Code injection in NETGEAR RBE97x routers (firmware prior to V9.12.4.9) enables authenticated administrators on the local network to make unauthorized modifications to router software and functionality beyond their sanctioned scope. The vulnerability stems from insufficient input validation (CWE-94), where administrator-supplied input is not properly sanitized before being processed, potentially allowing execution of injected code. No public exploit exists and CISA SSVC classifies exploitation status as 'none', making this a low-urgency but valid integrity risk for environments where shared or compromised admin accounts are a concern.

Code Injection Netgear RCE +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Local privilege escalation in Waves Central for macOS (13.0.9 through 16.5.5) allows an unprivileged local user to gain root code execution by exploiting a time-of-check/time-of-use race in the privileged helper's XPC client validation. The helper trusts the connecting process's PID to verify code-signing identity, but PID reuse permits an attacker-controlled process to masquerade as a legitimate Waves client. SSVC reports a public proof-of-concept exists; the issue is not listed in CISA KEV.

Apple Privilege Escalation RCE
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Waves Central for macOS versions 13.0.9 through 16.5.5 allows an unprivileged user to gain root code execution by injecting a malicious dylib into a trusted XPC client process via DYLD_INSERT_LIBRARIES. The injected code then abuses the product's privileged helper service to perform operations as root. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%), consistent with a local-only macOS desktop attack surface.

Apple RCE Privilege Escalation +1
NVD VulDB
EPSS 0% 6.0 CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to achieve root-level command execution via OS command injection. With a maximum CVSS score of 10.0 and a network-accessible, no-interaction attack vector, this represents a critical exposure for any internet-facing Sentry appliance, though no public exploit has been identified at time of analysis.

RCE Ivanti Command Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored XSS in Logseq's plugin subsystem escalates to arbitrary code execution within the privileged Electron host context due to unsanitized innerHTML rendering of plugin metadata. When a user installs a malicious plugin whose package.json 'name' field contains a JavaScript payload, the payload executes with Electron's elevated privileges - a context in which Node.js APIs are accessible, making the effective impact closer to local code execution than a conventional browser-scoped XSS. Reported by CERT-PL, version v0.10.15 is confirmed vulnerable, no patch exists, and no public exploit has been identified at time of analysis.

XSS RCE Logseq
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Command injection in Logseq desktop application enables remote code execution via shell metacharacter abuse in IPC-exposed command arguments. An attacker with JavaScript execution in the renderer process (through XSS or a malicious plugin) can bypass the command allowlist because arguments are concatenated and passed to child_process.spawn with shell:true, granting arbitrary OS command execution at the privileges of the Logseq process. No public exploit identified at time of analysis, but the issue was reported by CERT-PL and remains unpatched in versions beyond the tested v0.10.15.

XSS RCE Command Injection +1
NVD
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Monitor

WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE PHP WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

PHP Object Injection in TYPO3 CMS's cache frontend (VariableFrontend) and persistent key-value store (Registry) exposes TYPO3 installations to potential Remote Code Execution when an attacker controls write access to the underlying storage layer. The root cause is bare PHP `unserialize()` calls on storage-retrieved data without HMAC integrity validation or class allowlists, meaning attacker-controlled data in the `sys_registry` table or cache backend can trigger deserialization of crafted PHP objects through a gadget chain. No public exploit has been identified at time of analysis and no CISA KEV listing exists; however, the CVSS 4.0 Subsequent impact scores (SC:H/SI:H/SA:H) confirm that successful exploitation yields full system-level impact despite the local access prerequisite.

PHP Deserialization RCE
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Unrestricted file upload via the DIGSI 5 engineering protocol in Siemens SIPROTEC 5 protective relays enables authenticated, high-privileged users on an adjacent network to upload malicious configuration files, causing denial of service or potentially achieving code execution on the affected device. All hardware variants (CP050/CP100/CP150/CP200/CP300) across more than 60 distinct SIPROTEC 5 model lines are affected, with no patched firmware version available. No public exploit identified at time of analysis, but the presence of RCE and DoS tags alongside a confirmed CWE-434 root cause makes this a meaningful operational technology (OT) risk in poorly segmented substation environments.

Denial Of Service File Upload RCE +61
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Authenticated PHP Object Injection in the Blocksy WordPress theme (versions ≤ 2.1.35) allows contributor-level users to escalate to remote code execution by storing a malicious serialized object in post meta that is later deserialized during the V200 database migration. Wordfence-reported flaw chains weak input sanitization in blocksy_sanitize_post_meta_options() with an unconditional @unserialize() call in SearchReplacer::run_recursively(), triggering RaiiPattern::__destruct() to invoke arbitrary callables via call_user_func(). No public exploit identified at time of analysis, but the low-privilege requirement and high impact make this a meaningful priority for sites running upgraded Blocksy installations.

PHP Deserialization WordPress +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution and denial of service in Zephyr RTOS HTTP server (versions 3.7.0 through 4.3.0) allow unauthenticated network attackers to corrupt stack memory by sending a crafted Sec-WebSocket-Key header during WebSocket upgrade. The flaw is a CWE-170 improper NUL-termination issue where a bounded copy fails to terminate the header buffer, causing strlen() and subsequent concatenation to read and write past stack bounds. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivially reachable attack surface make this a high-priority issue for any Zephyr deployment with CONFIG_HTTP_SERVER_WEBSOCKET enabled.

Denial Of Service Buffer Overflow RCE +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated settings manipulation in Helpfulcrowd Product Reviews plugin for WordPress (versions up to and including 1.2.9) allows any remote attacker to overwrite arbitrary plugin configuration values in the WordPress database. The vulnerability stems from a PHP type juggling flaw in the token validation function combined with an openly accessible REST endpoint registered with `__return_true` as its permission callback. By submitting a JSON boolean `true` as the token value, an attacker bypasses the loose-comparison check (`!=`) in `helpfulcrowd_validate_token()` and gains full write access to the `helpfulcrowd_options` database option with no sanitization or allowlist enforcement. No public exploit or CISA KEV listing is identified at time of analysis.

PHP Memory Corruption WordPress +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the Recover Exit For WooCommerce WordPress plugin (versions up to and including 1.0.3) allows remote unauthenticated attackers to include arbitrary local PHP files via the unsanitized `tpf` POST parameter passed to `include()` in the `recover_exit()` function. Successful exploitation can disclose sensitive files such as `wp-config.php` and, when combined with file upload primitives or log poisoning, escalate to remote code execution. No public exploit identified at time of analysis, though the vulnerable sink is documented in the plugin source on plugins.trac.wordpress.org.

Information Disclosure WordPress Path Traversal +4
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome versions prior to 149.0.7827.103 allows attackers who have already compromised the renderer process to execute arbitrary code via a crafted HTML page that triggers a use-after-free in the ServiceWorker component. Rated High severity by Chromium with a CVSS 7.5, the flaw requires user interaction (visiting a malicious page) and a pre-existing renderer compromise, and no public exploit has been identified at time of analysis. The vendor has released a patched Stable channel update.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Sandbox-confined arbitrary code execution in Google Chrome on macOS versions prior to 149.0.7827.103 stems from an out-of-bounds read and write in the Media component, exploitable by a remote attacker who has already compromised the renderer process and lures a user to a crafted HTML page. Google rates the Chromium severity as High and has released a patched stable channel update; no public exploit identified at time of analysis, and SSVC reports no observed exploitation.

Information Disclosure Google Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome versions prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to visit a crafted HTML page that abuses an inappropriate SVG implementation. Google rates the underlying Chromium issue as High severity, and no public exploit identified at time of analysis, though the user-interaction requirement (UI:R) and high CVSS of 8.8 make this a meaningful drive-by browsing risk once a patch is reverse-engineered.

Code Injection Google RCE +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 allows attackers to execute arbitrary code within the browser sandbox by luring users to a malicious HTML page that triggers a use-after-free in the WebCodecs component. Chromium rates this as High severity with a CVSS score of 8.8, and while a vendor patch is available, no public exploit has been identified at time of analysis. Exploitation requires user interaction (visiting a crafted page), which moderates real-world risk somewhat but still places this in the high-priority browser-patching tier.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to 149.0.7827.103 allows attackers to run arbitrary code inside the renderer sandbox when a victim visits a crafted HTML page, triggering a use-after-free condition in the Media component. The flaw carries a CVSS 8.8 (High) rating and is tagged by Chromium as High severity. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Google Memory Corruption RCE +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's Guest View component prior to version 149.0.7827.103 allows attackers to execute arbitrary code within the renderer sandbox by luring users to a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium with a CVSS of 8.8, and while no public exploit has been identified at time of analysis, Google has shipped a patched stable channel build. Exploitation requires user interaction (visiting a malicious page) and code execution is confined to the sandbox, meaning a sandbox escape would be needed for full host compromise.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free flaw in the InterestGroups component, enabling a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page. The vulnerability carries a CVSS 8.8 (High) score and is rated High severity by Chromium, but no public exploit identified at time of analysis and SSVC indicates exploitation status of none. Attack requires user interaction (visiting a malicious page) but no authentication.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free flaw in the PDF component, enabling a remote attacker who lures a user into opening a crafted PDF to execute arbitrary code within the renderer sandbox. Rated High by Chromium with CVSS 8.8, the issue requires user interaction but no authentication, and currently has no public exploit identified at time of analysis.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw stems from a type confusion bug in Chromium's Bindings layer (CWE-843), rated High severity by Chromium and CVSS 8.8 due to network-based exploitation requiring only user interaction. No public exploit identified at time of analysis and EPSS data was not provided, but Chromium V8/bindings issues historically attract exploit development.

Google Memory Corruption RCE +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome on macOS prior to version 149.0.7827.103 stems from a use-after-free flaw in the Payments component, allowing a remote attacker to run arbitrary code in the renderer process via a crafted HTML page. The issue carries a CVSS 8.8 (High) rating and was reported through Google's internal Chrome security process; no public exploit identified at time of analysis. Exploitation requires the victim to load attacker-controlled web content (UI:R), but no authentication or special privileges are needed.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Remote code execution in Google Chrome's Network component before version 149.0.7827.103 allows a remote attacker to execute arbitrary code within the renderer sandbox by luring a user to a crafted HTML page. The flaw is a use-after-free (CWE-416) classified High severity by Chromium with a CVSS 9.6 due to scope change and user-interaction prerequisite. No public exploit identified at time of analysis, but a vendor patch is already shipped via the Stable channel update.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.103 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to visit a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium and carries a CVSS 8.8 score; no public exploit identified at time of analysis, but V8 UAF bugs are historically high-value targets for exploit chains.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.103 allows attackers to execute arbitrary code within the renderer sandbox by luring a user to a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium, with a CVSS 8.8 score reflecting low attack complexity but requiring user interaction. No public exploit identified at time of analysis, though V8 use-after-frees historically attract rapid weaponization for browser exploit chains.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free condition in the ViewTransitions component, allowing a remote attacker to execute arbitrary code within the browser's renderer sandbox by serving a crafted HTML page. Google rates the Chromium security severity as High and a vendor patch is available, though no public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% 4.8 CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development.

Information Disclosure Google Buffer Overflow +3
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use-after-free in the Views component of Google Chrome on Linux prior to 149.0.7827.103 allows remote attackers to execute arbitrary code by tricking a user into installing a crafted malicious extension. Chromium rates the underlying flaw Critical, though the NVD CVSS score of 7.5 reflects the high attack complexity and required user interaction. No public exploit identified at time of analysis.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free condition in the Proxy component, enabling remote attackers to execute arbitrary code by delivering malicious network traffic. Chromium has rated this issue Critical severity, and while no public exploit is identified at the time of analysis, the network-reachable nature of the Proxy subsystem and Chrome's massive deployment footprint make this a high-priority browser patch. The CVSS 8.1 score reflects high attack complexity offset by no required privileges or user interaction.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to 149.0.7827.103 can be triggered via a use-after-free flaw in the Bluetooth component, allowing a remote attacker to execute arbitrary code when a victim visits a crafted HTML page and performs specific UI gestures. Chromium rates the severity as Critical, though the CVSS 3.1 score of 7.5 reflects high attack complexity and required user interaction. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Google Memory Corruption RCE +5
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome on macOS prior to version 149.0.7827.103 allows a remote attacker to exploit a use-after-free flaw in the Compositing component via a crafted HTML page. Google has rated the underlying Chromium security severity as Critical, and no public exploit identified at time of analysis, though the bug is patched in the latest stable channel. Successful exploitation requires user interaction (visiting a malicious page) and high attack complexity, which moderates real-world risk despite the high impact.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome on macOS prior to version 149.0.7827.103 stems from a use-after-free flaw in the Views UI component, enabling a remote attacker to run arbitrary code when a victim visits a crafted HTML page. Google rates the underlying Chromium severity as Critical, and a vendor patch is available; no public exploit identified at time of analysis. The CVSS 8.8 score reflects network-reachable exploitation with low complexity but requiring user interaction (visiting the malicious page).

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome on macOS prior to 149.0.7827.103 stems from a use-after-free condition in the browser's Bluetooth subsystem, rated Critical by Chromium's internal severity scale and CVSS 8.8 by NVD. A remote attacker operating a malicious Bluetooth peripheral can trigger memory corruption to execute arbitrary code in the browser process after the victim performs minimal interaction. No public exploit identified at time of analysis, though Google has released a patched Stable channel build addressing the flaw.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free flaw in the TabStrip UI component, allowing remote attackers to execute arbitrary code when victims interact with a malicious HTML page via specific UI gestures. Google rates the Chromium severity as Critical, and a vendor-released patch is available; no public exploit has been identified at time of analysis. The high attack complexity (AC:H) and required user interaction (UI:R) constrain mass exploitation despite the severe technical impact.

Google Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution and denial-of-service in bitbank2 AnimatedGIF v2.2.0 arises from a buffer overflow in the DecodeLZW function when processing a crafted GIF file. SSVC data indicates a proof-of-concept exists and exploitation is automatable, though it is not listed in CISA KEV; with CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) the vulnerability is network-reachable wherever this library decodes attacker-supplied GIFs.

Denial Of Service Buffer Overflow RCE
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in BookCars v8.3 is achievable by authenticated attackers who abuse a path traversal flaw in the /api/create-user endpoint to rename and relocate files from temporary storage to attacker-chosen filesystem paths. The flaw is tagged as Authentication Bypass, Path Traversal, and RCE, and a public write-up exists in a third-party GitHub repository, though it is not listed in CISA KEV and EPSS is low at 0.17% (38th percentile).

RCE Path Traversal Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Arbitrary file upload via the /api/create-car-image endpoint in bookcars v8.3 enables server-side code execution by uploading a crafted file (e.g., a web shell). The vulnerability targets an image upload API that fails to restrict file types per CWE-434. No public exploit identified at time of analysis, and EPSS sits at 0.02% (6th percentile), indicating negligible observed exploitation pressure - however, two data conflicts significantly affect confidence: the description asserts an authenticated attacker is required while the CVSS vector records PR:N (no privileges required), and the CVSS impact scores of C:L/I:L are inconsistent with the claimed remote code execution outcome.

RCE File Upload N A
NVD GitHub
EPSS 0%
HIGH PATCH This Week

YAML injection in nebula-mesh (juev/nebula-mesh, forked as forgekeep/nebula-mesh) prior to v0.3.2 allows an authenticated operator to inject arbitrary YAML keys into a managed agent's config.yml via the unvalidated adv_tun_device and ListenHost host-override fields. A successful injection lets the attacker self-promote a target host to a Nebula lighthouse or relay, redirecting and intercepting mesh traffic across the overlay network. No public exploit identified at time of analysis, but a detailed PoC payload is published in the GHSA advisory itself.

Code Injection RCE
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Code injection in the anyquery chrome_tabs plugin (and Brave/Edge/Safari variants) on macOS allows an authenticated SQL client to break out of an AppleScript URL property record and execute arbitrary `osascript` commands, including `do shell script` for OS-level command execution. The flaw affects anyquery 0.4.4 (commit 0abd460) and stems from unescaped string interpolation at plugins/chrome/tabs.go:141 and :169. Publicly available exploit code exists in the GHSA advisory (GHSA-hrj8-hjv8-mgwc), though no public exploit identified at time of analysis in mass-exploitation feeds and KEV does not list it.

Command Injection Code Injection Google +4
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authenticated remote code execution in Nginx Proxy Manager versions 2.9.14 through 2.15.1 allows users holding the certificates:manage permission to inject arbitrary OS commands via the dns_provider_credentials field, which executes on backend restart as the service account. No public exploit has been identified at time of analysis, but the vendor patch (commit a5db5ed) and a VulnCheck advisory disclose the exact sink (child_process.exec in setupCertbotPlugins), making weaponization straightforward. CVSS 7.5 (AV:N/AC:H/PR:L) reflects the authentication and timing prerequisites rather than reduced impact - successful exploitation yields full code execution on the proxy host.

RCE Nginx Command Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in AWS AgentCore CLI before v0.14.2 allows authenticated attackers to inject Python code via crafted collaborationInstruction strings stored on Bedrock Agent collaborators. When another user in the same AWS account imports the agent, the malicious triple-quote payload breaks out of the generated Python docstring and executes attacker-controlled code on AWS AgentCore Runtime under the imported agent's IAM execution role, as well as on the importing user's local environment. No public exploit identified at time of analysis, but the cross-user, cross-environment scope and 9.0 CVSS rating make this a high-priority patch.

Python Code Injection RCE
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Remote code execution in YesWiki prior to 4.6.6 allows unauthenticated attackers to inject arbitrary PHP via the Bazar CalcField formula evaluator, which sanitizes input with a recursive regex before passing it to eval(). The same flawed regex is also vulnerable to ReDoS/stack overflow, enabling denial of service against the server. No public exploit identified at time of analysis, but the commit diff in 4.6.6 fully documents the vulnerable code path, lowering the bar for exploit development.

PHP Code Injection Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Arbitrary Node.js code execution via signed Actual Budget macOS binary (versions prior to 26.5.0) is enabled by the ELECTRON_RUN_AS_NODE fuse being left active in the Electron 39.2.7 runtime. An attacker who can place a script on disk or influence the process environment can invoke Actual.app with ELECTRON_RUN_AS_NODE=1, causing the signed binary to act as a Node.js interpreter executing attacker-controlled code under Actual's macOS code signature and entitlements. No public exploit identified at time of analysis; a vendor-released patch exists in version 26.5.0 per GHSA-7rvm-xjpp-63r9.

Apple Code Injection Node.js +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

Path traversal in OpenBullet2 through 0.3.2 lets authenticated attackers read, write, and delete arbitrary files via the wordlist endpoint, escalating to remote code execution by tampering with system files like /etc/passwd. Because the application runs as root by default, successful exploitation yields full system compromise. Publicly available exploit code exists (VulnCheck advisory and HackerNoon write-up), though there is no public exploit identified at time of analysis indicating CISA KEV listing.

Path Traversal RCE Openbullet2
NVD VulDB
EPSS 0% CVSS 8.7
HIGH POC HOSTED Monitor

Authenticated remote code execution in OpenBullet2 through version 0.3.2 allows any logged-in user to run arbitrary C# code on the host by abusing the job configuration interface's plain C# execution mode. Because that mode lacks reference filtering or API restrictions, attackers can touch the file system, spawn child processes, and call any .NET API as the OpenBullet2 service account. Publicly available exploit code exists, and the issue was reported by VulnCheck; pairing it with a known authentication bypass route (referenced HackerNoon write-up) materially raises real-world exploitability.

Code Injection RCE Openbullet2
NVD VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Remote code execution in OpenBullet2 through 0.3.2 allows authenticated users to execute arbitrary OS commands by abusing the FileProxySource proxy loading feature to upload malicious .bat, .ps1, or .sh script files that the server then executes and returns output as proxy lines. Publicly available exploit code exists per the VulnCheck advisory and a HackerNoon writeup, and the issue carries a CVSS 8.8 (High) with low attack complexity and only low-privilege authentication required. No public exploit identified in CISA KEV at time of analysis, but the combination of a documented technique and trivial exploitation path elevates near-term abuse risk.

RCE Command Injection Openbullet2
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL POC PATCH Act Now

Authenticated remote code execution in FlowiseAI Flowise prior to 3.1.2 allows any user with a valid session or API key to submit arbitrary JavaScript via POST /api/v1/node-custom-function, which executes inside a NodeVM sandbox that can be escaped to reach the host process and spawn child processes. CVSS 4.0 scores this 9.4 Critical, and publicly available exploit details exist via the GHSA advisory, though no public exploit identified at time of analysis in CISA KEV. The flaw stems from missing route-level authorization combined with a sandbox that Flowise itself documents as a security boundary but which fails to contain malicious payloads.

Code Injection RCE Flowise
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

CRLF injection in Req, the Elixir HTTP client library (versions 0.5.3 through before 0.6.0), allows an attacker who can influence multipart form field metadata - specifically name, filename, or content_type values - to inject arbitrary headers into outgoing multipart requests or smuggle additional form parts. The flaw exists because Req.Utils.encode_form_part/2 interpolates caller-supplied metadata directly into Content-Disposition and Content-Type header lines without escaping double-quotes, carriage returns, or newlines. The attack surface is particularly accessible when using File.Stream inputs, since POSIX filenames may legitimately contain CR/LF characters. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog; however, any application forwarding user-controlled filenames through Req.post/2 with form_multipart is affected.

RCE Req
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Cross-origin cookie injection in ninenines gun (versions 2.0.0 through 2.3.x) allows a malicious or compromised HTTP/2 server to plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. The gun_http2 module fails to validate the :authority pseudo-header in incoming PUSH_PROMISE frames before passing the server-supplied value to the cookie-setting path, violating RFC 7540 §10.6 and RFC 9113 §8.4. This enables session fixation attacks against third-party domains and may lead to account takeover if planted cookies override legitimate session tokens; no public exploit identified at time of analysis. Note: the 'RCE' tag present in source intelligence is not supported by any available data and appears to be erroneous metadata.

RCE Gun
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 9.5
CRITICAL PATCH Act Now

Improper input validation in Apache Cordova Plugin InAppBrowser on iOS allows remote attackers to dispatch arbitrary Cordova callback IDs without validation, potentially leading to remote code execution within the hybrid app context. The issue was disclosed June 7, 2026 via the oss-security mailing list by an Apache contributor and is tagged RCE; no public exploit has been identified at time of analysis and it is not present in CISA KEV. The CVSS 4.0 base score of 9.5 reflects high impact across confidentiality, integrity, and availability of both the vulnerable component and downstream subsequent systems.

RCE Cordova Inappbrowser
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Click to Chat - WA Widget WordPress plugin (holithemes, all versions through 4.38) allows authenticated Contributor-level users to inject persistent JavaScript payloads that execute in victim browsers when the rendered WhatsApp chat button is clicked. The root cause is a double-encoding bypass: esc_attr() sanitization produces HTML entities that are decoded back to literal characters by the browser's HTML parser before JavaScript evaluation inside an onclick event handler, completely defeating the intended escaping. No public exploit has been identified at time of analysis, but the detailed technical write-up from Wordfence combined with publicly browsable vulnerable source code significantly lowers the barrier to exploitation. Vendor-released patch version 4.39 is available.

PHP XSS WordPress +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Remote code execution in the MDJM Event Management WordPress plugin (versions through 1.7.8.3) allows authenticated administrators to upload arbitrary files, including executable PHP, via the mdjm_send_comm_email function which performs no file type, extension, or MIME validation. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS 3.1 score of 7.2, with publicly available exploit code existing on GitHub and a detailed write-up published by the researcher. No public exploit identified in CISA KEV, and exploitation requires administrator-level privileges, limiting realistic impact to post-compromise or insider scenarios.

File Upload WordPress RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC This Week

Local File Inclusion in the WP User Manager WordPress plugin (versions through 2.9.17) allows unauthenticated remote attackers to include and execute arbitrary .php files on the server via the profile tab query parameter. The flaw stems from missing validation of the tab value before it is passed to the profile template loader, enabling path traversal to any PHP file the web server can read. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV, but POC behavior is effectively documented in the upstream fix's traversal test cases.

WordPress Path Traversal RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated remote code execution in the Admin Columns WordPress plugin (versions through 7.0.18) allows Contributor-level users to inject serialized PHP objects via post meta and trigger a bundled POP gadget chain through the Laravel SerializableClosure component. Reported by Wordfence with CVSS 8.8, no public exploit identified at time of analysis, though the low privilege barrier and bundled gadget chain make weaponization straightforward for any researcher with plugin access.

PHP Deserialization WordPress +1
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution in Altium Enterprise Server (versions prior to 8.1.1) and Altium 365 arises from a path traversal flaw in the shared Git Service component, which processes post-clone file-manipulation operations using user-supplied paths without validation. An authenticated user with basic git permissions can move arbitrary files outside the repository area, drop attacker-controlled scripts into directories the service later executes, and on multi-tenant Altium 365 infrastructure could have reached data belonging to other tenants on the same node. No public exploit identified at time of analysis, and EPSS sits at 0.44% (63rd percentile).

Path Traversal RCE Altium Enterprise Server +1
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated arbitrary file write and read in the Network Installation Service (NIS) component of Altium Enterprise Server enables remote attackers to overwrite binaries or configuration, drop content into web-accessible directories, and exfiltrate package archives - escalating to remote code execution as the service account. The CVSS 4.0 score of 10.0 (AV:N/AC:L/PR:N/UI:N with high impact across confidentiality, integrity, availability and scope) reflects a worst-case unauthenticated network primitive. No public exploit identified at time of analysis, and Altium 365 cloud deployments are explicitly out of scope.

Path Traversal RCE On Prem Enterprise Server
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Arbitrary file write in the Altium Enterprise Server Vault Service allows authenticated users to escape the configured storage root via the UploadController image upload endpoint and place content-controlled files anywhere the service account can write. The flaw (CVSS 4.0 base 9.4, CWE-22) escalates to remote code execution, service takeover, or denial of service by overwriting application binaries, configuration files, or dropping payloads in web-accessible directories. No public exploit identified at time of analysis, and Altium 365 cloud deployments are explicitly out of scope.

Denial Of Service Path Traversal Hashicorp +2
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Arbitrary JavaScript execution in the Markdown Preview Enhanced VS Code extension (0.8.x, bundling crossnote 0.9.28) is triggered when a victim opens or previews a crafted Markdown document containing a malicious wavedrom fenced code block. The WaveDrom rendering pipeline passes block contents directly to window.eval() inside the VS Code webview, letting an attacker abuse the extension's message-passing channel to write arbitrary files to the victim's local filesystem. Vendor patches were released on 2026-06-05; no public exploit was identified at time of analysis and the CVE is not listed in CISA KEV.

Code Injection RCE Markdown Preview Enhanced +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Arbitrary file upload in HAX CMS (PHP backend) versions 11.0.6 through 24.x allows authenticated remote attackers to upload PHP webshells disguised as images by abusing a regex-only extension check that ignores MIME type and content inspection, leading to remote code execution on the web server. CVSS v4.0 scores this 8.7 (High) with PR:L indicating low-privilege authentication is required, and no public exploit was identified at time of analysis although the underlying CWE-434 pattern is highly automatable.

PHP File Upload RCE
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in WP Captcha PRO (premium version of the Advanced Google reCAPTCHA WordPress plugin) through version 5.38 allows authenticated Subscriber-level attackers to upload arbitrary files, including PHP webshells, by abusing the licensing module's save_ajax() capability check and the unrestricted archive extraction in sync_cloud_protection(). No public exploit identified at time of analysis, but the CVSS 8.8 rating and trivial Subscriber-level prerequisite - common on sites with open registration - make this a high-priority WordPress ecosystem flaw. Wordfence is the original reporter and primary intelligence source.

File Upload WordPress Google +2
NVD VulDB
EPSS 1% CVSS 7.7
HIGH PATCH This Week

OS command injection in HAX CMS (haxtheweb/haxcms-php) prior to version 26.0.0 allows authenticated remote attackers to execute arbitrary commands as the web server user via Git operations in the PHP backend. The Git.php library passes unsanitized input into proc_open() across 16 of 17 shell-invoking functions, with only commit() correctly using escapeshellarg(). No public exploit identified at time of analysis, though the vendor advisory describes a clear chain to full RCE when combined with configuration manipulation.

PHP RCE Command Injection
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Authenticated remote code execution affects HAX CMS PHP backend versions prior to 26.0.0, where attackers with valid credentials can configure malicious Git filter commands to overwrite files and execute arbitrary code on the server. The flaw carries a CVSS 4.0 score of 9.4 due to full compromise of confidentiality, integrity, and availability with cascading subsequent system impact. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

PHP RCE
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Path traversal in NASA AMMOS AIT-Core's Binary Stream Capture (BSC) component allows unauthenticated remote attackers to direct the ait-bsc process to append attacker-controlled binary data to arbitrary files on the host filesystem, limited only by the OS permissions of the running process. Affected are AIT-Core 3.1.0 and all 2.x versions before 2.6.1, exploitable via a direct HTTP request if the BSC port is network-accessible or via a browser-based CSRF attack that works even against localhost-bound deployments. Publicly available exploit code exists (python_poc.py, attacker_tcp.py, and test1.html), though no CISA KEV listing was identified at time of analysis.

Python Path Traversal RCE +2
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Remote code execution in the Markdown Preview Enhanced extension (versions before 0.8.28) allows attackers to run arbitrary JavaScript when a victim previews or exports a crafted markdown document containing a WaveDrom diagram. The flaw stems from the renderer evaluating untrusted markdown content with eval() across every render path - live preview, presentation mode, and HTML export - and can also be triggered via raw HTML <script type="WaveDrom"> injection. No public exploit identified at time of analysis; EPSS data was not provided, but the high CVSS 4.0 score (8.6) and trivial trigger via a shared markdown file make this a meaningful risk for developer workstations.

Code Injection RCE Markdown Preview Enhanced
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Arbitrary code execution in Markdown Preview Enhanced (shd101wyy) before 0.8.28 lets a crafted markdown document run attacker-controlled JavaScript when rendered or exported, because Bitfield fenced code blocks were evaluated through interpretJS() / vm.runInNewContext() instead of being parsed as data. CVSS 4.0 scores this 8.6 with network vector and active user interaction; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Code Injection RCE Markdown Preview Enhanced
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in DbGate (npm package dbgate-api) versions 7.1.8 and earlier allows any authenticated user with basic access to execute arbitrary OS commands by injecting JavaScript into the `functionName` parameter of the `POST /runners/load-reader` endpoint. The flaw stems from unsanitized string interpolation into a server-side script template, and the `require=null` sandbox is bypassed via `process.binding("spawn_sync")`. Publicly available exploit code exists (vendor-published PoC in the GHSA advisory), and the issue carries a CVSS 8.8 rating with low-complexity, low-privilege exploitation.

Privilege Escalation Code Injection RCE +2
NVD GitHub
EPSS 0%
CRITICAL POC PATCH Act Now

Authenticated remote code execution in DbGate (all versions through 7.1.8) allows any user with valid credentials to execute arbitrary OS commands as the process owner - root in Docker - by injecting newline-delimited JavaScript into the unsanitized `functionName` parameter of the `/runners/load-reader` API endpoint. A prior partial mitigation (`require = null`) introduced in commit cf3f95c (June 2025) is trivially bypassed using the dynamic `import()` language keyword, which cannot be nullified at runtime. Publicly available exploit code exists demonstrating full root-level command execution; this vulnerability is not listed in CISA KEV at time of analysis.

Python Privilege Escalation Command Injection +2
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC PATCH Act Now

Unauthenticated remote code execution in DbGate (npm package dbgate-serve, versions <= 7.1.8) lets remote attackers execute arbitrary Node.js code by injecting JavaScript through the functionName parameter of the POST /runners/start JSON script runner. Default Docker deployments ship with Anonymous authentication enabled, making this exploitable without credentials (CVSS 10.0), and a public Nuclei template plus detailed PoC mean publicly available exploit code exists even though no CISA KEV listing was identified at time of analysis.

Docker Node.js RCE
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in 7-Zip versions 26.00 and earlier is achievable via a crafted NTFS image that triggers a heap buffer overflow in the archive handler, overwriting an adjacent C++ object's vtable pointer to hijack control flow. The flaw stems from an undefined-behavior shift in CInStream::GetCuSize() that under-allocates a buffer to just one byte, which is then written up to 256 MB of attacker-controlled data. Exploitation requires the victim to open or extract a malicious archive (UI:R), but the NTFS handler is enabled by default and is selected via signature matching regardless of file extension; no public exploit identified at time of analysis.

Denial Of Service Memory Corruption Buffer Overflow +2
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH This Week

Local privilege escalation in libinput affects Red Hat Enterprise Linux 7, 8, 9, and 10 by allowing a local attacker with access to /dev/uinput to inject arbitrary udev properties via the libinput-device-group helper. Exploitation can result in root code execution through abuse of udev REMOVE_CMD properties that are run when a device is removed, mapping to CWE-78 (OS Command Injection). No public exploit identified at time of analysis, but the issue is vendor-confirmed by Red Hat.

RCE Command Injection Suse
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Arbitrary code execution in ansible-core's ansible-galaxy role install command allows malicious role authors to execute code on a victim's machine when the victim installs the role. The flaw stems from improper neutralization of argument delimiters (CWE-88) in the src field of meta/requirements.yml, allowing injection of arbitrary git configuration flags. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

RCE
NVD GitHub VulDB
EPSS 0% CVSS 5.6
MEDIUM This Month

Arbitrary file write in the npm decompress package (all versions) exploits a second-generation Zip Slip bypass that circumvents protections introduced in the CVE-2020-12265 fix. By crafting a ZIP archive where a symlink entry and a same-named regular file share an identical path, an attacker leverages microtask scheduling order to write file contents through the unresolved symlink to arbitrary locations outside the extraction output directory, creating a realistic path to remote code execution. Publicly available exploit code exists per the E:P temporal modifier and a published PoC Gist, elevating real-world concern especially for applications processing untrusted archives in automated pipelines.

Path Traversal RCE Decompress
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote unauthenticated code execution and denial-of-service in Morse Micro HaLowLink 2 (versions prior to 2.11.13) allows attackers within radio range to corrupt kernel memory via a malformed 802.11ah beacon frame. The flaw resides in the morse.ko HaLow Wi-Fi kernel driver, which processes broadcast beacons during passive scanning, requiring no authentication or user interaction. No public exploit identified at time of analysis, but SSVC rates the technical impact as total and the issue as automatable, and a vendor patch is available.

Denial Of Service Buffer Overflow RCE +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution and kernel-level denial of service in Morse Micro HaLowLink 2 devices running software prior to 2.11.13 allows any attacker within 802.11ah radio range to corrupt kernel heap memory by broadcasting a malformed S1G Capabilities IE in a beacon or probe response frame. The flaw sits in the dot11ah.ko HaLow Wi-Fi driver and triggers during normal passive scanning, requiring no authentication, association, or user interaction. A vendor patch exists, but no public exploit identified at time of analysis and EPSS sits at 0.05% despite the CVSS 9.8 rating.

Denial Of Service Buffer Overflow RCE +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's PDFium component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to open a crafted PDF file. The flaw is a use-after-free memory corruption issue (CWE-416) carrying a CVSS 8.8 rating, though Chromium rated its security severity as Low and no public exploit has been identified at time of analysis. User interaction is required, and code execution is constrained to the Chrome sandbox absent a chained sandbox escape.

Google Memory Corruption RCE +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the PDFium component, allowing a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted PDF file. While exploitation is constrained to the sandbox and requires user interaction (visiting a page or opening a PDF), the CVSS score of 8.8 reflects the high impact on confidentiality, integrity, and availability if combined with a sandbox escape. No public exploit identified at time of analysis, and CISA SSVC indicates exploitation status of 'none'.

Google Memory Corruption RCE +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's PDFium component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox via a crafted PDF file. The flaw is a use-after-free memory corruption issue (CWE-416) requiring user interaction to open or render the malicious PDF, and no public exploit identified at time of analysis. Chromium rates the security severity as Low despite the CVSS 8.8 score, reflecting the sandbox containment of the resulting code execution.

Google Memory Corruption RCE +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the PDFium component that parses PDF documents. A remote attacker who lures a user into opening a crafted PDF can execute arbitrary code, though execution is contained within Chrome's renderer sandbox. No public exploit is identified at time of analysis, and SSVC indicates no observed exploitation.

Google Memory Corruption RCE +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's DevTools component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the browser sandbox by luring a user to a crafted HTML page. The flaw stems from an out-of-bounds read (CWE-125) and carries a CVSS 8.8 rating, though no public exploit has been identified at time of analysis and CISA SSVC marks exploitation status as 'none'. Code execution is confined to the renderer sandbox, requiring chaining with a sandbox escape for full system compromise.

Information Disclosure Google Buffer Overflow +1
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Remote code execution within the Chrome renderer sandbox affects Google Chrome desktop builds prior to 149.0.7827.53, stemming from an inappropriate implementation in the Extensions subsystem. An attacker in a privileged network position can deliver a crafted Chrome Extension that, with user interaction, executes arbitrary code confined to the sandbox. No public exploit identified at time of analysis and EPSS probability is very low (0.01%), but a vendor patch is available.

Google RCE Chrome
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the TabStrip component, enabling a remote attacker who lures a victim to a crafted HTML page to corrupt memory and execute arbitrary code within the renderer context. Google rates the underlying Chromium severity as Low, but the CVSS base score of 8.8 reflects the potential impact when chained with a sandbox escape. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Google Memory Corruption RCE +5
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sandboxed arbitrary code execution in Google Chrome versions prior to 149.0.7827.53 stems from insufficient policy enforcement in the Compositing component, requiring an attacker to first compromise the renderer process before triggering the flaw via a crafted HTML page. Google has released a patched stable channel build and rates the Chromium-internal severity as Low, while NVD scores it CVSS 8.8 due to the network attack vector and high impact triad. No public exploit identified at time of analysis, and SSVC indicates exploitation status 'none' with non-automatable attack characteristics.

Google RCE
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Google Chrome on macOS prior to 149.0.7827.53 allows a remote attacker to run arbitrary code by tricking a user into interacting with a malicious file, due to an inappropriate implementation in the Safe Browsing component. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.04%, 12th percentile), though the CVSS base score of 8.1 reflects high confidentiality and integrity impact. Chromium internally rated the security severity as Low, suggesting practical exploitability is constrained despite the high CVSS.

Code Injection Google RCE +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome prior to 149.0.7827.53 stems from a use-after-free flaw in the Extensions component, allowing a remote attacker who tricks a user into visiting a crafted HTML page to execute arbitrary code inside the browser's renderer sandbox. The issue is rated High by NVD (CVSS 8.8) despite Chromium's own Low severity tag, and no public exploit identified at time of analysis. A vendor patch is available via the June 2026 Stable Channel update.

Google Memory Corruption RCE +2
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Google Chrome on Linux versions prior to 149.0.7827.53 allows a remote attacker to exploit a use-after-free condition in the Chromoting component via malicious network traffic. The flaw carries a CVSS 3.1 score of 8.1 (high) with no public exploit identified at time of analysis and an EPSS probability of 0.04%, though Google rates the Chromium severity as Low. The vendor has shipped a fix in the stable channel update for desktop.

Google Memory Corruption RCE +5
NVD VulDB
Prev Page 11 of 355 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy