RCE

Remote code execution in Kanboard prior to 1.2.50 allows authenticated administrators to bypass plugin installation restrictions and execute arbitrary code on the server. The vulnerability stems from a configuration validation flaw where the PLUGIN_INSTALLER setting is enforced only in the UI but not validated at the backend endpoint, enabling an attacker to force installation of malicious plugins. Public exploit code exists for this vulnerability.

RCE in Chevereto 3.13.4 image hosting via code injection during database configuration. Allows injecting code during installation/setup. PoC available.

Unsafe deserialization in DiskCache Python library through 5.6.3. Uses pickle by default, allowing attackers with cache directory write access to execute arbitrary code.

An issue was discovered in Pacom Unison Client 5.13.1. Authenticated users can inject malicious scripts in the Report Templates which are executed when certain script conditions are fulfilled, leading to Remote Code Execution. [CVSS 8.8 HIGH]

Unauthenticated web shell in METIS DFS devices (versions <= oscore 2.1.234-r18). Same vulnerability as CVE-2026-2248 but on DFS product line.

Unauthenticated web shell in METIS WIC devices (versions <= oscore 2.1.234-r18). The /console endpoint provides shell access without authentication. First of two related METIS CVEs.

Incorrect permission assignment in AMD µProf may allow a local user-privileged attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

A DLL hijacking vulnerability in Vivado could allow a local attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. [CVSS 7.3 HIGH]

A DLL hijacking vulnerability in the AMD Software Installer could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution. [CVSS 7.8 HIGH]

Improper handling of parameters in the AMD Secure Processor (ASP) could allow a privileged attacker to pass an arbitrary memory value to functions in the trusted execution environment resulting in arbitrary code execution

ActiveFaxServiceNT service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

Zilab Remote Console Server 3.2.9 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]

Remote code execution in the Custom Block Builder - Lazy Blocks WordPress plugin through version 4.2.0 allows authenticated users with Contributor privileges or higher to execute arbitrary code on the server via vulnerable functions in the LazyBlocks_Blocks class. This high-severity vulnerability (CVSS 8.8) affects all installations of the affected plugin versions with no patch currently available.

Unauthenticated arbitrary file upload in WPvivid Backup & Migration WordPress plugin. EPSS 0.44%.

Roundcube Webmail versions up to 1.5.13 is affected by inclusion of functionality from untrusted control sphere (CVSS 4.7).

Lucky Wheel Giveaway (WordPress plugin) versions up to 1.0.22 is affected by code injection (CVSS 7.2).

Arbitrary code execution in Adobe Lightroom Desktop 15.1 and earlier via an out-of-bounds write vulnerability when users open malicious files. Local exploitation requires user interaction but executes with the privileges of the current user. No patch is currently available.

Insufficient parameter sanitization in AMD Secure Processor (ASP) Boot Loader could allow an attacker with access to SPIROM upgrade to overwrite the memory, potentially resulting in arbitrary code execution.

A buffer overflow in the AMD Secure Processor (ASP) bootloader could allow an attacker to overwrite memory, potentially resulting in privilege escalation and arbitrary code execution.

Improper input validation in system management mode (SMM) could allow a privileged attacker to overwrite stack memory leading to arbitrary code execution.

Improper input validation in the SMM handler could allow an attacker with Ring0 access to write to SMRAM and modify execution flow for S3 (sleep) wake up, potentially resulting in arbitrary code execution.

Command injection in Catalyst game server management platform. Install scripts in server templates allow injecting OS commands. EPSS 0.29%.

Arbitrary code execution in DNG SDK 1.7.1 build 2410 and earlier via out-of-bounds write when processing malicious DNG files. An attacker can achieve code execution with user privileges by tricking a victim into opening a specially crafted file. No patch is currently available for this vulnerability.

Arbitrary code execution in Bridge 15.1.3, 16.0.1 and earlier through an out-of-bounds write vulnerability triggered when users open malicious files. An attacker can execute commands with the privileges of the affected user, though exploitation requires social engineering to convince a victim to open a crafted file. No patch is currently available.

Arbitrary code execution in Substance 3D Stager 3.1.6 and earlier results from an out-of-bounds write vulnerability that executes with user privileges. An attacker can exploit this by crafting a malicious file that, when opened by a victim, triggers the memory corruption and executes arbitrary code. No patch is currently available, making user education about untrusted files critical for mitigation.

Arbitrary code execution in Substance 3D Stager 3.1.6 and earlier via an out-of-bounds write vulnerability allows local attackers to execute arbitrary code with user privileges when a victim opens a malicious file. The vulnerability requires user interaction but no special privileges, making it practical to exploit through social engineering. No patch is currently available.

Arbitrary code execution in Substance 3D Designer 15.1.0 and earlier via an out-of-bounds write vulnerability that triggers when users open a crafted malicious file. This local attack requires user interaction but executes with the privileges of the affected user, and no patch is currently available.

Arbitrary code execution in Substance 3D Designer 15.1.0 and earlier through an out-of-bounds write vulnerability that requires a user to open a malicious file. An attacker can execute code with the privileges of the targeted user by crafting a specially designed file. No patch is currently available for this high-severity vulnerability.

Arbitrary code execution in Adobe After Effects 25.6 and earlier through type confusion allows attackers to execute malicious code with user privileges when a victim opens a crafted file. The vulnerability requires user interaction but poses a significant risk to creative professionals and organizations using affected versions. No patch is currently available.

Arbitrary code execution in Adobe After Effects 25.6 and earlier via out-of-bounds write vulnerability when users open malicious files. This local attack requires user interaction but grants the attacker full execution privileges within the victim's session. No patch is currently available.

Arbitrary code execution in Adobe After Effects 25.6 and earlier through out-of-bounds write vulnerability (CWE-787) when processing malicious files. An attacker can execute code with user privileges by convincing a victim to open a specially crafted file, with no patch currently available.

Arbitrary code execution in Adobe After Effects 25.6 and earlier via out-of-bounds write when processing malicious files. An attacker can achieve code execution with user privileges by tricking a victim into opening a crafted file. No patch is currently available.

Arbitrary code execution in Adobe Audition 25.3 and earlier through a local out-of-bounds write vulnerability that requires victims to open a specially crafted file. The vulnerability impacts all users running affected versions and allows attackers to execute code with the privileges of the current user. No patch is currently available.

Guest users on TP-Link Tapo C260 v1 cameras can modify protected device settings by exploiting inadequate access controls on synchronization endpoints. Authenticated attackers with limited privileges can bypass restrictions to change sensitive configuration parameters without authorization. No patch is currently available for this vulnerability.

TP-Link Tapo C260 v1 firmware contains a path traversal vulnerability in HTTPS GET request handling that allows local network attackers to probe filesystem paths and determine file existence without authentication. While the vulnerability does not permit file read, write, or code execution, it enables information disclosure about the device's filesystem structure to unauthenticated local users. No patch is currently available.

Arbitrary code execution with SYSTEM privileges in SINEC NMS User Management Component (all versions prior to V2.15.2.1) stems from improper access controls allowing low-privileged users to modify configuration files and load malicious DLLs. An authenticated attacker can exploit this to achieve complete system compromise. No patch is currently available.

Arbitrary code execution in Siemens SINEC NMS versions prior to V4.0 SP2 can be achieved when a low-privileged user modifies configuration files to load malicious DLLs, resulting in administrative privilege execution. This local vulnerability affects all current deployments and currently has no available patch. An authenticated attacker with local access can exploit this to gain full system compromise.

Nx versions prior to V2512 contain an insufficient input validation flaw in the PDF export functionality that permits local attackers to corrupt internal data structures and achieve arbitrary code execution. An attacker with local file system access can exploit this vulnerability to manipulate the export process and gain code execution privileges. No patch is currently available for this vulnerability.

Agentflow versions up to - is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator- privileged service account. [CVSS 7.1 HIGH]

Remote code execution in FUXA prior to 1.2.11 allows authenticated administrators to bypass path traversal protections using nested directory sequences, enabling arbitrary file writes to the server filesystem. An attacker with admin privileges can inject malicious scripts into runtime directories that execute when the server reloads, achieving complete system compromise. Update to version 1.2.11 or later to remediate.

SandboxJS prior to 0.8.31 has yet another sandbox escape via prototype pollution, the sixth distinct escape technique discovered.

Unauthenticated remote code execution in Zai Shell prior to 9.0.3 via the unprotected P2P terminal sharing feature on port 5757, where attackers can inject arbitrary system commands that execute with user privileges if approved. Public exploit code exists for this vulnerability, and affected systems running --no-ai mode completely bypass safety checks during command execution. Update to version 9.0.3 to remediate.

Craft is a platform for creating digital experiences. [CVSS 7.2 HIGH]

A device has a stack-based buffer overflow in cookie parsing (including TRACKID) enabling unauthenticated remote code execution.

A device has a stack-based buffer overflow in HTTP SESSION cookie processing allowing unauthenticated remote code execution.

jsonpath library before 1.2.0 has an arbitrary code injection vulnerability via unsafe use of eval-like constructs in JSONPath expressions.

Wedding Slideshow Studio 1.36 has a buffer overflow allowing code execution through crafted project files.

Parallaxis Cuckoo Clock 5.0 has a buffer overflow enabling code execution through crafted input.

eLection 2.0 contains an authenticated SQL injection vulnerability in the candidate management endpoint that allows attackers to manipulate database queries through the 'id' parameter. [CVSS 7.1 HIGH]

OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the project management server.

Path traversal in NiceGUI before 3.7.0 allows remote attackers to write arbitrary files outside intended directories by exploiting unsanitized filename metadata in the FileUpload.name property, potentially leading to remote code execution when developers incorporate this value directly into file paths. Public exploit code exists for this vulnerability, affecting applications using common patterns like concatenating user-supplied filenames with upload directories. Developers are only protected if they use fixed paths, generate filenames server-side, or explicitly sanitize user input.

Enclave versions up to 2.10.1 is affected by loop with unreachable exit condition (infinite loop) (CVSS 8.8).

BeyondTrust Remote Support (RS) and older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability (CVE-2026-1731) that allows unauthenticated attackers to execute OS commands through specially crafted requests. With EPSS 66% and KEV listing with public PoC, this vulnerability is devastating because these products are specifically designed for privileged remote access — compromising them grants attackers access to the most sensitive systems in an organization.

calibre is an e-book manager. [CVSS 7.8 HIGH]

Remote code execution in Calibre prior to version 9.2.0 through a path traversal flaw in the CHM reader allows local attackers to write arbitrary files with user permissions, enabling payload execution via the Windows Startup folder. Public exploit code exists for this vulnerability. Windows users should upgrade to Calibre 9.2.0 or later to remediate the risk.

Frigate NVR has a command injection vulnerability (CVSS 9.1) allowing authenticated attackers to execute OS commands on the network video recorder.

SandboxJS has a fourth CVSS 10.0 sandbox escape through Map's safe prototype being used as a gateway to inject arbitrary code.

SandboxJS has a second CVSS 10.0 sandbox escape where function return values aren't properly sanitized, allowing code execution outside the sandbox.

Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code execution outside the intended sandbox boundary.

BstHdLogRotatorSvc service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

Alps HID Monitor Service 8.1.0.10 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. [CVSS 7.8 HIGH]

Wondershare Application Framework Service 2.4.3.231 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. [CVSS 7.8 HIGH]

WP Duplicate WordPress plugin has a missing authorization vulnerability leading to arbitrary file deletion that can destroy the WordPress installation.

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. [CVSS 8.8 HIGH]

Tanium addressed an unauthorized code execution vulnerability in Tanium Appliance. [CVSS 7.8 HIGH]

An issue in ChestnutCMS v.1.5.8 and before allows a remote attacker to execute arbitrary code via the template creation function [CVSS 7.2 HIGH]

Monstra Cms versions up to 3.0.4 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

10-Strike Network Inventory Explorer 8.54 contains a structured exception handler buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting SEH records. [CVSS 8.4 HIGH]

PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'add_panel_form()' function that allows attackers to execute arbitrary code through an eval() function with unsanitized POST data. [CVSS 6.1 MEDIUM]

Unauthenticated remote code execution via OS command injection in Edimax EW-7438RPn-v3 Mini wireless extender firmware 1.27. EPSS 1.3% with PoC available.

Remote code execution via OS command injection in Pinger 1.0 allows attackers to inject shell commands through the ping target parameter. EPSS 12.2% indicates significant exploitation likelihood. PoC available.

CODE::BLOCKS 16.01 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler with crafted Unicode characters. [CVSS 5.5 MEDIUM]

Buffer overflow in Rubo DICOM Viewer 2.0 through the DICOM server name input field allows attackers to execute arbitrary code. PoC available.

gbClientService contains a vulnerability that allows attackers to potentially execute arbitrary code with elevated privileges (CVSS 7.8).

Shrew Soft VPN Client 2.2.2 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can place malicious executables in the unquoted service path to gain elevated access during service startup or system reboot. [CVSS 7.8 HIGH]

BartVPNService contains a vulnerability that allows attackers to potentially execute arbitrary code with elevated system privileges (CVSS 7.8).

ScsiAccess service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

EasyRedirect service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

CCSrvProxy service contains a vulnerability that allows attackers to execute arbitrary code (CVSS 7.8).

Wing Ftp Server versions up to 6.0.7 contains a vulnerability that allows attackers to potentially execute arbitrary code with elevated system privileges (CVSS 7.8).

Remote code execution in Godot MCP prior to version 0.1.1 results from unsafe shell command execution when processing user-supplied project paths. An unauthenticated attacker can inject shell metacharacters through multiple tools (create_scene, add_node, load_sprite, etc.) to execute arbitrary commands with the privileges of the MCP server process. No patch is currently available for affected deployments.

SiYuan knowledge management system prior to 3.5.5 has a path traversal in /api/file/copyFile allowing arbitrary file operations on the server.

Authenticated attackers can execute arbitrary commands on Group-Office servers through unsanitized user input in the email attachment endpoint, where shell metacharacters are directly passed to system execution functions. The vulnerability affects Group-Office versions prior to 6.8.150, 25.0.82, and 26.0.5, and public exploit code exists. Organizations should apply available patches immediately as this is actively exploitable by authenticated users.

Melange versions 0.10.0 through 0.40.2 allow unauthenticated command injection through the patch pipeline, enabling attackers to execute arbitrary shell commands on build hosts by injecting shell metacharacters into patch-related inputs such as series paths and filenames. This vulnerability affects users who build APK packages using melange build or melange license-check operations, particularly in CI/CD environments where build inputs may be controlled by untrusted sources. A patch is available in version 0.40.3 and later.

melange allows users to build apk packages using declarative pipelines. [CVSS 7.9 HIGH]

N8N versions up to 1.118.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

n8n is an open source workflow automation platform. [CVSS 8.1 HIGH]

n8n has a command injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary OS commands through workflow definitions.

n8n workflow automation platform has an authenticated code execution vulnerability (CVSS 9.9) through improper runtime behavior modification, enabling server takeover.