Skip to main content

RCE

31887 CVEs technique

Monthly

CVE-2026-46562 Maven CRITICAL PATCH GHSA Act Now

Remote code execution in the Yamcs mission control framework (org.yamcs:yamcs-core, releases 4.7.3 through 5.12.6) lets a caller of the algorithm-override endpoint run arbitrary Java/OS code on the ground server. The Nashorn JavaScript engine that evaluates user-supplied algorithm text is created without a ClassFilter, so payloads can reach any Java class (e.g. java.lang.Runtime) and execute commands as the Yamcs process user; because the default install (no security.yaml) gives the built-in guest user superuser=true, the endpoint is reachable by an unauthenticated network attacker. A detailed working exploit is published in the GitHub Security Advisory (publicly available exploit code exists); the issue is not listed in CISA KEV and no EPSS score was provided in the input.

Java RCE Code Injection Python
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-45077 PHP HIGH PATCH GHSA This Week

Unauthenticated PHP object deserialization in Symfony's Monolog Bridge affects the development-time `server:log` console command, which by default binds its TCP log listener to 0.0.0.0:9911 and passes every received frame through `unserialize(base64_decode(...))` with no allowed_classes allowlist, authentication, or integrity check. Any host that can reach port 9911 on a machine running `server:log` can crash the listener (unauthenticated DoS) or trigger PHP object injection whose magic-method side effects may reach remote code execution when a usable gadget chain exists in the target's autoload set. No public exploit identified at time of analysis; EPSS is low (0.99%, 77th percentile) and the flaw is not in CISA KEV, consistent with a dev-only tool rather than a production-facing service.

Denial Of Service PHP Deserialization RCE
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
1.0%
CVE-2026-9208 HIGH PATCH This Week

Unauthorized OS command execution in Tanium Connect allows an attacker holding low-privilege authenticated access to run arbitrary commands on the host, achieving full compromise of confidentiality, integrity, and availability. The CVSS 8.8 (network vector, low complexity, low privileges, no user interaction) reflects an authenticated remote code execution issue rooted in command injection (CWE-78). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; EPSS data was not provided.

Command Injection RCE Connect
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-47243 Go PATCH GHSA Awaiting Data

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/21. he.org>) Linux kernel: Dirty Frag variants — fix merged into netdev (Hyunwoo Kim <imv4bel@...il.com>) Re: Linux kernel: Dirty Frag variants — fix merged into netdev (Solar Designer <solar@...nwall.com>) Re: Linux kernel: Dirty Frag variants — fix merged into netdev (Hyunwoo Kim <imv4bel@...il.com>) CVE-2026-47243: Kata Containers runtime-rs 3.30: virtiofsd symlink escape (Aurelien Bombo <aurelien.bombo@...rosoft.com>) CVE-2026-46473: Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand (Robert Rothenberg <rrwo@...nsec.org>) Re: On the issue of MIME handlers that execute arbitrary code (e.

Linux RCE
NVD
EPSS
0.1%
CVE-2026-25879 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution in Langroid before 0.63.0 arises because its SQLChatAgent executes SQL text generated by an LLM, and that LLM is steerable through prompt injection — including indirect injection via data returned from the database into the model's context. When the agent connects with a database role holding code-execution or filesystem privileges, an attacker who shapes the agent's input can drive emission of dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM to run OS commands on the database host. A full working proof-of-concept (Base64-smuggled COPY FROM PROGRAM running 'id') is published in the GitHub advisory; there is no entry in CISA KEV, so this reflects publicly available exploit code rather than confirmed active exploitation.

PostgreSQL Python Information Disclosure SQLi RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-44887 CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Pi.Alert, an open-source WiFi/LAN intruder detector with web-based service monitoring, in all versions prior to the 2026-05-07 release. The web configuration editor writes attacker-controlled content into pialert.conf, which the background scan daemon subsequently evaluates with Python's exec(), so injected statements run with the daemon's privileges. Because the product ships with web protection disabled by default, an attacker reaching the web interface needs no credentials, yielding a CVSS 9.8 critical flaw; no public exploit identified at time of analysis.

Code Injection RCE Python
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-44888 CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Pi.Alert, a Python-based Wi-Fi/LAN intruder detector, in all releases prior to the 2026-05-07 fix. The web UI's SaveConfigFile() endpoint writes attacker-supplied numeric configuration values such as SMTP_PORT into pialert.conf with no validation, and because that file is reloaded via Python's exec() by a background cron job every 3-5 minutes, injected Python executes at the OS level. On default installations (PIALERT_WEB_PROTECTION = False) no credentials are required, matching the CVSS 9.8 network/no-privilege rating; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but trivial complexity and full CIA impact make it a high-priority patch.

Code Injection RCE Python
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-47161 HIGH This Week

Remote code execution in RELATE LMS (the inducer/relate web courseware platform) stems from its Celery task queue being configured to accept and unpickle untrusted messages (CELERY_ACCEPT_CONTENT included "pickle"). Because the code-execution sandbox lacks network isolation, an authenticated student can reach the message broker and deliver a malicious pickle payload that the worker deserializes, yielding arbitrary command execution on the host. No public exploit identified at time of analysis; the issue is corrected in commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb.

RCE Deserialization Relate
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-45618 npm CRITICAL PATCH GHSA Act Now

Remote code execution in LiquidJS template engine versions before 10.26.0 lets an attacker who can supply template content escape the rendering context and run arbitrary Node.js code on the host. The `valueOf` filter leaks the engine's internal scope object (`this`), exposing the parser, filter registry, and ultimately the JavaScript Function constructor, which is chained into command execution. Rated CVSS 10.0 (CWE-94) with a complete working proof-of-concept published in the vendor advisory; it has publicly available exploit code but is not listed in CISA KEV, and no EPSS score was provided in the source data.

RCE Code Injection
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-69600 HIGH This Week

Local privilege escalation via command injection in Raynet rvia (RayVentory) 12.6.4392.49-amd64.deb allows authenticated local users to achieve arbitrary code execution by exploiting an improperly terminated find query the application uses to locate the Java runtime. The flaw is reachable through the getconfig command, the upload URL argument, and the oracle -o flag, and publicly available exploit code exists on GitHub although no active exploitation has been observed.

Java Command Injection RCE Oracle
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-38945 HIGH This Week

Local arbitrary code execution in Raynet rvia 12.6 Update 8 and earlier lets a low-privileged local user inject operating-system commands through the application's Java search feature, which assembles a `find` command from an attacker-controlled path without properly terminating the search criteria (CWE-77 OS command injection). A working proof-of-concept exploit script is publicly available on GitHub (Wise-Security/CVE-2026-38945), and CISA's SSVC framework rates the technical impact as total, though it marks the issue as not automatable and requiring local access. No EPSS score and no CISA KEV listing were supplied, so there is no public exploit identified as actively exploited at time of analysis.

Command Injection RCE Java
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45162 PHP HIGH PATCH GHSA This Week

PHP object injection in Pimcore (packages pimcore/pimcore and admin-ui-classic-bundle) up to and including version 12.3.6 arises from six code paths calling unserialize() without the allowed_classes restriction on values read from database columns and filesystem files. An attacker who can already write to one of those sources - for example through SQL injection into the tmp_store, sites, or custom_layouts tables, or a file write to the WebDAV delete log - can plant a serialized PHP gadget chain that executes arbitrary code with web-server privileges once the data is deserialized. No public exploit identified at time of analysis (the vendor advisory documents only a conceptual PoC procedure), the CVE is not in CISA KEV, and EPSS is not provided; the issue is fixed in 12.3.7 and rated CVSS 8.0, with the High attack-complexity reflecting its dependence on a separate write primitive and a working gadget chain.

RCE SQLi PHP Deserialization
NVD GitHub
CVSS 3.1
8.0
EPSS
0.2%
CVE-2026-48922 Maven HIGH PATCH GHSA This Week

Arbitrary file write in the Jenkins Credentials Binding Plugin (version 720.v3f6decef43ea_ and earlier) lets users who can supply file or zip-file credentials to a job write files to attacker-chosen paths on the node filesystem, escalating to remote code execution when Jenkins is configured to let a low-privileged user configure such credentials for a job running on the built-in node. The flaw stems from missing file-name sanitization on the file and zip credential types. Rated CVSS 7.5 with high attack complexity (AC:H); no public exploit identified at time of analysis and the issue is not in CISA KEV.

RCE Jenkins
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-37713 HIGH This Week

Remote code execution in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha allows network-based attackers to execute arbitrary PHP code via the commonobject.class.php component. The CVSS 7.3 (AV:N/AC:L/PR:N/UI:N) vector indicates no authentication or user interaction is required, though impact metrics are rated Low across CIA. No public exploit identified at time of analysis, and EPSS scoring is very low at 0.06% (18th percentile) despite the unauthenticated network attack surface.

RCE PHP Code Injection
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-37712 HIGH This Week

Remote code execution in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha stems from unsafe use of PHP's call_user_func_array() within the cron job class, enabling attackers to execute arbitrary PHP code on the application server. The vulnerability carries CVSS 7.3 with CWE-94 (Code Injection) classification, and while no public exploit is identified at time of analysis, a security researcher writeup referenced from NVD discusses a five-year history of related dol_eval issues in Dolibarr suggesting recurring weaknesses in this code area. EPSS probability is very low at 0.06% and SSVC reports no observed exploitation, but the issue is rated automatable with partial technical impact.

RCE PHP Code Injection
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-37711 HIGH This Week

Code injection in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha allows a remote, unauthenticated attacker to execute attacker-controlled PHP through the htdocs/core/actions_addupdatedelete.inc.php request handler (CWE-94). The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates a low-effort, network-reachable, no-authentication attack, though all impact metrics are rated Low (C:L/I:L/A:L), suggesting the executable surface is constrained rather than full system takeover. There is no public exploit code confirmed in the provided data and the issue is not in CISA KEV (no observed exploitation per SSVC), but a referenced research write-up and a GitHub Security Advisory exist, and SSVC rates the flaw as automatable.

Code Injection RCE PHP
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-8179 HIGH This Week

Arbitrary code execution in IBM Aspera High-Speed Transfer Server and Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) arises from a stack-based buffer overflow in the asperahttpd component. An authenticated user with network access can corrupt memory in this HTTP handling component to run code in the context of the service, fully compromising confidentiality, integrity, and availability (CVSS 8.8). No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided.

RCE Stack Overflow IBM Buffer Overflow
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-8175 CRITICAL Act Now

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Transfer Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) through a heap-based buffer overflow in the asperahttpd component. An unauthenticated network attacker can corrupt memory to crash the service (denial of service) and, in the worst case, hijack execution flow to run arbitrary code or bypass authentication. There is no public exploit identified at time of analysis and SSVC lists exploitation as none, but the CVSS 9.8 rating and 'Automatable: yes' assessment mark this as a high-priority patching target.

RCE Denial Of Service Buffer Overflow Heap Overflow Authentication Bypass +1
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-7524 CRITICAL Act Now

Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitrary code by abusing how the platform handles symbolic links while unpacking uploaded archives. Because extraction does not properly validate symlink targets, a crafted archive can write files outside the intended directory and ultimately achieve code execution on the host. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and is reachable without authentication or user interaction, though no public exploit identified at time of analysis.

RCE Path Traversal IBM
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-38426 HIGH This Week

Remote code execution in Tasmota firmware (v15.3.0.3 and all earlier releases) stems from an unbounded strcpy() into the fixed 40-byte jpg_task.boundary[40] buffer inside fetch_jpg() in the Scripter driver (xdrv_10_scripter.ino). A network attacker able to reach the device and trigger this code path can overflow the buffer and, per the vendor description, execute arbitrary code on the ESP-based device. Publicly available exploit code exists (a CVE-named GitHub repository), and CISA's SSVC framework rates exploitation as POC with the attack automatable; no active exploitation is confirmed.

RCE Buffer Overflow
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-38422 HIGH This Week

Remote code execution in Tasmota firmware version 15.3.0.3 and earlier allows remote unauthenticated attackers to trigger a stack-based buffer overflow in the fetch_jpg() function of the xdrv_10_scripter.ino scripting driver. The flaw is exposed over the network with low complexity and no privileges required (CVSS 7.3 AV:N/AC:L/PR:N/UI:N), and a public proof-of-concept repository has been registered, though no public exploit code was identified in the references at time of analysis. EPSS probability is very low (0.05%, 15th percentile) and the issue is not listed in CISA KEV.

Buffer Overflow RCE Stack Overflow
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-36540 HIGH This Week

Unauthenticated remote command injection in the Netis AC1200 Router (model NC21, firmware V4.0.1.4296) allows any LAN-resident attacker to execute arbitrary OS commands as the router's runtime user via a single HTTP POST to /cgi-bin/skk_set.cgi. The password and new_pwd_confirm parameters are concatenated into a shell invocation without sanitization, and exploitation requires no credentials. No public exploit is identified at time of analysis, though the disclosure repository documents the technique (base64-encoded backtick payloads), and EPSS scoring (0.21%) suggests limited broad exploitation pressure despite the trivial attack complexity.

Command Injection RCE
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-40852 HIGH This Week

OS command injection in MB connect line / Helmholz mbNET and REX industrial remote-maintenance routers (mbNET.mini up to 3.0.2, REX200/250 and mbNET/mbNET.rokey up to 8.4.4, REX100 up to 3.0.2) lets a high-privilege authenticated user poison the device's configuration generator so that a tainted value is later passed unsanitized to a system execute call, producing arbitrary command execution with total loss of confidentiality, integrity and availability. The flaw was reported through CERT@VDE (advisory VDE-2026-054) and tracked as EUVD-2026-32151. There is no public exploit identified at time of analysis, EPSS is low (0.07%, 22nd percentile), and CISA's SSVC framework rates current exploitation as none.

Command Injection RCE
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-40851 HIGH This Week

Code execution is possible on MB connect line industrial remote-maintenance routers - mbNET/mbNET.rokey, mbNET.mini, and the REX100/REX200/250 families - when a local attacker supplies a specially crafted configuration file on a USB stick that triggers a type-confusion flaw in the device's cfgparser, yielding total loss of confidentiality, integrity, and availability (CVSS 8.4). The flaw requires local/physical access to the device rather than network reach. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.02%, 7th percentile), consistent with the SSVC assessment of no observed exploitation.

RCE
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-12686 CRITICAL PATCH Act Now

Remote code execution in Synology BeeStation OS versions before 1.3.2-65648 stems from a classic buffer overflow in the AdminCenter component, the device's web-based management interface. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw exploitable by unauthenticated attackers with low complexity and no user interaction, yielding full compromise of confidentiality, integrity, and availability (9.8 Critical). There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated network-RCE profile on a consumer NAS device makes this a high-priority patch target.

RCE Synology Buffer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2023-52945 HIGH PATCH This Week

Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified vectors. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Synology RCE OpenSSL
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-8832 HIGH This Week

Remote code execution in the WPCode WordPress plugin (versions through 2.3.5) lets authenticated author-level users run arbitrary PHP on the server. Because the plugin registers its 'wpcode' custom post type without a dedicated capability_type, WordPress falls back to standard post capabilities, so any author can create and publish PHP snippet posts via the XML-RPC wp.newPost method, which are later passed to eval() when rendered through the [wpcode] shortcode. EPSS is modest at 0.44% (63rd percentile) and there is no public exploit identified at time of analysis, but the low privilege bar and full CIA impact make this a high-priority patch for any multi-author site.

Code Injection RCE PHP WordPress
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-6169 HIGH This Week

Remote code execution in the affiliate-toolkit WordPress plugin ("Multi-Network Affiliate & Amazon Product Display") affects versions up to and including 3.8.5, letting authenticated users with Editor-level access or higher run arbitrary PHP on the host. The flaw stems from the bundled BladeOne template engine's runString() method, which compiles attacker-supplied template content into PHP and executes it through eval() with no sanitization or sandboxing. There is no public exploit identified at time of analysis and EPSS sits at a low 0.24%, but the technical impact is total because a successful injection yields full server-side code execution.

Code Injection RCE PHP WordPress
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-41669 HIGH PATCH This Week

Arbitrary root code execution in Phoenix Contact PLCnext Control devices (all firmware before 2026.0.3) is reachable by an authenticated low-privileged Engineer user who installs APP packages from the PLCnext Store through the Web-based Management (WBM) interface. Because the device never verifies the integrity or signature of the downloaded app (CWE-347, tagged JWT Attack), a tampered package runs as root and can compromise the integrity and availability of the controller. No public exploit is identified at time of analysis and EPSS is low (0.06%, 18th percentile), but the flaw is network-reachable with low attack complexity and a vendor patch (2026.0.3) is available.

RCE Jwt Attack
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-9200 HIGH This Week

Local File Inclusion in the Query Shortcode plugin for WordPress (all versions through 0.2.1) lets authenticated users with contributor-level access or higher coerce the shortcode handler into including and executing arbitrary .php files already present on the server. Because included files are run by the PHP interpreter, this can leak sensitive data, bypass access controls, and escalate to full remote code execution where an attacker can also place a .php file (e.g. via an upload feature). EPSS rates near-term exploitation probability very low (0.07%, 21st percentile) and there is no public exploit identified at time of analysis.

PHP WordPress Information Disclosure RCE LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-48962 HIGH PATCH This Week

Arbitrary Perl code execution in the IO::Compress distribution (all versions before 2.220) lets an attacker who controls the output glob string passed to the bundled File::GlobMapper run arbitrary Perl at the calling process's privilege. The output glob is wrapped in double quotes and later handed to Perl's eval STRING, so an embedded double quote escapes the string context and the trailing characters execute as code. This is rated CVSS 7.3 and tagged RCE/Code Injection; no public exploit was identified at time of analysis and EPSS is very low (0.03%), but a vendor patch (2.220) and the fixing commit are publicly available.

Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-9207 HIGH PATCH This Week

OS command injection in Tanium Connect lets an authenticated, low-privileged user execute arbitrary commands on the underlying host, yielding full confidentiality, integrity, and availability compromise (CVSS 8.8). The flaw affects Connect branches 5.26, 5.29, and 5.37 below their respective fixed builds and is tagged as RCE/Command Injection. There is no public exploit identified at time of analysis, and EPSS estimates exploitation probability at a low 0.07% (22nd percentile).

Command Injection RCE Connect
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-49014 PyPI HIGH PATCH GHSA This Week

Arbitrary code execution in GDAL 3.1.0 through 3.13.0 is reachable through the netCDF driver, where scanForGeometryContainers (frmts/netcdf/netcdfsg.cpp) copies a CF-convention geometry attribute into a fixed-size stack buffer without checking its length. Any service or workflow that feeds attacker-supplied NetCDF files to GDAL can be coerced into overflowing the stack and running attacker code in the process context. No public exploit is identified at time of analysis and EPSS is just 0.01% (3rd percentile), yet the issue carries a CVSS of 7.4 because the outcome is full remote code execution on the host.

RCE Stack Overflow Buffer Overflow Gdal
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-44632 Maven CRITICAL PATCH GHSA Act Now

Remote code execution in Yamcs (Yet Another Mission Control System) versions before 5.12.7 allows an authenticated user holding the ChangeMissionDatabase privilege to run arbitrary OS commands on the server host. The flaw lives in the JavaExprAlgorithmExecutionFactory, which dynamically compiles user-supplied algorithm text with the Janino compiler without any sandbox or restrictive ClassLoader, so injected Java (e.g. java.lang.Runtime.exec) executes with the privileges of the Yamcs process. A detailed proof-of-concept exploit using a REST PATCH to override an existing algorithm is publicly available in the vendor advisory; the issue is not listed in CISA KEV.

RCE Java Code Injection
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-44174 PHP HIGH PATCH GHSA This Week

Privilege escalation and sensitive-data disclosure in Kirby CMS (versions before 4.9.1 and 5.4.1) let authenticated Panel users invoke arbitrary model methods through unvalidated collection-query parameters. By naming internal methods such as password(), root(), loginPasswordless() or delete() in filter/sort/findBy queries or the equivalent REST API search endpoints, a low-privilege Panel user can leak password hashes and server filesystem paths, take over other accounts, or mass-delete content. No public exploit identified at time of analysis and EPSS is low (0.07%), but the vendor rates real-world impact as high for any site exposing the Panel to untrusted users.

RCE Information Disclosure Privilege Escalation
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-43947 npm HIGH PATCH GHSA This Week

Unauthenticated remote code execution in FUXA 1.3.0 (the fuxa-server npm package) lets any network-reachable attacker run arbitrary OS commands on the SCADA/HMI host when secureEnabled is true. The POST /api/runscript endpoint authorizes a request against a stored script's permission, but with test:true it instead compiles and runs attacker-supplied code via Node's Module._compile, so a guest who knows a valid script ID and name (leaked via the unauthenticated GET /api/project endpoint) can execute code with full Node runtime access. Publicly available exploit code exists in the vendor advisory; no CVSS, EPSS, or CISA KEV data is provided.

RCE Information Disclosure Node.js Authentication Bypass
NVD GitHub
EPSS
0.6%
CVE-2026-43945 npm HIGH PATCH GHSA This Week

Pre-authentication remote code execution affects FUXA, an open-source web-based SCADA/HMI platform, in versions >= 1.2.11 and < 1.3.1 (the advisory references build v1.3.0-2706). The flaw is a path-confusion authentication bypass: the login middleware performs a substring match against the full request URL (including the query string), so appending a benign-looking parameter such as ?x=/socket.io to any administrative request causes the server to treat it as a public WebSocket handshake and skip the secureEnabled and nodeRedAuthMode checks entirely. When Node-RED is enabled with command-capable nodes, this reaches the /nodered/* admin interface and yields code execution in the container context (advisory states 'as root'). The GitHub Security Advisory (GHSA-p69w-mmfv-xrfj) discloses the exact bypass payload, so publicly available exploit details exist; there is no CISA KEV listing and no public report of active exploitation at time of analysis.

RCE Code Injection
NVD GitHub
EPSS
0.7%
CVE-2026-42462 npm HIGH PATCH GHSA This Week

Linked Data Signature forgery in Fedify (the @fedify/fedify ActivityPub server framework) before 2.2.3 lets remote unauthenticated attackers reshape a third-party-signed activity so it is interpreted differently while its signature still verifies. Because the signature covers the canonical RDF graph rather than the JSON-LD serialization, an attacker who has received a signed activity can use JSON-LD keywords (@graph, @reverse, @included) or context-alias tricks to promote, hide, or rewrite fields and have the forged result accepted as authentic. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the GitHub Security Advisory documents the exact restructuring techniques in detail.

RCE Canonical
NVD GitHub
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-42089 npm HIGH PATCH GHSA This Week

Arbitrary package installation leading to code execution affects the yeoman-environment npm library (the runtime behind the Yeoman/`yo` scaffolding CLI) in versions >= 2.9.0 and < 6.0.1. The vulnerable `installLocalGenerators()` method silently calls `repository.install()` on caller-supplied package names without any user confirmation, so a downstream CLI that passes attacker-controlled project configuration into this path will install and execute attacker-chosen packages during bootstrap. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; CVSS is 8.6 (high) but exploitation is contingent on how consumers feed configuration into the library.

RCE Red Hat
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-44444 CRITICAL PATCH Act Now

Host-level code execution in Lumiverse AI chat application (versions prior to 0.9.7) allows admin-authenticated attackers to run arbitrary commands on the host by submitting a malicious Spindle extension whose package.json defines lifecycle scripts. The Spindle build pipeline invokes bun install before its static safety scan and without script execution disabled, so code runs at install time on the server rather than at runtime in any sandboxed bundle. No public exploit identified at time of analysis.

Command Injection RCE Lumiverse
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-44450 CRITICAL PATCH Act Now

Remote code execution in Lumiverse AI chat application prior to 0.9.7 allows any authenticated user to run arbitrary OS-level commands on the server by abusing the MCP server creation endpoint. Although the endpoint allowlists binary names (node, bun, python3, deno), it forwards user-controlled args unfiltered to the child process, and every allowed binary supports inline code execution flags (-e or -c). No public exploit identified at time of analysis, but the CVSS 9.9 rating reflects the trivial exploit path and the fact that the server binds on all interfaces with a bypassable host-header rebinding check.

RCE Lumiverse
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-9568 LOW PATCH Monitor

Code injection in ThingsBoard 4.3.1.0 and 4.3.1.1 allows remote attackers to embed control characters and shell metacharacters into server-generated Docker Compose YAML files and MQTT publish commands via the /api/v1/provision endpoint's getGatewayDockerComposeFile and getMqttPublishCommand functions. Device credential fields - including clientId, userName, password, and credentialsId - are passed unsanitized into YAML and shell command construction, enabling injection of shell special characters such as $, backtick, and double-quote. No public exploit has been identified at time of analysis; SSVC rates exploitation as none and EPSS is 0.04%, though the RCE tag warrants scrutiny given the CVSS 4.0 score of only 2.3.

Code Injection RCE Thingsboard
NVD VulDB GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-9170 CRITICAL PATCH Act Now

Remote code execution and denial of service in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 stem from improper input validation (CWE-444 HTTP Request Smuggling). Unauthenticated network attackers can send crafted requests that desynchronize the plug-in's request parsing, potentially achieving full compromise of the application tier. No public exploit identified at time of analysis, and EPSS remains low (0.06%), but the vendor confirms a patch and CISA SSVC rates the technical impact as total with automatable exploitation.

Denial Of Service IBM Request Smuggling RCE
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-24200 HIGH This Week

Local privilege escalation and code execution in NVIDIA Virtual GPU Manager arises from a use-after-free on stack memory within the vGPU hypervisor component. Authenticated local attackers on the host or guest side of an affected vGPU deployment (vGPU branches 16.x through 20.x) can trigger memory corruption that may yield DoS, info disclosure, data tampering, or arbitrary code execution. No public exploit identified at time of analysis and EPSS is 0.01%, but SSVC rates technical impact as total.

Nvidia Memory Corruption RCE Information Disclosure Use After Free +2
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-24194 HIGH PATCH This Week

Local privilege escalation in NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and vGPU guest drivers) allows an authenticated local user to abuse improper permission handling in a kernel mode layer handler, enabling code execution, privilege elevation, and data tampering. CVSS 7.8 reflects high impact across confidentiality, integrity, and availability, but the attack vector is local and authenticated. No public exploit identified at time of analysis and EPSS is 0.01%, but SSVC marks technical impact as total.

Nvidia RCE Linux Information Disclosure Denial Of Service
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24191 HIGH This Week

Local privilege escalation in NVIDIA Display Driver for Windows (GeForce, RTX/Quadro/NVS, Tesla, and vGPU guest/manager components) stems from a time-of-check time-of-use (TOCTOU) race condition that can be abused by a low-privileged local user. Successful exploitation may yield code execution, privilege escalation, denial of service, information disclosure, or data tampering with scope change beyond the driver's security boundary. No public exploit identified at time of analysis; EPSS is 0.01% and SSVC exploitation status is 'none', so the practical risk is contingent on local access and winning a high-complexity race.

Nvidia RCE Information Disclosure Microsoft Denial Of Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24190 HIGH PATCH This Week

Local privilege escalation in NVIDIA Display Driver for Windows and Linux allows authenticated low-privilege users to improperly access GPU resources via a kernel mode layer flaw, potentially leading to code execution, privilege escalation, information disclosure, data tampering, and denial of service. The issue affects GeForce, RTX/Quadro/NVS, and Tesla product lines across multiple driver branches and carries a CVSS 7.8 (High) score. No public exploit identified at time of analysis, and EPSS probability is very low (0.01%), but the breadth of affected hardware and total technical impact warrant prompt patching.

Nvidia RCE Linux Information Disclosure Microsoft +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24193 HIGH PATCH This Week

Local privilege escalation in the NVIDIA Display Driver for Windows and Linux allows an authenticated low-privileged user to trigger an out-of-bounds write (CWE-787) in the kernel-mode driver, potentially leading to code execution, privilege escalation, information disclosure, data tampering, or denial of service. The flaw affects GeForce, RTX/Quadro/NVS, and Tesla product lines, with NVIDIA confirming the vulnerability and releasing patched driver versions. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.01%.

Nvidia Memory Corruption RCE Information Disclosure Microsoft +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-8633 CRITICAL PATCH Act Now

Remote code execution in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 allows unauthenticated network attackers to execute arbitrary code via a specially crafted HTTP request. The CVSS 9.8 rating reflects complete confidentiality, integrity, and availability impact with no authentication or user interaction required, though EPSS scores it at only 0.20% probability and CISA SSVC reports no current exploitation. No public exploit has been identified at time of analysis, but IBM has released a patch.

Code Injection IBM RCE Web Server Plug Ins For Websphere Application Server And Websphere Liberty
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-24192 HIGH PATCH This Week

Local privilege escalation in NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and Virtual GPU Manager branches) stems from an incorrect numeric type conversion (CWE-681) that produces a heap buffer overflow. A locally authenticated attacker with low privileges can trigger the flaw to achieve code execution, privilege escalation, information disclosure, data tampering, or denial of service. No public exploit identified at time of analysis, and EPSS is very low (0.01%, 1st percentile), but technical impact per SSVC is total.

Nvidia RCE Information Disclosure Buffer Overflow Denial Of Service
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24187 HIGH PATCH This Week

Local privilege escalation and code execution in the NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and vGPU Guest/Manager components) stems from a use-after-free memory corruption flaw (CWE-416) that a local low-privileged user can trigger to compromise the kernel-level driver. The scope-changed CVSS 8.8 score reflects that successful exploitation crosses a trust boundary, potentially yielding code execution, privilege escalation, information disclosure, data tampering, or denial of service. EPSS is 0.01% (1st percentile) and there is no public exploit identified at time of analysis, but a vendor patch is available across all affected branches.

Nvidia Memory Corruption RCE Information Disclosure Use After Free +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7454 HIGH PATCH This Week

Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL (VRML) file, leading to memory corruption that runs attacker-controlled code in the context of the current user. The flaw requires user interaction to open a malicious file and has no public exploit identified at time of analysis, with EPSS estimating only a 0.01% exploitation probability over the next 30 days. SSVC rates technical impact as total but classifies exploitation as 'none' and not automatable, consistent with a client-side file-format attack rather than a wormable internet-facing flaw.

Buffer Overflow RCE 3ds Max
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7452 HIGH PATCH This Week

Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a maliciously crafted WRL (VRML) file, triggering a memory corruption (buffer overflow) condition that runs attacker code in the context of the 3ds Max process. The flaw was reported by Autodesk itself and carries a CVSS 7.8 (local, user-interaction required); no public exploit has been identified and EPSS is 0.01%, indicating no observed exploitation activity to date. SSVC rates technical impact as total but exploitation as none and not automatable, consistent with a file-format parser bug requiring social engineering.

Buffer Overflow RCE 3ds Max
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7451 HIGH PATCH This Week

Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously crafted TIF image file, with impact ranging from process crash to data corruption to code execution in the context of the running application. The flaw requires local file handling and user interaction (UI:R), and there is no public exploit identified at time of analysis. EPSS is negligible (0.01%) and SSVC marks exploitation status as none, but the technical impact is rated total, making this a credible client-side risk for design and VFX workstations.

Memory Corruption Buffer Overflow RCE 3ds Max
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46624 CRITICAL Act Now

Remote code execution in Twenty CRM versions 1.7.7 through 1.16.7 allows authenticated users to execute arbitrary OS commands on the database server by chaining SQL injection in the REST API groupBy endpoint with PostgreSQL's COPY TO PROGRAM functionality. The unsanitized timeZone parameter is interpolated directly into raw SQL via JavaScript template literals, and exploitation succeeds whenever the application's Postgres role holds superuser privileges. Publicly available exploit code exists per SSVC, though EPSS scoring (0.15%) suggests exploitation activity has not yet become widespread.

RCE SQLi PostgreSQL Command Injection Twenty
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-8855 HIGH PATCH This Week

Remote code execution and denial of service in IBM HTTP Server 8.5 and 9.0 affects deployments configured with TLS mutual (client certificate) authentication, where an attacker can trigger code injection (CWE-94) over the network without prior authentication. The flaw carries a CVSS 8.1 score with high attack complexity, and IBM has published a patch (advisory node/7274065); no public exploit has been identified at time of analysis and SSVC marks exploitation as 'none' with total technical impact.

Denial Of Service Code Injection IBM RCE Http Server
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-24162 HIGH This Week

Insecure deserialization in NVIDIA Merlin Transformers4Rec on Linux allows a local attacker to achieve code execution, data tampering, and information disclosure by tricking a user into loading a malicious serialized object. The flaw affects all Main-branch commits prior to March 11, 2026, and currently has no public exploit identified at time of analysis, with a very low EPSS score (0.02%) reflecting limited real-world activity. CISA SSVC classifies exploitation as 'none' but technical impact as 'total', placing it firmly in the supply-chain/MLOps risk category rather than a mass-exploitation threat.

Information Disclosure Nvidia Deserialization RCE Merlin Transformers4Rec
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24212 HIGH This Week

Cleartext transmission of sensitive information in NVIDIA Isaac Launchable for Linux (all versions prior to 1.2) exposes credentials or other sensitive data to attackers on the same adjacent network, potentially enabling downstream code execution, privilege escalation, information disclosure, and data tampering. The flaw carries a CVSS 7.5 (High) rating, but exploitation requires adjacent-network access and high attack complexity, and there is no public exploit identified at time of analysis. EPSS is 0.00% and the issue is not on the CISA KEV list.

Information Disclosure Nvidia RCE Isaac Launchable
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45247 CRITICAL POC KEV PATCH THREAT NEWS Act Now

Remote code execution in Mirasvit Full Page Cache Warmer for Magento 2 before 1.11.12 allows unauthenticated attackers to execute arbitrary code by sending a crafted serialized PHP object in the CacheWarmer cookie. The flaw is confirmed actively exploited (CISA KEV) with publicly available exploit code, and successful exploitation chains Magento and dependency gadget chains via an unsafe call to unserialize(). Despite a low EPSS score (0.10%), KEV listing and CVSS 9.3 indicate this is a high-priority patch for any Magento 2 store running the module.

PHP Adobe Deserialization RCE Full Page Cache Warmer For Magento 2
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
Threat
4.9
CVE-2026-42785 HIGH POC This Week

Remote code execution in OpenKM Community Edition (≤6.3.12) and Professional Edition (≤7.1.47) allows authenticated administrators to execute arbitrary Java/BeanShell code via the /admin/Scripting endpoint using the action=Evaluate parameter. Publicly available exploit code exists (Exploit-DB 52520 and a Nuclei template from Terra System Labs), though no active exploitation has been confirmed in CISA KEV; EPSS sits at 0.42% (62th percentile), reflecting moderate-but-not-widespread interest.

Code Injection Java RCE Openkm Community Edition Openkm Professional Edition
NVD Exploit-DB GitHub VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-41401 HIGH PATCH This Week

Heap use-after-free write in libyang before 5.2.6 enables remote authenticated attackers to crash processes or potentially execute code by submitting crafted YANG XML documents to applications using the library for parsing. The flaw resides in lyd_parser_set_data_flags, which mishandles metadata list pointers when freeing non-head default metadata entries. No public exploit identified at time of analysis, EPSS is low at 0.03%, and SSVC rates technical impact as partial with no automatable exploitation.

Use After Free Memory Corruption RCE Libyang
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-40034 Cargo HIGH POC PATCH GHSA This Week

Command injection in the gitoxide Rust library (gix-submodule crate before 0.82.0, gix before 0.83.0) allows attackers controlling a repository's .gitmodules file to bypass the CommandForbiddenInModulesConfiguration guard and achieve arbitrary command execution when Submodule::update() runs against a previously-initialized submodule. The flaw stems from gix_submodule::File::update() checking only whether a same-named section exists in .git/config rather than verifying that the update value itself originated from that trusted source, so an attacker-supplied 'update = !cmd' falls through to execution. Publicly available exploit code exists (PoC referenced by VulnCheck and Anthropic), though EPSS is low (0.02%) and the issue is not in CISA KEV.

RCE Command Injection Gitoxide
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-40033 HIGH PATCH This Week

Heap buffer overflow in FreeRDP versions prior to 3.26.0 allows a malicious RDP server to write out-of-bounds heap memory on connecting clients through the gdi_CacheToSurface function, potentially leading to remote code execution or client crash. The flaw stems from inconsistent rectangle validation where coordinates are clamped to UINT16_MAX but copy operations use unclamped cache entry dimensions. Publicly available exploit code exists per SSVC, though EPSS exploitation probability remains low at 0.06%.

Heap Overflow Buffer Overflow RCE Freerdp
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-4480 CRITICAL POC PATCH Act Now

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via crafted print job descriptions. The flaw stems from unescaped expansion of the client-controlled '%J' substitution token into the configured 'print command', enabling shell metacharacter injection. No public exploit has been identified at time of analysis, and EPSS scores exploitation probability at only 0.08%, but CVSS 9.0 with scope change reflects high potential impact on any Samba host exposing print services.

RCE Command Injection Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +3
NVD VulDB
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-7310 MEDIUM PATCH CISA This Month

Heap-based buffer overflow in Hitachi Energy MACH HiDraw's XML parser allows a low-privileged, locally authenticated attacker to corrupt heap memory by inducing a victim to open a specially crafted XML file, with a primary impact of high availability loss (application crash) and limited confidentiality and integrity compromise. Affected versions span MACH HiDraw 9.0 through versions prior to 9.22 per EUVD-2026-31812. No public exploit identified at time of analysis, and an EPSS score of 0.01% (3rd percentile) combined with an SSVC exploitation status of 'none' confirm minimal current real-world exploitation activity.

Denial Of Service Heap Overflow Buffer Overflow RCE Mach Hidraw
NVD
CVSS 4.0
4.4
EPSS
0.0%
CVE-2026-48689 CRITICAL Act Now

Remote code execution in FastNetMon Community Edition through 1.2.9 stems from an off-by-one heap write in the pervasively-used dynamic_binary_buffer_t class, reachable by anyone who can send NetFlow, sFlow, IPFIX, or BGP traffic to the DDoS-detection appliance. Because the flawed buffer is exercised during BGP encoding/decoding, NetFlow template parsing, and Flow Spec NLRI construction, an unauthenticated network attacker can corrupt adjacent heap metadata and potentially execute arbitrary code. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), but no public exploit is identified at time of analysis and it is not listed in CISA KEV.

RCE Buffer Overflow Memory Corruption N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-48686 CRITICAL Act Now

Stack-based buffer overflow in FastNetMon Community Edition through 1.2.9 allows remote unauthenticated attackers to achieve arbitrary code execution by sending a crafted BGP UPDATE message containing a malformed NLRI prefix length value. The vulnerable function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the wire without bounding it to the IPv4 maximum of 32, enabling a memcpy of up to 32 bytes into a 4-byte stack variable - a potential 28-byte stack smash. Despite a critical CVSS score of 9.8 and SSVC technical impact rated 'total', EPSS sits at just 0.02% (7th percentile) and SSVC exploitation status is 'none', indicating no known active exploitation at time of analysis; however, a public security research writeup from Lorikeetsecurity exists that details the flaw.

Buffer Overflow RCE N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-24937 HIGH PATCH This Week

Authenticated code injection in the VideoWhisper Broadcast Live Video WordPress plugin (versions before 7.1.3) lets a high-privileged user execute arbitrary PHP on the underlying host, yielding full confidentiality, integrity, and availability loss on the WordPress instance. No public exploit identified at time of analysis, and EPSS exploitation probability sits at 0.04% (14th percentile), but SSVC rates the technical impact as total. A vendor patch is available in 7.1.3.

Code Injection RCE Broadcast Live Video
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2018-25377 HIGH POC This Week

Flash Slideshow Maker Professional 5.20 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by exploiting structured exception. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Flash Slideshow Maker Professional
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25376 HIGH POC This Week

Socusoft 3GP Photo Slideshow 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by exploiting structured exception. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow 3Gp Photo Slideshow
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25375 HIGH POC This Week

SocuSoft iPod Photo Slideshow 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by overwriting the structured exception. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Stack Overflow Buffer Overflow Ipod Photo Slideshow
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25373 HIGH POC This Week

SocuSoft DVD Photo Slideshow Professional 8.07 contains a stack-based buffer overflow vulnerability in the registration name field that allows local attackers to execute arbitrary code by exploiting. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Stack Overflow Buffer Overflow Dvd Photo Slideshow Professional
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25366 HIGH POC This Week

CuteFTP 5.0 XP contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by injecting malicious payload into the Site Manager label field. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Cuteftp
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25360 HIGH POC This Week

AgataSoft Auto PingMaster 1.5 contains a stack-based buffer overflow vulnerability in the Trace Route host name field that allows local attackers to execute arbitrary code by triggering structured. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Stack Overflow Buffer Overflow Auto Pingmaster
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-47072 MEDIUM POC PATCH GHSA This Month

CRLF injection in hackney (Erlang HTTP client, versions 2.0.0-4.0.1) enables header injection into outbound WebSocket upgrade requests when caller-supplied options - host, path, ExtraHeaders, or protocols - contain unsanitized user input. The vulnerable code in src/hackney_ws.erl splices these values verbatim via binary concatenation into a raw HTTP/1.1 upgrade request with no CR, LF, or NUL filtering at any of the four injection sites. No active exploitation is confirmed (not in CISA KEV), though SSVC assesses exploitation status as 'poc' and the fix commit includes a functional test that doubles as a proof-of-concept; EPSS remains very low at 0.05% (15th percentile), consistent with an indirect, application-mediated attack path rather than mass exploitation.

RCE Hackney
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-47075 MEDIUM POC PATCH GHSA This Month

HTTP Request Splitting via CRLF injection in hackney, the Erlang/Elixir HTTP client library, allows an attacker who controls URL input to inject arbitrary HTTP headers or split HTTP/1.1 requests by embedding raw carriage return (\r) or line feed (\n) characters in the query string. The root cause is that hackney_url:make_url/3 passes the query binary directly into the HTTP/1.1 request target without percent-encoding RFC 3986-prohibited characters, violating the grammar defined in RFC 3986 §3.4. All hackney versions from 0 through 4.0.0 are affected; a proof-of-concept exists per SSVC assessment, though no active exploitation is confirmed and the EPSS score (0.02%, 6th percentile) indicates low widespread exploitation probability at time of analysis.

RCE Hackney
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-2651 PyPI CRITICAL PATCH GHSA Act Now

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode enabled to abuse unprotected multipart upload (MPU) endpoints under /mlflow-artifacts/mpu/* and tamper with models owned by other users, enabling model supply chain poisoning and arbitrary code execution when poisoned models are deserialized. The SSVC framework classifies this as having a public proof-of-concept with total technical impact, though EPSS exploitation probability is currently only 0.05% (16th percentile) and no public exploit identified at time of analysis as actively weaponized.

Authentication Bypass RCE Mlflow Mlflow
NVD GitHub
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-9489 HIGH This Week

NitroSense 3.x before 3.01.3052 contains Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges.

Microsoft Path Traversal RCE Privilege Escalation
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-4372 PyPI HIGH PATCH GHSA This Week

Remote code execution in HuggingFace Transformers prior to 5.3.0 allows attackers to achieve arbitrary code execution on a victim's machine by publishing a malicious model whose config.json sets the `_attn_implementation_internal` field to an attacker-controlled Hub repository. When the victim calls the standard `AutoModelForCausalLM.from_pretrained()` API, the library silently downloads and executes Python kernels from that repository with the victim's privileges, bypassing the `trust_remote_code` safety gate. No public exploit is identified at time of analysis (EPSS 0.03%, SSVC exploitation: none), but the technical impact is total and the attack uses the documented, default usage pattern.

Python Deserialization RCE Huggingface Transformers
NVD GitHub
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-3515 PyPI HIGH GHSA This Week

Command injection in Prefect 3.6.18's GitHub integration allows authenticated users to execute arbitrary git commands through the unsanitized reference field. The GitHubRepository block concatenates user input directly into git clone commands, enabling attackers to inject malicious options that can lead to SSRF, credential theft, or remote code execution. While no active exploitation is confirmed, the straightforward attack vector and high impact make this a priority for organizations using Prefect's GitHub integration features.

Gitlab RCE SSRF
NVD
CVSS 3.0
8.5
EPSS
0.1%
CVE-2018-25357 PHP CRITICAL POC PATCH GHSA Act Now

Dolibarr ERP CRM 7.0.3 contains a remote code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection PHP RCE
NVD Exploit-DB GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2018-25356 HIGH POC This Week

SIPp 3.6 and earlier contains a local buffer overflow vulnerability in command-line argument handling that allows local attackers to crash the application or execute arbitrary code. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Suse
NVD Exploit-DB GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25355 HIGH POC This Week

Audiograbber 1.83 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Audiograbber
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25353 HIGH POC This Week

Redaxo CMS Mediapool Addon 5.5.1 and older contains an arbitrary file upload vulnerability that allows authenticated users to bypass file extension blacklist restrictions. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Authentication Bypass Redaxo Cms Mediapool
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2018-25345 HIGH POC This Week

10-Strike Network Scanner 3.0 contains a local buffer overflow vulnerability in the host name field that allows attackers to bypass SafeSEH protections and execute arbitrary code. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Network Scanner
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2018-25344 HIGH POC This Week

10-Strike Network Inventory Explorer 8.54 contains a stack-based buffer overflow vulnerability in the registration key input field that allows local attackers to execute arbitrary code by triggering. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Stack Overflow Network Inventory Explorer
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-9302 LOW POC Monitor

Remote code injection in vps-inventory-monitoring allows authenticated attackers to execute arbitrary PHP code through the VpsTest console command. The vulnerability exists in the eval() function within VpsTest.php, exploitable by manipulating the 'vf' parameter with low attack complexity. Publicly available exploit code exists (GitHub POC published), and the maintainer has not responded to early disclosure attempts. CVSS 6.3 reflects moderate impact across confidentiality, integrity, and availability, with EPSS data unavailable but risk elevated by confirmed POC and unresponsive vendor.

PHP Code Injection RCE
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-5843 HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to achieve RCE on the host by tricking the MLX inference backend into loading a Python file from an attacker-controlled OCI model registry. The MLX-LM library imports the file referenced by config.json's model_file field via importlib without any trust_remote_code gate, and the backend runs unsandboxed as the Docker Desktop user. Patched in Docker Desktop 4.71.0; no public exploit identified at time of analysis and EPSS is very low (0.01%), but the SSVC technical impact is rated total.

Python Apple RCE Docker
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-5817 HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's vllm-metal inference backend on macOS allows any container on the Docker network to trigger host-level RCE by pulling a malicious model from an OCI registry and requesting inference. The Docker Model Runner unconditionally sets trust_remote_code=True and runs without sandboxing, so AutoTokenizer.from_pretrained() loads attacker-controlled Python from the model and executes it as the Docker Desktop user. No public exploit identified at time of analysis; EPSS sits at 0.01% and SSVC marks exploitation as 'none' despite total technical impact.

Python Apple RCE Docker
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-48700 CRITICAL Monitor

An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O.

RCE Pcmanfm Qt Suse
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in the Yamcs mission control framework (org.yamcs:yamcs-core, releases 4.7.3 through 5.12.6) lets a caller of the algorithm-override endpoint run arbitrary Java/OS code on the ground server. The Nashorn JavaScript engine that evaluates user-supplied algorithm text is created without a ClassFilter, so payloads can reach any Java class (e.g. java.lang.Runtime) and execute commands as the Yamcs process user; because the default install (no security.yaml) gives the built-in guest user superuser=true, the endpoint is reachable by an unauthenticated network attacker. A detailed working exploit is published in the GitHub Security Advisory (publicly available exploit code exists); the issue is not listed in CISA KEV and no EPSS score was provided in the input.

Java RCE Code Injection +1
NVD GitHub
EPSS 1% CVSS 8.3
HIGH PATCH This Week

Unauthenticated PHP object deserialization in Symfony's Monolog Bridge affects the development-time `server:log` console command, which by default binds its TCP log listener to 0.0.0.0:9911 and passes every received frame through `unserialize(base64_decode(...))` with no allowed_classes allowlist, authentication, or integrity check. Any host that can reach port 9911 on a machine running `server:log` can crash the listener (unauthenticated DoS) or trigger PHP object injection whose magic-method side effects may reach remote code execution when a usable gadget chain exists in the target's autoload set. No public exploit identified at time of analysis; EPSS is low (0.99%, 77th percentile) and the flaw is not in CISA KEV, consistent with a dev-only tool rather than a production-facing service.

Denial Of Service PHP Deserialization +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Unauthorized OS command execution in Tanium Connect allows an attacker holding low-privilege authenticated access to run arbitrary commands on the host, achieving full compromise of confidentiality, integrity, and availability. The CVSS 8.8 (network vector, low complexity, low privileges, no user interaction) reflects an authenticated remote code execution issue rooted in command injection (CWE-78). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; EPSS data was not provided.

Command Injection RCE Connect
NVD
EPSS 0%
PATCH Awaiting Data

Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/21. he.org>) Linux kernel: Dirty Frag variants — fix merged into netdev (Hyunwoo Kim <imv4bel@...il.com>) Re: Linux kernel: Dirty Frag variants — fix merged into netdev (Solar Designer <solar@...nwall.com>) Re: Linux kernel: Dirty Frag variants — fix merged into netdev (Hyunwoo Kim <imv4bel@...il.com>) CVE-2026-47243: Kata Containers runtime-rs 3.30: virtiofsd symlink escape (Aurelien Bombo <aurelien.bombo@...rosoft.com>) CVE-2026-46473: Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand (Robert Rothenberg <rrwo@...nsec.org>) Re: On the issue of MIME handlers that execute arbitrary code (e.

Linux RCE
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Langroid before 0.63.0 arises because its SQLChatAgent executes SQL text generated by an LLM, and that LLM is steerable through prompt injection — including indirect injection via data returned from the database into the model's context. When the agent connects with a database role holding code-execution or filesystem privileges, an attacker who shapes the agent's input can drive emission of dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM to run OS commands on the database host. A full working proof-of-concept (Base64-smuggled COPY FROM PROGRAM running 'id') is published in the GitHub advisory; there is no entry in CISA KEV, so this reflects publicly available exploit code rather than confirmed active exploitation.

PostgreSQL Python Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Pi.Alert, an open-source WiFi/LAN intruder detector with web-based service monitoring, in all versions prior to the 2026-05-07 release. The web configuration editor writes attacker-controlled content into pialert.conf, which the background scan daemon subsequently evaluates with Python's exec(), so injected statements run with the daemon's privileges. Because the product ships with web protection disabled by default, an attacker reaching the web interface needs no credentials, yielding a CVSS 9.8 critical flaw; no public exploit identified at time of analysis.

Code Injection RCE Python
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Pi.Alert, a Python-based Wi-Fi/LAN intruder detector, in all releases prior to the 2026-05-07 fix. The web UI's SaveConfigFile() endpoint writes attacker-supplied numeric configuration values such as SMTP_PORT into pialert.conf with no validation, and because that file is reloaded via Python's exec() by a background cron job every 3-5 minutes, injected Python executes at the OS level. On default installations (PIALERT_WEB_PROTECTION = False) no credentials are required, matching the CVSS 9.8 network/no-privilege rating; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but trivial complexity and full CIA impact make it a high-priority patch.

Code Injection RCE Python
NVD GitHub VulDB
EPSS 1% CVSS 8.7
HIGH This Week

Remote code execution in RELATE LMS (the inducer/relate web courseware platform) stems from its Celery task queue being configured to accept and unpickle untrusted messages (CELERY_ACCEPT_CONTENT included "pickle"). Because the code-execution sandbox lacks network isolation, an authenticated student can reach the message broker and deliver a malicious pickle payload that the worker deserializes, yielding arbitrary command execution on the host. No public exploit identified at time of analysis; the issue is corrected in commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb.

RCE Deserialization Relate
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution in LiquidJS template engine versions before 10.26.0 lets an attacker who can supply template content escape the rendering context and run arbitrary Node.js code on the host. The `valueOf` filter leaks the engine's internal scope object (`this`), exposing the parser, filter registry, and ultimately the JavaScript Function constructor, which is chained into command execution. Rated CVSS 10.0 (CWE-94) with a complete working proof-of-concept published in the vendor advisory; it has publicly available exploit code but is not listed in CISA KEV, and no EPSS score was provided in the source data.

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation via command injection in Raynet rvia (RayVentory) 12.6.4392.49-amd64.deb allows authenticated local users to achieve arbitrary code execution by exploiting an improperly terminated find query the application uses to locate the Java runtime. The flaw is reachable through the getconfig command, the upload URL argument, and the oracle -o flag, and publicly available exploit code exists on GitHub although no active exploitation has been observed.

Java Command Injection RCE +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Local arbitrary code execution in Raynet rvia 12.6 Update 8 and earlier lets a low-privileged local user inject operating-system commands through the application's Java search feature, which assembles a `find` command from an attacker-controlled path without properly terminating the search criteria (CWE-77 OS command injection). A working proof-of-concept exploit script is publicly available on GitHub (Wise-Security/CVE-2026-38945), and CISA's SSVC framework rates the technical impact as total, though it marks the issue as not automatable and requiring local access. No EPSS score and no CISA KEV listing were supplied, so there is no public exploit identified as actively exploited at time of analysis.

Command Injection RCE Java
NVD GitHub
EPSS 0% CVSS 8.0
HIGH PATCH This Week

PHP object injection in Pimcore (packages pimcore/pimcore and admin-ui-classic-bundle) up to and including version 12.3.6 arises from six code paths calling unserialize() without the allowed_classes restriction on values read from database columns and filesystem files. An attacker who can already write to one of those sources - for example through SQL injection into the tmp_store, sites, or custom_layouts tables, or a file write to the WebDAV delete log - can plant a serialized PHP gadget chain that executes arbitrary code with web-server privileges once the data is deserialized. No public exploit identified at time of analysis (the vendor advisory documents only a conceptual PoC procedure), the CVE is not in CISA KEV, and EPSS is not provided; the issue is fixed in 12.3.7 and rated CVSS 8.0, with the High attack-complexity reflecting its dependence on a separate write primitive and a working gadget chain.

RCE SQLi PHP +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Arbitrary file write in the Jenkins Credentials Binding Plugin (version 720.v3f6decef43ea_ and earlier) lets users who can supply file or zip-file credentials to a job write files to attacker-chosen paths on the node filesystem, escalating to remote code execution when Jenkins is configured to let a low-privileged user configure such credentials for a job running on the built-in node. The flaw stems from missing file-name sanitization on the file and zip credential types. Rated CVSS 7.5 with high attack complexity (AC:H); no public exploit identified at time of analysis and the issue is not in CISA KEV.

RCE Jenkins
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Remote code execution in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha allows network-based attackers to execute arbitrary PHP code via the commonobject.class.php component. The CVSS 7.3 (AV:N/AC:L/PR:N/UI:N) vector indicates no authentication or user interaction is required, though impact metrics are rated Low across CIA. No public exploit identified at time of analysis, and EPSS scoring is very low at 0.06% (18th percentile) despite the unauthenticated network attack surface.

RCE PHP Code Injection
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Remote code execution in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha stems from unsafe use of PHP's call_user_func_array() within the cron job class, enabling attackers to execute arbitrary PHP code on the application server. The vulnerability carries CVSS 7.3 with CWE-94 (Code Injection) classification, and while no public exploit is identified at time of analysis, a security researcher writeup referenced from NVD discusses a five-year history of related dol_eval issues in Dolibarr suggesting recurring weaknesses in this code area. EPSS probability is very low at 0.06% and SSVC reports no observed exploitation, but the issue is rated automatable with partial technical impact.

RCE PHP Code Injection
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Code injection in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha allows a remote, unauthenticated attacker to execute attacker-controlled PHP through the htdocs/core/actions_addupdatedelete.inc.php request handler (CWE-94). The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates a low-effort, network-reachable, no-authentication attack, though all impact metrics are rated Low (C:L/I:L/A:L), suggesting the executable surface is constrained rather than full system takeover. There is no public exploit code confirmed in the provided data and the issue is not in CISA KEV (no observed exploitation per SSVC), but a referenced research write-up and a GitHub Security Advisory exist, and SSVC rates the flaw as automatable.

Code Injection RCE PHP
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary code execution in IBM Aspera High-Speed Transfer Server and Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) arises from a stack-based buffer overflow in the asperahttpd component. An authenticated user with network access can corrupt memory in this HTTP handling component to run code in the context of the service, fully compromising confidentiality, integrity, and availability (CVSS 8.8). No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided.

RCE Stack Overflow IBM +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Transfer Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) through a heap-based buffer overflow in the asperahttpd component. An unauthenticated network attacker can corrupt memory to crash the service (denial of service) and, in the worst case, hijack execution flow to run arbitrary code or bypass authentication. There is no public exploit identified at time of analysis and SSVC lists exploitation as none, but the CVSS 9.8 rating and 'Automatable: yes' assessment mark this as a high-priority patching target.

RCE Denial Of Service Buffer Overflow +3
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitrary code by abusing how the platform handles symbolic links while unpacking uploaded archives. Because extraction does not properly validate symlink targets, a crafted archive can write files outside the intended directory and ultimately achieve code execution on the host. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and is reachable without authentication or user interaction, though no public exploit identified at time of analysis.

RCE Path Traversal IBM
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Remote code execution in Tasmota firmware (v15.3.0.3 and all earlier releases) stems from an unbounded strcpy() into the fixed 40-byte jpg_task.boundary[40] buffer inside fetch_jpg() in the Scripter driver (xdrv_10_scripter.ino). A network attacker able to reach the device and trigger this code path can overflow the buffer and, per the vendor description, execute arbitrary code on the ESP-based device. Publicly available exploit code exists (a CVE-named GitHub repository), and CISA's SSVC framework rates exploitation as POC with the attack automatable; no active exploitation is confirmed.

RCE Buffer Overflow
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Remote code execution in Tasmota firmware version 15.3.0.3 and earlier allows remote unauthenticated attackers to trigger a stack-based buffer overflow in the fetch_jpg() function of the xdrv_10_scripter.ino scripting driver. The flaw is exposed over the network with low complexity and no privileges required (CVSS 7.3 AV:N/AC:L/PR:N/UI:N), and a public proof-of-concept repository has been registered, though no public exploit code was identified in the references at time of analysis. EPSS probability is very low (0.05%, 15th percentile) and the issue is not listed in CISA KEV.

Buffer Overflow RCE Stack Overflow
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Unauthenticated remote command injection in the Netis AC1200 Router (model NC21, firmware V4.0.1.4296) allows any LAN-resident attacker to execute arbitrary OS commands as the router's runtime user via a single HTTP POST to /cgi-bin/skk_set.cgi. The password and new_pwd_confirm parameters are concatenated into a shell invocation without sanitization, and exploitation requires no credentials. No public exploit is identified at time of analysis, though the disclosure repository documents the technique (base64-encoded backtick payloads), and EPSS scoring (0.21%) suggests limited broad exploitation pressure despite the trivial attack complexity.

Command Injection RCE
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

OS command injection in MB connect line / Helmholz mbNET and REX industrial remote-maintenance routers (mbNET.mini up to 3.0.2, REX200/250 and mbNET/mbNET.rokey up to 8.4.4, REX100 up to 3.0.2) lets a high-privilege authenticated user poison the device's configuration generator so that a tainted value is later passed unsanitized to a system execute call, producing arbitrary command execution with total loss of confidentiality, integrity and availability. The flaw was reported through CERT@VDE (advisory VDE-2026-054) and tracked as EUVD-2026-32151. There is no public exploit identified at time of analysis, EPSS is low (0.07%, 22nd percentile), and CISA's SSVC framework rates current exploitation as none.

Command Injection RCE
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Code execution is possible on MB connect line industrial remote-maintenance routers - mbNET/mbNET.rokey, mbNET.mini, and the REX100/REX200/250 families - when a local attacker supplies a specially crafted configuration file on a USB stick that triggers a type-confusion flaw in the device's cfgparser, yielding total loss of confidentiality, integrity, and availability (CVSS 8.4). The flaw requires local/physical access to the device rather than network reach. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.02%, 7th percentile), consistent with the SSVC assessment of no observed exploitation.

RCE
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Synology BeeStation OS versions before 1.3.2-65648 stems from a classic buffer overflow in the AdminCenter component, the device's web-based management interface. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw exploitable by unauthenticated attackers with low complexity and no user interaction, yielding full compromise of confidentiality, integrity, and availability (9.8 Critical). There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated network-RCE profile on a consumer NAS device makes this a high-priority patch target.

RCE Synology Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified vectors. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Synology RCE OpenSSL
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in the WPCode WordPress plugin (versions through 2.3.5) lets authenticated author-level users run arbitrary PHP on the server. Because the plugin registers its 'wpcode' custom post type without a dedicated capability_type, WordPress falls back to standard post capabilities, so any author can create and publish PHP snippet posts via the XML-RPC wp.newPost method, which are later passed to eval() when rendered through the [wpcode] shortcode. EPSS is modest at 0.44% (63rd percentile) and there is no public exploit identified at time of analysis, but the low privilege bar and full CIA impact make this a high-priority patch for any multi-author site.

Code Injection RCE PHP +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Remote code execution in the affiliate-toolkit WordPress plugin ("Multi-Network Affiliate & Amazon Product Display") affects versions up to and including 3.8.5, letting authenticated users with Editor-level access or higher run arbitrary PHP on the host. The flaw stems from the bundled BladeOne template engine's runString() method, which compiles attacker-supplied template content into PHP and executes it through eval() with no sanitization or sandboxing. There is no public exploit identified at time of analysis and EPSS sits at a low 0.24%, but the technical impact is total because a successful injection yields full server-side code execution.

Code Injection RCE PHP +1
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Arbitrary root code execution in Phoenix Contact PLCnext Control devices (all firmware before 2026.0.3) is reachable by an authenticated low-privileged Engineer user who installs APP packages from the PLCnext Store through the Web-based Management (WBM) interface. Because the device never verifies the integrity or signature of the downloaded app (CWE-347, tagged JWT Attack), a tampered package runs as root and can compromise the integrity and availability of the controller. No public exploit is identified at time of analysis and EPSS is low (0.06%, 18th percentile), but the flaw is network-reachable with low attack complexity and a vendor patch (2026.0.3) is available.

RCE Jwt Attack
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the Query Shortcode plugin for WordPress (all versions through 0.2.1) lets authenticated users with contributor-level access or higher coerce the shortcode handler into including and executing arbitrary .php files already present on the server. Because included files are run by the PHP interpreter, this can leak sensitive data, bypass access controls, and escalate to full remote code execution where an attacker can also place a .php file (e.g. via an upload feature). EPSS rates near-term exploitation probability very low (0.07%, 21st percentile) and there is no public exploit identified at time of analysis.

PHP WordPress Information Disclosure +2
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Arbitrary Perl code execution in the IO::Compress distribution (all versions before 2.220) lets an attacker who controls the output glob string passed to the bundled File::GlobMapper run arbitrary Perl at the calling process's privilege. The output glob is wrapped in double quotes and later handed to Perl's eval STRING, so an embedded double quote escapes the string context and the trailing characters execute as code. This is rated CVSS 7.3 and tagged RCE/Code Injection; no public exploit was identified at time of analysis and EPSS is very low (0.03%), but a vendor patch (2.220) and the fixing commit are publicly available.

Code Injection RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

OS command injection in Tanium Connect lets an authenticated, low-privileged user execute arbitrary commands on the underlying host, yielding full confidentiality, integrity, and availability compromise (CVSS 8.8). The flaw affects Connect branches 5.26, 5.29, and 5.37 below their respective fixed builds and is tagged as RCE/Command Injection. There is no public exploit identified at time of analysis, and EPSS estimates exploitation probability at a low 0.07% (22nd percentile).

Command Injection RCE Connect
NVD VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Arbitrary code execution in GDAL 3.1.0 through 3.13.0 is reachable through the netCDF driver, where scanForGeometryContainers (frmts/netcdf/netcdfsg.cpp) copies a CF-convention geometry attribute into a fixed-size stack buffer without checking its length. Any service or workflow that feeds attacker-supplied NetCDF files to GDAL can be coerced into overflowing the stack and running attacker code in the process context. No public exploit is identified at time of analysis and EPSS is just 0.01% (3rd percentile), yet the issue carries a CVSS of 7.4 because the outcome is full remote code execution on the host.

RCE Stack Overflow Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution in Yamcs (Yet Another Mission Control System) versions before 5.12.7 allows an authenticated user holding the ChangeMissionDatabase privilege to run arbitrary OS commands on the server host. The flaw lives in the JavaExprAlgorithmExecutionFactory, which dynamically compiles user-supplied algorithm text with the Janino compiler without any sandbox or restrictive ClassLoader, so injected Java (e.g. java.lang.Runtime.exec) executes with the privileges of the Yamcs process. A detailed proof-of-concept exploit using a REST PATCH to override an existing algorithm is publicly available in the vendor advisory; the issue is not listed in CISA KEV.

RCE Java Code Injection
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation and sensitive-data disclosure in Kirby CMS (versions before 4.9.1 and 5.4.1) let authenticated Panel users invoke arbitrary model methods through unvalidated collection-query parameters. By naming internal methods such as password(), root(), loginPasswordless() or delete() in filter/sort/findBy queries or the equivalent REST API search endpoints, a low-privilege Panel user can leak password hashes and server filesystem paths, take over other accounts, or mass-delete content. No public exploit identified at time of analysis and EPSS is low (0.07%), but the vendor rates real-world impact as high for any site exposing the Panel to untrusted users.

RCE Information Disclosure Privilege Escalation
NVD GitHub
EPSS 1%
HIGH PATCH This Week

Unauthenticated remote code execution in FUXA 1.3.0 (the fuxa-server npm package) lets any network-reachable attacker run arbitrary OS commands on the SCADA/HMI host when secureEnabled is true. The POST /api/runscript endpoint authorizes a request against a stored script's permission, but with test:true it instead compiles and runs attacker-supplied code via Node's Module._compile, so a guest who knows a valid script ID and name (leaked via the unauthenticated GET /api/project endpoint) can execute code with full Node runtime access. Publicly available exploit code exists in the vendor advisory; no CVSS, EPSS, or CISA KEV data is provided.

RCE Information Disclosure Node.js +1
NVD GitHub
EPSS 1%
HIGH PATCH This Week

Pre-authentication remote code execution affects FUXA, an open-source web-based SCADA/HMI platform, in versions >= 1.2.11 and < 1.3.1 (the advisory references build v1.3.0-2706). The flaw is a path-confusion authentication bypass: the login middleware performs a substring match against the full request URL (including the query string), so appending a benign-looking parameter such as ?x=/socket.io to any administrative request causes the server to treat it as a public WebSocket handshake and skip the secureEnabled and nodeRedAuthMode checks entirely. When Node-RED is enabled with command-capable nodes, this reaches the /nodered/* admin interface and yields code execution in the container context (advisory states 'as root'). The GitHub Security Advisory (GHSA-p69w-mmfv-xrfj) discloses the exact bypass payload, so publicly available exploit details exist; there is no CISA KEV listing and no public report of active exploitation at time of analysis.

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Linked Data Signature forgery in Fedify (the @fedify/fedify ActivityPub server framework) before 2.2.3 lets remote unauthenticated attackers reshape a third-party-signed activity so it is interpreted differently while its signature still verifies. Because the signature covers the canonical RDF graph rather than the JSON-LD serialization, an attacker who has received a signed activity can use JSON-LD keywords (@graph, @reverse, @included) or context-alias tricks to promote, hide, or rewrite fields and have the forged result accepted as authentic. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the GitHub Security Advisory documents the exact restructuring techniques in detail.

RCE Canonical
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Arbitrary package installation leading to code execution affects the yeoman-environment npm library (the runtime behind the Yeoman/`yo` scaffolding CLI) in versions >= 2.9.0 and < 6.0.1. The vulnerable `installLocalGenerators()` method silently calls `repository.install()` on caller-supplied package names without any user confirmation, so a downstream CLI that passes attacker-controlled project configuration into this path will install and execute attacker-chosen packages during bootstrap. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; CVSS is 8.6 (high) but exploitation is contingent on how consumers feed configuration into the library.

RCE Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Host-level code execution in Lumiverse AI chat application (versions prior to 0.9.7) allows admin-authenticated attackers to run arbitrary commands on the host by submitting a malicious Spindle extension whose package.json defines lifecycle scripts. The Spindle build pipeline invokes bun install before its static safety scan and without script execution disabled, so code runs at install time on the server rather than at runtime in any sandboxed bundle. No public exploit identified at time of analysis.

Command Injection RCE Lumiverse
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution in Lumiverse AI chat application prior to 0.9.7 allows any authenticated user to run arbitrary OS-level commands on the server by abusing the MCP server creation endpoint. Although the endpoint allowlists binary names (node, bun, python3, deno), it forwards user-controlled args unfiltered to the child process, and every allowed binary supports inline code execution flags (-e or -c). No public exploit identified at time of analysis, but the CVSS 9.9 rating reflects the trivial exploit path and the fact that the server binds on all interfaces with a bypassable host-header rebinding check.

RCE Lumiverse
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Code injection in ThingsBoard 4.3.1.0 and 4.3.1.1 allows remote attackers to embed control characters and shell metacharacters into server-generated Docker Compose YAML files and MQTT publish commands via the /api/v1/provision endpoint's getGatewayDockerComposeFile and getMqttPublishCommand functions. Device credential fields - including clientId, userName, password, and credentialsId - are passed unsanitized into YAML and shell command construction, enabling injection of shell special characters such as $, backtick, and double-quote. No public exploit has been identified at time of analysis; SSVC rates exploitation as none and EPSS is 0.04%, though the RCE tag warrants scrutiny given the CVSS 4.0 score of only 2.3.

Code Injection RCE Thingsboard
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution and denial of service in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 stem from improper input validation (CWE-444 HTTP Request Smuggling). Unauthenticated network attackers can send crafted requests that desynchronize the plug-in's request parsing, potentially achieving full compromise of the application tier. No public exploit identified at time of analysis, and EPSS remains low (0.06%), but the vendor confirms a patch and CISA SSVC rates the technical impact as total with automatable exploitation.

Denial Of Service IBM Request Smuggling +1
NVD VulDB
EPSS 0% CVSS 7.0
HIGH This Week

Local privilege escalation and code execution in NVIDIA Virtual GPU Manager arises from a use-after-free on stack memory within the vGPU hypervisor component. Authenticated local attackers on the host or guest side of an affected vGPU deployment (vGPU branches 16.x through 20.x) can trigger memory corruption that may yield DoS, info disclosure, data tampering, or arbitrary code execution. No public exploit identified at time of analysis and EPSS is 0.01%, but SSVC rates technical impact as total.

Nvidia Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and vGPU guest drivers) allows an authenticated local user to abuse improper permission handling in a kernel mode layer handler, enabling code execution, privilege elevation, and data tampering. CVSS 7.8 reflects high impact across confidentiality, integrity, and availability, but the attack vector is local and authenticated. No public exploit identified at time of analysis and EPSS is 0.01%, but SSVC marks technical impact as total.

Nvidia RCE Linux +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in NVIDIA Display Driver for Windows (GeForce, RTX/Quadro/NVS, Tesla, and vGPU guest/manager components) stems from a time-of-check time-of-use (TOCTOU) race condition that can be abused by a low-privileged local user. Successful exploitation may yield code execution, privilege escalation, denial of service, information disclosure, or data tampering with scope change beyond the driver's security boundary. No public exploit identified at time of analysis; EPSS is 0.01% and SSVC exploitation status is 'none', so the practical risk is contingent on local access and winning a high-complexity race.

Nvidia RCE Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in NVIDIA Display Driver for Windows and Linux allows authenticated low-privilege users to improperly access GPU resources via a kernel mode layer flaw, potentially leading to code execution, privilege escalation, information disclosure, data tampering, and denial of service. The issue affects GeForce, RTX/Quadro/NVS, and Tesla product lines across multiple driver branches and carries a CVSS 7.8 (High) score. No public exploit identified at time of analysis, and EPSS probability is very low (0.01%), but the breadth of affected hardware and total technical impact warrant prompt patching.

Nvidia RCE Linux +4
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the NVIDIA Display Driver for Windows and Linux allows an authenticated low-privileged user to trigger an out-of-bounds write (CWE-787) in the kernel-mode driver, potentially leading to code execution, privilege escalation, information disclosure, data tampering, or denial of service. The flaw affects GeForce, RTX/Quadro/NVS, and Tesla product lines, with NVIDIA confirming the vulnerability and releasing patched driver versions. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.01%.

Nvidia Memory Corruption RCE +4
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 allows unauthenticated network attackers to execute arbitrary code via a specially crafted HTTP request. The CVSS 9.8 rating reflects complete confidentiality, integrity, and availability impact with no authentication or user interaction required, though EPSS scores it at only 0.20% probability and CISA SSVC reports no current exploitation. No public exploit has been identified at time of analysis, but IBM has released a patch.

Code Injection IBM RCE +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and Virtual GPU Manager branches) stems from an incorrect numeric type conversion (CWE-681) that produces a heap buffer overflow. A locally authenticated attacker with low privileges can trigger the flaw to achieve code execution, privilege escalation, information disclosure, data tampering, or denial of service. No public exploit identified at time of analysis, and EPSS is very low (0.01%, 1st percentile), but technical impact per SSVC is total.

Nvidia RCE Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation and code execution in the NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and vGPU Guest/Manager components) stems from a use-after-free memory corruption flaw (CWE-416) that a local low-privileged user can trigger to compromise the kernel-level driver. The scope-changed CVSS 8.8 score reflects that successful exploitation crosses a trust boundary, potentially yielding code execution, privilege escalation, information disclosure, data tampering, or denial of service. EPSS is 0.01% (1st percentile) and there is no public exploit identified at time of analysis, but a vendor patch is available across all affected branches.

Nvidia Memory Corruption RCE +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL (VRML) file, leading to memory corruption that runs attacker-controlled code in the context of the current user. The flaw requires user interaction to open a malicious file and has no public exploit identified at time of analysis, with EPSS estimating only a 0.01% exploitation probability over the next 30 days. SSVC rates technical impact as total but classifies exploitation as 'none' and not automatable, consistent with a client-side file-format attack rather than a wormable internet-facing flaw.

Buffer Overflow RCE 3ds Max
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a maliciously crafted WRL (VRML) file, triggering a memory corruption (buffer overflow) condition that runs attacker code in the context of the 3ds Max process. The flaw was reported by Autodesk itself and carries a CVSS 7.8 (local, user-interaction required); no public exploit has been identified and EPSS is 0.01%, indicating no observed exploitation activity to date. SSVC rates technical impact as total but exploitation as none and not automatable, consistent with a file-format parser bug requiring social engineering.

Buffer Overflow RCE 3ds Max
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously crafted TIF image file, with impact ranging from process crash to data corruption to code execution in the context of the running application. The flaw requires local file handling and user interaction (UI:R), and there is no public exploit identified at time of analysis. EPSS is negligible (0.01%) and SSVC marks exploitation status as none, but the technical impact is rated total, making this a credible client-side risk for design and VFX workstations.

Memory Corruption Buffer Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote code execution in Twenty CRM versions 1.7.7 through 1.16.7 allows authenticated users to execute arbitrary OS commands on the database server by chaining SQL injection in the REST API groupBy endpoint with PostgreSQL's COPY TO PROGRAM functionality. The unsanitized timeZone parameter is interpolated directly into raw SQL via JavaScript template literals, and exploitation succeeds whenever the application's Postgres role holds superuser privileges. Publicly available exploit code exists per SSVC, though EPSS scoring (0.15%) suggests exploitation activity has not yet become widespread.

RCE SQLi PostgreSQL +2
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution and denial of service in IBM HTTP Server 8.5 and 9.0 affects deployments configured with TLS mutual (client certificate) authentication, where an attacker can trigger code injection (CWE-94) over the network without prior authentication. The flaw carries a CVSS 8.1 score with high attack complexity, and IBM has published a patch (advisory node/7274065); no public exploit has been identified at time of analysis and SSVC marks exploitation as 'none' with total technical impact.

Denial Of Service Code Injection IBM +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Insecure deserialization in NVIDIA Merlin Transformers4Rec on Linux allows a local attacker to achieve code execution, data tampering, and information disclosure by tricking a user into loading a malicious serialized object. The flaw affects all Main-branch commits prior to March 11, 2026, and currently has no public exploit identified at time of analysis, with a very low EPSS score (0.02%) reflecting limited real-world activity. CISA SSVC classifies exploitation as 'none' but technical impact as 'total', placing it firmly in the supply-chain/MLOps risk category rather than a mass-exploitation threat.

Information Disclosure Nvidia Deserialization +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Cleartext transmission of sensitive information in NVIDIA Isaac Launchable for Linux (all versions prior to 1.2) exposes credentials or other sensitive data to attackers on the same adjacent network, potentially enabling downstream code execution, privilege escalation, information disclosure, and data tampering. The flaw carries a CVSS 7.5 (High) rating, but exploitation requires adjacent-network access and high attack complexity, and there is no public exploit identified at time of analysis. EPSS is 0.00% and the issue is not on the CISA KEV list.

Information Disclosure Nvidia RCE +1
NVD
EPSS 0% 4.9 CVSS 9.3
CRITICAL POC KEV PATCH THREAT Act Now

Remote code execution in Mirasvit Full Page Cache Warmer for Magento 2 before 1.11.12 allows unauthenticated attackers to execute arbitrary code by sending a crafted serialized PHP object in the CacheWarmer cookie. The flaw is confirmed actively exploited (CISA KEV) with publicly available exploit code, and successful exploitation chains Magento and dependency gadget chains via an unsafe call to unserialize(). Despite a low EPSS score (0.10%), KEV listing and CVSS 9.3 indicate this is a high-priority patch for any Magento 2 store running the module.

PHP Adobe Deserialization +2
NVD VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

Remote code execution in OpenKM Community Edition (≤6.3.12) and Professional Edition (≤7.1.47) allows authenticated administrators to execute arbitrary Java/BeanShell code via the /admin/Scripting endpoint using the action=Evaluate parameter. Publicly available exploit code exists (Exploit-DB 52520 and a Nuclei template from Terra System Labs), though no active exploitation has been confirmed in CISA KEV; EPSS sits at 0.42% (62th percentile), reflecting moderate-but-not-widespread interest.

Code Injection Java RCE +2
NVD Exploit-DB GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Heap use-after-free write in libyang before 5.2.6 enables remote authenticated attackers to crash processes or potentially execute code by submitting crafted YANG XML documents to applications using the library for parsing. The flaw resides in lyd_parser_set_data_flags, which mishandles metadata list pointers when freeing non-head default metadata entries. No public exploit identified at time of analysis, EPSS is low at 0.03%, and SSVC rates technical impact as partial with no automatable exploitation.

Use After Free Memory Corruption RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH POC PATCH This Week

Command injection in the gitoxide Rust library (gix-submodule crate before 0.82.0, gix before 0.83.0) allows attackers controlling a repository's .gitmodules file to bypass the CommandForbiddenInModulesConfiguration guard and achieve arbitrary command execution when Submodule::update() runs against a previously-initialized submodule. The flaw stems from gix_submodule::File::update() checking only whether a same-named section exists in .git/config rather than verifying that the update value itself originated from that trusted source, so an attacker-supplied 'update = !cmd' falls through to execution. Publicly available exploit code exists (PoC referenced by VulnCheck and Anthropic), though EPSS is low (0.02%) and the issue is not in CISA KEV.

RCE Command Injection Gitoxide
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Heap buffer overflow in FreeRDP versions prior to 3.26.0 allows a malicious RDP server to write out-of-bounds heap memory on connecting clients through the gdi_CacheToSurface function, potentially leading to remote code execution or client crash. The flaw stems from inconsistent rectangle validation where coordinates are clamped to UINT16_MAX but copy operations use unclamped cache entry dimensions. Publicly available exploit code exists per SSVC, though EPSS exploitation probability remains low at 0.06%.

Heap Overflow Buffer Overflow RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL POC PATCH Act Now

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via crafted print job descriptions. The flaw stems from unescaped expansion of the client-controlled '%J' substitution token into the configured 'print command', enabling shell metacharacter injection. No public exploit has been identified at time of analysis, and EPSS scores exploitation probability at only 0.08%, but CVSS 9.0 with scope change reflects high potential impact on any Samba host exposing print services.

RCE Command Injection Red Hat Enterprise Linux 10 +5
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Heap-based buffer overflow in Hitachi Energy MACH HiDraw's XML parser allows a low-privileged, locally authenticated attacker to corrupt heap memory by inducing a victim to open a specially crafted XML file, with a primary impact of high availability loss (application crash) and limited confidentiality and integrity compromise. Affected versions span MACH HiDraw 9.0 through versions prior to 9.22 per EUVD-2026-31812. No public exploit identified at time of analysis, and an EPSS score of 0.01% (3rd percentile) combined with an SSVC exploitation status of 'none' confirm minimal current real-world exploitation activity.

Denial Of Service Heap Overflow Buffer Overflow +2
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in FastNetMon Community Edition through 1.2.9 stems from an off-by-one heap write in the pervasively-used dynamic_binary_buffer_t class, reachable by anyone who can send NetFlow, sFlow, IPFIX, or BGP traffic to the DDoS-detection appliance. Because the flawed buffer is exercised during BGP encoding/decoding, NetFlow template parsing, and Flow Spec NLRI construction, an unauthenticated network attacker can corrupt adjacent heap metadata and potentially execute arbitrary code. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), but no public exploit is identified at time of analysis and it is not listed in CISA KEV.

RCE Buffer Overflow Memory Corruption +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Stack-based buffer overflow in FastNetMon Community Edition through 1.2.9 allows remote unauthenticated attackers to achieve arbitrary code execution by sending a crafted BGP UPDATE message containing a malformed NLRI prefix length value. The vulnerable function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the wire without bounding it to the IPv4 maximum of 32, enabling a memcpy of up to 32 bytes into a 4-byte stack variable - a potential 28-byte stack smash. Despite a critical CVSS score of 9.8 and SSVC technical impact rated 'total', EPSS sits at just 0.02% (7th percentile) and SSVC exploitation status is 'none', indicating no known active exploitation at time of analysis; however, a public security research writeup from Lorikeetsecurity exists that details the flaw.

Buffer Overflow RCE N A
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Authenticated code injection in the VideoWhisper Broadcast Live Video WordPress plugin (versions before 7.1.3) lets a high-privileged user execute arbitrary PHP on the underlying host, yielding full confidentiality, integrity, and availability loss on the WordPress instance. No public exploit identified at time of analysis, and EPSS exploitation probability sits at 0.04% (14th percentile), but SSVC rates the technical impact as total. A vendor patch is available in 7.1.3.

Code Injection RCE Broadcast Live Video
NVD
EPSS 0% CVSS 8.6
HIGH POC This Week

Flash Slideshow Maker Professional 5.20 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by exploiting structured exception. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Flash Slideshow Maker Professional
NVD Exploit-DB
EPSS 0% CVSS 8.6
HIGH POC This Week

Socusoft 3GP Photo Slideshow 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by exploiting structured exception. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow 3Gp Photo Slideshow
NVD Exploit-DB
EPSS 0% CVSS 8.6
HIGH POC This Week

SocuSoft iPod Photo Slideshow 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by overwriting the structured exception. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Stack Overflow Buffer Overflow +1
NVD Exploit-DB
EPSS 0% CVSS 8.6
HIGH POC This Week

SocuSoft DVD Photo Slideshow Professional 8.07 contains a stack-based buffer overflow vulnerability in the registration name field that allows local attackers to execute arbitrary code by exploiting. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Stack Overflow Buffer Overflow +1
NVD Exploit-DB
EPSS 0% CVSS 8.6
HIGH POC This Week

CuteFTP 5.0 XP contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by injecting malicious payload into the Site Manager label field. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Cuteftp
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

AgataSoft Auto PingMaster 1.5 contains a stack-based buffer overflow vulnerability in the Trace Route host name field that allows local attackers to execute arbitrary code by triggering structured. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Stack Overflow Buffer Overflow +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

CRLF injection in hackney (Erlang HTTP client, versions 2.0.0-4.0.1) enables header injection into outbound WebSocket upgrade requests when caller-supplied options - host, path, ExtraHeaders, or protocols - contain unsanitized user input. The vulnerable code in src/hackney_ws.erl splices these values verbatim via binary concatenation into a raw HTTP/1.1 upgrade request with no CR, LF, or NUL filtering at any of the four injection sites. No active exploitation is confirmed (not in CISA KEV), though SSVC assesses exploitation status as 'poc' and the fix commit includes a functional test that doubles as a proof-of-concept; EPSS remains very low at 0.05% (15th percentile), consistent with an indirect, application-mediated attack path rather than mass exploitation.

RCE Hackney
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

HTTP Request Splitting via CRLF injection in hackney, the Erlang/Elixir HTTP client library, allows an attacker who controls URL input to inject arbitrary HTTP headers or split HTTP/1.1 requests by embedding raw carriage return (\r) or line feed (\n) characters in the query string. The root cause is that hackney_url:make_url/3 passes the query binary directly into the HTTP/1.1 request target without percent-encoding RFC 3986-prohibited characters, violating the grammar defined in RFC 3986 §3.4. All hackney versions from 0 through 4.0.0 are affected; a proof-of-concept exists per SSVC assessment, though no active exploitation is confirmed and the EPSS score (0.02%, 6th percentile) indicates low widespread exploitation probability at time of analysis.

RCE Hackney
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode enabled to abuse unprotected multipart upload (MPU) endpoints under /mlflow-artifacts/mpu/* and tamper with models owned by other users, enabling model supply chain poisoning and arbitrary code execution when poisoned models are deserialized. The SSVC framework classifies this as having a public proof-of-concept with total technical impact, though EPSS exploitation probability is currently only 0.05% (16th percentile) and no public exploit identified at time of analysis as actively weaponized.

Authentication Bypass RCE Mlflow Mlflow
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

NitroSense 3.x before 3.01.3052 contains Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges.

Microsoft Path Traversal RCE +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Remote code execution in HuggingFace Transformers prior to 5.3.0 allows attackers to achieve arbitrary code execution on a victim's machine by publishing a malicious model whose config.json sets the `_attn_implementation_internal` field to an attacker-controlled Hub repository. When the victim calls the standard `AutoModelForCausalLM.from_pretrained()` API, the library silently downloads and executes Python kernels from that repository with the victim's privileges, bypassing the `trust_remote_code` safety gate. No public exploit is identified at time of analysis (EPSS 0.03%, SSVC exploitation: none), but the technical impact is total and the attack uses the documented, default usage pattern.

Python Deserialization RCE +1
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

Command injection in Prefect 3.6.18's GitHub integration allows authenticated users to execute arbitrary git commands through the unsanitized reference field. The GitHubRepository block concatenates user input directly into git clone commands, enabling attackers to inject malicious options that can lead to SSRF, credential theft, or remote code execution. While no active exploitation is confirmed, the straightforward attack vector and high impact make this a priority for organizations using Prefect's GitHub integration features.

Gitlab RCE SSRF
NVD
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Dolibarr ERP CRM 7.0.3 contains a remote code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection PHP RCE
NVD Exploit-DB GitHub
EPSS 0% CVSS 8.6
HIGH POC This Week

SIPp 3.6 and earlier contains a local buffer overflow vulnerability in command-line argument handling that allows local attackers to crash the application or execute arbitrary code. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Suse
NVD Exploit-DB GitHub
EPSS 0% CVSS 8.6
HIGH POC This Week

Audiograbber 1.83 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Audiograbber
NVD Exploit-DB
EPSS 0% CVSS 8.7
HIGH POC This Week

Redaxo CMS Mediapool Addon 5.5.1 and older contains an arbitrary file upload vulnerability that allows authenticated users to bypass file extension blacklist restrictions. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Authentication Bypass +1
NVD Exploit-DB
EPSS 0% CVSS 8.6
HIGH POC This Week

10-Strike Network Scanner 3.0 contains a local buffer overflow vulnerability in the host name field that allows attackers to bypass SafeSEH protections and execute arbitrary code. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Network Scanner
NVD Exploit-DB
EPSS 0% CVSS 8.6
HIGH POC This Week

10-Strike Network Inventory Explorer 8.54 contains a stack-based buffer overflow vulnerability in the registration key input field that allows local attackers to execute arbitrary code by triggering. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Stack Overflow +1
NVD Exploit-DB
EPSS 0% CVSS 2.1
LOW POC Monitor

Remote code injection in vps-inventory-monitoring allows authenticated attackers to execute arbitrary PHP code through the VpsTest console command. The vulnerability exists in the eval() function within VpsTest.php, exploitable by manipulating the 'vf' parameter with low attack complexity. Publicly available exploit code exists (GitHub POC published), and the maintainer has not responded to early disclosure attempts. CVSS 6.3 reflects moderate impact across confidentiality, integrity, and availability, with EPSS data unavailable but risk elevated by confirmed POC and unresponsive vendor.

PHP Code Injection RCE
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to achieve RCE on the host by tricking the MLX inference backend into loading a Python file from an attacker-controlled OCI model registry. The MLX-LM library imports the file referenced by config.json's model_file field via importlib without any trust_remote_code gate, and the backend runs unsandboxed as the Docker Desktop user. Patched in Docker Desktop 4.71.0; no public exploit identified at time of analysis and EPSS is very low (0.01%), but the SSVC technical impact is rated total.

Python Apple RCE +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's vllm-metal inference backend on macOS allows any container on the Docker network to trigger host-level RCE by pulling a malicious model from an OCI registry and requesting inference. The Docker Model Runner unconditionally sets trust_remote_code=True and runs without sandboxing, so AutoTokenizer.from_pretrained() loads attacker-controlled Python from the model and executes it as the Docker Desktop user. No public exploit identified at time of analysis; EPSS sits at 0.01% and SSVC marks exploitation as 'none' despite total technical impact.

Python Apple RCE +1
NVD
EPSS 0% CVSS 9.3
CRITICAL Monitor

An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O.

RCE Pcmanfm Qt Suse
NVD GitHub VulDB
Prev Page 15 of 355 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy