Skip to main content

RCE

31887 CVEs technique

Monthly

CVE-2026-8521 HIGH PATCH This Week

Use after free in Tab Groups in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8518 HIGH PATCH This Week

Use after free in Blink in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)

Denial Of Service Use After Free Memory Corruption RCE Google +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-8517 HIGH PATCH This Week

Object lifecycle issue in WebShare in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

RCE Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-8509 HIGH PATCH This Week

Heap buffer overflow in WebML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)

Heap Overflow Google RCE Buffer Overflow Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-8597 PyPI MEDIUM PATCH GHSA This Month

Remote authenticated actors with S3 write access can achieve code execution in Amazon SageMaker Triton inference containers by replacing model artifacts with malicious pickle payloads that are deserialized without integrity verification. Affected versions are SDK v2 before v2.257.2 and v3 before v3.8.0. The vulnerability requires high-privilege S3 access to the model artifact path but carries severe impact including arbitrary code execution within inference containers. No public exploit code or active exploitation has been identified at time of analysis.

Python RCE
NVD GitHub VulDB
CVSS 4.0
6.4
EPSS
0.1%
CVE-2026-8596 PyPI HIGH PATCH GHSA This Week

Cleartext HMAC signing key exposure in Amazon SageMaker Python SDK versions <2.257.2 and <3.8.0 enables authenticated attackers with SageMaker describe API and S3 write permissions to forge model artifact integrity signatures and achieve remote code execution in inference containers. AWS released patches in v2.257.2 and v3.8.0 with security fixes addressing Triton HMAC key exposure and missing integrity checks. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting limited exploitation activity despite high CVSS score.

Python RCE
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.2%
CVE-2026-8634 Go CRITICAL PATCH GHSA Act Now

Crabbox versions before 0.12.0 leak local secrets through environment variable forwarding during remote command execution. When users run commands against malicious or compromised repositories, attackers exploit overly permissive environment variable allowlisting in repository-local configuration files to exfiltrate API tokens, cloud credentials, and broker tokens into the remote execution environment. The vendor released v0.12.0 on May 12, 2026 with fixes including `--allow-env` explicit allowlisting and `--env-from-profile` for safer secret forwarding. No public exploit identified at time of analysis, though the attack surface is straightforward for attackers controlling repository configuration.

Code Injection RCE Crabbox
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-43907 HIGH PATCH This Week

Heap buffer overflow in OpenImageIO 3.0.x (before 3.0.18.0) and 3.1.x (before 3.1.13.0) allows remote attackers to achieve denial of service or potentially arbitrary code execution via crafted DPX image files. The vulnerability stems from signed integer overflow in buffer size calculations within the DPX color converter, causing undersized heap allocations. Attack requires victim to open a malicious DPX file (user interaction required per CVSS UI:R). No public exploit code or active exploitation confirmed at time of analysis, though the technical details in the GitHub advisory provide sufficient detail for proof-of-concept development.

Integer Overflow Denial Of Service RCE Buffer Overflow Suse
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-43906 HIGH PATCH This Week

Heap-based buffer overflow in OpenImageIO's HEIF decoder enables arbitrary code execution via crafted image files. Affects OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0. Exploitation requires local access and user interaction (opening a malicious image file), but no authentication. Attack complexity is low once the malicious file is delivered. Vendor-released patches available in versions 3.0.18.0 and 3.1.13.0. No confirmed active exploitation (not listed in CISA KEV) and no public POC identified at time of analysis, though the technical details suggest straightforward exploitation once the attacker can deliver a crafted HEIF image to a target user.

Heap Overflow RCE Buffer Overflow Suse
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-44968 PyPI MEDIUM PATCH GHSA This Month

Argument injection in dbt-mcp v1.15.1 through v1.17.0 allows MCP clients to inject arbitrary dbt command-line flags such as --profiles-dir, --project-dir, and --target via unsanitized node_selection and resource_type parameters, enabling attackers to redirect dbt's configuration and database operations to attacker-controlled locations. The vulnerability is exploitable via two independent vectors in the _run_dbt_command() function and has been verified by proof-of-concept code demonstrating arbitrary dbt profile injection. Vendor-released patch available in v1.17.1.

Python RCE
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-15024 HIGH This Week

Remote code inclusion in Yordam Library Automation System versions 19.5 through 22.0 allows unauthenticated attackers to execute arbitrary code with high integrity and confidentiality impact via user interaction. The vulnerability was reported by Turkey's National Cyber Security Directorate (USOM), indicating potential targeting of Turkish government or educational institutions using this library management software. With network-accessible attack vector and low complexity (CVSS AV:N/AC:L), this represents a significant risk to organizations running unpatched versions despite requiring user interaction (UI:R).

Code Injection RCE
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44827 PyPI HIGH PATCH GHSA This Week

Remote code execution in HuggingFace Diffusers library (versions < 0.38.0) allows attackers to execute arbitrary Python code when victims load malicious pipelines from Hugging Face Hub repositories. The vulnerability bypasses the trust_remote_code=True safeguard through a type coercion flaw where None values are interpolated as 'None.py' filenames. Attackers can achieve silent code execution by publishing repositories containing a malicious None.py file alongside legitimate-looking configuration, requiring only that victims call DiffusionPipeline.from_pretrained() on the attacker's repository. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patch: version 0.38.0.

Python Code Injection RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-44881 Go HIGH PATCH GHSA This Week

Arbitrary file read in Portainer Community Edition allows authenticated low-privileged users to exfiltrate any file readable by the Portainer process — commonly root — by submitting a Git-backed stack whose docker-compose.yml is a symlink to a target like /etc/shadow or a Kubernetes service account token. The flaw stems from go-git v5 materializing Git symlink blobs as real OS symlinks during checkout combined with GetFileContent reading the entry point through os.ReadFile without resolving links, and is amplified by Portainer's scheduled stack auto-update, which lets a previously benign repository turn malicious after initial review. A fully validated proof-of-concept exists from the reporter (b-hermes), but there is no public exploit identified at time of analysis and no CISA KEV listing.

Kubernetes Docker RCE
NVD GitHub
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-46480 npm HIGH PATCH GHSA This Week

Cross-workspace evaluator takeover in FlowiseAI Flowise (npm package flowise) versions <= 3.1.1 allows an authenticated workspace member to overwrite an Evaluator entity's workspaceId via mass assignment, breaking tenant isolation. The Evaluator controller in packages/server/src/Interface.Evaluation.ts uses Object.assign(entity, body) without an allowlist, so a PUT request containing a chosen workspaceId reassigns ownership of the row to any other workspace whose UUID the attacker knows. No public exploit identified at time of analysis, but the issue is documented in detail in GHSA-wxrr-jp8m-qq7f and a vendor patch is available in release 3.1.2.

RCE
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-46479 npm HIGH PATCH GHSA This Week

Cross-workspace data takeover in FlowiseAI Flowise versions 3.1.1 and earlier allows any authenticated workspace member to reassign Evaluation entities to arbitrary workspaces by exploiting a mass assignment flaw in the evaluations service. The vulnerability stems from unsanitized use of Object.assign() on user-controlled request bodies, enabling clients to overwrite protected fields including workspaceId and id. No public exploit identified at time of analysis, though the GHSA advisory and patch diff provide sufficient detail to reconstruct one trivially.

RCE
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-46478 npm HIGH PATCH GHSA This Week

Cross-workspace data takeover in FlowiseAI Flowise versions 3.1.1 and earlier allows any authenticated workspace member to reassign DatasetRow records to arbitrary workspaces by injecting a workspaceId field into create or update request bodies. The DatasetRow service in packages/server/src/services/dataset/index.ts uses Object.assign without a field allowlist, accepting client-controlled ownership columns directly into the persisted entity. No public exploit identified at time of analysis, but the patched commit (49a2259) and source review make exploitation mechanically straightforward for anyone with edit permission.

RCE
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-46477 npm HIGH PATCH GHSA This Week

Cross-workspace dataset takeover in FlowiseAI Flowise (<=3.1.1) allows any authenticated workspace member to reassign Dataset entities to an arbitrary workspace by submitting a crafted workspaceId field in create/update request bodies. The flaw stems from an unfiltered Object.assign(entity, body) call in packages/server/src/services/dataset/index.ts, breaking tenant isolation in this multi-workspace LLM orchestration platform. No public exploit identified at time of analysis, though the GHSA-5h9v-837x-m97r advisory includes step-by-step exploitation details and the vendor confirms PoC verification via source inspection.

RCE
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-46476 npm HIGH PATCH GHSA This Week

Cross-workspace data takeover in FlowiseAI Flowise <= 3.1.1 allows any authenticated workspace member to reassign CustomTemplate entities to arbitrary workspaces by injecting a `workspaceId` field in the request body, exploiting mass assignment in the marketplaces controller. The flaw breaks tenant isolation and enables IDOR-style template hijacking. No public exploit identified at time of analysis, though the GHSA advisory contains a fully documented exploit chain.

RCE
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-46475 npm HIGH PATCH GHSA This Week

Cross-workspace assistant takeover in FlowiseAI Flowise <= 3.1.1 allows any authenticated workspace member to reassign Assistant entities (including their system prompts, tool configurations, and embedded credentials) to arbitrary other workspaces by submitting a client-controlled workspaceId in create or update request bodies. The flaw stems from unfiltered Object.assign() on user input in packages/server/src/services/assistants/index.ts, enabling tenant-isolation bypass and IDOR. No public exploit identified at time of analysis, though the vendor advisory GHSA-78pr-c5x5-jggc includes a detailed PoC walkthrough making weaponization straightforward.

RCE
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-42881 HIGH PATCH This Week

Path traversal in STIGQter 0.1.2 through 1.2.6 allows local code execution when users open malicious .stigqter files and explicitly run the 'Export HTML' action. The CWE-22 path traversal flaw enables attackers to write arbitrary files with the victim's privileges, achieving code execution. User interaction is mandatory - victims must both open a crafted file and trigger the specific export function. No public exploit code or active exploitation has been identified at time of analysis, though the attack path is straightforward for targeted social engineering. Fixed in version 1.2.7 per vendor advisory.

RCE Path Traversal
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-69443 MEDIUM This Month

Remote code execution in Archon 0.1.0 enables attackers to execute arbitrary commands and steal API keys when victims access a malicious HTML page. The attack exploits insufficient input validation (CWE-94) to control the Archon UI, run prompts on behalf of authenticated users, and exfiltrate all information displayed in the interface. With EPSS score of 0.04% (13th percentile) and no confirmed active exploitation, this represents a web-to-client attack requiring social engineering but offering significant post-exploitation capabilities once triggered.

RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-62628 HIGH This Week

Arbitrary code execution in AMD optional tools occurs through DLL injection during unsafe OpenSSL initialization, allowing local authenticated attackers with low-privilege user access and user interaction to execute malicious code with high impact to confidentiality, integrity, and availability. The vulnerability stems from insecure library loading (CWE-427) where the affected AMD utilities fail to validate DLL search paths during OpenSSL library initialization. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once local access is obtained.

Amd RCE OpenSSL
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-41249 PHP HIGH GHSA This Week

Remote code execution in CoreShop's GitHub Actions CI/CD pipeline allows unauthenticated attackers to compromise the build infrastructure and exfiltrate repository secrets by submitting a malicious pull request. The vulnerability stems from the dangerous combination of pull_request_target trigger with unverified code checkout, enabling attackers to execute arbitrary commands (bin/console) on GitHub-hosted runners with access to sensitive credentials including PIMCORE_SECRET and PIMCORE_PRODUCT_KEY. This 'Pwn Request' attack pattern (CWE-94: Code Injection) affects version 5.0.0 with no vendor patch currently released. The attack requires zero authentication (PR:N) and low complexity (AC:L), representing a critical supply chain security risk for organizations using CoreShop.

PHP Code Injection RCE
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-24000 Go MEDIUM PATCH GHSA This Month

Fleet trusts untrusted client-supplied IP address headers (X-Forwarded-For, X-Real-IP, True-Client-IP) when determining source IP for incoming requests, allowing both authenticated and unauthenticated attackers to spoof their apparent IP address and bypass per-IP rate limiting controls. This enables brute-force and password-spraying attacks against authentication endpoints to scale without triggering rate-limit protections, though the vulnerability does not itself enable authentication bypass, privilege escalation, data exposure, or remote code execution.

Authentication Bypass Privilege Escalation Information Disclosure RCE
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-6637 HIGH PATCH This Week

Stack buffer overflow in PostgreSQL's refint module allows low-privileged database users to execute arbitrary code as the database operating system user across all supported versions before 14.23, 15.18, 16.14, 17.10, and 18.4. The vulnerability enables two distinct attack paths: direct stack overflow leading to OS-level code execution, and SQL injection when applications expose user-controlled columns configured as refint cascade primary keys. With CVSS 8.8 (AV:N/AC:L/PR:L) and network-based exploitation requiring only low-privilege database credentials, this represents a critical privilege escalation risk for PostgreSQL deployments. No active exploitation (CISA KEV) or public POC identified at time of analysis.

Stack Overflow SQLi Buffer Overflow PostgreSQL RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6473 HIGH PATCH This Week

Remote code execution in PostgreSQL (versions 14.x-18.x) allows authenticated database users to execute arbitrary code as the database operating system user via integer wraparound vulnerabilities in multiple server features. By passing gigabyte-scale inputs to affected database functions, attackers trigger allocation undersizing that leads to out-of-bounds writes. No active exploitation confirmed (not in CISA KEV), but CVSS 8.8 with network vector and low complexity indicates high exploitability once technical details become public. EPSS data not available at time of analysis.

Integer Overflow PostgreSQL RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-6271 CRITICAL Act Now

Unauthenticated arbitrary file upload in the Career Section WordPress plugin (versions through 1.7) enables remote code execution by abusing the CV upload handler, which lacks file type validation. Any attacker who can reach the upload endpoint can drop executable PHP files and gain code execution on the underlying WordPress host. No public exploit identified at time of analysis, but the CVSS 9.8 rating combined with SSVC 'automatable: yes' indicates this is a strong candidate for opportunistic mass exploitation once tooling appears.

File Upload WordPress RCE Career Section
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-6335 MEDIUM PATCH This Month

Cross-site scripting in GitLab CE/EE 18.11.x (before 18.11.3) enables an authenticated low-privilege attacker to inject unsanitized content that executes arbitrary JavaScript within another user's browser session. The CVSS Scope Changed (S:C) flag reflects the cross-user impact boundary: the vulnerability allows one GitLab principal to affect a distinct security context belonging to a different user, including potentially higher-privileged accounts such as project owners or instance administrators. No public exploit code exists and no active exploitation has been identified - EPSS at 0.02% (5th percentile) and SSVC exploitation status of 'none' both confirm low immediate urgency - though GitLab's wide enterprise deployment makes patching to 18.11.3 advisable.

XSS Gitlab RCE
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-12669 MEDIUM PATCH This Month

HTML and JavaScript injection via email notifications in GitLab CE/EE (versions 15.11 through 18.11.2) allows an authenticated low-privileged user to deliver malicious content to other users' inboxes by embedding unsanitized markup into platform-generated notifications. The attack crosses a scope boundary (S:C in CVSS) because the injected code executes in the recipient's email client or browser context rather than GitLab itself, enabling phishing, credential harvesting, or session theft against targeted users. No public exploit has been identified at time of analysis and SSVC signals no active exploitation, though the broad version range - spanning over three years of releases - expands the exposed population significantly.

Code Injection Gitlab RCE
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45158 CRITICAL PATCH Act Now

Remote code execution in OPNsense firewall (core versions prior to 26.1.8) allows authenticated administrators to execute arbitrary commands as root by injecting shell metacharacters into DHCP interface configuration fields that are passed unsanitized to an underlying shell script. The flaw carries a 9.1 CVSS score with scope change reflecting privilege escalation from the web UI context to OS root, though no public exploit has been identified at time of analysis and EPSS estimates only a 0.23% probability of near-term exploitation.

RCE Opnsense
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-44194 CRITICAL PATCH Act Now

Authenticated remote code execution in OPNsense firewall versions prior to 26.1.8 allows a user with user-management privileges to execute arbitrary commands as root by smuggling shell payloads inside an email-address-formatted field processed by the local user synchronization script. Publicly available exploit code exists per SSVC, though EPSS scoring (0.13%) indicates low predicted mass exploitation; SSVC classifies technical impact as total but automation as no. No active exploitation has been confirmed in CISA KEV at time of analysis.

PHP RCE Command Injection Opnsense
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-44193 CRITICAL PATCH Act Now

Remote code execution in OPNsense firewall versions prior to 26.1.7 allows authenticated high-privileged users to execute arbitrary code via the opnsense.restore_config_section XMLRPC method, which fails to sanitize user-supplied input. The flaw carries a CVSS 9.1 with scope change and total impact, and while publicly available exploit code exists per SSVC, EPSS rates real-world exploitation probability at only 0.23%, suggesting niche rather than mass-scale risk. The vendor has shipped a fix in 26.1.7 and the issue is tracked as GHSA-xxp9-93cr-x54p and EUVD-2026-30183.

RCE Opnsense
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-45708 HIGH PATCH This Week

Authenticated remote code execution in CubeCart v6 prior to 6.7.3 allows an admin with documents-edit permission to embed raw PHP into the Invoice Editor template, which is later written to a predictable files/print.<md5>.php path that the bundled .htaccess explicitly exposes to unauthenticated visitors. SSVC rates technical impact as total and a POC exists, though EPSS remains very low (0.04%) and the issue is not on CISA KEV - no public exploit identified at time of analysis beyond researcher disclosure.

PHP Code Injection RCE V6
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-45714 CRITICAL PATCH Act Now

Authenticated server-side template injection in CubeCart v6 prior to 6.7.0 allows administrative users to achieve remote code execution by injecting Smarty template syntax into multiple admin-facing modules including Email Templates, Invoices, Documents, and Contact Forms. The flaw stems from evaluating user-supplied content through the Smarty engine without enabling Smarty Security Policies, granting OS-level command execution on the underlying server. Currently no public exploit identified at time of analysis, EPSS is very low at 0.04%, and the issue is not on CISA KEV.

Code Injection RCE V6
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-45053 CRITICAL PATCH Act Now

Remote code execution in CubeCart v6 prior to 6.7.0 allows API key holders with files:rw permission to upload PHP webshells via the POST /api/v1/files REST endpoint. A path-traversal flaw in the filepath parameter lets attackers write executable files anywhere the webserver can write, including the document root, achieving full server takeover. No public exploit identified at time of analysis, though SSVC notes a POC and EPSS sits at 0.19% (40th percentile).

PHP File Upload RCE V6
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-44377 CRITICAL PATCH Act Now

Authenticated server-side template injection in CubeCart v6 before 6.7.0 lets administrators escape the Smarty template sandbox and invoke native PHP functions through modules such as Email Templates and Documents. Attackers can call readgzfile() to exfiltrate configuration secrets and error_log() with message_type=3 to drop a PHP webshell, yielding full remote code execution. No public exploit identified at time of analysis, but a SSVC 'poc' status and an upstream commit hardening the Smarty allowlist indicate the technique is documented.

PHP Information Disclosure Code Injection RCE V6
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-22599 npm CRITICAL PATCH GHSA Act Now

{ isRaw: true }]` tuple, which is passed directly into Knex's `db.connection.raw()` without sanitization. Affected versions are @strapi/content-type-builder <=5.33.1 (v5) and @strapi/plugin-content-type-builder <=4.26.0 (v4), with impact ranging from arbitrary file read and denial of service to remote code execution on database engines that permit external program execution. No public exploit identified at time of analysis; EPSS is low at 0.13% and CISA SSVC notes exploitation status of 'none', though vendor-confirmed remediation is available.

Denial Of Service SQLi RCE
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-64526 npm MEDIUM PATCH GHSA This Month

Rate limit bypass in Strapi's users-permissions plugin (all versions <=5.44.0) allows unauthenticated remote attackers to conduct unlimited credential brute-force, password-reset code enumeration, and credential-stuffing attacks against /auth/local, /auth/reset-password, and /auth/change-password endpoints. The middleware incorrectly incorporated an attacker-supplied email field into its rate-limit key on routes where email is not a valid request parameter, meaning each request with a distinct email value obtained a fresh throttle window - rendering per-IP throttling entirely ineffective. No public exploit or KEV listing exists at time of analysis, but the SSVC assessment flags this as automatable, lowering the bar for scripted abuse.

RCE
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-0246 MEDIUM PATCH This Month

Local privilege escalation in Palo Alto Networks Prisma Access Agent (all versions prior to 26.2.1) allows any locally authenticated non-administrative user to elevate to root on macOS and Linux, or NT AUTHORITY\SYSTEM on Windows, by exploiting a flawed privilege management mechanism. Successful exploitation grants full control of the affected endpoint, enabling arbitrary code execution and unauthorized access to data restricted to privileged accounts. No public exploit exists and the vulnerability is absent from CISA KEV; however, SSVC rates technical impact as total, making patching a meaningful priority for multi-user and enterprise endpoint environments.

Google RCE Apple Paloalto Microsoft +2
NVD VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-0250 MEDIUM PATCH This Month

Buffer overflow in Palo Alto Networks GlobalProtect App (versions 6.0 through 6.3) allows an adjacent-network attacker positioned as a man-in-the-middle to corrupt memory during Portal/Gateway message processing, potentially executing arbitrary code with SYSTEM privileges on affected endpoints. Affected platforms include Windows (including the UWP variant), macOS, and other non-iOS clients; iOS is explicitly excluded by the vendor. No public exploit identified at time of analysis - EPSS stands at 0.01% and SSVC confirms no current exploitation - however the SSVC technical impact rating of 'total' and potential for full SYSTEM-level compromise justify prioritized patching for endpoints connecting from untrusted networks.

Memory Corruption RCE Apple Buffer Overflow Paloalto +2
NVD VulDB
CVSS 4.0
5.2
EPSS
0.0%
CVE-2026-0236 HIGH PATCH This Week

Local code injection in Palo Alto Networks Prisma Browser on macOS lets an authenticated non-admin user abuse an exposed AppleScript/Apple Event handler to send unauthorized commands to the browser, with high impact on confidentiality and integrity. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but SSVC rates the technical impact as total once the local foothold exists. Affects all Prisma Browser releases prior to 146.16.6.165 on macOS.

Apple Paloalto Code Injection RCE Prisma Browser
NVD VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-0263 HIGH PATCH NEWS This Week

Remote code execution and denial-of-service in Palo Alto Networks PAN-OS software stems from a buffer overflow in the IKEv2 processing path, allowing unauthenticated network attackers to either crash the firewall or run arbitrary code with elevated privileges. The flaw affects multiple PAN-OS branches (11.1.x, 11.2.x, and 12.1.x) while Panorama, Cloud NGFW, and Prisma Access remain unaffected. There is no public exploit identified at time of analysis, EPSS sits at a low 0.06% (19th percentile), and CISA SSVC currently lists exploitation as 'none'.

Memory Corruption RCE Buffer Overflow Denial Of Service Paloalto +3
NVD VulDB
CVSS 4.0
7.2
EPSS
0.1%
CVE-2026-0264 HIGH PATCH NEWS This Week

Heap-based buffer overflow in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS allows unauthenticated remote attackers to trigger a denial-of-service condition across all PAN-OS platforms (except Cloud NGFW and Prisma Access) and potentially achieve arbitrary code execution on PA-Series hardware appliances via specially crafted network traffic. The flaw is rated CVSS 7.2 with high attack complexity; no public exploit identified at time of analysis and EPSS is 0.07%, but the technical impact is rated total by SSVC.

Heap Overflow RCE Buffer Overflow Denial Of Service Paloalto +3
NVD VulDB
CVSS 4.0
7.2
EPSS
0.1%
CVE-2026-44467 HIGH PATCH This Week

Man-in-the-middle attacks against Claude Desktop's SSH remote development feature are possible in versions 1.2581.0 through 1.4303.x because the client only checks that a hostname exists in ~/.ssh/known_hosts without verifying that the server's presented host key matches the stored key. A network-positioned adversary can substitute an arbitrary host key during an SSH handshake and have the connection silently accepted, allowing interception or modification of remote developer sessions. No public exploit identified at time of analysis, and EPSS (0.02%) plus SSVC (Exploitation: none) indicate no active exploitation despite the high CVSS 4.0 score of 7.4.

RCE Claude Desktop
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-45152 Go HIGH PATCH GHSA This Week

Command injection in uniget (gitlab.com/uniget-org/cli) before v0.27.1 enables arbitrary shell command execution when the CLI processes attacker-controlled tool metadata. The `check` field from JSON metadata is concatenated into a `/bin/bash -c` invocation by `RunVersionCheck()` in tool.go, so common operations like `describe`, `install`, `update`, or `inspect` trigger execution under the invoking user's privileges. Publicly available exploit code exists (vendor PoC in GHSA-qqq4-5773-pmw5); EPSS is low at 0.03% (10th percentile) and the issue is not in CISA KEV.

Docker RCE Command Injection
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45137 Cargo HIGH PATCH GHSA This Week

Account validation bypass in Solana's Anchor framework (anchor-lang 1.0.0 through 1.0.1) allows attackers to substitute arbitrary program IDs where the System program is expected, enabling arbitrary cross-program invocation (CPI) and payment bypass in downstream on-chain programs. The flaw stems from Program<'a, System> resolving to the same Pubkey::default() check as the untyped Program<'a, ()> variant, so anchor never enforces the expected system program id. A working PoC is published in the GHSA advisory, though there is no public exploit identified at time of analysis as a weaponized tool, EPSS is 0.04% (13th percentile), and the issue is not in CISA KEV.

RCE
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-45136 npm HIGH PATCH GHSA This Week

Local code execution in the claude-code-cache-fix npm package (v3.5.0 and v3.5.1) lets attacker-controlled filesystem path names run arbitrary Python inside a victim's Claude Code process. The bundled tools/quota-statusline.sh interpolates Claude Code's statusline hook stdin — which reflects user-controlled paths such as cwd, workspace.current_dir, workspace.project_dir, and transcript_path — directly into a Python triple-quoted literal, so a directory name containing the byte sequence ''' closes the literal early and executes following bytes as Python at the user's privilege on every statusline redraw. A working injection payload is publicly available exploit code (published in the GHSA advisory and the T6/T7 regression tests); the issue is not listed in CISA KEV and no EPSS score was provided.

Python Node.js Command Injection RCE
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2020-37221 HIGH POC This Week

Atomic Alarm Clock 6.3 contains a stack overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string to the display name textbox in the Time Zones. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Stack Overflow Atomic Alarm Clock
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2020-37169 MEDIUM POC This Month

WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress LFI
NVD Exploit-DB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-42945 CRITICAL POC PATCH CISA NEWS Act Now

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker processes and potentially execute code on systems without ASLR. The vulnerability requires specific rewrite directive configurations using PCRE captures with question marks in replacement strings, combined with attacker-crafted HTTP requests and conditions beyond the attacker's control. F5 has released patches addressing this critical flaw. EPSS data unavailable; no KEV listing or public exploit identified at time of analysis, though the specific configuration requirements and dependency on external conditions likely limit widespread exploitation despite the 9.2 CVSS score.

Heap Overflow RCE Buffer Overflow Nginx Nginx Plus +1
NVD GitHub VulDB HeroDevs
CVSS 4.0
9.2
EPSS
0.2%
Threat
5.3
CVE-2026-41957 HIGH PATCH NEWS This Week

Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges to execute arbitrary code with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe deserialization (CWE-502) in the management interface, exploitable over the network with low attack complexity and no user interaction required. Vendor-released patch available per F5 advisory K000156761. No public exploit identified at time of analysis, with CVSS 8.8 indicating critical severity for environments where attackers have valid low-privilege credentials to the Configuration utility.

RCE Deserialization Big Ip Big Iq
NVD VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-3425 HIGH This Week

Local File Inclusion vulnerability in RTMKit Addons for Elementor plugin versions up to 2.0.2 allows authenticated attackers with Author-level privileges to include and execute arbitrary PHP files via the 'path' parameter in the 'get_content' AJAX action, enabling remote code execution. The vulnerability requires low-privilege WordPress account access (Author role or higher) and has a CVSS score of 8.8, indicating high impact across confidentiality, integrity, and availability. EPSS data not available, but exploitation requires specific WordPress role assignment, limiting attack surface to sites where untrusted users have Author-level access. No active exploitation confirmed by CISA KEV at time of analysis.

PHP LFI RCE WordPress Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4782 MEDIUM This Month

Arbitrary file read in Avada Builder plugin for WordPress versions up to 3.15.2 allows authenticated attackers with Subscriber-level access to read arbitrary files on the server via the 'fusion_get_svg_from_file' function in the 'fusion_section_separator' shortcode. Sensitive information including configuration files, database credentials, and private keys can be exposed. The vulnerability was partially patched in 3.15.2 and fully patched in version 3.15.3.

RCE WordPress
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2024-47091 MEDIUM PATCH This Month

Privilege escalation in the mk_mysql agent plugin on Windows in Checkmk <2.4.0p29, <2.3.0p47, and 2.2.0 (EOL) allows a local unprivileged user able to create a Windows service whose name matches. Rated medium severity (CVSS 5.2), this vulnerability is low attack complexity.

Microsoft RCE Privilege Escalation
NVD VulDB
CVSS 4.0
5.2
EPSS
0.0%
CVE-2026-44612 HIGH This Week

DLL hijacking in Bytello Share (Windows Edition) installer prior to version 5.13.0.4246 allows local attackers to execute arbitrary code with the privileges of the installing user. The installer insecurely loads DLLs from its current directory, enabling attackers who can place a malicious DLL in the same location to achieve code execution when a user runs the installer. EPSS probability is very low (0.01%, 3rd percentile) with no active exploitation identified, suggesting this requires significant local access prerequisites that limit real-world risk despite the high CVSS score.

Microsoft RCE
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-32661 CRITICAL Act Now

Remote code execution in GUARDIANWALL MailSuite and GUARDIANWALL Mail Security Cloud allows unauthenticated network attackers to execute arbitrary code via stack-based buffer overflow when pop3wallpasswd runs with grdnwww user privileges. Canon Marketing Japan has released patches for both on-premises (versions 1.4.00-2.4.26 affected) and SaaS deployments (pre-April 30, 2026 maintenance). CVSS 9.3 indicates critical severity with network vector and no authentication required, though EPSS score of 0.14% (33rd percentile) suggests limited real-world exploitation probability at time of analysis. SSVC assessment marks this as automatable with total technical impact but no confirmed exploitation.

Stack Overflow RCE Buffer Overflow Guardianwall Mailsuite On Premises Version Guardianwall Mail Security Cloud Saas Version
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-21019 HIGH This Week

Local privilege escalation in Samsung Galaxy Watch allows unprivileged local attackers to execute arbitrary code with system-level privileges by exploiting improper input validation in the FacAtFunction component. Affects Galaxy Watch devices running Android Watch 14 and 16 prior to Samsung's May 2026 security release (SMR May-2026 Release 1). EPSS score of 0.03% indicates low automated exploitation probability, and no active exploitation or public POC has been identified at time of analysis. Attack requires physical or ADB access to the device.

RCE Samsung Mobile Devices
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-21018 MEDIUM This Month

Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary code.

RCE Buffer Overflow Memory Corruption Samsung Mobile Devices
NVD
CVSS 4.0
6.8
EPSS
0.0%
CVE-2025-61972 HIGH This Week

Missing lock bit protection for NBIO registers could allow a local admin-privileged attacker to gain arbitrary System Management Network (SMN) access, potentially resulting in arbitrary code execution in AMD Secure Processor (ASP) and loss of the SEV-SNP guest's confidentiality and integrity.

RCE Amd
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-62624 HIGH This Week

A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

VMware Heap Overflow Privilege Escalation RCE Buffer Overflow
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2025-62623 HIGH This Week

A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

VMware Privilege Escalation RCE Buffer Overflow
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-44672 Maven CRITICAL PATCH GHSA Act Now

Unauthenticated remote code execution in Mapfish Print (org.mapfish.print) allows attackers to execute arbitrary code via a code injection flaw in the Dynamic table feature. The vulnerability carries a CVSS 4.0 score of 9.3 with network-accessible, low-complexity exploitation requiring no privileges or user interaction. No public exploit identified at time of analysis, though the GHSA advisory and four parallel patched release lines indicate vendor-confirmed severity.

Code Injection RCE
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-37430 HIGH This Week

Arbitrary file upload in qihang-wms (启航电商WMS) allows unauthenticated remote attackers to execute arbitrary code by uploading malicious files through the ShopOrderImportController component. The vulnerability affects commit 75c15a and potentially other versions of this warehouse management system. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation has been confirmed by CISA KEV at time of analysis. Public exploit documentation exists via GitHub/Gist references.

Java RCE File Upload N A
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-8053 HIGH PATCH This Week

Out-of-bounds memory write in MongoDB Server's time-series collection feature enables arbitrary code execution by authenticated users with database write privileges. Affects all active release branches (5.0 through 8.3) when exploiting field-name-to-index mapping inconsistencies in the time-series bucket catalog. EPSS score of 0.06% (20th percentile) suggests low widespread exploitation probability despite high CVSS 8.7, but requires authentication and database privileges, limiting attack surface to insider threats or compromised application credentials. No public exploit code or CISA KEV listing identified at time of analysis.

Memory Corruption Buffer Overflow RCE Mongodb Server
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42288 CRITICAL Act Now

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2.

Code Injection RCE Crm
NVD GitHub
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-43680 HIGH PATCH This Week

Authenticated administrators with Admin Console access to FileMaker Cloud can execute arbitrary operating system commands on the underlying host by bypassing front-end restrictions on OS Script schedule types. This vulnerability affects all FileMaker Cloud versions prior to 2.22.0.5 and requires high-privilege administrative credentials to exploit. Despite the network attack vector and total technical impact (full system compromise), the low EPSS score (0.13%, 32nd percentile) and SSVC assessment indicating no observed exploitation suggest this is not being actively exploited in the wild, likely due to the high privilege requirement limiting the attacker pool to malicious insiders or compromised admin accounts.

Code Injection RCE Filemaker Cloud
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-43685 HIGH PATCH This Week

Remote code execution in Claris FileMaker Cloud allows authenticated administrators to execute arbitrary operating system commands via command injection in the External ODBC Data Source connection test feature. The vulnerability requires Admin Console privileges (PR:H) but no user interaction, enabling complete system compromise with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis. EPSS score of 0.23% (46th percentile) indicates low observed exploitation probability despite the RCE capability. Fixed in FileMaker Cloud version 2.22.0.5.

Command Injection RCE Filemaker Cloud
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-15463 MEDIUM This Month

The The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Code Injection WordPress RCE Advanced Custom Fields
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-44593 Go HIGH PATCH GHSA This Week

### Impact - Arbitrary File Write - An attacker can cause the server to write data to any file path it has write permission for. - Privilege Escalation / RCE - By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server’s privileges. ### Exploit The legacy router first retrieves a response from `legacyServer`, parses the incoming request path, and ultimately writes the data to storage via `buildStorage.Put` (see <https://github.com/esm-dev/esm.sh/blob/4312ae93e518121e764a18bb521af12e490ef137/server/legacy_router.go#L291>). For a URL such as: ``` http://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/<attacker>/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned ``` the router concatenates the path components without sanitizing them, producing a storage key like: ``` legacy/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned ``` When this key is used, the underlying file system resolves the relative segments and writes the file to `/tmp/pwned`. Thus an attacker can craft a request that writes data to arbitrary locations on the server. ### Details 1. **URL Construction** A crafted request is sent to the server: ``` http://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/<attacker>/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned ``` 2. **Proxy to Legacy Server** The request is forwarded to: ``` http://legacy.esm.sh/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../tmp/pwned ``` which resolves to: ``` http://legacy.esm.sh/gh/<attacker>/exp@1171e85d5d/foo.md ``` 3. **File Retrieval** The server fetches `foo.md` from the GitHub repository `https://github.com/<attacker>/exp`. 4. **Path Normalisation & Storage** The storage path derived from the request is: ``` legacy/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned ``` Normalising this path yields `/tmp/pwned`. The retrieved file content is then written to that location. 5. **Result** By repeating this pattern, an attacker can overwrite arbitrary binaries or scripts on the server, paving the way for remote code execution. ### Credit Discovery To splitline (@\_splitline\_) from DEVCORE Research Team

Privilege Escalation RCE Path Traversal
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42854 CRITICAL PATCH Act Now

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field (Content-Type: multipart/form-data; boundary=...) without enforcing any length limit. Sending a boundary string longer than ~8000 characters overflows the 8192-byte task stack of the loopTask, causing a crash and potential remote code execution. This vulnerability is fixed in 3.3.8.

Stack Overflow RCE Buffer Overflow Arduino Esp32
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-8449 HIGH PATCH This Week

Linux ksmbd contains a remote memory corruption vulnerability in the ACL inheritance path that allows remote clients with directory creation permissions to trigger a heap out-of-bounds read and subsequent heap corruption by setting a crafted DACL with a malformed SID containing an inflated num_subauth field. Attackers can exploit this vulnerability by creating a directory, setting the malicious DACL via SMB2_SET_INFO, and creating child entries to cause kernel instability, denial of service, or potentially achieve privilege escalation to kernel code execution.

Denial Of Service Buffer Overflow RCE Linux Privilege Escalation +3
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-44403 HIGH POC This Week

Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

Code Injection RCE Wing Ftp Server
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-65088 HIGH This Week

An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to disclose information or execute arbitrary code when a specially crafted VC6 file is being parsed.

Information Disclosure RCE Buffer Overflow Cobalt Xenon +3
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-65087 HIGH This Week

An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to disclose information or execute arbitrary code when a specially crafted VC6 file is being parsed.

Information Disclosure RCE Buffer Overflow Cobalt Xenon +3
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-65086 HIGH This Week

An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to execute arbitrary code when a specially crafted VC6 file is being parsed.

Memory Corruption Buffer Overflow RCE Cobalt Xenon +3
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-34690 HIGH This Week

After Effects versions 26.0, 25.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Stack Overflow RCE Buffer Overflow After Effects
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-7474 Go HIGH PATCH GHSA This Week

HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

RCE Hashicorp Path Traversal
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44859 HIGH This Week

Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system.

RCE Buffer Overflow Stack Overflow Hpe Aruba Networking Wireless Operating System Aos
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-44858 HIGH This Week

Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system.

RCE Buffer Overflow Stack Overflow Hpe Aruba Networking Wireless Operating System Aos
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-44857 HIGH This Week

Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system.

RCE Buffer Overflow Stack Overflow Hpe Aruba Networking Wireless Operating System Aos
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-44856 HIGH This Week

Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system.

RCE Buffer Overflow Stack Overflow Hpe Aruba Networking Wireless Operating System Aos
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-44855 HIGH This Week

Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system.

RCE Buffer Overflow Stack Overflow Hpe Aruba Networking Wireless Operating System Aos
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-44854 HIGH This Week

Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to upload arbitrary files to the underlying operating system, potentially leading to remote code execution as a privileged user.

Command Injection RCE Hpe Aruba Networking Wireless Operating System Aos
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-44853 HIGH This Week

Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to upload arbitrary files to the underlying operating system, potentially leading to remote code execution as a privileged user.

Command Injection RCE Hpe Aruba Networking Wireless Operating System Aos
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-44852 HIGH This Week

An authenticated remote code execution vulnerability exists in the AOS-8 and AOS-10 web-based management interface. A vulnerability in the certificate download functionality could allow an authenticated remote attacker to overwrite arbitrary files on the underlying operating system by exploiting improper input validation in the file path parameter. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system as a privileged user.

RCE Hpe Aruba Networking Wireless Operating System Aos
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-23827 HIGH This Week

A heap-based buffer overflow vulnerability exists in a Network management service of AOS-8 and AOS-10 that could allow an unauthenticated remote attacker to achieve remote code execution. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code as a privileged user on the underlying operating system, potentially leading to a system compromise. Exploitation may also result in a denial-of-service (DoS) condition affecting the impacted system process.

RCE Buffer Overflow Heap Overflow Hpe Aruba Networking Wireless Operating System Aos
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-8430 CRITICAL PATCH Act Now

SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through specific nginx configuration scenarios to achieve code execution, and this issue is not mitigated by the SPIP security screen.

Nginx Code Injection RCE
NVD VulDB
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-34659 CRITICAL Act Now

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Adobe RCE Deserialization
NVD VulDB
CVSS 3.1
9.6
EPSS
1.5%
CVE-2026-34660 CRITICAL Act Now

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Authentication Bypass Adobe RCE
NVD
CVSS 3.1
9.3
EPSS
0.5%
CVE-2026-8429 HIGH PATCH This Week

SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.

Code Injection RCE Spip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.2%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in Tab Groups in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Blink in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Object lifecycle issue in WebShare in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

RCE Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap buffer overflow in WebML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)

Heap Overflow Google RCE +4
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Remote authenticated actors with S3 write access can achieve code execution in Amazon SageMaker Triton inference containers by replacing model artifacts with malicious pickle payloads that are deserialized without integrity verification. Affected versions are SDK v2 before v2.257.2 and v3 before v3.8.0. The vulnerability requires high-privilege S3 access to the model artifact path but carries severe impact including arbitrary code execution within inference containers. No public exploit code or active exploitation has been identified at time of analysis.

Python RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Cleartext HMAC signing key exposure in Amazon SageMaker Python SDK versions <2.257.2 and <3.8.0 enables authenticated attackers with SageMaker describe API and S3 write permissions to forge model artifact integrity signatures and achieve remote code execution in inference containers. AWS released patches in v2.257.2 and v3.8.0 with security fixes addressing Triton HMAC key exposure and missing integrity checks. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting limited exploitation activity despite high CVSS score.

Python RCE
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Crabbox versions before 0.12.0 leak local secrets through environment variable forwarding during remote command execution. When users run commands against malicious or compromised repositories, attackers exploit overly permissive environment variable allowlisting in repository-local configuration files to exfiltrate API tokens, cloud credentials, and broker tokens into the remote execution environment. The vendor released v0.12.0 on May 12, 2026 with fixes including `--allow-env` explicit allowlisting and `--env-from-profile` for safer secret forwarding. No public exploit identified at time of analysis, though the attack surface is straightforward for attackers controlling repository configuration.

Code Injection RCE Crabbox
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Heap buffer overflow in OpenImageIO 3.0.x (before 3.0.18.0) and 3.1.x (before 3.1.13.0) allows remote attackers to achieve denial of service or potentially arbitrary code execution via crafted DPX image files. The vulnerability stems from signed integer overflow in buffer size calculations within the DPX color converter, causing undersized heap allocations. Attack requires victim to open a malicious DPX file (user interaction required per CVSS UI:R). No public exploit code or active exploitation confirmed at time of analysis, though the technical details in the GitHub advisory provide sufficient detail for proof-of-concept development.

Integer Overflow Denial Of Service RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Heap-based buffer overflow in OpenImageIO's HEIF decoder enables arbitrary code execution via crafted image files. Affects OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0. Exploitation requires local access and user interaction (opening a malicious image file), but no authentication. Attack complexity is low once the malicious file is delivered. Vendor-released patches available in versions 3.0.18.0 and 3.1.13.0. No confirmed active exploitation (not listed in CISA KEV) and no public POC identified at time of analysis, though the technical details suggest straightforward exploitation once the attacker can deliver a crafted HEIF image to a target user.

Heap Overflow RCE Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Argument injection in dbt-mcp v1.15.1 through v1.17.0 allows MCP clients to inject arbitrary dbt command-line flags such as --profiles-dir, --project-dir, and --target via unsanitized node_selection and resource_type parameters, enabling attackers to redirect dbt's configuration and database operations to attacker-controlled locations. The vulnerability is exploitable via two independent vectors in the _run_dbt_command() function and has been verified by proof-of-concept code demonstrating arbitrary dbt profile injection. Vendor-released patch available in v1.17.1.

Python RCE
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Remote code inclusion in Yordam Library Automation System versions 19.5 through 22.0 allows unauthenticated attackers to execute arbitrary code with high integrity and confidentiality impact via user interaction. The vulnerability was reported by Turkey's National Cyber Security Directorate (USOM), indicating potential targeting of Turkish government or educational institutions using this library management software. With network-accessible attack vector and low complexity (CVSS AV:N/AC:L), this represents a significant risk to organizations running unpatched versions despite requiring user interaction (UI:R).

Code Injection RCE
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in HuggingFace Diffusers library (versions < 0.38.0) allows attackers to execute arbitrary Python code when victims load malicious pipelines from Hugging Face Hub repositories. The vulnerability bypasses the trust_remote_code=True safeguard through a type coercion flaw where None values are interpolated as 'None.py' filenames. Attackers can achieve silent code execution by publishing repositories containing a malicious None.py file alongside legitimate-looking configuration, requiring only that victims call DiffusionPipeline.from_pretrained() on the attacker's repository. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patch: version 0.38.0.

Python Code Injection RCE
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Arbitrary file read in Portainer Community Edition allows authenticated low-privileged users to exfiltrate any file readable by the Portainer process — commonly root — by submitting a Git-backed stack whose docker-compose.yml is a symlink to a target like /etc/shadow or a Kubernetes service account token. The flaw stems from go-git v5 materializing Git symlink blobs as real OS symlinks during checkout combined with GetFileContent reading the entry point through os.ReadFile without resolving links, and is amplified by Portainer's scheduled stack auto-update, which lets a previously benign repository turn malicious after initial review. A fully validated proof-of-concept exists from the reporter (b-hermes), but there is no public exploit identified at time of analysis and no CISA KEV listing.

Kubernetes Docker RCE
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-workspace evaluator takeover in FlowiseAI Flowise (npm package flowise) versions <= 3.1.1 allows an authenticated workspace member to overwrite an Evaluator entity's workspaceId via mass assignment, breaking tenant isolation. The Evaluator controller in packages/server/src/Interface.Evaluation.ts uses Object.assign(entity, body) without an allowlist, so a PUT request containing a chosen workspaceId reassigns ownership of the row to any other workspace whose UUID the attacker knows. No public exploit identified at time of analysis, but the issue is documented in detail in GHSA-wxrr-jp8m-qq7f and a vendor patch is available in release 3.1.2.

RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-workspace data takeover in FlowiseAI Flowise versions 3.1.1 and earlier allows any authenticated workspace member to reassign Evaluation entities to arbitrary workspaces by exploiting a mass assignment flaw in the evaluations service. The vulnerability stems from unsanitized use of Object.assign() on user-controlled request bodies, enabling clients to overwrite protected fields including workspaceId and id. No public exploit identified at time of analysis, though the GHSA advisory and patch diff provide sufficient detail to reconstruct one trivially.

RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-workspace data takeover in FlowiseAI Flowise versions 3.1.1 and earlier allows any authenticated workspace member to reassign DatasetRow records to arbitrary workspaces by injecting a workspaceId field into create or update request bodies. The DatasetRow service in packages/server/src/services/dataset/index.ts uses Object.assign without a field allowlist, accepting client-controlled ownership columns directly into the persisted entity. No public exploit identified at time of analysis, but the patched commit (49a2259) and source review make exploitation mechanically straightforward for anyone with edit permission.

RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-workspace dataset takeover in FlowiseAI Flowise (<=3.1.1) allows any authenticated workspace member to reassign Dataset entities to an arbitrary workspace by submitting a crafted workspaceId field in create/update request bodies. The flaw stems from an unfiltered Object.assign(entity, body) call in packages/server/src/services/dataset/index.ts, breaking tenant isolation in this multi-workspace LLM orchestration platform. No public exploit identified at time of analysis, though the GHSA-5h9v-837x-m97r advisory includes step-by-step exploitation details and the vendor confirms PoC verification via source inspection.

RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-workspace data takeover in FlowiseAI Flowise <= 3.1.1 allows any authenticated workspace member to reassign CustomTemplate entities to arbitrary workspaces by injecting a `workspaceId` field in the request body, exploiting mass assignment in the marketplaces controller. The flaw breaks tenant isolation and enables IDOR-style template hijacking. No public exploit identified at time of analysis, though the GHSA advisory contains a fully documented exploit chain.

RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-workspace assistant takeover in FlowiseAI Flowise <= 3.1.1 allows any authenticated workspace member to reassign Assistant entities (including their system prompts, tool configurations, and embedded credentials) to arbitrary other workspaces by submitting a client-controlled workspaceId in create or update request bodies. The flaw stems from unfiltered Object.assign() on user input in packages/server/src/services/assistants/index.ts, enabling tenant-isolation bypass and IDOR. No public exploit identified at time of analysis, though the vendor advisory GHSA-78pr-c5x5-jggc includes a detailed PoC walkthrough making weaponization straightforward.

RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Path traversal in STIGQter 0.1.2 through 1.2.6 allows local code execution when users open malicious .stigqter files and explicitly run the 'Export HTML' action. The CWE-22 path traversal flaw enables attackers to write arbitrary files with the victim's privileges, achieving code execution. User interaction is mandatory - victims must both open a crafted file and trigger the specific export function. No public exploit code or active exploitation has been identified at time of analysis, though the attack path is straightforward for targeted social engineering. Fixed in version 1.2.7 per vendor advisory.

RCE Path Traversal
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Remote code execution in Archon 0.1.0 enables attackers to execute arbitrary commands and steal API keys when victims access a malicious HTML page. The attack exploits insufficient input validation (CWE-94) to control the Archon UI, run prompts on behalf of authenticated users, and exfiltrate all information displayed in the interface. With EPSS score of 0.04% (13th percentile) and no confirmed active exploitation, this represents a web-to-client attack requiring social engineering but offering significant post-exploitation capabilities once triggered.

RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH This Week

Arbitrary code execution in AMD optional tools occurs through DLL injection during unsafe OpenSSL initialization, allowing local authenticated attackers with low-privilege user access and user interaction to execute malicious code with high impact to confidentiality, integrity, and availability. The vulnerability stems from insecure library loading (CWE-427) where the affected AMD utilities fail to validate DLL search paths during OpenSSL library initialization. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once local access is obtained.

Amd RCE OpenSSL
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Remote code execution in CoreShop's GitHub Actions CI/CD pipeline allows unauthenticated attackers to compromise the build infrastructure and exfiltrate repository secrets by submitting a malicious pull request. The vulnerability stems from the dangerous combination of pull_request_target trigger with unverified code checkout, enabling attackers to execute arbitrary commands (bin/console) on GitHub-hosted runners with access to sensitive credentials including PIMCORE_SECRET and PIMCORE_PRODUCT_KEY. This 'Pwn Request' attack pattern (CWE-94: Code Injection) affects version 5.0.0 with no vendor patch currently released. The attack requires zero authentication (PR:N) and low complexity (AC:L), representing a critical supply chain security risk for organizations using CoreShop.

PHP Code Injection RCE
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Fleet trusts untrusted client-supplied IP address headers (X-Forwarded-For, X-Real-IP, True-Client-IP) when determining source IP for incoming requests, allowing both authenticated and unauthenticated attackers to spoof their apparent IP address and bypass per-IP rate limiting controls. This enables brute-force and password-spraying attacks against authentication endpoints to scale without triggering rate-limit protections, though the vulnerability does not itself enable authentication bypass, privilege escalation, data exposure, or remote code execution.

Authentication Bypass Privilege Escalation Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Stack buffer overflow in PostgreSQL's refint module allows low-privileged database users to execute arbitrary code as the database operating system user across all supported versions before 14.23, 15.18, 16.14, 17.10, and 18.4. The vulnerability enables two distinct attack paths: direct stack overflow leading to OS-level code execution, and SQL injection when applications expose user-controlled columns configured as refint cascade primary keys. With CVSS 8.8 (AV:N/AC:L/PR:L) and network-based exploitation requiring only low-privilege database credentials, this represents a critical privilege escalation risk for PostgreSQL deployments. No active exploitation (CISA KEV) or public POC identified at time of analysis.

Stack Overflow SQLi Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in PostgreSQL (versions 14.x-18.x) allows authenticated database users to execute arbitrary code as the database operating system user via integer wraparound vulnerabilities in multiple server features. By passing gigabyte-scale inputs to affected database functions, attackers trigger allocation undersizing that leads to out-of-bounds writes. No active exploitation confirmed (not in CISA KEV), but CVSS 8.8 with network vector and low complexity indicates high exploitability once technical details become public. EPSS data not available at time of analysis.

Integer Overflow PostgreSQL RCE
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated arbitrary file upload in the Career Section WordPress plugin (versions through 1.7) enables remote code execution by abusing the CV upload handler, which lacks file type validation. Any attacker who can reach the upload endpoint can drop executable PHP files and gain code execution on the underlying WordPress host. No public exploit identified at time of analysis, but the CVSS 9.8 rating combined with SSVC 'automatable: yes' indicates this is a strong candidate for opportunistic mass exploitation once tooling appears.

File Upload WordPress RCE +1
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in GitLab CE/EE 18.11.x (before 18.11.3) enables an authenticated low-privilege attacker to inject unsanitized content that executes arbitrary JavaScript within another user's browser session. The CVSS Scope Changed (S:C) flag reflects the cross-user impact boundary: the vulnerability allows one GitLab principal to affect a distinct security context belonging to a different user, including potentially higher-privileged accounts such as project owners or instance administrators. No public exploit code exists and no active exploitation has been identified - EPSS at 0.02% (5th percentile) and SSVC exploitation status of 'none' both confirm low immediate urgency - though GitLab's wide enterprise deployment makes patching to 18.11.3 advisable.

XSS Gitlab RCE
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

HTML and JavaScript injection via email notifications in GitLab CE/EE (versions 15.11 through 18.11.2) allows an authenticated low-privileged user to deliver malicious content to other users' inboxes by embedding unsanitized markup into platform-generated notifications. The attack crosses a scope boundary (S:C in CVSS) because the injected code executes in the recipient's email client or browser context rather than GitLab itself, enabling phishing, credential harvesting, or session theft against targeted users. No public exploit has been identified at time of analysis and SSVC signals no active exploitation, though the broad version range - spanning over three years of releases - expands the exposed population significantly.

Code Injection Gitlab RCE
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution in OPNsense firewall (core versions prior to 26.1.8) allows authenticated administrators to execute arbitrary commands as root by injecting shell metacharacters into DHCP interface configuration fields that are passed unsanitized to an underlying shell script. The flaw carries a 9.1 CVSS score with scope change reflecting privilege escalation from the web UI context to OS root, though no public exploit has been identified at time of analysis and EPSS estimates only a 0.23% probability of near-term exploitation.

RCE Opnsense
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authenticated remote code execution in OPNsense firewall versions prior to 26.1.8 allows a user with user-management privileges to execute arbitrary commands as root by smuggling shell payloads inside an email-address-formatted field processed by the local user synchronization script. Publicly available exploit code exists per SSVC, though EPSS scoring (0.13%) indicates low predicted mass exploitation; SSVC classifies technical impact as total but automation as no. No active exploitation has been confirmed in CISA KEV at time of analysis.

PHP RCE Command Injection +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution in OPNsense firewall versions prior to 26.1.7 allows authenticated high-privileged users to execute arbitrary code via the opnsense.restore_config_section XMLRPC method, which fails to sanitize user-supplied input. The flaw carries a CVSS 9.1 with scope change and total impact, and while publicly available exploit code exists per SSVC, EPSS rates real-world exploitation probability at only 0.23%, suggesting niche rather than mass-scale risk. The vendor has shipped a fix in 26.1.7 and the issue is tracked as GHSA-xxp9-93cr-x54p and EUVD-2026-30183.

RCE Opnsense
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Authenticated remote code execution in CubeCart v6 prior to 6.7.3 allows an admin with documents-edit permission to embed raw PHP into the Invoice Editor template, which is later written to a predictable files/print.<md5>.php path that the bundled .htaccess explicitly exposes to unauthenticated visitors. SSVC rates technical impact as total and a POC exists, though EPSS remains very low (0.04%) and the issue is not on CISA KEV - no public exploit identified at time of analysis beyond researcher disclosure.

PHP Code Injection RCE +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authenticated server-side template injection in CubeCart v6 prior to 6.7.0 allows administrative users to achieve remote code execution by injecting Smarty template syntax into multiple admin-facing modules including Email Templates, Invoices, Documents, and Contact Forms. The flaw stems from evaluating user-supplied content through the Smarty engine without enabling Smarty Security Policies, granting OS-level command execution on the underlying server. Currently no public exploit identified at time of analysis, EPSS is very low at 0.04%, and the issue is not on CISA KEV.

Code Injection RCE V6
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution in CubeCart v6 prior to 6.7.0 allows API key holders with files:rw permission to upload PHP webshells via the POST /api/v1/files REST endpoint. A path-traversal flaw in the filepath parameter lets attackers write executable files anywhere the webserver can write, including the document root, achieving full server takeover. No public exploit identified at time of analysis, though SSVC notes a POC and EPSS sits at 0.19% (40th percentile).

PHP File Upload RCE +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authenticated server-side template injection in CubeCart v6 before 6.7.0 lets administrators escape the Smarty template sandbox and invoke native PHP functions through modules such as Email Templates and Documents. Attackers can call readgzfile() to exfiltrate configuration secrets and error_log() with message_type=3 to drop a PHP webshell, yielding full remote code execution. No public exploit identified at time of analysis, but a SSVC 'poc' status and an upstream commit hardening the Smarty allowlist indicate the technique is documented.

PHP Information Disclosure Code Injection +2
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

{ isRaw: true }]` tuple, which is passed directly into Knex's `db.connection.raw()` without sanitization. Affected versions are @strapi/content-type-builder <=5.33.1 (v5) and @strapi/plugin-content-type-builder <=4.26.0 (v4), with impact ranging from arbitrary file read and denial of service to remote code execution on database engines that permit external program execution. No public exploit identified at time of analysis; EPSS is low at 0.13% and CISA SSVC notes exploitation status of 'none', though vendor-confirmed remediation is available.

Denial Of Service SQLi RCE
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Rate limit bypass in Strapi's users-permissions plugin (all versions <=5.44.0) allows unauthenticated remote attackers to conduct unlimited credential brute-force, password-reset code enumeration, and credential-stuffing attacks against /auth/local, /auth/reset-password, and /auth/change-password endpoints. The middleware incorrectly incorporated an attacker-supplied email field into its rate-limit key on routes where email is not a valid request parameter, meaning each request with a distinct email value obtained a fresh throttle window - rendering per-IP throttling entirely ineffective. No public exploit or KEV listing exists at time of analysis, but the SSVC assessment flags this as automatable, lowering the bar for scripted abuse.

RCE
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Local privilege escalation in Palo Alto Networks Prisma Access Agent (all versions prior to 26.2.1) allows any locally authenticated non-administrative user to elevate to root on macOS and Linux, or NT AUTHORITY\SYSTEM on Windows, by exploiting a flawed privilege management mechanism. Successful exploitation grants full control of the affected endpoint, enabling arbitrary code execution and unauthorized access to data restricted to privileged accounts. No public exploit exists and the vulnerability is absent from CISA KEV; however, SSVC rates technical impact as total, making patching a meaningful priority for multi-user and enterprise endpoint environments.

Google RCE Apple +4
NVD VulDB
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

Buffer overflow in Palo Alto Networks GlobalProtect App (versions 6.0 through 6.3) allows an adjacent-network attacker positioned as a man-in-the-middle to corrupt memory during Portal/Gateway message processing, potentially executing arbitrary code with SYSTEM privileges on affected endpoints. Affected platforms include Windows (including the UWP variant), macOS, and other non-iOS clients; iOS is explicitly excluded by the vendor. No public exploit identified at time of analysis - EPSS stands at 0.01% and SSVC confirms no current exploitation - however the SSVC technical impact rating of 'total' and potential for full SYSTEM-level compromise justify prioritized patching for endpoints connecting from untrusted networks.

Memory Corruption RCE Apple +4
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local code injection in Palo Alto Networks Prisma Browser on macOS lets an authenticated non-admin user abuse an exposed AppleScript/Apple Event handler to send unauthorized commands to the browser, with high impact on confidentiality and integrity. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but SSVC rates the technical impact as total once the local foothold exists. Affects all Prisma Browser releases prior to 146.16.6.165 on macOS.

Apple Paloalto Code Injection +2
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Remote code execution and denial-of-service in Palo Alto Networks PAN-OS software stems from a buffer overflow in the IKEv2 processing path, allowing unauthenticated network attackers to either crash the firewall or run arbitrary code with elevated privileges. The flaw affects multiple PAN-OS branches (11.1.x, 11.2.x, and 12.1.x) while Panorama, Cloud NGFW, and Prisma Access remain unaffected. There is no public exploit identified at time of analysis, EPSS sits at a low 0.06% (19th percentile), and CISA SSVC currently lists exploitation as 'none'.

Memory Corruption RCE Buffer Overflow +5
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Heap-based buffer overflow in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS allows unauthenticated remote attackers to trigger a denial-of-service condition across all PAN-OS platforms (except Cloud NGFW and Prisma Access) and potentially achieve arbitrary code execution on PA-Series hardware appliances via specially crafted network traffic. The flaw is rated CVSS 7.2 with high attack complexity; no public exploit identified at time of analysis and EPSS is 0.07%, but the technical impact is rated total by SSVC.

Heap Overflow RCE Buffer Overflow +5
NVD VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Man-in-the-middle attacks against Claude Desktop's SSH remote development feature are possible in versions 1.2581.0 through 1.4303.x because the client only checks that a hostname exists in ~/.ssh/known_hosts without verifying that the server's presented host key matches the stored key. A network-positioned adversary can substitute an arbitrary host key during an SSH handshake and have the connection silently accepted, allowing interception or modification of remote developer sessions. No public exploit identified at time of analysis, and EPSS (0.02%) plus SSVC (Exploitation: none) indicate no active exploitation despite the high CVSS 4.0 score of 7.4.

RCE Claude Desktop
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Command injection in uniget (gitlab.com/uniget-org/cli) before v0.27.1 enables arbitrary shell command execution when the CLI processes attacker-controlled tool metadata. The `check` field from JSON metadata is concatenated into a `/bin/bash -c` invocation by `RunVersionCheck()` in tool.go, so common operations like `describe`, `install`, `update`, or `inspect` trigger execution under the invoking user's privileges. Publicly available exploit code exists (vendor PoC in GHSA-qqq4-5773-pmw5); EPSS is low at 0.03% (10th percentile) and the issue is not in CISA KEV.

Docker RCE Command Injection
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Account validation bypass in Solana's Anchor framework (anchor-lang 1.0.0 through 1.0.1) allows attackers to substitute arbitrary program IDs where the System program is expected, enabling arbitrary cross-program invocation (CPI) and payment bypass in downstream on-chain programs. The flaw stems from Program<'a, System> resolving to the same Pubkey::default() check as the untyped Program<'a, ()> variant, so anchor never enforces the expected system program id. A working PoC is published in the GHSA advisory, though there is no public exploit identified at time of analysis as a weaponized tool, EPSS is 0.04% (13th percentile), and the issue is not in CISA KEV.

RCE
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Local code execution in the claude-code-cache-fix npm package (v3.5.0 and v3.5.1) lets attacker-controlled filesystem path names run arbitrary Python inside a victim's Claude Code process. The bundled tools/quota-statusline.sh interpolates Claude Code's statusline hook stdin — which reflects user-controlled paths such as cwd, workspace.current_dir, workspace.project_dir, and transcript_path — directly into a Python triple-quoted literal, so a directory name containing the byte sequence ''' closes the literal early and executes following bytes as Python at the user's privilege on every statusline redraw. A working injection payload is publicly available exploit code (published in the GHSA advisory and the T6/T7 regression tests); the issue is not listed in CISA KEV and no EPSS score was provided.

Python Node.js Command Injection +1
NVD GitHub
EPSS 0% CVSS 8.6
HIGH POC This Week

Atomic Alarm Clock 6.3 contains a stack overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string to the display name textbox in the Time Zones. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Stack Overflow +1
NVD Exploit-DB
EPSS 0% CVSS 6.8
MEDIUM POC This Month

WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress +1
NVD Exploit-DB
EPSS 0% 5.3 CVSS 9.2
CRITICAL POC PATCH Act Now

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker processes and potentially execute code on systems without ASLR. The vulnerability requires specific rewrite directive configurations using PCRE captures with question marks in replacement strings, combined with attacker-crafted HTTP requests and conditions beyond the attacker's control. F5 has released patches addressing this critical flaw. EPSS data unavailable; no KEV listing or public exploit identified at time of analysis, though the specific configuration requirements and dependency on external conditions likely limit widespread exploitation despite the 9.2 CVSS score.

Heap Overflow RCE Buffer Overflow +3
NVD GitHub VulDB HeroDevs
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges to execute arbitrary code with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe deserialization (CWE-502) in the management interface, exploitable over the network with low attack complexity and no user interaction required. Vendor-released patch available per F5 advisory K000156761. No public exploit identified at time of analysis, with CVSS 8.8 indicating critical severity for environments where attackers have valid low-privilege credentials to the Configuration utility.

RCE Deserialization Big Ip +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Local File Inclusion vulnerability in RTMKit Addons for Elementor plugin versions up to 2.0.2 allows authenticated attackers with Author-level privileges to include and execute arbitrary PHP files via the 'path' parameter in the 'get_content' AJAX action, enabling remote code execution. The vulnerability requires low-privilege WordPress account access (Author role or higher) and has a CVSS score of 8.8, indicating high impact across confidentiality, integrity, and availability. EPSS data not available, but exploitation requires specific WordPress role assignment, limiting attack surface to sites where untrusted users have Author-level access. No active exploitation confirmed by CISA KEV at time of analysis.

PHP LFI RCE +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Arbitrary file read in Avada Builder plugin for WordPress versions up to 3.15.2 allows authenticated attackers with Subscriber-level access to read arbitrary files on the server via the 'fusion_get_svg_from_file' function in the 'fusion_section_separator' shortcode. Sensitive information including configuration files, database credentials, and private keys can be exposed. The vulnerability was partially patched in 3.15.2 and fully patched in version 3.15.3.

RCE WordPress
NVD VulDB
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

Privilege escalation in the mk_mysql agent plugin on Windows in Checkmk <2.4.0p29, <2.3.0p47, and 2.2.0 (EOL) allows a local unprivileged user able to create a Windows service whose name matches. Rated medium severity (CVSS 5.2), this vulnerability is low attack complexity.

Microsoft RCE Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

DLL hijacking in Bytello Share (Windows Edition) installer prior to version 5.13.0.4246 allows local attackers to execute arbitrary code with the privileges of the installing user. The installer insecurely loads DLLs from its current directory, enabling attackers who can place a malicious DLL in the same location to achieve code execution when a user runs the installer. EPSS probability is very low (0.01%, 3rd percentile) with no active exploitation identified, suggesting this requires significant local access prerequisites that limit real-world risk despite the high CVSS score.

Microsoft RCE
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote code execution in GUARDIANWALL MailSuite and GUARDIANWALL Mail Security Cloud allows unauthenticated network attackers to execute arbitrary code via stack-based buffer overflow when pop3wallpasswd runs with grdnwww user privileges. Canon Marketing Japan has released patches for both on-premises (versions 1.4.00-2.4.26 affected) and SaaS deployments (pre-April 30, 2026 maintenance). CVSS 9.3 indicates critical severity with network vector and no authentication required, though EPSS score of 0.14% (33rd percentile) suggests limited real-world exploitation probability at time of analysis. SSVC assessment marks this as automatable with total technical impact but no confirmed exploitation.

Stack Overflow RCE Buffer Overflow +2
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Local privilege escalation in Samsung Galaxy Watch allows unprivileged local attackers to execute arbitrary code with system-level privileges by exploiting improper input validation in the FacAtFunction component. Affects Galaxy Watch devices running Android Watch 14 and 16 prior to Samsung's May 2026 security release (SMR May-2026 Release 1). EPSS score of 0.03% indicates low automated exploitation probability, and no active exploitation or public POC has been identified at time of analysis. Attack requires physical or ADB access to the device.

RCE Samsung Mobile Devices
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary code.

RCE Buffer Overflow Memory Corruption +1
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Missing lock bit protection for NBIO registers could allow a local admin-privileged attacker to gain arbitrary System Management Network (SMN) access, potentially resulting in arbitrary code execution in AMD Secure Processor (ASP) and loss of the SEV-SNP guest's confidentiality and integrity.

RCE Amd
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

VMware Heap Overflow Privilege Escalation +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

VMware Privilege Escalation RCE +1
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated remote code execution in Mapfish Print (org.mapfish.print) allows attackers to execute arbitrary code via a code injection flaw in the Dynamic table feature. The vulnerability carries a CVSS 4.0 score of 9.3 with network-accessible, low-complexity exploitation requiring no privileges or user interaction. No public exploit identified at time of analysis, though the GHSA advisory and four parallel patched release lines indicate vendor-confirmed severity.

Code Injection RCE
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Arbitrary file upload in qihang-wms (启航电商WMS) allows unauthenticated remote attackers to execute arbitrary code by uploading malicious files through the ShopOrderImportController component. The vulnerability affects commit 75c15a and potentially other versions of this warehouse management system. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation has been confirmed by CISA KEV at time of analysis. Public exploit documentation exists via GitHub/Gist references.

Java RCE File Upload +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Out-of-bounds memory write in MongoDB Server's time-series collection feature enables arbitrary code execution by authenticated users with database write privileges. Affects all active release branches (5.0 through 8.3) when exploiting field-name-to-index mapping inconsistencies in the time-series bucket catalog. EPSS score of 0.06% (20th percentile) suggests low widespread exploitation probability despite high CVSS 8.7, but requires authentication and database privileges, limiting attack surface to insider threats or compromised application credentials. No public exploit code or CISA KEV listing identified at time of analysis.

Memory Corruption Buffer Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2.

Code Injection RCE Crm
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Authenticated administrators with Admin Console access to FileMaker Cloud can execute arbitrary operating system commands on the underlying host by bypassing front-end restrictions on OS Script schedule types. This vulnerability affects all FileMaker Cloud versions prior to 2.22.0.5 and requires high-privilege administrative credentials to exploit. Despite the network attack vector and total technical impact (full system compromise), the low EPSS score (0.13%, 32nd percentile) and SSVC assessment indicating no observed exploitation suggest this is not being actively exploited in the wild, likely due to the high privilege requirement limiting the attacker pool to malicious insiders or compromised admin accounts.

Code Injection RCE Filemaker Cloud
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Remote code execution in Claris FileMaker Cloud allows authenticated administrators to execute arbitrary operating system commands via command injection in the External ODBC Data Source connection test feature. The vulnerability requires Admin Console privileges (PR:H) but no user interaction, enabling complete system compromise with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis. EPSS score of 0.23% (46th percentile) indicates low observed exploitation probability despite the RCE capability. Fixed in FileMaker Cloud version 2.22.0.5.

Command Injection RCE Filemaker Cloud
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Code Injection WordPress RCE +1
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

### Impact - Arbitrary File Write - An attacker can cause the server to write data to any file path it has write permission for. - Privilege Escalation / RCE - By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server’s privileges. ### Exploit The legacy router first retrieves a response from `legacyServer`, parses the incoming request path, and ultimately writes the data to storage via `buildStorage.Put` (see <https://github.com/esm-dev/esm.sh/blob/4312ae93e518121e764a18bb521af12e490ef137/server/legacy_router.go#L291>). For a URL such as: ``` http://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/<attacker>/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned ``` the router concatenates the path components without sanitizing them, producing a storage key like: ``` legacy/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned ``` When this key is used, the underlying file system resolves the relative segments and writes the file to `/tmp/pwned`. Thus an attacker can craft a request that writes data to arbitrary locations on the server. ### Details 1. **URL Construction** A crafted request is sent to the server: ``` http://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/<attacker>/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned ``` 2. **Proxy to Legacy Server** The request is forwarded to: ``` http://legacy.esm.sh/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../tmp/pwned ``` which resolves to: ``` http://legacy.esm.sh/gh/<attacker>/exp@1171e85d5d/foo.md ``` 3. **File Retrieval** The server fetches `foo.md` from the GitHub repository `https://github.com/<attacker>/exp`. 4. **Path Normalisation & Storage** The storage path derived from the request is: ``` legacy/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned ``` Normalising this path yields `/tmp/pwned`. The retrieved file content is then written to that location. 5. **Result** By repeating this pattern, an attacker can overwrite arbitrary binaries or scripts on the server, paving the way for remote code execution. ### Credit Discovery To splitline (@\_splitline\_) from DEVCORE Research Team

Privilege Escalation RCE Path Traversal
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field (Content-Type: multipart/form-data; boundary=...) without enforcing any length limit. Sending a boundary string longer than ~8000 characters overflows the 8192-byte task stack of the loopTask, causing a crash and potential remote code execution. This vulnerability is fixed in 3.3.8.

Stack Overflow RCE Buffer Overflow +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Linux ksmbd contains a remote memory corruption vulnerability in the ACL inheritance path that allows remote clients with directory creation permissions to trigger a heap out-of-bounds read and subsequent heap corruption by setting a crafted DACL with a malformed SID containing an inflated num_subauth field. Attackers can exploit this vulnerability by creating a directory, setting the malicious DACL via SMB2_SET_INFO, and creating child entries to cause kernel instability, denial of service, or potentially achieve privilege escalation to kernel code execution.

Denial Of Service Buffer Overflow RCE +5
NVD GitHub
EPSS 0% CVSS 8.6
HIGH POC This Week

Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

Code Injection RCE Wing Ftp Server
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.4
HIGH This Week

An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to disclose information or execute arbitrary code when a specially crafted VC6 file is being parsed.

Information Disclosure RCE Buffer Overflow +5
NVD
EPSS 0% CVSS 8.4
HIGH This Week

An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to disclose information or execute arbitrary code when a specially crafted VC6 file is being parsed.

Information Disclosure RCE Buffer Overflow +5
NVD
EPSS 0% CVSS 8.4
HIGH This Week

An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to execute arbitrary code when a specially crafted VC6 file is being parsed.

Memory Corruption Buffer Overflow RCE +5
NVD
EPSS 0% CVSS 7.8
HIGH This Week

After Effects versions 26.0, 25.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Stack Overflow RCE Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

RCE Hashicorp Path Traversal
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system.

RCE Buffer Overflow Stack Overflow +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system.

RCE Buffer Overflow Stack Overflow +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system.

RCE Buffer Overflow Stack Overflow +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system.

RCE Buffer Overflow Stack Overflow +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system.

RCE Buffer Overflow Stack Overflow +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to upload arbitrary files to the underlying operating system, potentially leading to remote code execution as a privileged user.

Command Injection RCE Hpe Aruba Networking Wireless Operating System Aos
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to upload arbitrary files to the underlying operating system, potentially leading to remote code execution as a privileged user.

Command Injection RCE Hpe Aruba Networking Wireless Operating System Aos
NVD
EPSS 0% CVSS 7.2
HIGH This Week

An authenticated remote code execution vulnerability exists in the AOS-8 and AOS-10 web-based management interface. A vulnerability in the certificate download functionality could allow an authenticated remote attacker to overwrite arbitrary files on the underlying operating system by exploiting improper input validation in the file path parameter. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system as a privileged user.

RCE Hpe Aruba Networking Wireless Operating System Aos
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A heap-based buffer overflow vulnerability exists in a Network management service of AOS-8 and AOS-10 that could allow an unauthenticated remote attacker to achieve remote code execution. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code as a privileged user on the underlying operating system, potentially leading to a system compromise. Exploitation may also result in a denial-of-service (DoS) condition affecting the impacted system process.

RCE Buffer Overflow Heap Overflow +1
NVD
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through specific nginx configuration scenarios to achieve code execution, and this issue is not mitigated by the SPIP security screen.

Nginx Code Injection RCE
NVD VulDB
EPSS 2% CVSS 9.6
CRITICAL Act Now

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Adobe RCE Deserialization
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Authentication Bypass Adobe RCE
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.

Code Injection RCE Spip
NVD VulDB
Prev Page 18 of 355 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy