RCE
Monthly
Remote code execution in Hitachi's JP1/IT Desktop Management suite allows authenticated network attackers to execute arbitrary code on Windows systems running Manager, Operations Director, and Client components. Affects multiple product generations spanning versions 9.x through 13.x across nine distinct product lines. CVSS score of 8.8 reflects network-accessible attack surface with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though CWE-73 (external control of file name or path) indicates potential for path traversal-based exploitation. Hitachi has released patches addressing versions 13-50-02, 13-11-04, 13-10-07, 13-01-07, 13-00-05, and 12-60-12 for actively supported products.
Unauthenticated arbitrary file upload in Ninja Forms - File Uploads plugin for WordPress (versions ≤3.3.26) enables remote code execution through missing file type validation in the upload handler. Attackers can upload malicious PHP files without authentication, achieving complete server compromise. CVSS 9.8 (Critical) with CVSS:3.1/AV:N/AC:L/PR:N/UI:N indicates network-based exploitation requiring no privileges or user interaction. Fully patched in version 3.3.27 following a partial fix in 3.3.25. No public exploit identified at time of analysis, though the vulnerability class (CWE-434: Unrestricted Upload of File with Dangerous Type) is well-understood and readily exploitable.
Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Stored cross-site scripting (XSS) in yaffa v2.0.0 allows unauthenticated remote attackers to inject malicious JavaScript via the 'Add Account Group' function, enabling arbitrary script execution in the browsers of users who view the affected page. The vulnerability requires user interaction (clicking/viewing) to trigger but can compromise account confidentiality and integrity for affected users. EPSS exploitation probability is minimal at 0.02%, indicating low real-world exploitation likelihood despite the moderate CVSS score of 6.1.
Authenticated remote code execution in Daylight Studio FuelCMS version 1.5.2 allows low-privileged users to execute arbitrary code via the Blocks module. CVSS 8.8 rating indicates network-accessible attack requiring low-complexity exploitation without user interaction, enabling full system compromise (confidentiality, integrity, availability impact). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Arbitrary file write via path traversal in PraisonAI's Action Orchestrator allows compromised agents to overwrite critical system files and achieve remote code execution. The vulnerability affects the praisonai pip package, where unsanitized user input in file operation targets enables directory traversal attacks using '../' sequences. Public exploit code exists with detailed proof-of-concept demonstrating overwrite of SSH keys and shell configuration files. Despite CVSS 9.0 (Critical), EPSS score is 2% (4th percentile), indicating low observed exploitation probability in the wild. Vendor patch released in version 4.5.113.
Arbitrary file write in PraisonAI's template installation feature allows remote attackers to overwrite system files when users install malicious templates via social engineering. The vulnerability stems from unsafe ZIP extraction in templates.py using Python's zipfile.extractall() without path validation, enabling classic Zip Slip attacks. Public exploit code exists with proof-of-concept demonstrating /tmp file creation via path traversal. EPSS probability is low (0.04%, 13th percentile) indicating limited observed exploitation attempts, though the attack requires only user interaction (CVSS UI:R) to achieve high integrity and availability impact. Vendor patch released in version 4.5.113 per GitHub advisory GHSA-4ph2-f6pf-79wv.
Arbitrary code execution in dye color library versions prior to 1.1.1 allows authenticated local users with interactive UI access to execute arbitrary code through malicious template expressions. The vulnerability stems from unsafe evaluation of template syntax and requires local file system access and user interaction. No public exploits have been identified; the vulnerability was discovered and remediated by the author.
Remote code execution in Workbench (forceworkbench) versions prior to 65.0.0 allows network-based attackers to execute arbitrary code by exploiting unsafe processing of attacker-controlled cookie values during timezone conversion operations. The vulnerability requires user interaction (CVSS UI:P) but no authentication (PR:N), enabling compromise of both the vulnerable component and other system components (scope change: SC:H/SI:H). EPSS score of 0.51% (66th percentile) indicates moderate exploitation probability. No active exploitation confirmed in CISA KEV at time of analysis. Vendor-released patch available in version 65.0.0 with public GitHub advisory and fix PR.
Path traversal in Chyrp Lite administration console allows privileged users with Change Settings permissions to manipulate the uploads path, enabling arbitrary file read (including database credentials from config.json.php) and arbitrary file write leading to remote code execution. Affects all versions prior to 2026.01. CVSS 9.1 (Critical) reflects post-authentication impact with scope change. EPSS data not available; no public exploit identified at time of analysis, no CISA KEV listing.
Remote code execution in Brave CMS versions prior to 2.0.6 allows authenticated users to upload and execute arbitrary PHP scripts through the CKEditor upload functionality. The vulnerability stems from unrestricted file upload in the ckupload method of CkEditorController.php, which fails to validate uploaded file types. No public exploit identified at time of analysis, though the attack requires only low-privilege authentication (PR:L) with low complexity (AC:L). CVSS 8.8 High severity reflects the complete system compromise possible post-authentication.
Unrestricted file upload in BraveCMS 2.0 (prior to 2.0.6) enables remote attackers to execute arbitrary code on the server without authentication. The CKEditor endpoint accepts malicious file uploads including executable scripts, leading to full remote code execution with CVSS 9.3 severity. EPSS data unavailable, no confirmed active exploitation (not in CISA KEV), but upstream fix is available via GitHub commit and version 2.0.6 release. Attack complexity is low with network-accessible vector requiring no privileges or user interaction, making this a critical exposure for internet-facing BraveCMS installations.
Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Arbitrary code execution in Lupa (Python-Lua integration library) versions ≤2.6 allows unauthenticated remote attackers to bypass attribute filtering controls via Python's getattr/setattr built-ins. The vulnerability enables attackers to circumvent sandbox restrictions designed to limit Lua runtime access to sensitive Python objects, ultimately achieving code execution in the CPython host process. EPSS data unavailable; no CISA KEV listing or public exploit identified at time of analysis, though exploitation complexity is low per CVSS vector (AC:L, PR:N).
Pi-hole 6.4 allows local privilege escalation to root code execution via insecure sourcing of attacker-controlled content in /etc/pihole/versions by root-run scripts. A compromised low-privilege pihole account can inject malicious code that executes with root privileges, despite the pihole account using nologin shell. This vulnerability is fixed in version 6.4.1.
Remote code execution in GLPI asset management software versions 11.0.0 through 11.0.5 allows authenticated administrators to execute arbitrary code via template injection. The vulnerability requires high privileges (administrator access) but enables complete system compromise with changed scope, indicating potential breakout from the application context. CVSS 9.1 (Critical). No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE. Fixed in version 11.0.6.
Remote code injection in gpt-researcher (assafelovic) versions up to 3.4.3 allows unauthenticated attackers to execute arbitrary code via the WebSocket endpoint's extract_command_data function. The vulnerability stems from improper input validation of the 'args' parameter in backend/server/server_utils.py. Publicly available exploit code exists (GitHub issue #1694), though confirmed active exploitation (CISA KEV) has not been reported. With CVSS 7.3 and network-accessible attack vector requiring no authentication, this represents a significant risk to exposed instances, though vendor response remains pending.
Pegasus CMS 1.0 contains a remote code execution vulnerability in the extra_fields.php plugin that allows unauthenticated attackers to execute arbitrary commands by exploiting unsafe eval. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
phpBB contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by exploiting the plupload functionality and phar:// stream wrapper. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Xlight FTP Server 3.9.1 contains a structured exception handler (SEH) overwrite vulnerability that allows local attackers to crash the application and overwrite SEH pointers by supplying a crafted. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
RealTerm Serial Terminal 2.0.0.70 contains a structured exception handling (SEH) buffer overflow vulnerability in the Echo Port tab that allows local attackers to execute arbitrary code by supplying. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Ask Expert Script 3.0.5 contains cross-site scripting and SQL injection vulnerabilities that allow unauthenticated attackers to inject malicious code by manipulating URL parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
VA MAX 8.3.4 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the mtu_eth0 parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
River Past Video Cleaner 7.6.3 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
R i386 3.5.0 contains a local buffer overflow vulnerability in the GUI Preferences dialog that allows local attackers to trigger a structured exception handler (SEH) overwrite by supplying malicious. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Remote code execution in premAI-io premsql up to version 0.2.1 allows authenticated remote attackers to achieve arbitrary code execution through code injection via manipulation of the result argument in the eval function located in premsql/agents/baseline/workers/followup.py. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure attempts, leaving affected deployments without an official patch.
Remote code execution in Fosowl agenticSeek 0.1.0 allows unauthenticated attackers to inject arbitrary Python code via the PyInterpreter.execute function in the query endpoint, enabling full system compromise. The vulnerability exploits unsafe code execution in the component responsible for interpreting user-supplied queries. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.
Code injection in Provectus kafka-ui up to version 0.7.2 allows unauthenticated remote attackers to execute arbitrary code via the validateAccess function in the /api/smartfilters/testexecutions endpoint. The vulnerability has publicly available exploit code and carries a CVSS 6.9 score reflecting moderate but meaningful real-world risk; the vendor was contacted early but provided no response, suggesting no patch is anticipated.
Code injection in badlogic pi-mono up to version 0.58.4 allows authenticated remote attackers to achieve remote code execution through the discoverAndLoadExtensions function in the extension loader module. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications despite contact attempts. The vulnerability carries moderate CVSS scoring (6.3) but represents a significant risk due to public exploit availability and lack of vendor engagement.
10-Strike LANState 8.8 contains a local buffer overflow vulnerability in structured exception handling that allows local attackers to execute arbitrary code by crafting malicious LSM map files. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
NICO-FTP 3.0.1.19 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending crafted FTP commands. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Snes9K 0.0.9z contains a buffer overflow vulnerability in the Netplay Socket Port Number field that allows local attackers to trigger a structured exception handler (SEH) overwrite. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Snews CMS 1.7 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files including PHP executables to the snews_files directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Unauthenticated arbitrary media upload in Listeo Core plugin for WordPress (versions up to 2.0.27) allows remote attackers to upload arbitrary files to the site's media library via the unprotected listeo_core_handle_dropped_media AJAX endpoint. The vulnerability stems from missing authorization checks and does not directly enable code execution, but significantly degrades site integrity by enabling malicious file storage and potential downstream attacks.
Arbitrary shortcode execution in ProfilePress plugin for WordPress (all versions up to 4.16.11) allows unauthenticated attackers to execute arbitrary shortcodes by injecting malicious code into billing field values during checkout, potentially leading to information disclosure or content manipulation. The vulnerability stems from insufficient sanitization of user-supplied input before shortcode processing. Wordfence has documented this issue with a CVSS score of 6.5 and no confirmed active exploitation at time of analysis.
Arbitrary code execution in pyload-ng via pickle deserialization allows non-admin users with SETTINGS and ADD permissions to write malicious session files and trigger unauthenticated RCE. Attackers redirect the download directory to Flask's session store (/tmp/pyLoad/flask), plant a crafted pickle payload as a predictable session filename, then trigger deserialization by sending any HTTP request with the corresponding session cookie. This bypasses CVE-2026-33509 fix controls because storage_folder was not added to ADMIN_ONLY_OPTIONS. No public exploit identified at time of analysis, though detailed proof-of-concept methodology is documented in the advisory. EPSS data not available for this recent CVE.
Remote code execution in pyLoad download manager allows authenticated non-admin users with SETTINGS permission to execute arbitrary system commands via the AntiVirus plugin configuration. The vulnerability stems from incomplete enforcement of admin-only security controls: while core configuration options like reconnect scripts and SSL certificates require admin privileges, plugin configuration lacks this protection. Attackers can modify the AntiVirus plugin's executable path (avfile) parameter, which is directly passed to subprocess.Popen() without validation, achieving command execution when file downloads complete. CVSS 8.8 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept exists in the GitHub security advisory.
Arbitrary Android intent execution in mobile-mcp npm package (versions <0.0.50) allows remote attackers to trigger USSD codes, phone calls, SMS drafting, and content provider access through unvalidated URL schemes passed to adb shell commands. Attack vector exploits AI agent prompt injection: malicious documents can instruct connected AI systems to execute dangerous intents on paired Android devices. CVSS 8.3 (Network/Low complexity/No privileges/User interaction required). Publicly available exploit code exists. Vendor-released patch available (version 0.0.50+).
Remote code execution in BentoML's containerization workflow allows attackers to execute arbitrary Python code on victim machines by distributing malicious bento archives containing SSTI payloads. When victims import a weaponized bento and run 'bentoml containerize', unsanitized Jinja2 template rendering executes attacker-controlled code directly on the host system - bypassing all Docker container isolation. The vulnerability stems from using an unsandboxed jinja2.Environment with the dangerous jinja2.ext.do extension to process user-provided dockerfile_template files. Authentication is not required (CVSS PR:N), though exploitation requires user interaction (UI:R) to import and containerize the malicious bento. No public exploit identified at time of analysis, though the GitHub advisory includes detailed proof-of-concept demonstrating host filesystem compromise.
SQL injection in Kestra orchestration platform's flow search endpoint (GET /api/v1/main/flows/search) enables remote code execution on the underlying PostgreSQL host. Authenticated users can trigger the vulnerability by visiting a malicious link, exploiting PostgreSQL's COPY TO PROGRAM feature to execute arbitrary OS commands on the Docker container host. Affects Kestra versions prior to 1.3.7 in default docker-compose deployments. With CVSS 9.9 (Critical) and low attack complexity requiring only low-privilege authentication, this represents a severe risk for container escape and host compromise scenarios.
Local file inclusion in Emlog admin/plugin.php allows authenticated attackers to execute arbitrary PHP code via unsanitized $plugin parameter in GET requests, provided CSRF token validation can be bypassed. Emlog versions 2.6.2 and prior are affected. An authenticated attacker with high privileges can include arbitrary files from the server filesystem, achieving remote code execution without requiring user interaction. No public exploit code or active exploitation has been confirmed at time of analysis.
Path traversal in Emlog CMS 2.6.2 and earlier enables authenticated administrators to achieve remote code execution by uploading malicious ZIP archives containing directory traversal sequences. The emUnZip() function fails to sanitize entry paths during plugin/template uploads and backup imports, allowing arbitrary file writes including PHP webshells. CVSS 7.2 (High) with network attack vector and low complexity. No vendor-released patch identified at time of analysis; publicly available exploit code exists via GitHub Security Advisory GHSA-2jg8-rmhm-xv9m.
Command injection in BentoML's cloud deployment path allows remote code execution on BentoCloud build infrastructure via malicious bentofile.yaml configurations. While commit ce53491 fixed command injection in local Dockerfile generation by adding shlex.quote protection, the cloud deployment code path (deployment.py:1648) remained vulnerable, directly interpolating system_packages into shell commands without sanitization. Attackers can inject shell metacharacters through bentofile.yaml to execut
Remote code execution in BerriAI LiteLLM (pkg:pip/litellm) prior to v1.83.0 allows authenticated users without admin privileges to execute arbitrary Python code, modify proxy configuration, read server files, and hijack privileged accounts via an improperly protected /config/update endpoint. Authentication requirements not confirmed from available data. No public exploit identified at time of analysis, but the attack surface is well-documented in the vendor advisory. CVSS score unavailable; however, the combination of RCE capability and authentication bypass warrants immediate remediation for all LiteLLM deployments.
Sandbox escape in SandboxJS npm package allows unauthenticated remote attackers to mutate host JavaScript global objects (Math, JSON, etc.) and persist malicious code across sandbox instances. The vulnerability bypasses intended global-write protections by exploiting an exposed constructor callable path (this.constructor.call), enabling arbitrary property injection into host runtime globals. Exploitation probability is HIGH (EPSS not available for recent CVE), with publicly available exploit code demonstrating both immediate host contamination and cross-execution persistence. Critical impact: attacker-controlled globals can hijack application control flow when host code consumes mutated built-ins, escalating to arbitrary command execution when chained with application sinks like execSync().
Hirschmann HiSecOS devices versions prior to 05.3.03 contain a buffer overflow vulnerability in the HTTPS login interface when RADIUS authentication is enabled that allows remote attackers to crash. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Hirschmann Industrial HiVision versions prior to 06.0.07 and 07.0.03 contains an authentication bypass vulnerability in the master service that allows unauthenticated remote attackers to execute. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Path traversal in prompts.chat skill file extraction allows unauthenticated remote attackers to write arbitrary files and execute code on client systems through malicious ZIP archives. The vulnerability (CVSS 8.6) stems from missing server-side filename validation enabling ../ sequences in archive filenames that overwrite shell initialization files during extraction. VulnCheck identified this issue; vendor-released patch available in commit 0f8d4c3. No public exploit identified at time of analysis, though EPSS data not available for risk quantification.
Command injection in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows local attackers to execute arbitrary code or hijack authentication flows through malicious connection parameters during user-initiated database connections. With a CVSS 7.3 rating, the vulnerability requires user interaction but no authentication (CVSS:4.0 AV:L/PR:N/UI:P), enabling high impact to confidentiality, integrity, and availability on the local system. Vendor-released patches are available across all platforms (Windows, Linux, macOS). No public exploit or active exploitation confirmed at time of analysis, though EPSS data not available for risk calibration.
Local code execution via command injection in Amazon Athena ODBC driver for Linux (pre-2.0.5.1) allows unauthenticated local attackers to execute arbitrary commands by crafting malicious connection parameters processed during user-initiated database connections. Vendor-released patches available across all platforms (version 2.1.0.0). No active exploitation confirmed (not in CISA KEV); CVSS 7.3 reflects high impact but requires local access and user interaction, limiting remote attack surface.
MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without credentials (CVSS 9.8, CWE-306). Affects mlflow/mlflow latest version when MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true and job functions are allowlisted. Public POC exists per SSVC framework. EPSS score of 0.20% (42nd percentile) indicates low observed exploitation probability despite critical CVSS, suggesting targeted rather than widespread risk. Vendor-released patch not confirmed at time of analysis - remediation relies on configuration changes and service hardening.
Remote code execution in Budibase versions prior to 3.33.4 allows unauthenticated attackers to execute arbitrary Bash commands with root privileges inside the application container by exploiting public webhook endpoints that trigger automation workflows. The vulnerability stems from improper neutralization of special elements in OS commands (CWE-78) and requires no authentication, though the CVSS complexity is rated high (AC:H). A vendor-released patch is available in version 3.33.4, with the fix publicly documented in GitHub pull request #18238 and commit f0c731b4.
AIRBUS TETRA Connectivity Server 7.0 on Windows Server allows privilege escalation to SYSTEM via incorrect default directory permissions (CWE-276), enabling local authenticated attackers to execute arbitrary code by placing a crafted file in a vulnerable directory with user interaction. The vulnerability affects TETRA Connectivity Server version 7.0, with patches available for versions 8.0 and 9.0. No public exploit code or active exploitation in the wild has been identified at time of analysis.
Remote code execution in Kedro (all versions prior to 1.3.0) allows unauthenticated network attackers to execute arbitrary system commands during application startup by poisoning the KEDRO_LOGGING_CONFIG environment variable. The vulnerability stems from unsafe use of Python's logging.config.dictConfig() with the special '()' factory key that enables arbitrary callable instantiation. With CVSS 9.8 (critical severity, network-exploitable, no privileges required, low complexity), this represents a
Remote code execution in D-Tale allows unauthenticated attackers to execute arbitrary code on servers hosting D-Tale publicly when using Redis or Shelf storage backends. The vulnerability stems from improper input validation in the storage layer, affecting D-Tale versions prior to 3.22.0. Vendor-released patch version 3.22.0 is available.
Electron's setAsDefaultProtocolClient() on Windows fails to validate protocol names before writing to the Windows registry, allowing local authenticated attackers to hijack protocol handlers by writing to arbitrary HKCU\Software\Classes\ subkeys when apps pass untrusted input as the protocol parameter. The vulnerability affects Electron versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0, and requires local access and low privileges; no public exploit has been identified at time of analysis.
Command line injection in Electron via undocumented commandLineSwitches webPreference enables sandbox escape and security control bypass when applications spread untrusted configuration objects into webPreferences. Attackers can inject arbitrary command-line switches to disable renderer process sandboxing or web security protections, achieving local code execution with elevated privileges. CVSS 7.8 (High) with attack complexity HIGH requiring user interaction. No public exploit identified at time of analysis, though technical disclosure is public via GitHub advisory.
Remote code execution in BizTalk360 before version 11.5 allows any authenticated user to upload a malicious DLL and trigger its execution on the server through an unprotected DLL-loading endpoint. The vulnerability stems from missing access controls on a method that loads and executes DLL files, enabling attackers with valid domain credentials to achieve arbitrary code execution without requiring elevated privileges.
JWT algorithm confusion in fast-jwt npm package allows remote attackers to forge authentication tokens with arbitrary claims by exploiting incomplete CVE-2023-48223 remediation. The vulnerability (CVSS 9.1 Critical) affects applications using RS256 with public keys containing leading whitespace-a common scenario in database-stored keys, YAML configurations, and environment variables. Attackers possessing the RSA public key (inherently public information) can craft HS256 tokens accepted as valid
Remote Code Execution in Group-Office enterprise CRM via insecure deserialization allows authenticated attackers to write arbitrary files and execute code on the server. Affects all versions prior to 6.8.156, 25.0.90, and 26.0.12 across multiple product branches. CVSS 9.9 (Critical) with network-based attack vector requiring only low-privileged authentication. No public exploit identified at time of analysis, though the technical details in the GitHub Security Advisory provide sufficient impleme
Unauthenticated remote code execution in OneUptime monitoring platform (versions < 10.0.42) allows attackers to trigger arbitrary workflow execution with controlled input data via exposed Worker service ManualAPI endpoints. The vulnerability enables JavaScript code execution, notification system abuse, and data manipulation without any authentication requirement. CVSS 9.2 (Critical) with network attack vector and low complexity; no public exploit identified at time of analysis, though the authentication bypass combined with RCE capability presents immediate risk to exposed instances.
Arbitrary code execution in AWS Kiro IDE versions prior to 0.8.140 occurs when a local user opens a maliciously crafted workspace containing an unsanitized color theme name, exploiting improper neutralization of input during webview generation. The attack requires user interaction (trusting the workspace when prompted) and can deliver full system compromise with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though SSVC framework rates technical impact as total with manual (non-automatable) exploitation potential.
Remote code execution in Hytale Modding Wiki version 1.2.0 and earlier allows authenticated users to upload malicious PHP files through a MIME type validation bypass. The quickUpload() endpoint performs independent validation of file content (via MIME type) and filename extension, enabling attackers to craft files with benign content signatures but executable .php extensions. Uploaded files are stored in a publicly accessible location, allowing direct URL access for server-side code execution. EPSS data unavailable; publicly available exploit code exists per SSVC assessment. No vendor-released patch identified at time of analysis.
A permissions issue was addressed with additional restrictions. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
Mbed TLS versions 2.19.0 through 3.6.5 and 4.0.0 allow remote code execution through memory corruption when attackers modify serialized SSL context or session structures. The vulnerability stems from insufficient validation of deserialized data, enabling arbitrary code execution on systems using affected versions. CISA KEV status and active exploitation data not confirmed in provided intelligence.
Remote code execution in Agno prior to version 2.3.24 allows attackers to execute arbitrary Python code by manipulating the field_type parameter in FunctionCall objects, which is passed unsafely to eval(). The vulnerability affects all versions before 2.3.24 and requires network access to influence the field_type value, enabling complete system compromise through code injection in the model execution component.
Remote code execution in Progress ShareFile Storage Zones Controller versions up to 5.12.3 allows high-privileged authenticated users to upload and execute malicious files on the server. The CVSS 9.1 score reflects scope change and total system compromise. Publicly available exploit code exists (confirmed by Italian CERT), though EPSS probability remains low at 0.19% and no active exploitation is confirmed by CISA KEV. Real-world risk depends heavily on authentication controls and privileged account management in ShareFile deployments.
Unauthenticated remote code execution affects Progress ShareFile Storage Zones Controller versions up to 5.12.3 via unauthorized access to restricted configuration pages. Attackers can modify system configuration remotely without authentication, leading to complete system compromise. Publicly available exploit code exists (watchTowr Labs GitHub). EPSS score of 0.41% suggests relatively low observed exploitation despite critical CVSS 9.8 rating and POC availability. Vendor patch released per ShareFile security advisory.
Local privilege escalation via command injection in TECNO Pova7 Pro 5G AssistFeedbackService allows unprivileged Android applications to execute arbitrary code with system privileges. The vulnerability affects all TECNO Pova7 Pro 5G firmware versions and requires local app installation but no user interaction or special permissions beyond app execution capability. No public exploit code or active exploitation has been confirmed at time of analysis.
Remote code execution in Spam Protect for Contact Form 7 WordPress plugin before version 1.2.10 allows authenticated users with editor-level privileges to achieve arbitrary code execution by crafting malicious headers that are logged to a PHP file. The vulnerability is publicly exploitable with proof-of-concept code available, making it a critical risk for WordPress installations using affected plugin versions.
Arbitrary file movement in MW WP Form plugin for WordPress (all versions ≤5.1.0) allows unauthenticated remote attackers to relocate server files and achieve remote code execution by moving critical files like wp-config.php. Exploitation requires a form with file upload capability and database inquiry storage enabled. CVSS 8.1 with network attack vector and high attack complexity. EPSS data not provided; no public exploit or CISA KEV status identified at time of analysis, though Wordfence threat intelligence has documented the vulnerability with source code references.
TOCTOU race condition in Balena Etcher for Windows (versions prior to 2.1.4) enables local privilege escalation to arbitrary code execution when attackers replace legitimate scripts with malicious payloads during disk flashing operations. The vulnerability requires low privileges and user interaction but achieves high impact across confidentiality, integrity, and availability with scope change. No public exploit identified at time of analysis, though technical details are available via researcher disclosure (B1tBreaker). EPSS data not available, but the local attack vector and high complexity reduce immediate remote exploitation risk.
Path traversal in Ferret's IO::FS::WRITE and IO::FS::READ functions enables remote code execution when web scraping operators process attacker-controlled filenames. The vulnerability affects github.com/MontFerret/ferret (all v2.x and earlier versions), allowing malicious websites to write arbitrary files outside intended directories by injecting '../' sequences into filenames returned via scraped content. Attackers can achieve RCE by writing to /etc/cron.d/, ~/.ssh/authorized_keys, shell profile
Stack-based buffer overflow in Fuji Electric/Hakko Electronics V-SFT versions through 6.2.10.0 enables arbitrary code execution when processing malicious V7 project files. Local attackers can exploit this via social engineering to deliver weaponized files requiring user interaction to open. CVSS 8.4 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, with EPSS data unavailable for this newly-assigned CVE. Japanese vulnerability coordination (JPCERT/JVN) indicates regional industrial control system exposure.
Stack-based buffer overflow in Fuji Electric/HAKKO Electronics V-SFT automation software (versions ≤6.2.10.0) allows arbitrary code execution when opening a maliciously crafted V7 project file. An attacker must convince a user to open a weaponized file, requiring no authentication but user interaction. EPSS data not available; no public exploit identified at time of analysis, though the specific function (CV7BaseMap::WriteV7DataToRom) and vulnerability class (stack overflow) provide sufficient technical detail for skilled attackers to develop exploits.
Stored XSS in DbGate npm package escalates to remote code execution in Electron desktop app via unsanitized SVG icon rendering. Attackers who inject malicious SVG payloads into application definition files can execute arbitrary JavaScript when victims view matching database entries. In the Electron desktop client, insecure configuration (nodeIntegration: true, contextIsolation: false) allows XSS payloads to invoke Node.js APIs, enabling local code execution including file system access. Web depl
Remote code execution in WatchGuard Fireware OS versions 12.6.1 through 12.11.8 and 2025.1 through 2026.1.2 allows privileged authenticated attackers to execute arbitrary code with elevated system privileges via path traversal in the Web UI. The vulnerability requires high-level administrative access (CVSS PR:H) but presents a direct RCE path once authenticated. WatchGuard self-reported this issue with an official advisory available. EPSS and KEV data not provided; no public exploit identified at time of analysis.
Heap buffer overflow in OpenEXR 3.4.0 through 3.4.6 allows remote code execution when processing maliciously crafted EXR image files with HTJ2K compression and specific channel width configurations. The vulnerability enables controlled heap overwrites of 2-4 bytes per iteration beyond allocated buffer boundaries, exploitable through user interaction with weaponized .exr files. Attack vector is local (AV:L) requiring user action (UI:A) but no privileges (PR:N), with CVSS 8.4 severity. Vendor-released patch available in version 3.4.7. No public exploit identified at time of analysis, though the precise technical details in the security advisory lower exploitation complexity for capable adversaries.
Remote code execution in llama.cpp RPC backend allows unauthenticated attackers with TCP access to achieve arbitrary memory read/write and full ASLR bypass. The vulnerability stems from missing bounds validation in deserialize_tensor() when processing GRAPH_COMPUTE messages with zero-valued buffer fields. Attackers can leverage pointer leaks from ALLOC_BUFFER/BUFFER_GET_BASE operations to reliably exploit this flaw. Fixed in version b8492 (commit 39bf0d3c). CVSS 9.8 (Critical) with network attack vector, low complexity, and no authentication required. No public exploit identified at time of analysis, though the detailed advisory provides sufficient technical context for weaponization.
Cisco IMC web-based management interface allows authenticated administrators to execute arbitrary code as root through improper input validation in HTTP requests. The vulnerability affects Cisco Unified Computing System (standalone) and requires admin-level credentials and network access; successful exploitation grants attacker root-level code execution on the underlying operating system. No public exploit code or active exploitation has been identified at time of analysis.
Remote code execution in Replicator npm package version 1.0.5 allows unauthenticated attackers to execute arbitrary code by supplying malicious serialized objects that the library deserializes without validation. Applications using Replicator to process untrusted input are vulnerable to immediate compromise; no public exploit code availability or active exploitation status is confirmed at time of analysis, but the unauthenticated attack vector and ease of object deserialization attacks suggest practical exploitability.
Local privilege escalation in libinput allows authenticated users to execute arbitrary code within graphical compositor contexts by placing malicious Lua bytecode in system or user configuration directories. The vulnerability achieves scope change (CVSS:S:C) with high impact across confidentiality, integrity, and availability (8.8 CVSS), enabling attackers to monitor keyboard input including passwords and sensitive data. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed vulnerability.
Tinybeans Private Family Album App v5.9.5-prod contains an arbitrary file overwrite vulnerability in its file import process that enables remote attackers to overwrite critical internal files, resulting in arbitrary code execution or information disclosure. No CVSS score, EPSS data, or KEV status is available for this vulnerability, and no public exploit code has been independently confirmed at the time of analysis.
Deep Thought Industries ACE Scanner PDF Scanner v1.4.5 contains an arbitrary file overwrite vulnerability in its file import process that permits attackers to overwrite critical internal files, resulting in remote code execution or information disclosure. The vulnerability affects a mobile application distributed via Google Play Store. No CVSS score, active exploitation status, or patch information is currently available from vendor sources.
Local file inclusion in VertiGIS FM's upload/download mechanism allows authenticated attackers to read arbitrary server files by manipulating file paths during upload, with potential for remote code execution if web.config is obtained and NTLM-relay attacks via UNC path resolution. VertiGIS FM version 10.5.00119 and earlier are affected, and the vulnerability requires valid application credentials to exploit.
MetInfo CMS 7.9, 8.0, and 8.1 allows unauthenticated remote code execution through PHP code injection in insufficient input validation mechanisms. Attackers can send crafted requests containing malicious PHP code to execute arbitrary commands and achieve full server compromise without authentication. Publicly available exploit code exists for this vulnerability.
Remote code execution in Google Chrome prior to version 146.0.7680.178 allows attackers to execute arbitrary code within the Chrome sandbox via a specially crafted PDF file. The vulnerability exists in Chrome's PDF handling component and is caused by a use-after-free memory corruption flaw. Patch availability has been confirmed via vendor release, and the Chromium security team has classified this as High severity.
Remote code execution in Google Chrome's CSS engine prior to version 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page. The vulnerability stems from a use-after-free memory error in CSS processing, classified as high severity by the Chromium security team. Vendor-released patch available in Chrome 146.0.7680.178 and later.
Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in the Dawn graphics library allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects all Chrome versions below the patched release and carries high severity per Chromium's assessment.
Remote code execution in Hitachi's JP1/IT Desktop Management suite allows authenticated network attackers to execute arbitrary code on Windows systems running Manager, Operations Director, and Client components. Affects multiple product generations spanning versions 9.x through 13.x across nine distinct product lines. CVSS score of 8.8 reflects network-accessible attack surface with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though CWE-73 (external control of file name or path) indicates potential for path traversal-based exploitation. Hitachi has released patches addressing versions 13-50-02, 13-11-04, 13-10-07, 13-01-07, 13-00-05, and 12-60-12 for actively supported products.
Unauthenticated arbitrary file upload in Ninja Forms - File Uploads plugin for WordPress (versions ≤3.3.26) enables remote code execution through missing file type validation in the upload handler. Attackers can upload malicious PHP files without authentication, achieving complete server compromise. CVSS 9.8 (Critical) with CVSS:3.1/AV:N/AC:L/PR:N/UI:N indicates network-based exploitation requiring no privileges or user interaction. Fully patched in version 3.3.27 following a partial fix in 3.3.25. No public exploit identified at time of analysis, though the vulnerability class (CWE-434: Unrestricted Upload of File with Dangerous Type) is well-understood and readily exploitable.
Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Stored cross-site scripting (XSS) in yaffa v2.0.0 allows unauthenticated remote attackers to inject malicious JavaScript via the 'Add Account Group' function, enabling arbitrary script execution in the browsers of users who view the affected page. The vulnerability requires user interaction (clicking/viewing) to trigger but can compromise account confidentiality and integrity for affected users. EPSS exploitation probability is minimal at 0.02%, indicating low real-world exploitation likelihood despite the moderate CVSS score of 6.1.
Authenticated remote code execution in Daylight Studio FuelCMS version 1.5.2 allows low-privileged users to execute arbitrary code via the Blocks module. CVSS 8.8 rating indicates network-accessible attack requiring low-complexity exploitation without user interaction, enabling full system compromise (confidentiality, integrity, availability impact). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Arbitrary file write via path traversal in PraisonAI's Action Orchestrator allows compromised agents to overwrite critical system files and achieve remote code execution. The vulnerability affects the praisonai pip package, where unsanitized user input in file operation targets enables directory traversal attacks using '../' sequences. Public exploit code exists with detailed proof-of-concept demonstrating overwrite of SSH keys and shell configuration files. Despite CVSS 9.0 (Critical), EPSS score is 2% (4th percentile), indicating low observed exploitation probability in the wild. Vendor patch released in version 4.5.113.
Arbitrary file write in PraisonAI's template installation feature allows remote attackers to overwrite system files when users install malicious templates via social engineering. The vulnerability stems from unsafe ZIP extraction in templates.py using Python's zipfile.extractall() without path validation, enabling classic Zip Slip attacks. Public exploit code exists with proof-of-concept demonstrating /tmp file creation via path traversal. EPSS probability is low (0.04%, 13th percentile) indicating limited observed exploitation attempts, though the attack requires only user interaction (CVSS UI:R) to achieve high integrity and availability impact. Vendor patch released in version 4.5.113 per GitHub advisory GHSA-4ph2-f6pf-79wv.
Arbitrary code execution in dye color library versions prior to 1.1.1 allows authenticated local users with interactive UI access to execute arbitrary code through malicious template expressions. The vulnerability stems from unsafe evaluation of template syntax and requires local file system access and user interaction. No public exploits have been identified; the vulnerability was discovered and remediated by the author.
Remote code execution in Workbench (forceworkbench) versions prior to 65.0.0 allows network-based attackers to execute arbitrary code by exploiting unsafe processing of attacker-controlled cookie values during timezone conversion operations. The vulnerability requires user interaction (CVSS UI:P) but no authentication (PR:N), enabling compromise of both the vulnerable component and other system components (scope change: SC:H/SI:H). EPSS score of 0.51% (66th percentile) indicates moderate exploitation probability. No active exploitation confirmed in CISA KEV at time of analysis. Vendor-released patch available in version 65.0.0 with public GitHub advisory and fix PR.
Path traversal in Chyrp Lite administration console allows privileged users with Change Settings permissions to manipulate the uploads path, enabling arbitrary file read (including database credentials from config.json.php) and arbitrary file write leading to remote code execution. Affects all versions prior to 2026.01. CVSS 9.1 (Critical) reflects post-authentication impact with scope change. EPSS data not available; no public exploit identified at time of analysis, no CISA KEV listing.
Remote code execution in Brave CMS versions prior to 2.0.6 allows authenticated users to upload and execute arbitrary PHP scripts through the CKEditor upload functionality. The vulnerability stems from unrestricted file upload in the ckupload method of CkEditorController.php, which fails to validate uploaded file types. No public exploit identified at time of analysis, though the attack requires only low-privilege authentication (PR:L) with low complexity (AC:L). CVSS 8.8 High severity reflects the complete system compromise possible post-authentication.
Unrestricted file upload in BraveCMS 2.0 (prior to 2.0.6) enables remote attackers to execute arbitrary code on the server without authentication. The CKEditor endpoint accepts malicious file uploads including executable scripts, leading to full remote code execution with CVSS 9.3 severity. EPSS data unavailable, no confirmed active exploitation (not in CISA KEV), but upstream fix is available via GitHub commit and version 2.0.6 release. Attack complexity is low with network-accessible vector requiring no privileges or user interaction, making this a critical exposure for internet-facing BraveCMS installations.
Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Arbitrary code execution in Lupa (Python-Lua integration library) versions ≤2.6 allows unauthenticated remote attackers to bypass attribute filtering controls via Python's getattr/setattr built-ins. The vulnerability enables attackers to circumvent sandbox restrictions designed to limit Lua runtime access to sensitive Python objects, ultimately achieving code execution in the CPython host process. EPSS data unavailable; no CISA KEV listing or public exploit identified at time of analysis, though exploitation complexity is low per CVSS vector (AC:L, PR:N).
Pi-hole 6.4 allows local privilege escalation to root code execution via insecure sourcing of attacker-controlled content in /etc/pihole/versions by root-run scripts. A compromised low-privilege pihole account can inject malicious code that executes with root privileges, despite the pihole account using nologin shell. This vulnerability is fixed in version 6.4.1.
Remote code execution in GLPI asset management software versions 11.0.0 through 11.0.5 allows authenticated administrators to execute arbitrary code via template injection. The vulnerability requires high privileges (administrator access) but enables complete system compromise with changed scope, indicating potential breakout from the application context. CVSS 9.1 (Critical). No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE. Fixed in version 11.0.6.
Remote code injection in gpt-researcher (assafelovic) versions up to 3.4.3 allows unauthenticated attackers to execute arbitrary code via the WebSocket endpoint's extract_command_data function. The vulnerability stems from improper input validation of the 'args' parameter in backend/server/server_utils.py. Publicly available exploit code exists (GitHub issue #1694), though confirmed active exploitation (CISA KEV) has not been reported. With CVSS 7.3 and network-accessible attack vector requiring no authentication, this represents a significant risk to exposed instances, though vendor response remains pending.
Pegasus CMS 1.0 contains a remote code execution vulnerability in the extra_fields.php plugin that allows unauthenticated attackers to execute arbitrary commands by exploiting unsafe eval. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
phpBB contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by exploiting the plupload functionality and phar:// stream wrapper. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Xlight FTP Server 3.9.1 contains a structured exception handler (SEH) overwrite vulnerability that allows local attackers to crash the application and overwrite SEH pointers by supplying a crafted. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
RealTerm Serial Terminal 2.0.0.70 contains a structured exception handling (SEH) buffer overflow vulnerability in the Echo Port tab that allows local attackers to execute arbitrary code by supplying. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Ask Expert Script 3.0.5 contains cross-site scripting and SQL injection vulnerabilities that allow unauthenticated attackers to inject malicious code by manipulating URL parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
VA MAX 8.3.4 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the mtu_eth0 parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
River Past Video Cleaner 7.6.3 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
R i386 3.5.0 contains a local buffer overflow vulnerability in the GUI Preferences dialog that allows local attackers to trigger a structured exception handler (SEH) overwrite by supplying malicious. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Remote code execution in premAI-io premsql up to version 0.2.1 allows authenticated remote attackers to achieve arbitrary code execution through code injection via manipulation of the result argument in the eval function located in premsql/agents/baseline/workers/followup.py. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure attempts, leaving affected deployments without an official patch.
Remote code execution in Fosowl agenticSeek 0.1.0 allows unauthenticated attackers to inject arbitrary Python code via the PyInterpreter.execute function in the query endpoint, enabling full system compromise. The vulnerability exploits unsafe code execution in the component responsible for interpreting user-supplied queries. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.
Code injection in Provectus kafka-ui up to version 0.7.2 allows unauthenticated remote attackers to execute arbitrary code via the validateAccess function in the /api/smartfilters/testexecutions endpoint. The vulnerability has publicly available exploit code and carries a CVSS 6.9 score reflecting moderate but meaningful real-world risk; the vendor was contacted early but provided no response, suggesting no patch is anticipated.
Code injection in badlogic pi-mono up to version 0.58.4 allows authenticated remote attackers to achieve remote code execution through the discoverAndLoadExtensions function in the extension loader module. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications despite contact attempts. The vulnerability carries moderate CVSS scoring (6.3) but represents a significant risk due to public exploit availability and lack of vendor engagement.
10-Strike LANState 8.8 contains a local buffer overflow vulnerability in structured exception handling that allows local attackers to execute arbitrary code by crafting malicious LSM map files. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
NICO-FTP 3.0.1.19 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending crafted FTP commands. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Snes9K 0.0.9z contains a buffer overflow vulnerability in the Netplay Socket Port Number field that allows local attackers to trigger a structured exception handler (SEH) overwrite. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Snews CMS 1.7 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files including PHP executables to the snews_files directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Unauthenticated arbitrary media upload in Listeo Core plugin for WordPress (versions up to 2.0.27) allows remote attackers to upload arbitrary files to the site's media library via the unprotected listeo_core_handle_dropped_media AJAX endpoint. The vulnerability stems from missing authorization checks and does not directly enable code execution, but significantly degrades site integrity by enabling malicious file storage and potential downstream attacks.
Arbitrary shortcode execution in ProfilePress plugin for WordPress (all versions up to 4.16.11) allows unauthenticated attackers to execute arbitrary shortcodes by injecting malicious code into billing field values during checkout, potentially leading to information disclosure or content manipulation. The vulnerability stems from insufficient sanitization of user-supplied input before shortcode processing. Wordfence has documented this issue with a CVSS score of 6.5 and no confirmed active exploitation at time of analysis.
Arbitrary code execution in pyload-ng via pickle deserialization allows non-admin users with SETTINGS and ADD permissions to write malicious session files and trigger unauthenticated RCE. Attackers redirect the download directory to Flask's session store (/tmp/pyLoad/flask), plant a crafted pickle payload as a predictable session filename, then trigger deserialization by sending any HTTP request with the corresponding session cookie. This bypasses CVE-2026-33509 fix controls because storage_folder was not added to ADMIN_ONLY_OPTIONS. No public exploit identified at time of analysis, though detailed proof-of-concept methodology is documented in the advisory. EPSS data not available for this recent CVE.
Remote code execution in pyLoad download manager allows authenticated non-admin users with SETTINGS permission to execute arbitrary system commands via the AntiVirus plugin configuration. The vulnerability stems from incomplete enforcement of admin-only security controls: while core configuration options like reconnect scripts and SSL certificates require admin privileges, plugin configuration lacks this protection. Attackers can modify the AntiVirus plugin's executable path (avfile) parameter, which is directly passed to subprocess.Popen() without validation, achieving command execution when file downloads complete. CVSS 8.8 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept exists in the GitHub security advisory.
Arbitrary Android intent execution in mobile-mcp npm package (versions <0.0.50) allows remote attackers to trigger USSD codes, phone calls, SMS drafting, and content provider access through unvalidated URL schemes passed to adb shell commands. Attack vector exploits AI agent prompt injection: malicious documents can instruct connected AI systems to execute dangerous intents on paired Android devices. CVSS 8.3 (Network/Low complexity/No privileges/User interaction required). Publicly available exploit code exists. Vendor-released patch available (version 0.0.50+).
Remote code execution in BentoML's containerization workflow allows attackers to execute arbitrary Python code on victim machines by distributing malicious bento archives containing SSTI payloads. When victims import a weaponized bento and run 'bentoml containerize', unsanitized Jinja2 template rendering executes attacker-controlled code directly on the host system - bypassing all Docker container isolation. The vulnerability stems from using an unsandboxed jinja2.Environment with the dangerous jinja2.ext.do extension to process user-provided dockerfile_template files. Authentication is not required (CVSS PR:N), though exploitation requires user interaction (UI:R) to import and containerize the malicious bento. No public exploit identified at time of analysis, though the GitHub advisory includes detailed proof-of-concept demonstrating host filesystem compromise.
SQL injection in Kestra orchestration platform's flow search endpoint (GET /api/v1/main/flows/search) enables remote code execution on the underlying PostgreSQL host. Authenticated users can trigger the vulnerability by visiting a malicious link, exploiting PostgreSQL's COPY TO PROGRAM feature to execute arbitrary OS commands on the Docker container host. Affects Kestra versions prior to 1.3.7 in default docker-compose deployments. With CVSS 9.9 (Critical) and low attack complexity requiring only low-privilege authentication, this represents a severe risk for container escape and host compromise scenarios.
Local file inclusion in Emlog admin/plugin.php allows authenticated attackers to execute arbitrary PHP code via unsanitized $plugin parameter in GET requests, provided CSRF token validation can be bypassed. Emlog versions 2.6.2 and prior are affected. An authenticated attacker with high privileges can include arbitrary files from the server filesystem, achieving remote code execution without requiring user interaction. No public exploit code or active exploitation has been confirmed at time of analysis.
Path traversal in Emlog CMS 2.6.2 and earlier enables authenticated administrators to achieve remote code execution by uploading malicious ZIP archives containing directory traversal sequences. The emUnZip() function fails to sanitize entry paths during plugin/template uploads and backup imports, allowing arbitrary file writes including PHP webshells. CVSS 7.2 (High) with network attack vector and low complexity. No vendor-released patch identified at time of analysis; publicly available exploit code exists via GitHub Security Advisory GHSA-2jg8-rmhm-xv9m.
Command injection in BentoML's cloud deployment path allows remote code execution on BentoCloud build infrastructure via malicious bentofile.yaml configurations. While commit ce53491 fixed command injection in local Dockerfile generation by adding shlex.quote protection, the cloud deployment code path (deployment.py:1648) remained vulnerable, directly interpolating system_packages into shell commands without sanitization. Attackers can inject shell metacharacters through bentofile.yaml to execut
Remote code execution in BerriAI LiteLLM (pkg:pip/litellm) prior to v1.83.0 allows authenticated users without admin privileges to execute arbitrary Python code, modify proxy configuration, read server files, and hijack privileged accounts via an improperly protected /config/update endpoint. Authentication requirements not confirmed from available data. No public exploit identified at time of analysis, but the attack surface is well-documented in the vendor advisory. CVSS score unavailable; however, the combination of RCE capability and authentication bypass warrants immediate remediation for all LiteLLM deployments.
Sandbox escape in SandboxJS npm package allows unauthenticated remote attackers to mutate host JavaScript global objects (Math, JSON, etc.) and persist malicious code across sandbox instances. The vulnerability bypasses intended global-write protections by exploiting an exposed constructor callable path (this.constructor.call), enabling arbitrary property injection into host runtime globals. Exploitation probability is HIGH (EPSS not available for recent CVE), with publicly available exploit code demonstrating both immediate host contamination and cross-execution persistence. Critical impact: attacker-controlled globals can hijack application control flow when host code consumes mutated built-ins, escalating to arbitrary command execution when chained with application sinks like execSync().
Hirschmann HiSecOS devices versions prior to 05.3.03 contain a buffer overflow vulnerability in the HTTPS login interface when RADIUS authentication is enabled that allows remote attackers to crash. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Hirschmann Industrial HiVision versions prior to 06.0.07 and 07.0.03 contains an authentication bypass vulnerability in the master service that allows unauthenticated remote attackers to execute. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Path traversal in prompts.chat skill file extraction allows unauthenticated remote attackers to write arbitrary files and execute code on client systems through malicious ZIP archives. The vulnerability (CVSS 8.6) stems from missing server-side filename validation enabling ../ sequences in archive filenames that overwrite shell initialization files during extraction. VulnCheck identified this issue; vendor-released patch available in commit 0f8d4c3. No public exploit identified at time of analysis, though EPSS data not available for risk quantification.
Command injection in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows local attackers to execute arbitrary code or hijack authentication flows through malicious connection parameters during user-initiated database connections. With a CVSS 7.3 rating, the vulnerability requires user interaction but no authentication (CVSS:4.0 AV:L/PR:N/UI:P), enabling high impact to confidentiality, integrity, and availability on the local system. Vendor-released patches are available across all platforms (Windows, Linux, macOS). No public exploit or active exploitation confirmed at time of analysis, though EPSS data not available for risk calibration.
Local code execution via command injection in Amazon Athena ODBC driver for Linux (pre-2.0.5.1) allows unauthenticated local attackers to execute arbitrary commands by crafting malicious connection parameters processed during user-initiated database connections. Vendor-released patches available across all platforms (version 2.1.0.0). No active exploitation confirmed (not in CISA KEV); CVSS 7.3 reflects high impact but requires local access and user interaction, limiting remote attack surface.
MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without credentials (CVSS 9.8, CWE-306). Affects mlflow/mlflow latest version when MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true and job functions are allowlisted. Public POC exists per SSVC framework. EPSS score of 0.20% (42nd percentile) indicates low observed exploitation probability despite critical CVSS, suggesting targeted rather than widespread risk. Vendor-released patch not confirmed at time of analysis - remediation relies on configuration changes and service hardening.
Remote code execution in Budibase versions prior to 3.33.4 allows unauthenticated attackers to execute arbitrary Bash commands with root privileges inside the application container by exploiting public webhook endpoints that trigger automation workflows. The vulnerability stems from improper neutralization of special elements in OS commands (CWE-78) and requires no authentication, though the CVSS complexity is rated high (AC:H). A vendor-released patch is available in version 3.33.4, with the fix publicly documented in GitHub pull request #18238 and commit f0c731b4.
AIRBUS TETRA Connectivity Server 7.0 on Windows Server allows privilege escalation to SYSTEM via incorrect default directory permissions (CWE-276), enabling local authenticated attackers to execute arbitrary code by placing a crafted file in a vulnerable directory with user interaction. The vulnerability affects TETRA Connectivity Server version 7.0, with patches available for versions 8.0 and 9.0. No public exploit code or active exploitation in the wild has been identified at time of analysis.
Remote code execution in Kedro (all versions prior to 1.3.0) allows unauthenticated network attackers to execute arbitrary system commands during application startup by poisoning the KEDRO_LOGGING_CONFIG environment variable. The vulnerability stems from unsafe use of Python's logging.config.dictConfig() with the special '()' factory key that enables arbitrary callable instantiation. With CVSS 9.8 (critical severity, network-exploitable, no privileges required, low complexity), this represents a
Remote code execution in D-Tale allows unauthenticated attackers to execute arbitrary code on servers hosting D-Tale publicly when using Redis or Shelf storage backends. The vulnerability stems from improper input validation in the storage layer, affecting D-Tale versions prior to 3.22.0. Vendor-released patch version 3.22.0 is available.
Electron's setAsDefaultProtocolClient() on Windows fails to validate protocol names before writing to the Windows registry, allowing local authenticated attackers to hijack protocol handlers by writing to arbitrary HKCU\Software\Classes\ subkeys when apps pass untrusted input as the protocol parameter. The vulnerability affects Electron versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0, and requires local access and low privileges; no public exploit has been identified at time of analysis.
Command line injection in Electron via undocumented commandLineSwitches webPreference enables sandbox escape and security control bypass when applications spread untrusted configuration objects into webPreferences. Attackers can inject arbitrary command-line switches to disable renderer process sandboxing or web security protections, achieving local code execution with elevated privileges. CVSS 7.8 (High) with attack complexity HIGH requiring user interaction. No public exploit identified at time of analysis, though technical disclosure is public via GitHub advisory.
Remote code execution in BizTalk360 before version 11.5 allows any authenticated user to upload a malicious DLL and trigger its execution on the server through an unprotected DLL-loading endpoint. The vulnerability stems from missing access controls on a method that loads and executes DLL files, enabling attackers with valid domain credentials to achieve arbitrary code execution without requiring elevated privileges.
JWT algorithm confusion in fast-jwt npm package allows remote attackers to forge authentication tokens with arbitrary claims by exploiting incomplete CVE-2023-48223 remediation. The vulnerability (CVSS 9.1 Critical) affects applications using RS256 with public keys containing leading whitespace-a common scenario in database-stored keys, YAML configurations, and environment variables. Attackers possessing the RSA public key (inherently public information) can craft HS256 tokens accepted as valid
Remote Code Execution in Group-Office enterprise CRM via insecure deserialization allows authenticated attackers to write arbitrary files and execute code on the server. Affects all versions prior to 6.8.156, 25.0.90, and 26.0.12 across multiple product branches. CVSS 9.9 (Critical) with network-based attack vector requiring only low-privileged authentication. No public exploit identified at time of analysis, though the technical details in the GitHub Security Advisory provide sufficient impleme
Unauthenticated remote code execution in OneUptime monitoring platform (versions < 10.0.42) allows attackers to trigger arbitrary workflow execution with controlled input data via exposed Worker service ManualAPI endpoints. The vulnerability enables JavaScript code execution, notification system abuse, and data manipulation without any authentication requirement. CVSS 9.2 (Critical) with network attack vector and low complexity; no public exploit identified at time of analysis, though the authentication bypass combined with RCE capability presents immediate risk to exposed instances.
Arbitrary code execution in AWS Kiro IDE versions prior to 0.8.140 occurs when a local user opens a maliciously crafted workspace containing an unsanitized color theme name, exploiting improper neutralization of input during webview generation. The attack requires user interaction (trusting the workspace when prompted) and can deliver full system compromise with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though SSVC framework rates technical impact as total with manual (non-automatable) exploitation potential.
Remote code execution in Hytale Modding Wiki version 1.2.0 and earlier allows authenticated users to upload malicious PHP files through a MIME type validation bypass. The quickUpload() endpoint performs independent validation of file content (via MIME type) and filename extension, enabling attackers to craft files with benign content signatures but executable .php extensions. Uploaded files are stored in a publicly accessible location, allowing direct URL access for server-side code execution. EPSS data unavailable; publicly available exploit code exists per SSVC assessment. No vendor-released patch identified at time of analysis.
A permissions issue was addressed with additional restrictions. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
Mbed TLS versions 2.19.0 through 3.6.5 and 4.0.0 allow remote code execution through memory corruption when attackers modify serialized SSL context or session structures. The vulnerability stems from insufficient validation of deserialized data, enabling arbitrary code execution on systems using affected versions. CISA KEV status and active exploitation data not confirmed in provided intelligence.
Remote code execution in Agno prior to version 2.3.24 allows attackers to execute arbitrary Python code by manipulating the field_type parameter in FunctionCall objects, which is passed unsafely to eval(). The vulnerability affects all versions before 2.3.24 and requires network access to influence the field_type value, enabling complete system compromise through code injection in the model execution component.
Remote code execution in Progress ShareFile Storage Zones Controller versions up to 5.12.3 allows high-privileged authenticated users to upload and execute malicious files on the server. The CVSS 9.1 score reflects scope change and total system compromise. Publicly available exploit code exists (confirmed by Italian CERT), though EPSS probability remains low at 0.19% and no active exploitation is confirmed by CISA KEV. Real-world risk depends heavily on authentication controls and privileged account management in ShareFile deployments.
Unauthenticated remote code execution affects Progress ShareFile Storage Zones Controller versions up to 5.12.3 via unauthorized access to restricted configuration pages. Attackers can modify system configuration remotely without authentication, leading to complete system compromise. Publicly available exploit code exists (watchTowr Labs GitHub). EPSS score of 0.41% suggests relatively low observed exploitation despite critical CVSS 9.8 rating and POC availability. Vendor patch released per ShareFile security advisory.
Local privilege escalation via command injection in TECNO Pova7 Pro 5G AssistFeedbackService allows unprivileged Android applications to execute arbitrary code with system privileges. The vulnerability affects all TECNO Pova7 Pro 5G firmware versions and requires local app installation but no user interaction or special permissions beyond app execution capability. No public exploit code or active exploitation has been confirmed at time of analysis.
Remote code execution in Spam Protect for Contact Form 7 WordPress plugin before version 1.2.10 allows authenticated users with editor-level privileges to achieve arbitrary code execution by crafting malicious headers that are logged to a PHP file. The vulnerability is publicly exploitable with proof-of-concept code available, making it a critical risk for WordPress installations using affected plugin versions.
Arbitrary file movement in MW WP Form plugin for WordPress (all versions ≤5.1.0) allows unauthenticated remote attackers to relocate server files and achieve remote code execution by moving critical files like wp-config.php. Exploitation requires a form with file upload capability and database inquiry storage enabled. CVSS 8.1 with network attack vector and high attack complexity. EPSS data not provided; no public exploit or CISA KEV status identified at time of analysis, though Wordfence threat intelligence has documented the vulnerability with source code references.
TOCTOU race condition in Balena Etcher for Windows (versions prior to 2.1.4) enables local privilege escalation to arbitrary code execution when attackers replace legitimate scripts with malicious payloads during disk flashing operations. The vulnerability requires low privileges and user interaction but achieves high impact across confidentiality, integrity, and availability with scope change. No public exploit identified at time of analysis, though technical details are available via researcher disclosure (B1tBreaker). EPSS data not available, but the local attack vector and high complexity reduce immediate remote exploitation risk.
Path traversal in Ferret's IO::FS::WRITE and IO::FS::READ functions enables remote code execution when web scraping operators process attacker-controlled filenames. The vulnerability affects github.com/MontFerret/ferret (all v2.x and earlier versions), allowing malicious websites to write arbitrary files outside intended directories by injecting '../' sequences into filenames returned via scraped content. Attackers can achieve RCE by writing to /etc/cron.d/, ~/.ssh/authorized_keys, shell profile
Stack-based buffer overflow in Fuji Electric/Hakko Electronics V-SFT versions through 6.2.10.0 enables arbitrary code execution when processing malicious V7 project files. Local attackers can exploit this via social engineering to deliver weaponized files requiring user interaction to open. CVSS 8.4 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, with EPSS data unavailable for this newly-assigned CVE. Japanese vulnerability coordination (JPCERT/JVN) indicates regional industrial control system exposure.
Stack-based buffer overflow in Fuji Electric/HAKKO Electronics V-SFT automation software (versions ≤6.2.10.0) allows arbitrary code execution when opening a maliciously crafted V7 project file. An attacker must convince a user to open a weaponized file, requiring no authentication but user interaction. EPSS data not available; no public exploit identified at time of analysis, though the specific function (CV7BaseMap::WriteV7DataToRom) and vulnerability class (stack overflow) provide sufficient technical detail for skilled attackers to develop exploits.
Stored XSS in DbGate npm package escalates to remote code execution in Electron desktop app via unsanitized SVG icon rendering. Attackers who inject malicious SVG payloads into application definition files can execute arbitrary JavaScript when victims view matching database entries. In the Electron desktop client, insecure configuration (nodeIntegration: true, contextIsolation: false) allows XSS payloads to invoke Node.js APIs, enabling local code execution including file system access. Web depl
Remote code execution in WatchGuard Fireware OS versions 12.6.1 through 12.11.8 and 2025.1 through 2026.1.2 allows privileged authenticated attackers to execute arbitrary code with elevated system privileges via path traversal in the Web UI. The vulnerability requires high-level administrative access (CVSS PR:H) but presents a direct RCE path once authenticated. WatchGuard self-reported this issue with an official advisory available. EPSS and KEV data not provided; no public exploit identified at time of analysis.
Heap buffer overflow in OpenEXR 3.4.0 through 3.4.6 allows remote code execution when processing maliciously crafted EXR image files with HTJ2K compression and specific channel width configurations. The vulnerability enables controlled heap overwrites of 2-4 bytes per iteration beyond allocated buffer boundaries, exploitable through user interaction with weaponized .exr files. Attack vector is local (AV:L) requiring user action (UI:A) but no privileges (PR:N), with CVSS 8.4 severity. Vendor-released patch available in version 3.4.7. No public exploit identified at time of analysis, though the precise technical details in the security advisory lower exploitation complexity for capable adversaries.
Remote code execution in llama.cpp RPC backend allows unauthenticated attackers with TCP access to achieve arbitrary memory read/write and full ASLR bypass. The vulnerability stems from missing bounds validation in deserialize_tensor() when processing GRAPH_COMPUTE messages with zero-valued buffer fields. Attackers can leverage pointer leaks from ALLOC_BUFFER/BUFFER_GET_BASE operations to reliably exploit this flaw. Fixed in version b8492 (commit 39bf0d3c). CVSS 9.8 (Critical) with network attack vector, low complexity, and no authentication required. No public exploit identified at time of analysis, though the detailed advisory provides sufficient technical context for weaponization.
Cisco IMC web-based management interface allows authenticated administrators to execute arbitrary code as root through improper input validation in HTTP requests. The vulnerability affects Cisco Unified Computing System (standalone) and requires admin-level credentials and network access; successful exploitation grants attacker root-level code execution on the underlying operating system. No public exploit code or active exploitation has been identified at time of analysis.
Remote code execution in Replicator npm package version 1.0.5 allows unauthenticated attackers to execute arbitrary code by supplying malicious serialized objects that the library deserializes without validation. Applications using Replicator to process untrusted input are vulnerable to immediate compromise; no public exploit code availability or active exploitation status is confirmed at time of analysis, but the unauthenticated attack vector and ease of object deserialization attacks suggest practical exploitability.
Local privilege escalation in libinput allows authenticated users to execute arbitrary code within graphical compositor contexts by placing malicious Lua bytecode in system or user configuration directories. The vulnerability achieves scope change (CVSS:S:C) with high impact across confidentiality, integrity, and availability (8.8 CVSS), enabling attackers to monitor keyboard input including passwords and sensitive data. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed vulnerability.
Tinybeans Private Family Album App v5.9.5-prod contains an arbitrary file overwrite vulnerability in its file import process that enables remote attackers to overwrite critical internal files, resulting in arbitrary code execution or information disclosure. No CVSS score, EPSS data, or KEV status is available for this vulnerability, and no public exploit code has been independently confirmed at the time of analysis.
Deep Thought Industries ACE Scanner PDF Scanner v1.4.5 contains an arbitrary file overwrite vulnerability in its file import process that permits attackers to overwrite critical internal files, resulting in remote code execution or information disclosure. The vulnerability affects a mobile application distributed via Google Play Store. No CVSS score, active exploitation status, or patch information is currently available from vendor sources.
Local file inclusion in VertiGIS FM's upload/download mechanism allows authenticated attackers to read arbitrary server files by manipulating file paths during upload, with potential for remote code execution if web.config is obtained and NTLM-relay attacks via UNC path resolution. VertiGIS FM version 10.5.00119 and earlier are affected, and the vulnerability requires valid application credentials to exploit.
MetInfo CMS 7.9, 8.0, and 8.1 allows unauthenticated remote code execution through PHP code injection in insufficient input validation mechanisms. Attackers can send crafted requests containing malicious PHP code to execute arbitrary commands and achieve full server compromise without authentication. Publicly available exploit code exists for this vulnerability.
Remote code execution in Google Chrome prior to version 146.0.7680.178 allows attackers to execute arbitrary code within the Chrome sandbox via a specially crafted PDF file. The vulnerability exists in Chrome's PDF handling component and is caused by a use-after-free memory corruption flaw. Patch availability has been confirmed via vendor release, and the Chromium security team has classified this as High severity.
Remote code execution in Google Chrome's CSS engine prior to version 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page. The vulnerability stems from a use-after-free memory error in CSS processing, classified as high severity by the Chromium security team. Vendor-released patch available in Chrome 146.0.7680.178 and later.
Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in the Dawn graphics library allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects all Chrome versions below the patched release and carries high severity per Chromium's assessment.