Skip to main content

RCE

31891 CVEs technique

Monthly

CVE-2026-30957 npm CRITICAL POC PATCH Act Now

OneUptime prior to 10.0.21 has a fourth vulnerability in Synthetic monitoring exposing dangerous functionality.

RCE Oneuptime
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-2273 HIGH CISA Act Now

CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exist that could cause execution of untrusted commands on the engineering workstation which could result in a limited compromise of the workstation and a potential loss of Confidentiality, Integrity and Availability of the subsequent system when an authenticated user opens a malicious project file.

Code Injection RCE Ecostruxure Automation Expert
NVD VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-26738 HIGH This Week

Arbitrary code execution in Uderzo Software SpaceSniffer v.2.0.5.18 results from a buffer overflow vulnerability triggered by processing malicious .sns snapshot files. An attacker with local access can craft a specially formatted file to achieve code execution with high privileges. No patch is currently available for this vulnerability.

Buffer Overflow RCE Stack Overflow Spacesniffer
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-25570 HIGH CISA Act Now

Insufficient input validation in SICAM SIAPP SDK versions prior to V2.1.7 enables stack overflow attacks, permitting local attackers to execute arbitrary code or trigger denial of service. The vulnerability affects all versions below the patched release, with no currently available remediation for deployed systems. Attackers with local access can leverage malformed input to corrupt the stack and gain code execution privileges.

Stack Overflow Denial Of Service RCE Buffer Overflow Sicam Siapp Sdk
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-25569 HIGH CISA Act Now

Out-of-bounds write vulnerability in SICAM SIAPP SDK versions prior to V2.1.7 allows local attackers to corrupt memory and achieve arbitrary code execution or denial of service. The vulnerability requires local access and specific conditions to trigger, but no patch is currently available. Affected organizations using vulnerable SDK versions should immediately implement compensating controls or upgrade to V2.1.7 or later.

Denial Of Service RCE Buffer Overflow Memory Corruption Sicam Siapp Sdk
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-1286 HIGH CISA Act Now

CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when an admin authenticated user opens a malicious project file.

RCE Deserialization Ecostruxure Foxboro Dcs Control Software
NVD VulDB
CVSS 4.0
7.0
EPSS
0.2%
CVE-2025-56422 CRITICAL Act Now

LimeSurvey before v6.15.0 has an insecure deserialization enabling remote code execution through crafted survey data.

Deserialization RCE Limesurvey
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-13957 CISA This Week

CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL database credentials are known. SOCKS Proxy is disabled by default.

PostgreSQL RCE Information Disclosure
NVD
EPSS
0.3%
CVE-2025-11739 HIGH CISA Act Now

CWE‑502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locally authenticated attacker sends a crafted data stream, triggering unsafe deserialization.

Deserialization RCE Ecostruxure Power Monitoring Expert Ecostruxure Power Operation
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-30921 npm CRITICAL POC PATCH Act Now

OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.

RCE AI / ML Oneuptime
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-30869 Go CRITICAL PATCH Act Now

SiYuan prior to 3.5.10 has a path traversal vulnerability enabling arbitrary file access through crafted API requests.

RCE Path Traversal Siyuan Suse
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-3288 HIGH POC This Week

Arbitrary code execution in ingress-nginx controllers via malicious rewrite-target annotations allows authenticated attackers to execute commands and exfiltrate cluster secrets. Kubernetes administrators using ingress-nginx are at risk, particularly in default configurations where the controller has cluster-wide secret access. No patch is currently available.

Nginx Kubernetes RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-70038 HIGH This Week

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in linagora Twake v2023.Q1.1223. This allows attackers to execute arbitrary code. [CVSS 8.8 HIGH]

RCE XSS Twake
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-70037 MEDIUM This Month

An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered in linagora Twake v2023.Q1.1223. This allows attackers to obtain sensitive information and execute arbitrary code. [CVSS 6.1 MEDIUM]

RCE Open Redirect Twake
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-15568 HIGH This Week

Command injection in TP-Link Archer AXE75 router's web module allows authenticated adjacent-network attackers to execute arbitrary code with root privileges when configured in Access Point mode (sysmode=ap). Affects hardware versions v1.6 and v1.0 running firmware through 1.3.2 Build 20250107. EPSS score of 0.13% (32nd percentile) suggests limited observed exploitation attempts, and no public exploit code or CISA KEV listing identified at time of analysis. Attack requires high-privilege authentication and adjacent network position, limiting opportunistic exploitation but creating significant risk in environments with compromised or malicious insiders.

RCE Command Injection Archer Axe75 Firmware
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-25866 HIGH This Week

Local privilege escalation in MobaXterm before 26.1 allows authenticated users with file system write access to execute arbitrary code by DLL hijacking the Notepad++ launch process. When opening remote files, MobaXterm calls WinExec without a fully qualified path, enabling attackers to place malicious executables in the search path to achieve code execution in the victim user's context. EPSS score of 0.01% (2nd percentile) indicates low probability of imminent widespread exploitation, consistent with the local attack vector requiring pre-existing system access. No active exploitation confirmed in CISA KEV; public exploit code status unknown.

RCE Mobaxterm
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-69648 MEDIUM PATCH This Month

GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. [CVSS 6.2 MEDIUM]

RCE Denial Of Service Buffer Overflow Binutils Red Hat +1
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-69219 PyPI HIGH PATCH This Week

Airflow Providers Http is affected by improper control of dynamically-managed code resources (CVSS 8.8).

RCE Airflow Providers Http
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3823 CRITICAL Act Now

Remote code execution in Atop Technologies EHG2408-series industrial Ethernet switches (including the EHG2408 and EHG2408-2SFP firmware) allows unauthenticated attackers to hijack the device's execution flow via a stack-based buffer overflow and run arbitrary code. The flaw was reported through Taiwan's CERT (TWCERT) and carries a CVSS 4.0 base score of 9.3, reflecting fully unauthenticated network exploitation with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the EPSS score is low (0.14%, 34th percentile), suggesting exploitation has not yet been observed at scale.

Buffer Overflow Stack Overflow Atop Ehg2408 2sfp Firmware Atop Ehg2408 Firmware RCE
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-30896 HIGH This Week

Arbitrary code execution with administrative privileges in Qsee Client 1.0.1 and earlier through insecure DLL loading in the installer. An attacker can exploit this by placing a malicious DLL in the same directory as the installer and tricking a user into executing it. No patch is currently available.

Privilege Escalation RCE Qsee Client
NVD VulDB
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-30861 Go CRITICAL POC PATCH Act Now

OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available.

RCE Command Injection AI / ML Weknora Suse
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-30860 Go CRITICAL POC PATCH Act Now

SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.

PostgreSQL RCE SQLi AI / ML Weknora +1
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-29186 npm CRITICAL PATCH Act Now

Arbitrary code execution in Backstage's @backstage/plugin-techdocs-node (versions <= 1.14.2) allows attackers who can influence an mkdocs.yml file to run arbitrary Python during the documentation build, bypassing TechDocs' allowlist-based configuration filtering. The flaw stems from MkDocs configuration keys (notably the hooks feature) that the security allowlist failed to block, meaning any contributor able to merge or supply a crafted mkdocs.yml gains code execution on the build host. No public exploit identified at time of analysis, and EPSS is low (0.07%), but the CVSS 9.8 rating and trivial exploitation primitive make this a high-priority patch for self-hosted developer portals.

Python Backstage Plugin Techdocs Node RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-14675 PHP HIGH PATCH This Week

The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. [CVSS 7.2 HIGH]

WordPress PHP RCE Path Traversal
NVD GitHub
CVSS 3.1
7.2
EPSS
0.7%
CVE-2026-30821 npm CRITICAL POC PATCH Act Now

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthenticated attackers to upload and execute malicious files. PoC available.

RCE AI / ML Flowise
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-3352 HIGH This Week

Arbitrary PHP code execution in the Easy PHP Settings WordPress plugin through versions 1.0.4 allows authenticated administrators to inject malicious code via inadequately sanitized memory limit configuration parameters that bypass quote filtering in wp-config.php. An attacker with administrator privileges can exploit insufficient input validation in the `update_wp_memory_constants()` method to break out of PHP string context and execute arbitrary commands that execute on every page request. No patch is currently available for this high-severity vulnerability.

WordPress PHP Code Injection RCE
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-25070 CRITICAL Act Now

OS command injection in XikeStor SKS8310-8X network switch firmware 1.04.B07 and prior via management interface. Unauthenticated RCE on network infrastructure.

RCE Command Injection Zikestor Sks8310 8x Firmware
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2026-29091 npm HIGH PATCH This Week

Remote code execution in Locutus prior to version 3.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript code through improper validation in the call_user_func_array function, which unsafely passes user-controlled callback parameters to eval(). Applications using the vulnerable versions of this JavaScript standard library implementation are at risk of complete compromise through network-based attacks. No patch is currently available for affected deployments.

RCE Code Injection Locutus
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-29089 HIGH This Week

Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.

PostgreSQL RCE Timescaledb Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-29783 npm HIGH PATCH This Week

Arbitrary code execution in GitHub Copilot CLI versions <=0.0.422 allows attackers to bypass the agent's shell command safety classifier using bash parameter expansion operators (${var@P}, ${var=value}, ${!var}, and nested $(cmd)/<(cmd)). Attackers influencing agent inputs via prompt injection through repository files, MCP server responses, or user instructions can execute hidden commands disguised as read-only operations on the user's workstation. A detailed proof-of-concept is published in the GHSA advisory; EPSS is low (0.10%, 28th percentile) and the issue is not in CISA KEV, so no public exploit identified at time of analysis beyond the vendor-published PoC.

RCE Command Injection Copilot Command Line Interface
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.1%
CVE-2018-25176 HIGH POC This Week

Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. [CVSS 8.2 HIGH]

RCE SQLi CSRF
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25162 HIGH POC This Week

2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. [CVSS 6.5 MEDIUM]

PHP RCE File Upload
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-2830 MEDIUM This Month

Reflected cross-site scripting in WP All Import plugin versions up to 4.0.0 allows unauthenticated attackers to inject malicious scripts through the 'filepath' parameter due to improper input validation and output encoding. Successful exploitation requires tricking users into clicking a specially crafted link, after which arbitrary JavaScript executes in their browser session. A patch is not currently available.

WordPress XSS Code Injection Google RCE
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-29039 PyPI HIGH POC PATCH This Week

Arbitrary file read in changedetection.io prior to 0.54.4 allows unauthenticated remote attackers to access sensitive files by injecting malicious XPath expressions into content filters, exploiting the unparsed-text() function in the elementpath library. The application fails to validate or sanitize XPath input, enabling attackers to read any file accessible to the application process. Public exploit code exists for this vulnerability.

RCE Code Injection Information Disclosure Changedetection
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28801 MEDIUM This Month

Natro Macro versions prior to 1.1.0 execute arbitrary AutoHotkey code embedded in shared pattern and path files, allowing attackers to achieve code execution with the privileges of the logged-in user. Since these configuration files are commonly distributed among users, malicious actors can inject code that executes silently in the background alongside legitimate macro functionality. The vulnerability affects users who load untrusted pattern or path files from external sources.

RCE Code Injection Natro Macro
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-28794 npm CRITICAL POC PATCH Act Now

Prototype pollution in oRPC before 1.13.6. PoC and patch available.

Node.js RCE Denial Of Service Authentication Bypass Deserialization +1
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2026-28785 CRITICAL PATCH Act Now

SQL injection in Ghostfolio before 2.244.0 via symbol validation bypass. Patch available.

RCE SQLi Ghostfolio
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-28507 PHP HIGH PATCH This Week

Unauthenticated attackers can achieve remote code execution in Idno social publishing platform versions before 1.6.4 by exploiting a chain of import file write and template path traversal vulnerabilities. An attacker with high privileges can leverage command injection to execute arbitrary code on affected systems. A patch is available in version 1.6.4 and should be applied immediately as this vulnerability carries a 7.2 CVSS score.

RCE Path Traversal Command Injection Known
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-25888 HIGH POC This Week

Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code through a vulnerable API endpoint. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers with valid credentials can achieve full system compromise including data exfiltration and integrity violations.

RCE Chartbrew
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-25887 HIGH POC This Week

Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execute arbitrary code through malicious MongoDB dataset queries. The vulnerability affects users connecting Chartbrew to MongoDB databases for chart creation and has active public exploit code available. No patch is currently available for affected versions.

MongoDB RCE Chartbrew
NVD GitHub
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-29041 HIGH This Week

Authenticated arbitrary code execution in Chamilo LMS versions prior to 1.11.34 allows low-privileged users to bypass file upload restrictions through MIME-type spoofing and execute malicious commands on the server. The vulnerability stems from insufficient validation of file extensions and improper storage restrictions, enabling attackers to upload and execute arbitrary files. No patch is currently available for affected deployments.

RCE Chamilo Lms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-28502 PHP HIGH This Week

Unauthenticated administrators in WWBN AVideo versions before 24.0 can achieve remote code execution by uploading malicious ZIP files through the plugin upload functionality, which extracts files without proper validation into web-accessible directories. This allows attackers to execute arbitrary PHP code on the server with high impact to confidentiality, integrity, and availability. No patch is currently available for affected PHP installations using vulnerable AVideo versions.

PHP RCE File Upload Avideo
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-21536 CRITICAL PATCH Act Now

RCE in Microsoft Devices Pricing Program.

Microsoft RCE File Upload Devices Pricing Program
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-28485 HIGH PATCH This Week

Openclaw versions up to 2026.2.12 is affected by missing authentication for critical function (CVSS 8.4).

Authentication Bypass RCE Openclaw
NVD GitHub
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-28466 npm CRITICAL PATCH Act Now

Gateway authorization bypass in OpenClaw before 2026.2.14. Unsanitized approval fields in node.invoke. Patch available.

Authentication Bypass RCE Openclaw
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-0848 PyPI CRITICAL PATCH Act Now

Remote code execution in NLTK (Natural Language Toolkit) versions ≤3.9.2 allows unauthenticated attackers to execute arbitrary Java bytecode through the StanfordSegmenter module's unvalidated loading of external JAR files. The vulnerability is exploitable via model poisoning, MITM attacks during JAR downloads, or dependency poisoning, with execution occurring automatically at import time. Despite a critical CVSS 10.0 score, EPSS probability of 0.48% (65th percentile) suggests low observed exploitation activity. No CISA KEV listing indicates no confirmed widespread active exploitation, though the vulnerability is publicly documented on huntr.com with technical details available.

Java RCE
NVD
CVSS 3.0
10.0
EPSS
0.5%
CVE-2025-70995 HIGH This Week

An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. [CVSS 8.8 HIGH]

RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-28343 npm MEDIUM PATCH This Month

CKEditor 5 versions before 47.6.0 contain a stored XSS vulnerability in the General HTML Support feature that allows attackers to execute arbitrary JavaScript by injecting malicious markup into documents processed by vulnerable editor instances. This vulnerability affects users relying on unsafe General HTML Support configurations, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for affected deployments.

XSS RCE Ckeditor5
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3459 HIGH This Week

Unauthenticated attackers can upload arbitrary files to WordPress sites running the Drag and Drop Multiple File Upload - Contact Form 7 plugin through versions 1.3.7.3 due to insufficient file type validation when wildcard characters are configured in upload fields. Successful exploitation could enable remote code execution on the affected server. No patch is currently available.

WordPress RCE File Upload
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27749 HIGH This Week

Arbitrary code execution as SYSTEM in Avira Internet Security's System Speedup component occurs when the privileged RealTimeOptimizer.exe process deserializes untrusted .NET binary data from a world-writable ProgramData location without validation. A local attacker can craft a malicious serialized payload to achieve immediate privilege escalation and full system compromise. No patch is currently available for this high-severity vulnerability.

Deserialization RCE Internet Security
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21628 CRITICAL Act Now

Unauthenticated RCE via file upload in industrial/enterprise application.

RCE File Upload Astroid Framework
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-2743 CRITICAL Act Now

Remote code execution in SeppMail secure email gateway versions 15.0.2.1 and earlier allows unauthenticated attackers to write arbitrary files via path traversal in the Large File Transfer (LFT) feature of the User Web Interface, leading to full system compromise. The flaw carries a maximum CVSS 4.0 score of 10.0 reflecting network-reachable, no-privilege exploitation with scope-changing impact, and was disclosed by InfoGuard Labs alongside CVE-2026-7864, CVE-2026-44127, and CVE-2026-44128. No public exploit identified at time of analysis and EPSS sits at 0.52% (67th percentile), so widespread automated abuse has not yet materialized despite the critical severity.

RCE Path Traversal Seppmail
NVD VulDB
CVSS 4.0
10.0
EPSS
0.5%
CVE-2026-28134 HIGH This Week

Remote code execution in Crocoblock JetEngine versions 3.7.2 and earlier allows authenticated attackers to execute arbitrary code through improper handling of code generation. An attacker with valid credentials can leverage this code injection vulnerability to achieve remote code inclusion and gain full control over affected WordPress installations. No patch is currently available, leaving all users of vulnerable JetEngine versions at risk.

Code Injection RCE
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2026-27984 CRITICAL Act Now

Code injection in Widget Options WordPress plugin.

Code Injection RCE
NVD
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-22390 CRITICAL Act Now

Builderall Builderall Builder for WordPress builderall-cheetah-for-wp is affected by code injection (CVSS 9.9).

WordPress Code Injection RCE
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-26034 HIGH This Week

Ups Multi-Ups Management Console versions up to 01.06.0001_\(a03\) is affected by incorrect default permissions (CVSS 7.8).

Privilege Escalation RCE Ups Multi Ups Management Console
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-26033 MEDIUM This Month

Ups Multi-Ups Management Console versions up to 01.06.0001_\(a03\) contains a security vulnerability (CVSS 6.7).

RCE Ups Multi Ups Management Console
NVD
CVSS 3.0
6.7
EPSS
0.0%
CVE-2026-0847 PyPI HIGH PATCH GHSA This Week

Path traversal in NLTK (Natural Language Toolkit) versions ≤3.9.2 allows remote unauthenticated attackers to read arbitrary files from the server hosting NLP applications. Multiple CorpusReader classes (WordListCorpusReader, TaggedCorpusReader, BracketParseCorpusReader) fail to sanitize file paths, enabling directory traversal to access sensitive files including SSH keys, API tokens, and system configurations. This poses critical risk in machine learning APIs, chatbots, and NLP pipelines that process user-controlled file inputs. EPSS score of 0.25% (48th percentile) suggests low widespread exploitation probability despite public disclosure via huntr.com bounty, though the unauthenticated network vector (AV:N/PR:N) and zero attack complexity make this readily exploitable once targets are identified.

RCE Path Traversal Authentication Bypass Nltk
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-20131 CRITICAL POC KEV THREAT Emergency

Cisco Secure Firewall Management Center (FMC) contains a critical unauthenticated Java deserialization vulnerability (CVE-2026-20131, CVSS 10.0) in its web interface that enables remote code execution as root. KEV-listed with public PoC, this vulnerability allows complete compromise of the central management platform that controls all Cisco firewalls in the organization, enabling attackers to modify security policies, disable protections, and access all network traffic.

Cisco Java Deserialization RCE
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
0.6%
Threat
6.0
CVE-2026-20008 MEDIUM This Month

Insufficient input sanitization in select CLI commands on Cisco Secure Firewall ASA and FTD Software allows authenticated local administrators to execute arbitrary code as root by injecting malicious Lua code. An attacker with valid administrator credentials can craft specially formatted parameters to achieve code execution with elevated privileges. No patch is currently available.

Cisco RCE Command Injection
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-28784 PHP HIGH PATCH This Week

Remote code execution in Craft CMS versions before 5.8.22 and 4.16.18 can be achieved by authenticated administrators or users with System Messages access by injecting malicious Twig payloads through the map filter in configurable text fields. An attacker with admin-level privileges and allowAdminChanges enabled, or non-admin access to System Messages utilities, can execute arbitrary code on the affected server. A patch is available and users should update immediately to mitigate this risk.

RCE Craft Cms
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-28697 PHP CRITICAL POC PATCH Act Now

RCE in Craft CMS before 4.17.0-beta.1/5.9.0-beta.1 via template injection for authenticated admins. PoC and patch available.

PHP RCE Craft Cms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-28695 PHP HIGH POC PATCH This Week

Remote code execution in Craft CMS 5.8.21 allows authenticated administrators to execute arbitrary PHP code through Server-Side Template Injection in the create() Twig function combined with Symfony Process gadget chains. Public exploit code exists for this vulnerability, which bypasses the previous patch for CVE-2025-57811. Updates are available in Craft CMS 5.9.0-beta.1 and 4.17.0-beta.1.

PHP RCE Craft Cms
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-23808 MEDIUM This Month

Malicious actors can install unauthorized Group Temporal Keys on ArubaOS wireless clients through a standardized roaming protocol vulnerability, enabling frame injection and network segmentation bypass. An attacker positioned on the local network could leverage this to intercept traffic, bypass client isolation, and compromise network integrity and confidentiality. No patch is currently available.

RCE Code Injection Arubaos
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69969 CRITICAL POC Act Now

Missing BLE authentication in Pebble Prism Ultra smartwatch. PoC available.

RCE Information Disclosure Pebble Prism Ultra Firmware
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-66678 CRITICAL POC Act Now

Code execution via HwRwDrv.sys in Nil Hardware Editor. PoC available.

RCE SQLi Hardware Read Write Utility
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-28778 CRITICAL Act Now

Hardcoded/insecure credentials in IDC SFX Series SuperFlex Satellite Receiver. Multiple accounts with known credentials enable complete device takeover.

Authentication Bypass RCE Sfx2100 Firmware
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-28775 CRITICAL POC Act Now

Hardcoded/insecure credentials in IDC SFX Series SuperFlex Satellite Receiver. Multiple accounts with known credentials enable complete device takeover.

SNMP RCE Sfx2100 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-3452 PHP HIGH PATCH This Week

Remote code execution in Concrete CMS prior to version 9.4.8 stems from unsafe deserialization of PHP objects in the Express Entry List block configuration. An authenticated administrator can inject malicious serialized data through the columns parameter that executes arbitrary code when unserialized without validation. This allows attackers with admin privileges to achieve complete system compromise through stored object injection attacks.

PHP RCE Deserialization Concrete Cms
NVD GitHub
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-28289 CRITICAL POC PATCH Act Now

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

PHP Laravel RCE Race Condition Freescout
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-27971 npm CRITICAL POC PATCH THREAT Act Now

RCE in Qwik JavaScript framework <= 1.19.0 via unsafe deserialization in server$ Runtime. EPSS 13.4% with PoC available.

RCE Deserialization Qwik
NVD GitHub
CVSS 3.1
9.8
EPSS
13.4%
CVE-2026-26279 PHP CRITICAL POC PATCH Act Now

Command injection in Froxlor server admin before 2.3.4 due to typo (== instead of =) disabling input validation entirely. PoC and patch available.

RCE Froxlor
NVD GitHub
CVSS 3.1
9.1
EPSS
0.6%
CVE-2026-24848 CRITICAL POC Act Now

Path traversal in OpenEMR 7.0.4 disposeDocument() allows file access. PoC available.

PHP RCE Openemr
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2025-66945 CRITICAL POC Act Now

Zip slip to arbitrary file write in Zdir Pro 4.x ZIP extraction API. PoC available.

RCE Path Traversal Zdir
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2024-55026 CRITICAL Act Now

Command execution via reset_pj.cgi in Weintek cMT-3072XH2.

RCE Easyweb Cmt 3072xh2 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69765 HIGH POC This Week

Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formGetIptv function and the list parameter, which can cause memory corruption and enable remote code execution. [CVSS 7.5 HIGH]

RCE Stack Overflow Memory Corruption Ax3 Firmware Tenda
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-67840 HIGH POC This Week

Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints (including Scheduler and Actions pages). [CVSS 7.2 HIGH]

RCE Command Injection Tranzman
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-63910 HIGH POC This Week

Tranzman versions up to 4.0 is affected by insufficient verification of data authenticity (CVSS 7.2).

File Upload Authentication Bypass RCE Tranzman
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2023-31044 LOW Monitor

An issue was discovered in Nokia Impact before Mobile 23_FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. [CVSS 2.0 LOW]

RCE Code Injection Impact Mobile
NVD
CVSS 3.1
2.0
EPSS
0.0%
CVE-2026-3342 HIGH This Week

WatchGuard Fireware OS contains an out-of-bounds write vulnerability in its management interface that permits authenticated administrators to achieve root-level code execution. The flaw affects versions 11.9 through 11.12.4_Update1, 12.0 through 12.11.7, and 2025.1 through 2026.1.1, with no patch currently available. While exploitation requires high-level administrative privileges, successful attacks grant complete system compromise.

Buffer Overflow RCE Fireware
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-59059 Maven CRITICAL PATCH Act Now

RCE in Apache Ranger <= 2.7.0 via NashornScriptEngineCreator. EPSS 0.42%.

Apache RCE Ranger
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-2448 HIGH This Week

Page Builder by SiteOrigin (WordPress plugin) versions up to 2.33.5 is affected by path traversal (CVSS 8.8).

WordPress PHP Path Traversal RCE Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-2269 HIGH This Week

Server-Side Request Forgery in the Uncanny Automator WordPress plugin up to version 7.0.0.3 allows authenticated administrators to make arbitrary web requests from the affected server and store remote file contents locally, potentially enabling remote code execution. The vulnerability requires administrator-level privileges and has no available patch. Attackers can exploit this to interact with internal services and upload arbitrary files to the web server.

WordPress RCE SSRF File Upload
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-21853 HIGH This Week

Remote code execution in AFFiNE workspace application (versions prior to 0.25.4) allows unauthenticated attackers to execute arbitrary code via malicious affine: URL handlers. Exploitation requires one user click on a crafted link or visiting a malicious website that auto-redirects to the malicious URL. The browser's custom protocol handler automatically launches AFFiNE and processes the payload without further user interaction, achieving RCE. EPSS score of 0.17% (38th percentile) suggests low observed exploitation activity. GitHub security advisory GHSA-67vm-2mcj-8965 confirms the vulnerability with upstream fix available in commit c9a4129a via PR #13864.

RCE Code Injection Affine
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-0006 CRITICAL Act Now

Android has a heap buffer overflow in multiple locations enabling privilege escalation through out-of-bounds read and write operations.

RCE Buffer Overflow Android Google
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-3132 HIGH This Week

Master Addons for Elementor Premium (WordPress plugin) versions up to 2.1.3 is affected by code injection (CVSS 8.8).

WordPress RCE Code Injection
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-26720 CRITICAL POC Act Now

Twenty CRM v1.15.0 has a code injection vulnerability enabling remote attackers to execute arbitrary code through the CRM platform.

RCE Code Injection Twenty
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-66880 MEDIUM This Month

Cross Site Scripting vulnerability in Wethink Technology Inc 720yun pano-sdk 0.5.877 allows a remote attacker to execute arbitrary code via the LoginComp (Module 2093) and SignupComp (Module 2094) modules. [CVSS 6.1 MEDIUM]

XSS RCE
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-50187 CRITICAL POC Act Now

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

RCE Chamilo Lms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-47886 HIGH POC This Week

Chamilo is a learning management system. Chamillo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. [CVSS 7.2 HIGH]

RCE Deserialization Chamilo Lms
NVD GitHub
CVSS 3.1
7.2
EPSS
0.9%
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

OneUptime prior to 10.0.21 has a fourth vulnerability in Synthetic monitoring exposing dangerous functionality.

RCE Oneuptime
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH Act Now

CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exist that could cause execution of untrusted commands on the engineering workstation which could result in a limited compromise of the workstation and a potential loss of Confidentiality, Integrity and Availability of the subsequent system when an authenticated user opens a malicious project file.

Code Injection RCE Ecostruxure Automation Expert
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in Uderzo Software SpaceSniffer v.2.0.5.18 results from a buffer overflow vulnerability triggered by processing malicious .sns snapshot files. An attacker with local access can craft a specially formatted file to achieve code execution with high privileges. No patch is currently available for this vulnerability.

Buffer Overflow RCE Stack Overflow +1
NVD VulDB
EPSS 0% CVSS 7.4
HIGH Act Now

Insufficient input validation in SICAM SIAPP SDK versions prior to V2.1.7 enables stack overflow attacks, permitting local attackers to execute arbitrary code or trigger denial of service. The vulnerability affects all versions below the patched release, with no currently available remediation for deployed systems. Attackers with local access can leverage malformed input to corrupt the stack and gain code execution privileges.

Stack Overflow Denial Of Service RCE +2
NVD VulDB
EPSS 0% CVSS 7.4
HIGH Act Now

Out-of-bounds write vulnerability in SICAM SIAPP SDK versions prior to V2.1.7 allows local attackers to corrupt memory and achieve arbitrary code execution or denial of service. The vulnerability requires local access and specific conditions to trigger, but no patch is currently available. Affected organizations using vulnerable SDK versions should immediately implement compensating controls or upgrade to V2.1.7 or later.

Denial Of Service RCE Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.0
HIGH Act Now

CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when an admin authenticated user opens a malicious project file.

RCE Deserialization Ecostruxure Foxboro Dcs Control Software
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

LimeSurvey before v6.15.0 has an insecure deserialization enabling remote code execution through crafted survey data.

Deserialization RCE Limesurvey
NVD GitHub VulDB
EPSS 0%
This Week

CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL database credentials are known. SOCKS Proxy is disabled by default.

PostgreSQL RCE Information Disclosure
NVD
EPSS 0% CVSS 8.5
HIGH Act Now

CWE‑502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locally authenticated attacker sends a crafted data stream, triggering unsafe deserialization.

Deserialization RCE Ecostruxure Power Monitoring Expert +1
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.

RCE AI / ML Oneuptime
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

SiYuan prior to 3.5.10 has a path traversal vulnerability enabling arbitrary file access through crafted API requests.

RCE Path Traversal Siyuan +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Arbitrary code execution in ingress-nginx controllers via malicious rewrite-target annotations allows authenticated attackers to execute commands and exfiltrate cluster secrets. Kubernetes administrators using ingress-nginx are at risk, particularly in default configurations where the controller has cluster-wide secret access. No patch is currently available.

Nginx Kubernetes RCE
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in linagora Twake v2023.Q1.1223. This allows attackers to execute arbitrary code. [CVSS 8.8 HIGH]

RCE XSS Twake
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered in linagora Twake v2023.Q1.1223. This allows attackers to obtain sensitive information and execute arbitrary code. [CVSS 6.1 MEDIUM]

RCE Open Redirect Twake
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

Command injection in TP-Link Archer AXE75 router's web module allows authenticated adjacent-network attackers to execute arbitrary code with root privileges when configured in Access Point mode (sysmode=ap). Affects hardware versions v1.6 and v1.0 running firmware through 1.3.2 Build 20250107. EPSS score of 0.13% (32nd percentile) suggests limited observed exploitation attempts, and no public exploit code or CISA KEV listing identified at time of analysis. Attack requires high-privilege authentication and adjacent network position, limiting opportunistic exploitation but creating significant risk in environments with compromised or malicious insiders.

RCE Command Injection Archer Axe75 Firmware
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation in MobaXterm before 26.1 allows authenticated users with file system write access to execute arbitrary code by DLL hijacking the Notepad++ launch process. When opening remote files, MobaXterm calls WinExec without a fully qualified path, enabling attackers to place malicious executables in the search path to achieve code execution in the victim user's context. EPSS score of 0.01% (2nd percentile) indicates low probability of imminent widespread exploitation, consistent with the local attack vector requiring pre-existing system access. No active exploitation confirmed in CISA KEV; public exploit code status unknown.

RCE Mobaxterm
NVD
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. [CVSS 6.2 MEDIUM]

RCE Denial Of Service Buffer Overflow +3
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Airflow Providers Http is affected by improper control of dynamically-managed code resources (CVSS 8.8).

RCE Airflow Providers Http
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote code execution in Atop Technologies EHG2408-series industrial Ethernet switches (including the EHG2408 and EHG2408-2SFP firmware) allows unauthenticated attackers to hijack the device's execution flow via a stack-based buffer overflow and run arbitrary code. The flaw was reported through Taiwan's CERT (TWCERT) and carries a CVSS 4.0 base score of 9.3, reflecting fully unauthenticated network exploitation with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the EPSS score is low (0.14%, 34th percentile), suggesting exploitation has not yet been observed at scale.

Buffer Overflow Stack Overflow Atop Ehg2408 2sfp Firmware +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution with administrative privileges in Qsee Client 1.0.1 and earlier through insecure DLL loading in the installer. An attacker can exploit this by placing a malicious DLL in the same directory as the installer and tricking a user into executing it. No patch is currently available.

Privilege Escalation RCE Qsee Client
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available.

RCE Command Injection AI / ML +2
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.

PostgreSQL RCE SQLi +3
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Arbitrary code execution in Backstage's @backstage/plugin-techdocs-node (versions <= 1.14.2) allows attackers who can influence an mkdocs.yml file to run arbitrary Python during the documentation build, bypassing TechDocs' allowlist-based configuration filtering. The flaw stems from MkDocs configuration keys (notably the hooks feature) that the security allowlist failed to block, meaning any contributor able to merge or supply a crafted mkdocs.yml gains code execution on the build host. No public exploit identified at time of analysis, and EPSS is low (0.07%), but the CVSS 9.8 rating and trivial exploitation primitive make this a high-priority patch for self-hosted developer portals.

Python Backstage Plugin Techdocs Node RCE
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. [CVSS 7.2 HIGH]

WordPress PHP RCE +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthenticated attackers to upload and execute malicious files. PoC available.

RCE AI / ML Flowise
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary PHP code execution in the Easy PHP Settings WordPress plugin through versions 1.0.4 allows authenticated administrators to inject malicious code via inadequately sanitized memory limit configuration parameters that bypass quote filtering in wp-config.php. An attacker with administrator privileges can exploit insufficient input validation in the `update_wp_memory_constants()` method to break out of PHP string context and execute arbitrary commands that execute on every page request. No patch is currently available for this high-severity vulnerability.

WordPress PHP Code Injection +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

OS command injection in XikeStor SKS8310-8X network switch firmware 1.04.B07 and prior via management interface. Unauthenticated RCE on network infrastructure.

RCE Command Injection Zikestor Sks8310 8x Firmware
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Locutus prior to version 3.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript code through improper validation in the call_user_func_array function, which unsafely passes user-controlled callback parameters to eval(). Applications using the vulnerable versions of this JavaScript standard library implementation are at risk of complete compromise through network-based attacks. No patch is currently available for affected deployments.

RCE Code Injection Locutus
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.

PostgreSQL RCE Timescaledb +2
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Arbitrary code execution in GitHub Copilot CLI versions <=0.0.422 allows attackers to bypass the agent's shell command safety classifier using bash parameter expansion operators (${var@P}, ${var=value}, ${!var}, and nested $(cmd)/<(cmd)). Attackers influencing agent inputs via prompt injection through repository files, MCP server responses, or user instructions can execute hidden commands disguised as read-only operations on the user's workstation. A detailed proof-of-concept is published in the GHSA advisory; EPSS is low (0.10%, 28th percentile) and the issue is not in CISA KEV, so no public exploit identified at time of analysis beyond the vendor-published PoC.

RCE Command Injection Copilot Command Line Interface
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. [CVSS 8.2 HIGH]

RCE SQLi CSRF
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. [CVSS 6.5 MEDIUM]

PHP RCE File Upload
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in WP All Import plugin versions up to 4.0.0 allows unauthenticated attackers to inject malicious scripts through the 'filepath' parameter due to improper input validation and output encoding. Successful exploitation requires tricking users into clicking a specially crafted link, after which arbitrary JavaScript executes in their browser session. A patch is not currently available.

WordPress XSS Code Injection +2
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Arbitrary file read in changedetection.io prior to 0.54.4 allows unauthenticated remote attackers to access sensitive files by injecting malicious XPath expressions into content filters, exploiting the unparsed-text() function in the elementpath library. The application fails to validate or sanitize XPath input, enabling attackers to read any file accessible to the application process. Public exploit code exists for this vulnerability.

RCE Code Injection Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM This Month

Natro Macro versions prior to 1.1.0 execute arbitrary AutoHotkey code embedded in shared pattern and path files, allowing attackers to achieve code execution with the privileges of the logged-in user. Since these configuration files are commonly distributed among users, malicious actors can inject code that executes silently in the background alongside legitimate macro functionality. The vulnerability affects users who load untrusted pattern or path files from external sources.

RCE Code Injection Natro Macro
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Prototype pollution in oRPC before 1.13.6. PoC and patch available.

Node.js RCE Denial Of Service +3
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in Ghostfolio before 2.244.0 via symbol validation bypass. Patch available.

RCE SQLi Ghostfolio
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Unauthenticated attackers can achieve remote code execution in Idno social publishing platform versions before 1.6.4 by exploiting a chain of import file write and template path traversal vulnerabilities. An attacker with high privileges can leverage command injection to execute arbitrary code on affected systems. A patch is available in version 1.6.4 and should be applied immediately as this vulnerability carries a 7.2 CVSS score.

RCE Path Traversal Command Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code through a vulnerable API endpoint. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers with valid credentials can achieve full system compromise including data exfiltration and integrity violations.

RCE Chartbrew
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC This Week

Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execute arbitrary code through malicious MongoDB dataset queries. The vulnerability affects users connecting Chartbrew to MongoDB databases for chart creation and has active public exploit code available. No patch is currently available for affected versions.

MongoDB RCE Chartbrew
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated arbitrary code execution in Chamilo LMS versions prior to 1.11.34 allows low-privileged users to bypass file upload restrictions through MIME-type spoofing and execute malicious commands on the server. The vulnerability stems from insufficient validation of file extensions and improper storage restrictions, enabling attackers to upload and execute arbitrary files. No patch is currently available for affected deployments.

RCE Chamilo Lms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Unauthenticated administrators in WWBN AVideo versions before 24.0 can achieve remote code execution by uploading malicious ZIP files through the plugin upload functionality, which extracts files without proper validation into web-accessible directories. This allows attackers to execute arbitrary PHP code on the server with high impact to confidentiality, integrity, and availability. No patch is currently available for affected PHP installations using vulnerable AVideo versions.

PHP RCE File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

RCE in Microsoft Devices Pricing Program.

Microsoft RCE File Upload +1
NVD
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Openclaw versions up to 2026.2.12 is affected by missing authentication for critical function (CVSS 8.4).

Authentication Bypass RCE Openclaw
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Gateway authorization bypass in OpenClaw before 2026.2.14. Unsanitized approval fields in node.invoke. Patch available.

Authentication Bypass RCE Openclaw
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution in NLTK (Natural Language Toolkit) versions ≤3.9.2 allows unauthenticated attackers to execute arbitrary Java bytecode through the StanfordSegmenter module's unvalidated loading of external JAR files. The vulnerability is exploitable via model poisoning, MITM attacks during JAR downloads, or dependency poisoning, with execution occurring automatically at import time. Despite a critical CVSS 10.0 score, EPSS probability of 0.48% (65th percentile) suggests low observed exploitation activity. No CISA KEV listing indicates no confirmed widespread active exploitation, though the vulnerability is publicly documented on huntr.com with technical details available.

Java RCE
NVD
EPSS 0% CVSS 8.8
HIGH This Week

An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. [CVSS 8.8 HIGH]

RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

CKEditor 5 versions before 47.6.0 contain a stored XSS vulnerability in the General HTML Support feature that allows attackers to execute arbitrary JavaScript by injecting malicious markup into documents processed by vulnerable editor instances. This vulnerability affects users relying on unsafe General HTML Support configurations, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for affected deployments.

XSS RCE Ckeditor5
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated attackers can upload arbitrary files to WordPress sites running the Drag and Drop Multiple File Upload - Contact Form 7 plugin through versions 1.3.7.3 due to insufficient file type validation when wildcard characters are configured in upload fields. Successful exploitation could enable remote code execution on the affected server. No patch is currently available.

WordPress RCE File Upload
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution as SYSTEM in Avira Internet Security's System Speedup component occurs when the privileged RealTimeOptimizer.exe process deserializes untrusted .NET binary data from a world-writable ProgramData location without validation. A local attacker can craft a malicious serialized payload to achieve immediate privilege escalation and full system compromise. No patch is currently available for this high-severity vulnerability.

Deserialization RCE Internet Security
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated RCE via file upload in industrial/enterprise application.

RCE File Upload Astroid Framework
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote code execution in SeppMail secure email gateway versions 15.0.2.1 and earlier allows unauthenticated attackers to write arbitrary files via path traversal in the Large File Transfer (LFT) feature of the User Web Interface, leading to full system compromise. The flaw carries a maximum CVSS 4.0 score of 10.0 reflecting network-reachable, no-privilege exploitation with scope-changing impact, and was disclosed by InfoGuard Labs alongside CVE-2026-7864, CVE-2026-44127, and CVE-2026-44128. No public exploit identified at time of analysis and EPSS sits at 0.52% (67th percentile), so widespread automated abuse has not yet materialized despite the critical severity.

RCE Path Traversal Seppmail
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Remote code execution in Crocoblock JetEngine versions 3.7.2 and earlier allows authenticated attackers to execute arbitrary code through improper handling of code generation. An attacker with valid credentials can leverage this code injection vulnerability to achieve remote code inclusion and gain full control over affected WordPress installations. No patch is currently available, leaving all users of vulnerable JetEngine versions at risk.

Code Injection RCE
NVD
EPSS 0% CVSS 9.0
CRITICAL Act Now

Code injection in Widget Options WordPress plugin.

Code Injection RCE
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Builderall Builderall Builder for WordPress builderall-cheetah-for-wp is affected by code injection (CVSS 9.9).

WordPress Code Injection RCE
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Ups Multi-Ups Management Console versions up to 01.06.0001_\(a03\) is affected by incorrect default permissions (CVSS 7.8).

Privilege Escalation RCE Ups Multi Ups Management Console
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Ups Multi-Ups Management Console versions up to 01.06.0001_\(a03\) contains a security vulnerability (CVSS 6.7).

RCE Ups Multi Ups Management Console
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Path traversal in NLTK (Natural Language Toolkit) versions ≤3.9.2 allows remote unauthenticated attackers to read arbitrary files from the server hosting NLP applications. Multiple CorpusReader classes (WordListCorpusReader, TaggedCorpusReader, BracketParseCorpusReader) fail to sanitize file paths, enabling directory traversal to access sensitive files including SSH keys, API tokens, and system configurations. This poses critical risk in machine learning APIs, chatbots, and NLP pipelines that process user-controlled file inputs. EPSS score of 0.25% (48th percentile) suggests low widespread exploitation probability despite public disclosure via huntr.com bounty, though the unauthenticated network vector (AV:N/PR:N) and zero attack complexity make this readily exploitable once targets are identified.

RCE Path Traversal Authentication Bypass +1
NVD VulDB
EPSS 1% 6.0 CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Cisco Secure Firewall Management Center (FMC) contains a critical unauthenticated Java deserialization vulnerability (CVE-2026-20131, CVSS 10.0) in its web interface that enables remote code execution as root. KEV-listed with public PoC, this vulnerability allows complete compromise of the central management platform that controls all Cisco firewalls in the organization, enabling attackers to modify security policies, disable protections, and access all network traffic.

Cisco Java Deserialization +1
NVD VulDB GitHub
EPSS 0% CVSS 6.0
MEDIUM This Month

Insufficient input sanitization in select CLI commands on Cisco Secure Firewall ASA and FTD Software allows authenticated local administrators to execute arbitrary code as root by injecting malicious Lua code. An attacker with valid administrator credentials can craft specially formatted parameters to achieve code execution with elevated privileges. No patch is currently available.

Cisco RCE Command Injection
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Remote code execution in Craft CMS versions before 5.8.22 and 4.16.18 can be achieved by authenticated administrators or users with System Messages access by injecting malicious Twig payloads through the map filter in configurable text fields. An attacker with admin-level privileges and allowAdminChanges enabled, or non-admin access to System Messages utilities, can execute arbitrary code on the affected server. A patch is available and users should update immediately to mitigate this risk.

RCE Craft Cms
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

RCE in Craft CMS before 4.17.0-beta.1/5.9.0-beta.1 via template injection for authenticated admins. PoC and patch available.

PHP RCE Craft Cms
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

Remote code execution in Craft CMS 5.8.21 allows authenticated administrators to execute arbitrary PHP code through Server-Side Template Injection in the create() Twig function combined with Symfony Process gadget chains. Public exploit code exists for this vulnerability, which bypasses the previous patch for CVE-2025-57811. Updates are available in Craft CMS 5.9.0-beta.1 and 4.17.0-beta.1.

PHP RCE Craft Cms
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Malicious actors can install unauthorized Group Temporal Keys on ArubaOS wireless clients through a standardized roaming protocol vulnerability, enabling frame injection and network segmentation bypass. An attacker positioned on the local network could leverage this to intercept traffic, bypass client isolation, and compromise network integrity and confidentiality. No patch is currently available.

RCE Code Injection Arubaos
NVD
EPSS 0% CVSS 9.6
CRITICAL POC Act Now

Missing BLE authentication in Pebble Prism Ultra smartwatch. PoC available.

RCE Information Disclosure Pebble Prism Ultra Firmware
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Code execution via HwRwDrv.sys in Nil Hardware Editor. PoC available.

RCE SQLi Hardware Read Write Utility
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Hardcoded/insecure credentials in IDC SFX Series SuperFlex Satellite Receiver. Multiple accounts with known credentials enable complete device takeover.

Authentication Bypass RCE Sfx2100 Firmware
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Hardcoded/insecure credentials in IDC SFX Series SuperFlex Satellite Receiver. Multiple accounts with known credentials enable complete device takeover.

SNMP RCE Sfx2100 Firmware
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

Remote code execution in Concrete CMS prior to version 9.4.8 stems from unsafe deserialization of PHP objects in the Express Entry List block configuration. An authenticated administrator can inject malicious serialized data through the columns parameter that executes arbitrary code when unserialized without validation. This allows attackers with admin privileges to achieve complete system compromise through stored object injection attacks.

PHP RCE Deserialization +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC PATCH Act Now

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

PHP Laravel RCE +2
NVD GitHub
EPSS 13% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

RCE in Qwik JavaScript framework <= 1.19.0 via unsafe deserialization in server$ Runtime. EPSS 13.4% with PoC available.

RCE Deserialization Qwik
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC PATCH Act Now

Command injection in Froxlor server admin before 2.3.4 due to typo (== instead of =) disabling input validation entirely. PoC and patch available.

RCE Froxlor
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC Act Now

Path traversal in OpenEMR 7.0.4 disposeDocument() allows file access. PoC available.

PHP RCE Openemr
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

Zip slip to arbitrary file write in Zdir Pro 4.x ZIP extraction API. PoC available.

RCE Path Traversal Zdir
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Command execution via reset_pj.cgi in Weintek cMT-3072XH2.

RCE Easyweb Cmt 3072xh2 Firmware
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formGetIptv function and the list parameter, which can cause memory corruption and enable remote code execution. [CVSS 7.5 HIGH]

RCE Stack Overflow Memory Corruption +2
NVD
EPSS 0% CVSS 7.2
HIGH POC This Week

Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints (including Scheduler and Actions pages). [CVSS 7.2 HIGH]

RCE Command Injection Tranzman
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC This Week

Tranzman versions up to 4.0 is affected by insufficient verification of data authenticity (CVSS 7.2).

File Upload Authentication Bypass RCE +1
NVD GitHub
EPSS 0% CVSS 2.0
LOW Monitor

An issue was discovered in Nokia Impact before Mobile 23_FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. [CVSS 2.0 LOW]

RCE Code Injection Impact Mobile
NVD
EPSS 0% CVSS 7.2
HIGH This Week

WatchGuard Fireware OS contains an out-of-bounds write vulnerability in its management interface that permits authenticated administrators to achieve root-level code execution. The flaw affects versions 11.9 through 11.12.4_Update1, 12.0 through 12.11.7, and 2025.1 through 2026.1.1, with no patch currently available. While exploitation requires high-level administrative privileges, successful attacks grant complete system compromise.

Buffer Overflow RCE Fireware
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

RCE in Apache Ranger <= 2.7.0 via NashornScriptEngineCreator. EPSS 0.42%.

Apache RCE Ranger
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Page Builder by SiteOrigin (WordPress plugin) versions up to 2.33.5 is affected by path traversal (CVSS 8.8).

WordPress PHP Path Traversal +2
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Server-Side Request Forgery in the Uncanny Automator WordPress plugin up to version 7.0.0.3 allows authenticated administrators to make arbitrary web requests from the affected server and store remote file contents locally, potentially enabling remote code execution. The vulnerability requires administrator-level privileges and has no available patch. Attackers can exploit this to interact with internal services and upload arbitrary files to the web server.

WordPress RCE SSRF +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in AFFiNE workspace application (versions prior to 0.25.4) allows unauthenticated attackers to execute arbitrary code via malicious affine: URL handlers. Exploitation requires one user click on a crafted link or visiting a malicious website that auto-redirects to the malicious URL. The browser's custom protocol handler automatically launches AFFiNE and processes the payload without further user interaction, achieving RCE. EPSS score of 0.17% (38th percentile) suggests low observed exploitation activity. GitHub security advisory GHSA-67vm-2mcj-8965 confirms the vulnerability with upstream fix available in commit c9a4129a via PR #13864.

RCE Code Injection Affine
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Android has a heap buffer overflow in multiple locations enabling privilege escalation through out-of-bounds read and write operations.

RCE Buffer Overflow Android +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Master Addons for Elementor Premium (WordPress plugin) versions up to 2.1.3 is affected by code injection (CVSS 8.8).

WordPress RCE Code Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Twenty CRM v1.15.0 has a code injection vulnerability enabling remote attackers to execute arbitrary code through the CRM platform.

RCE Code Injection Twenty
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross Site Scripting vulnerability in Wethink Technology Inc 720yun pano-sdk 0.5.877 allows a remote attacker to execute arbitrary code via the LoginComp (Module 2093) and SignupComp (Module 2094) modules. [CVSS 6.1 MEDIUM]

XSS RCE
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

RCE Chamilo Lms
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

Chamilo is a learning management system. Chamillo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. [CVSS 7.2 HIGH]

RCE Deserialization Chamilo Lms
NVD GitHub
Prev Page 34 of 355 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy