RCE
Monthly
Mattermost Desktop is affected by inclusion of functionality from untrusted control sphere (CVSS 4.6).
DobryCMS has an unauthenticated file upload vulnerability allowing remote attackers to upload and execute arbitrary files on the web server.
IDExpert Windows Logon Agent has a second RCE vulnerability through another unsigned code download path.
IDExpert Windows Logon Agent by Changing has an RCE vulnerability through download of code without integrity check, allowing malicious update injection.
Remote code execution in Statmatic CMS versions prior to 5.73.11 and 6.4.0 allows authenticated users with control panel access and permission to modify Antlers-enabled fields to execute arbitrary code in the application context. An attacker exploiting this vulnerability can fully compromise the application, including stealing sensitive configuration data, modifying or exfiltrating user data, and disrupting availability. A patch is available and exploitation requires authenticated access with specific field configuration permissions.
Critical RCE via OS command injection in WeGIA before 3.6.5. Unauthenticated attackers can execute arbitrary commands on the server. CVSS 10.0 with PoC available.
Path traversal in Kaniko 1.25.4 through 1.25.9 allows attackers to extract tar archives outside the intended destination directory, enabling arbitrary file writes on the build system. When combined with Docker credential helpers in registry authentication scenarios, this vulnerability can be leveraged for code execution within the Kaniko executor process. Docker and Kubernetes environments using the affected Kaniko versions are at risk.
Group Office versions before 26.0.9, 25.0.87, and 6.8.154 allow authenticated attackers to execute arbitrary commands through maliciously crafted TNEF attachments, where attacker-controlled filenames in winmail.dat are processed unsafely with zip wildcard expansion. An attacker with valid credentials can exploit this to achieve remote code execution with full system privileges. No patch is currently available for affected deployments.
Unauthenticated RCE and information disclosure via Local File Inclusion in Johnson Controls Frick Controls. Fifth critical vulnerability in the product line, enabling arbitrary file reads and code execution.
Unauthenticated remote code execution via code injection in Johnson Controls Frick Controls Quantum HD. Fourth critical vulnerability — this one explicitly noted as unauthenticated RCE.
Remote code execution in intra-mart Accel Platform's IM-LogicDesigner module through insecure deserialization of crafted files imported by administrative users. An attacker with admin privileges can execute arbitrary code by importing a malicious file, with no patch currently available. The vulnerability affects all deployments where IM-LogicDesigner is enabled.
Remote code execution in Red Hat Satellite's rubyipmi BMC component allows authenticated users with host creation or update permissions to execute arbitrary code by injecting malicious input into the BMC username field. An attacker with these privileges can compromise the underlying system through command injection. No patch is currently available for this vulnerability.
Soliton Systems installers for Securebrowser For Onegate, Secureworkspace, and Securebrowser II fail to set proper file permissions during installation, enabling local authenticated users to execute arbitrary code with SYSTEM privileges. An attacker with user-level access can exploit this misconfiguration to achieve full system compromise. No patch is currently available.
Code injection in OpenStack Vitrage query parser allows authenticated users to execute arbitrary Python code through crafted queries. Affects versions before 12.0.1, 13.0.0, 14.0.0, and 15.0.0. PoC available.
Heap memory corruption in the OCaml runtime (before 4.14.3 and 5.x before 5.4.1) lets an attacker who can feed crafted Marshal-format data into an application's deserialization path read past buffer bounds and, through a multi-phase chain, achieve code execution. The flaw lives in the readblock() routine of runtime/intern.c, which copies blocks using attacker-controlled lengths without bounds checks. There is no public exploit identified at time of analysis and EPSS is very low (0.04%), but multiple vendors (SUSE, Red Hat) have shipped fixed packages.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the MBird SMS service URL parameters processed during system setup. The vulnerability affects Xweb 500d Pro, 500b Pro, and 300d Pro models, with no patch currently available. Exploitation requires high privilege access but carries high impact due to complete system compromise potential.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the server username or password fields during restore operations via the API V1 endpoint. The vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro devices and requires high-level privileges but could compromise the entire system. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into Wi-Fi SSID or password configuration fields. The vulnerability affects multiple Xweb Pro models (300d, 500b, 500d) and requires high privilege access to exploit, though successful exploitation grants complete system compromise across the network. No patch is currently available.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the Modbus command tool parameters accessible through the debug route. The vulnerability affects Xweb 300d Pro, 500d Pro, and 500b Pro devices, with a CVSS score of 8.0 indicating high severity. No patch is currently available for this command injection flaw.
Remote code execution in XWEB Pro firmware versions 1.12.1 and prior allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads through crafted LCD state configurations that are processed during system initialization. This vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro devices and requires high-level privileges to exploit, though the impact extends across connected systems. No patch is currently available for this high-severity vulnerability (CVSS 8.0).
Remote code execution in Xweb Pro firmware (versions 1.12.1 and prior) allows authenticated attackers to execute arbitrary OS commands by uploading a malicious template file through the devices route. This vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro models, with no patch currently available. The high CVSS score of 8.0 reflects the severity of achieving code execution with administrative privileges on vulnerable devices.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier (affecting Xweb 500b Pro, 500d Pro, and 300d Pro models) allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the server username field during the import preconfiguration API action. An attacker with administrative privileges can exploit this OS command injection vulnerability to gain complete system compromise. No patch is currently available for this vulnerability.
Authenticated attackers can execute arbitrary OS commands on Xweb Pro devices (versions 1.12.1 and earlier across 300d, 500b, and 500d models) by injecting malicious payloads into the hostname configuration parameter during system setup. This command injection vulnerability grants remote code execution with high privileges on affected systems. No patch is currently available, requiring organizations to implement network access controls or disable affected devices until remediation is released.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by submitting a malicious firmware update file through the update mechanism. The vulnerability affects multiple XWEB Pro models (300d, 500d, and 500b) and requires high-level privileges to exploit. No patch is currently available for this high-severity command injection flaw (CVSS 8.0).
Remote code execution in XWEB Pro versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands via malicious input submitted to the restore functionality. The vulnerability affects Xweb 500d Pro, 500b Pro, and 300d Pro firmware versions, with no patch currently available. An attacker with valid credentials could compromise the affected device and gain full system control.
Remote code execution in Xweb 300d Pro, 500d Pro, and 500b Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the devices field in the setup route. An attacker with valid credentials can exploit this command injection vulnerability to gain complete system control. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary commands by injecting malicious input into OpenSSL parameter fields. An attacker with valid credentials can exploit this command injection vulnerability through the utility route to gain complete system compromise. No patch is currently available for affected XWEB 500b Pro and 300d Pro devices.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the devices field during firmware updates. The vulnerability affects multiple Xweb Pro models (500d, 300d, and 500b) and requires high privileges to exploit, though it can impact the entire system. No patch is currently available for this HIGH severity issue.
Remote code execution in Xweb 300d/500b/500d Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the firmware update endpoint. The vulnerability stems from insufficient input validation in command processing and requires high privileges but affects the entire system scope. No patch is currently available for this HIGH severity issue.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by submitting malicious input through the contacts import endpoint. The vulnerability affects multiple Xweb Pro models (500d, 300d, and 500b) and requires high-level privileges but can compromise the entire system. No patch is currently available.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the devices field during firmware update operations. The vulnerability affects multiple Xweb Pro models (500d, 500b, and 300d) and requires high-level privileges to exploit, though it can impact the entire system. No patch is currently available for this HIGH severity issue.
Remote code execution in Xweb 300d Pro, 500b Pro, and 500d Pro firmware (version 1.12.1 and prior) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the map filename field during file upload operations. An attacker with valid credentials can exploit this command injection flaw to gain full system control. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the templates route. Affected versions include Xweb 500d Pro, 300d Pro, and 500b Pro. No patch is currently available for this vulnerability.
Remote code execution in osctrl prior to version 0.5.0 allows authenticated administrators to inject arbitrary OS commands through the hostname parameter during environment configuration, which are then executed on all endpoints enrolling via the compromised environment. The injected commands execute with root/SYSTEM privileges before osquery installation, providing complete system compromise with minimal audit trails. A patch is available in version 0.5.0 and later.
Junrar versions prior to 7.5.8 contain a path traversal vulnerability in LocalFolderExtractor that allows attackers to write arbitrary files to the filesystem when processing malicious RAR archives on Linux/Unix systems. Public exploit code exists for this vulnerability, which can facilitate remote code execution through file overwrite attacks such as modifying shell profiles or cron jobs. Users should upgrade to version 7.5.8 or later to remediate this issue.
SQL injection in SPIP prior to 4.4.10 enables authenticated users with low privileges to execute arbitrary SQL commands and achieve remote code execution through union-based injection combined with PHP tag processing. The vulnerability affects SPIP and PHP environments, requiring only network access and valid credentials to exploit. No patch is currently available, presenting significant risk to production SPIP installations.
Remote control vulnerability in Unitree Go2 robot dog firmware 1.1.7-1.1.11. The companion Android app allows remote attackers to take control of the robot. PoC available.
Arbitrary file upload in User Frontend plugin for WordPress (versions up to 4.2.8) allows authenticated users with Author-level privileges to bypass file type validation and upload malicious files to the server. This can lead to remote code execution if an attacker uploads executable files to web-accessible directories. The vulnerability remains unpatched and affects all versions through 4.2.8.
FTP command injection in GVfs backend allows remote attackers to execute arbitrary FTP commands by embedding CRLF sequences in crafted file paths, potentially leading to unauthorized access or code execution. The vulnerability requires user interaction and affects systems utilizing the FTP GVfs backend for file operations. A patch is available to remediate this input validation weakness.
Arbitrary code execution in FinalCode Client installer (Digital Arts Inc.) results from unsafe DLL loading that allows an attacker to place a malicious library in the same directory as the installer and execute it with elevated privileges when a user runs the installation. This local attack requires user interaction to place the malicious file and execute the installer, but poses significant risk as there is currently no available patch.
FinalCode Client installer by Digital Arts Inc. improperly configures file permissions, enabling local non-administrative users to execute arbitrary code with SYSTEM-level privileges. This privilege escalation affects all users of the affected installer versions and allows attackers to achieve complete system compromise. No patch is currently available for this vulnerability.
Remote code execution in WordPress Worry Proof Backup plugin through path traversal in the backup upload feature allows authenticated users with Subscriber privileges or higher to write arbitrary files, including PHP executables, to the server by uploading specially crafted ZIP archives. The vulnerability affects all versions up to 0.2.4 and currently has no available patch, enabling attackers to achieve full server compromise.
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary code execution through crafted CSV files. EPSS 0.41% with PoC and patch available.
Remote code execution in c3p0 (a Java JDBC connection-pooling library) before v0.12.0 allows an attacker who can set the `userOverridesAsString` property of a `ConnectionPoolDataSource` - or inject a crafted serialized object or `javax.naming.Reference` - to load and run arbitrary code on the application's CLASSPATH. The flaw stems from storing this writable Java-Bean property as a hex-encoded Java-serialized object, and is amplified by its dependency mchange-commons-java, which mirrored legacy JNDI behavior with ungated support for remote `factoryClassLocation` values, enabling download and execution of attacker-hosted classes. EPSS is low (0.15%) and there is no public exploit identified at time of analysis, though deserialization/JNDI gadget techniques against this library are publicly documented.
Zed, a code editor, has an extension installer allows tar/gzip downloads. [CVSS 8.8 HIGH]
Remote code execution in Manyfold prior to version 0.133.0 allows authenticated users to execute arbitrary commands by uploading a ZIP archive with specially crafted filenames containing shell metacharacters that are passed unsanitized to Ruby backtick execution. The vulnerability affects the model render generation feature and requires an attacker to be logged in, with public exploit code currently available. A patch is available in version 0.133.0 and later.
Unauthenticated command injection in TinyWeb HTTP/HTTPS server for Win32 before 2.01 allows remote attackers to execute arbitrary commands. Patch available.
Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path through the expression engine. Patch available.
Remote code execution in n8n workflow automation platform allows authenticated users with workflow creation or modification permissions to execute arbitrary shell commands by chaining file write operations with git functions to manipulate configuration files. Versions prior to 2.2.0 and 1.123.8 are affected, and administrators should upgrade immediately or restrict workflow editing permissions to trusted users only.
Authenticated users with workflow modification permissions in n8n versions prior to 2.10.1, 2.9.3, and 1.123.22 can exploit the Merge node's SQL query mode to execute arbitrary code and write files on the server. This high-severity vulnerability (CVSS 8.8) affects the AI/ML and workflow automation platform, allowing attackers with legitimate access to achieve complete system compromise. No patch is currently available, and administrators should restrict workflow permissions or disable the Merge node as temporary mitigations.
Code injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22 allows authenticated users to execute arbitrary code by creating or editing workflows with malicious expressions. Third n8n RCE CVE in this release.
Second-order expression injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22. Crafted workflow data triggers expression evaluation leading to code execution. Patch available.
Cross-site WebSocket hijacking leading to persistent XSS and Remote Code Execution affects Storybook's dev server prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10. Because the dev server's story create/save WebSocket handlers fail to validate the connection origin and do not sanitize the componentFilePath field, a malicious website silently injects WebSocket messages into a developer's locally running instance to plant XSS or execute code; publicly exposed dev servers can be hit directly by any unauthenticated attacker. No public exploit identified at time of analysis, and EPSS is low at 0.17% (38th percentile), but the high CVSS 4.0 score of 8.9 and confirmed RCE impact make this a meaningful developer-workstation risk.
Remote code execution in LORIS neuroimaging platform allows authenticated users with sufficient privileges to bypass path traversal protections and upload malicious files to arbitrary server locations. An attacker can leverage the uploaded file to achieve code execution on the underlying system, though read-only server configurations may prevent actual execution. The vulnerability affects versions prior to 26.0.5, 27.0.2, and 28.0.0, with no patch currently available.
ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability could enable an unauthenticated user, in certain circumstances, to execute code within the ServiceNow Sandbox.
VMware Aria Operations contains a command injection vulnerability (CVE-2026-22719, CVSS 8.1) that allows unauthenticated remote attackers to execute arbitrary commands during support-assisted product migration. KEV-listed with patches available, this vulnerability targets the infrastructure monitoring platform that has visibility into the entire virtualized environment.
SQL injection in OpenEMR's Immunization module prior to version 8.0.0 enables authenticated users to execute arbitrary database queries through unparameterized patient_id inputs. This allows attackers to exfiltrate protected health information, steal credentials, and potentially achieve remote code execution with complete database compromise. Public exploit code exists for this vulnerability; organizations should upgrade to version 8.0.0 immediately.
Remote code execution in LangGraph's caching layer affects applications that explicitly enable cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. An attacker can exploit unsafe deserialization through pickle when msgpack serialization fails, allowing arbitrary code execution on affected systems. This vulnerability requires explicit cache configuration and does not affect default deployments.
Arbitrary file upload via subtitle loading in asbplayer v1.13.0 allows execution of malicious files through crafted subtitle files.
Remote code execution in Advanced Woo Labels plugin for WordPress through version 2.37 allows authenticated users with Contributor access or higher to execute arbitrary PHP functions and system commands via an unsanitized callback parameter in an AJAX handler. The vulnerability stems from improper use of call_user_func_array() without adequate input validation or capability restrictions. No patch is currently available for this high-severity flaw affecting WordPress environments.
Arbitrary file write vulnerability in Data Master ADM versions 4.1.0-4.3.3.ROF1 and 5.0.0-5.1.2.RE51 allows remote or man-in-the-middle attackers to bypass filename sanitization in FTP backup operations and place malicious files outside the intended directory. An attacker can exploit this path traversal flaw to overwrite critical system files and potentially execute code with elevated privileges. No patch is currently available, and exploitation requires moderate attack complexity but no user interaction.
Remote code execution in SPIP's interface_traduction_objets plugin prior to version 2.2.2 allows authenticated editors to execute arbitrary code by injecting malicious content into unfiltered form fields that bypass output protection mechanisms. The vulnerability exploits how underscore-prefixed fields circumvent SPIP's security filters and are processed through the template engine without sanitization. An attacker with editor-level privileges can leverage this to achieve full code execution within the web server context.
Unauthenticated RCE in SPIP tickets plugin before 4.3.3 via code injection. Allows executing arbitrary PHP code without authentication. Patch available.
Path traversal and extension bypass in Flask-Reuploaded file upload library. Allows uploading files with arbitrary extensions to arbitrary directories. PoC and patch available.
Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that bypass file upload restrictions, enabling arbitrary code execution on Apache servers with `AllowOverride All` enabled. Public exploit code exists for this vulnerability. The attack requires valid user credentials but affects all FreeScout installations using the vulnerable PHP Laravel framework configuration.
Sandbox escape in Enclave JavaScript sandbox before 2.11.1. Enclave is designed for safe AI agent code execution — the escape allows agents to execute arbitrary code outside the sandbox. CVSS 10.0, PoC and patch available.
InvenTree prior to version 1.2.3 allows authenticated staff users to inject malicious Jinja2 template code into batch code generation functionality, enabling server-side template injection that can expose sensitive data or execute arbitrary code. Once a staff member modifies the template maliciously, any user triggering batch code generation via the API will execute the injected code within their user context. This vulnerability requires staff-level access to set up but can be exploited by lower-privileged users once the malicious template is in place.
OS command injection in OliveTin web shell interface through version 3000.10.0. OliveTin provides web-based access to predefined shell commands — the injection allows executing arbitrary commands beyond the whitelist. PoC available.
Arbitrary file write via path traversal in the Rollup JavaScript module bundler lets an attacker who can influence build inputs write or overwrite files anywhere the build process can reach, escalating to persistent remote code execution by clobbering system or user configuration files. Affected are 4.x releases before 4.59.0 (and the 2.x/3.x lines before 2.80.0 and 3.30.0), where insecure output filename sanitization permits `../` traversal through CLI named inputs, manual chunk aliases, or malicious plugins. Publicly available exploit code exists (GitHub Security Advisory GHSA-mw96-cpmx-2vgc), though no public exploit is identified as active in-the-wild use; EPSS is modest at 0.62% (70th percentile).
Arbitrary file write in Dagu workflow engine up to version 1.16.7 allows authenticated users with DAG write permissions to place malicious YAML files anywhere on the filesystem due to insufficient name validation in the CreateNewDAG API endpoint. Since Dagu executes DAG files as shell commands, an attacker can achieve remote code execution by overwriting existing DAGs or configuration files. Public exploit code exists for this vulnerability, and a patch is available.
OS command injection in InSAT MasterSCADA BUK-TS through MMadmServ web interface. Unauthenticated RCE on SCADA management server. EPSS 1.26%.
SQL injection in InSAT MasterSCADA BUK-TS through the main web interface. ICS/SCADA system with unauthenticated SQL injection enabling full database compromise.
A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7. [CVSS 6.1 MEDIUM]
Insecure .NET Remoting deserialization in Altec DocLink (Beyond Limits) 4.0.336.0. Exposed TCP endpoints allow unauthenticated remote code execution via .NET Remoting deserialization attacks.
FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to FastCGI backends (PHP-FPM). EPSS 0.19% with PoC available.
Stored cross-site scripting in Binardat 10G08-0800GSM network switch firmware through version V300SP10260209 enables attackers to execute arbitrary JavaScript within authenticated user sessions via the web interface. An attacker with network access can inject malicious scripts that execute in the context of legitimate users, potentially leading to session hijacking, credential theft, or unauthorized configuration changes. No patch is currently available.
Authentication bypass in FUXA SCADA/HMI system 1.2.8 and prior leading to Remote Code Execution. Unauthenticated attackers can execute arbitrary code on industrial control HMI systems. EPSS 0.64% with PoC available.
Cryptopro Secure Disk contains a vulnerability that allows attackers to execute arbitrary code in the context of the root user and enables an attacker t (CVSS 6.8).
Memory safety bugs in Firefox 147 and Thunderbird 147 with evidence of memory corruption. Mainline-only bugs not present in ESR branches.
Memory safety bugs in Firefox ESR 115.32, ESR 140.7, and Firefox 147. Broader set of memory corruption issues than CVE-2026-2792.
Memory safety bugs in Firefox ESR 140.7 and Firefox 147 with evidence of memory corruption and potential code execution exploitability.
DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information. [CVSS 8.4 HIGH]
Arbitrary code injection in ImageMagick's PostScript and HTML encoders allows attackers to inject malicious code that executes when files are processed by downstream applications like Ghostscript or web viewers. The vulnerability affects versions prior to 7.1.2-15 and 6.9.13-40 due to insufficient input sanitization in the ps and html coders. Users processing untrusted image files are at risk of code execution, though no patch is currently available.
The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data.
Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by uploading unsanitized SVG files as device images, exploiting improper Content-Type handling. Public exploit code exists for this reflected cross-site scripting vulnerability, which could enable session hijacking or credential theft with no patch currently available.
Response-stream injection in Valkey (the Redis fork) lets an authenticated user abuse Lua scripting commands to smuggle arbitrary bytes into the reply stream, corrupting or tampering with data returned to other users sharing the same connection. The flaw stems from the Lua script error-handling path mishandling null characters. It affects all releases prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12. No public exploit identified at time of analysis; EPSS exploitation probability is negligible (0.02%, 4th percentile) and the issue is not in CISA KEV.
A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. [CVSS 7.2 HIGH]
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. [CVSS 8.8 HIGH]
eAI Technologies' ERP application is vulnerable to DLL hijacking attacks that enable authenticated local users to achieve arbitrary code execution by placing a malicious DLL in the application directory. The vulnerability affects any system where non-administrative users have local access and can write to the ERP installation folder. No patch is currently available to remediate this issue.
Prototype pollution in Webaudiorecorder.js versions 0.1 and 0.1.1 allows authenticated remote attackers to modify object properties through the extend function in Dynamic Config Handling, potentially leading to information disclosure or data manipulation. Public exploit code exists for this vulnerability, though exploitation requires high complexity and specific preconditions. The vendor has not released a patch and did not respond to disclosure attempts.
Mattermost Desktop is affected by inclusion of functionality from untrusted control sphere (CVSS 4.6).
DobryCMS has an unauthenticated file upload vulnerability allowing remote attackers to upload and execute arbitrary files on the web server.
IDExpert Windows Logon Agent has a second RCE vulnerability through another unsigned code download path.
IDExpert Windows Logon Agent by Changing has an RCE vulnerability through download of code without integrity check, allowing malicious update injection.
Remote code execution in Statmatic CMS versions prior to 5.73.11 and 6.4.0 allows authenticated users with control panel access and permission to modify Antlers-enabled fields to execute arbitrary code in the application context. An attacker exploiting this vulnerability can fully compromise the application, including stealing sensitive configuration data, modifying or exfiltrating user data, and disrupting availability. A patch is available and exploitation requires authenticated access with specific field configuration permissions.
Critical RCE via OS command injection in WeGIA before 3.6.5. Unauthenticated attackers can execute arbitrary commands on the server. CVSS 10.0 with PoC available.
Path traversal in Kaniko 1.25.4 through 1.25.9 allows attackers to extract tar archives outside the intended destination directory, enabling arbitrary file writes on the build system. When combined with Docker credential helpers in registry authentication scenarios, this vulnerability can be leveraged for code execution within the Kaniko executor process. Docker and Kubernetes environments using the affected Kaniko versions are at risk.
Group Office versions before 26.0.9, 25.0.87, and 6.8.154 allow authenticated attackers to execute arbitrary commands through maliciously crafted TNEF attachments, where attacker-controlled filenames in winmail.dat are processed unsafely with zip wildcard expansion. An attacker with valid credentials can exploit this to achieve remote code execution with full system privileges. No patch is currently available for affected deployments.
Unauthenticated RCE and information disclosure via Local File Inclusion in Johnson Controls Frick Controls. Fifth critical vulnerability in the product line, enabling arbitrary file reads and code execution.
Unauthenticated remote code execution via code injection in Johnson Controls Frick Controls Quantum HD. Fourth critical vulnerability — this one explicitly noted as unauthenticated RCE.
Remote code execution in intra-mart Accel Platform's IM-LogicDesigner module through insecure deserialization of crafted files imported by administrative users. An attacker with admin privileges can execute arbitrary code by importing a malicious file, with no patch currently available. The vulnerability affects all deployments where IM-LogicDesigner is enabled.
Remote code execution in Red Hat Satellite's rubyipmi BMC component allows authenticated users with host creation or update permissions to execute arbitrary code by injecting malicious input into the BMC username field. An attacker with these privileges can compromise the underlying system through command injection. No patch is currently available for this vulnerability.
Soliton Systems installers for Securebrowser For Onegate, Secureworkspace, and Securebrowser II fail to set proper file permissions during installation, enabling local authenticated users to execute arbitrary code with SYSTEM privileges. An attacker with user-level access can exploit this misconfiguration to achieve full system compromise. No patch is currently available.
Code injection in OpenStack Vitrage query parser allows authenticated users to execute arbitrary Python code through crafted queries. Affects versions before 12.0.1, 13.0.0, 14.0.0, and 15.0.0. PoC available.
Heap memory corruption in the OCaml runtime (before 4.14.3 and 5.x before 5.4.1) lets an attacker who can feed crafted Marshal-format data into an application's deserialization path read past buffer bounds and, through a multi-phase chain, achieve code execution. The flaw lives in the readblock() routine of runtime/intern.c, which copies blocks using attacker-controlled lengths without bounds checks. There is no public exploit identified at time of analysis and EPSS is very low (0.04%), but multiple vendors (SUSE, Red Hat) have shipped fixed packages.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the MBird SMS service URL parameters processed during system setup. The vulnerability affects Xweb 500d Pro, 500b Pro, and 300d Pro models, with no patch currently available. Exploitation requires high privilege access but carries high impact due to complete system compromise potential.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the server username or password fields during restore operations via the API V1 endpoint. The vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro devices and requires high-level privileges but could compromise the entire system. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into Wi-Fi SSID or password configuration fields. The vulnerability affects multiple Xweb Pro models (300d, 500b, 500d) and requires high privilege access to exploit, though successful exploitation grants complete system compromise across the network. No patch is currently available.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the Modbus command tool parameters accessible through the debug route. The vulnerability affects Xweb 300d Pro, 500d Pro, and 500b Pro devices, with a CVSS score of 8.0 indicating high severity. No patch is currently available for this command injection flaw.
Remote code execution in XWEB Pro firmware versions 1.12.1 and prior allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads through crafted LCD state configurations that are processed during system initialization. This vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro devices and requires high-level privileges to exploit, though the impact extends across connected systems. No patch is currently available for this high-severity vulnerability (CVSS 8.0).
Remote code execution in Xweb Pro firmware (versions 1.12.1 and prior) allows authenticated attackers to execute arbitrary OS commands by uploading a malicious template file through the devices route. This vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro models, with no patch currently available. The high CVSS score of 8.0 reflects the severity of achieving code execution with administrative privileges on vulnerable devices.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier (affecting Xweb 500b Pro, 500d Pro, and 300d Pro models) allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the server username field during the import preconfiguration API action. An attacker with administrative privileges can exploit this OS command injection vulnerability to gain complete system compromise. No patch is currently available for this vulnerability.
Authenticated attackers can execute arbitrary OS commands on Xweb Pro devices (versions 1.12.1 and earlier across 300d, 500b, and 500d models) by injecting malicious payloads into the hostname configuration parameter during system setup. This command injection vulnerability grants remote code execution with high privileges on affected systems. No patch is currently available, requiring organizations to implement network access controls or disable affected devices until remediation is released.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by submitting a malicious firmware update file through the update mechanism. The vulnerability affects multiple XWEB Pro models (300d, 500d, and 500b) and requires high-level privileges to exploit. No patch is currently available for this high-severity command injection flaw (CVSS 8.0).
Remote code execution in XWEB Pro versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands via malicious input submitted to the restore functionality. The vulnerability affects Xweb 500d Pro, 500b Pro, and 300d Pro firmware versions, with no patch currently available. An attacker with valid credentials could compromise the affected device and gain full system control.
Remote code execution in Xweb 300d Pro, 500d Pro, and 500b Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the devices field in the setup route. An attacker with valid credentials can exploit this command injection vulnerability to gain complete system control. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary commands by injecting malicious input into OpenSSL parameter fields. An attacker with valid credentials can exploit this command injection vulnerability through the utility route to gain complete system compromise. No patch is currently available for affected XWEB 500b Pro and 300d Pro devices.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the devices field during firmware updates. The vulnerability affects multiple Xweb Pro models (500d, 300d, and 500b) and requires high privileges to exploit, though it can impact the entire system. No patch is currently available for this HIGH severity issue.
Remote code execution in Xweb 300d/500b/500d Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the firmware update endpoint. The vulnerability stems from insufficient input validation in command processing and requires high privileges but affects the entire system scope. No patch is currently available for this HIGH severity issue.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by submitting malicious input through the contacts import endpoint. The vulnerability affects multiple Xweb Pro models (500d, 300d, and 500b) and requires high-level privileges but can compromise the entire system. No patch is currently available.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the devices field during firmware update operations. The vulnerability affects multiple Xweb Pro models (500d, 500b, and 300d) and requires high-level privileges to exploit, though it can impact the entire system. No patch is currently available for this HIGH severity issue.
Remote code execution in Xweb 300d Pro, 500b Pro, and 500d Pro firmware (version 1.12.1 and prior) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the map filename field during file upload operations. An attacker with valid credentials can exploit this command injection flaw to gain full system control. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the templates route. Affected versions include Xweb 500d Pro, 300d Pro, and 500b Pro. No patch is currently available for this vulnerability.
Remote code execution in osctrl prior to version 0.5.0 allows authenticated administrators to inject arbitrary OS commands through the hostname parameter during environment configuration, which are then executed on all endpoints enrolling via the compromised environment. The injected commands execute with root/SYSTEM privileges before osquery installation, providing complete system compromise with minimal audit trails. A patch is available in version 0.5.0 and later.
Junrar versions prior to 7.5.8 contain a path traversal vulnerability in LocalFolderExtractor that allows attackers to write arbitrary files to the filesystem when processing malicious RAR archives on Linux/Unix systems. Public exploit code exists for this vulnerability, which can facilitate remote code execution through file overwrite attacks such as modifying shell profiles or cron jobs. Users should upgrade to version 7.5.8 or later to remediate this issue.
SQL injection in SPIP prior to 4.4.10 enables authenticated users with low privileges to execute arbitrary SQL commands and achieve remote code execution through union-based injection combined with PHP tag processing. The vulnerability affects SPIP and PHP environments, requiring only network access and valid credentials to exploit. No patch is currently available, presenting significant risk to production SPIP installations.
Remote control vulnerability in Unitree Go2 robot dog firmware 1.1.7-1.1.11. The companion Android app allows remote attackers to take control of the robot. PoC available.
Arbitrary file upload in User Frontend plugin for WordPress (versions up to 4.2.8) allows authenticated users with Author-level privileges to bypass file type validation and upload malicious files to the server. This can lead to remote code execution if an attacker uploads executable files to web-accessible directories. The vulnerability remains unpatched and affects all versions through 4.2.8.
FTP command injection in GVfs backend allows remote attackers to execute arbitrary FTP commands by embedding CRLF sequences in crafted file paths, potentially leading to unauthorized access or code execution. The vulnerability requires user interaction and affects systems utilizing the FTP GVfs backend for file operations. A patch is available to remediate this input validation weakness.
Arbitrary code execution in FinalCode Client installer (Digital Arts Inc.) results from unsafe DLL loading that allows an attacker to place a malicious library in the same directory as the installer and execute it with elevated privileges when a user runs the installation. This local attack requires user interaction to place the malicious file and execute the installer, but poses significant risk as there is currently no available patch.
FinalCode Client installer by Digital Arts Inc. improperly configures file permissions, enabling local non-administrative users to execute arbitrary code with SYSTEM-level privileges. This privilege escalation affects all users of the affected installer versions and allows attackers to achieve complete system compromise. No patch is currently available for this vulnerability.
Remote code execution in WordPress Worry Proof Backup plugin through path traversal in the backup upload feature allows authenticated users with Subscriber privileges or higher to write arbitrary files, including PHP executables, to the server by uploading specially crafted ZIP archives. The vulnerability affects all versions up to 0.2.4 and currently has no available patch, enabling attackers to achieve full server compromise.
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary code execution through crafted CSV files. EPSS 0.41% with PoC and patch available.
Remote code execution in c3p0 (a Java JDBC connection-pooling library) before v0.12.0 allows an attacker who can set the `userOverridesAsString` property of a `ConnectionPoolDataSource` - or inject a crafted serialized object or `javax.naming.Reference` - to load and run arbitrary code on the application's CLASSPATH. The flaw stems from storing this writable Java-Bean property as a hex-encoded Java-serialized object, and is amplified by its dependency mchange-commons-java, which mirrored legacy JNDI behavior with ungated support for remote `factoryClassLocation` values, enabling download and execution of attacker-hosted classes. EPSS is low (0.15%) and there is no public exploit identified at time of analysis, though deserialization/JNDI gadget techniques against this library are publicly documented.
Zed, a code editor, has an extension installer allows tar/gzip downloads. [CVSS 8.8 HIGH]
Remote code execution in Manyfold prior to version 0.133.0 allows authenticated users to execute arbitrary commands by uploading a ZIP archive with specially crafted filenames containing shell metacharacters that are passed unsanitized to Ruby backtick execution. The vulnerability affects the model render generation feature and requires an attacker to be logged in, with public exploit code currently available. A patch is available in version 0.133.0 and later.
Unauthenticated command injection in TinyWeb HTTP/HTTPS server for Win32 before 2.01 allows remote attackers to execute arbitrary commands. Patch available.
Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path through the expression engine. Patch available.
Remote code execution in n8n workflow automation platform allows authenticated users with workflow creation or modification permissions to execute arbitrary shell commands by chaining file write operations with git functions to manipulate configuration files. Versions prior to 2.2.0 and 1.123.8 are affected, and administrators should upgrade immediately or restrict workflow editing permissions to trusted users only.
Authenticated users with workflow modification permissions in n8n versions prior to 2.10.1, 2.9.3, and 1.123.22 can exploit the Merge node's SQL query mode to execute arbitrary code and write files on the server. This high-severity vulnerability (CVSS 8.8) affects the AI/ML and workflow automation platform, allowing attackers with legitimate access to achieve complete system compromise. No patch is currently available, and administrators should restrict workflow permissions or disable the Merge node as temporary mitigations.
Code injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22 allows authenticated users to execute arbitrary code by creating or editing workflows with malicious expressions. Third n8n RCE CVE in this release.
Second-order expression injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22. Crafted workflow data triggers expression evaluation leading to code execution. Patch available.
Cross-site WebSocket hijacking leading to persistent XSS and Remote Code Execution affects Storybook's dev server prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10. Because the dev server's story create/save WebSocket handlers fail to validate the connection origin and do not sanitize the componentFilePath field, a malicious website silently injects WebSocket messages into a developer's locally running instance to plant XSS or execute code; publicly exposed dev servers can be hit directly by any unauthenticated attacker. No public exploit identified at time of analysis, and EPSS is low at 0.17% (38th percentile), but the high CVSS 4.0 score of 8.9 and confirmed RCE impact make this a meaningful developer-workstation risk.
Remote code execution in LORIS neuroimaging platform allows authenticated users with sufficient privileges to bypass path traversal protections and upload malicious files to arbitrary server locations. An attacker can leverage the uploaded file to achieve code execution on the underlying system, though read-only server configurations may prevent actual execution. The vulnerability affects versions prior to 26.0.5, 27.0.2, and 28.0.0, with no patch currently available.
ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability could enable an unauthenticated user, in certain circumstances, to execute code within the ServiceNow Sandbox.
VMware Aria Operations contains a command injection vulnerability (CVE-2026-22719, CVSS 8.1) that allows unauthenticated remote attackers to execute arbitrary commands during support-assisted product migration. KEV-listed with patches available, this vulnerability targets the infrastructure monitoring platform that has visibility into the entire virtualized environment.
SQL injection in OpenEMR's Immunization module prior to version 8.0.0 enables authenticated users to execute arbitrary database queries through unparameterized patient_id inputs. This allows attackers to exfiltrate protected health information, steal credentials, and potentially achieve remote code execution with complete database compromise. Public exploit code exists for this vulnerability; organizations should upgrade to version 8.0.0 immediately.
Remote code execution in LangGraph's caching layer affects applications that explicitly enable cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. An attacker can exploit unsafe deserialization through pickle when msgpack serialization fails, allowing arbitrary code execution on affected systems. This vulnerability requires explicit cache configuration and does not affect default deployments.
Arbitrary file upload via subtitle loading in asbplayer v1.13.0 allows execution of malicious files through crafted subtitle files.
Remote code execution in Advanced Woo Labels plugin for WordPress through version 2.37 allows authenticated users with Contributor access or higher to execute arbitrary PHP functions and system commands via an unsanitized callback parameter in an AJAX handler. The vulnerability stems from improper use of call_user_func_array() without adequate input validation or capability restrictions. No patch is currently available for this high-severity flaw affecting WordPress environments.
Arbitrary file write vulnerability in Data Master ADM versions 4.1.0-4.3.3.ROF1 and 5.0.0-5.1.2.RE51 allows remote or man-in-the-middle attackers to bypass filename sanitization in FTP backup operations and place malicious files outside the intended directory. An attacker can exploit this path traversal flaw to overwrite critical system files and potentially execute code with elevated privileges. No patch is currently available, and exploitation requires moderate attack complexity but no user interaction.
Remote code execution in SPIP's interface_traduction_objets plugin prior to version 2.2.2 allows authenticated editors to execute arbitrary code by injecting malicious content into unfiltered form fields that bypass output protection mechanisms. The vulnerability exploits how underscore-prefixed fields circumvent SPIP's security filters and are processed through the template engine without sanitization. An attacker with editor-level privileges can leverage this to achieve full code execution within the web server context.
Unauthenticated RCE in SPIP tickets plugin before 4.3.3 via code injection. Allows executing arbitrary PHP code without authentication. Patch available.
Path traversal and extension bypass in Flask-Reuploaded file upload library. Allows uploading files with arbitrary extensions to arbitrary directories. PoC and patch available.
Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that bypass file upload restrictions, enabling arbitrary code execution on Apache servers with `AllowOverride All` enabled. Public exploit code exists for this vulnerability. The attack requires valid user credentials but affects all FreeScout installations using the vulnerable PHP Laravel framework configuration.
Sandbox escape in Enclave JavaScript sandbox before 2.11.1. Enclave is designed for safe AI agent code execution — the escape allows agents to execute arbitrary code outside the sandbox. CVSS 10.0, PoC and patch available.
InvenTree prior to version 1.2.3 allows authenticated staff users to inject malicious Jinja2 template code into batch code generation functionality, enabling server-side template injection that can expose sensitive data or execute arbitrary code. Once a staff member modifies the template maliciously, any user triggering batch code generation via the API will execute the injected code within their user context. This vulnerability requires staff-level access to set up but can be exploited by lower-privileged users once the malicious template is in place.
OS command injection in OliveTin web shell interface through version 3000.10.0. OliveTin provides web-based access to predefined shell commands — the injection allows executing arbitrary commands beyond the whitelist. PoC available.
Arbitrary file write via path traversal in the Rollup JavaScript module bundler lets an attacker who can influence build inputs write or overwrite files anywhere the build process can reach, escalating to persistent remote code execution by clobbering system or user configuration files. Affected are 4.x releases before 4.59.0 (and the 2.x/3.x lines before 2.80.0 and 3.30.0), where insecure output filename sanitization permits `../` traversal through CLI named inputs, manual chunk aliases, or malicious plugins. Publicly available exploit code exists (GitHub Security Advisory GHSA-mw96-cpmx-2vgc), though no public exploit is identified as active in-the-wild use; EPSS is modest at 0.62% (70th percentile).
Arbitrary file write in Dagu workflow engine up to version 1.16.7 allows authenticated users with DAG write permissions to place malicious YAML files anywhere on the filesystem due to insufficient name validation in the CreateNewDAG API endpoint. Since Dagu executes DAG files as shell commands, an attacker can achieve remote code execution by overwriting existing DAGs or configuration files. Public exploit code exists for this vulnerability, and a patch is available.
OS command injection in InSAT MasterSCADA BUK-TS through MMadmServ web interface. Unauthenticated RCE on SCADA management server. EPSS 1.26%.
SQL injection in InSAT MasterSCADA BUK-TS through the main web interface. ICS/SCADA system with unauthenticated SQL injection enabling full database compromise.
A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7. [CVSS 6.1 MEDIUM]
Insecure .NET Remoting deserialization in Altec DocLink (Beyond Limits) 4.0.336.0. Exposed TCP endpoints allow unauthenticated remote code execution via .NET Remoting deserialization attacks.
FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to FastCGI backends (PHP-FPM). EPSS 0.19% with PoC available.
Stored cross-site scripting in Binardat 10G08-0800GSM network switch firmware through version V300SP10260209 enables attackers to execute arbitrary JavaScript within authenticated user sessions via the web interface. An attacker with network access can inject malicious scripts that execute in the context of legitimate users, potentially leading to session hijacking, credential theft, or unauthorized configuration changes. No patch is currently available.
Authentication bypass in FUXA SCADA/HMI system 1.2.8 and prior leading to Remote Code Execution. Unauthenticated attackers can execute arbitrary code on industrial control HMI systems. EPSS 0.64% with PoC available.
Cryptopro Secure Disk contains a vulnerability that allows attackers to execute arbitrary code in the context of the root user and enables an attacker t (CVSS 6.8).
Memory safety bugs in Firefox 147 and Thunderbird 147 with evidence of memory corruption. Mainline-only bugs not present in ESR branches.
Memory safety bugs in Firefox ESR 115.32, ESR 140.7, and Firefox 147. Broader set of memory corruption issues than CVE-2026-2792.
Memory safety bugs in Firefox ESR 140.7 and Firefox 147 with evidence of memory corruption and potential code execution exploitability.
DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information. [CVSS 8.4 HIGH]
Arbitrary code injection in ImageMagick's PostScript and HTML encoders allows attackers to inject malicious code that executes when files are processed by downstream applications like Ghostscript or web viewers. The vulnerability affects versions prior to 7.1.2-15 and 6.9.13-40 due to insufficient input sanitization in the ps and html coders. Users processing untrusted image files are at risk of code execution, though no patch is currently available.
The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data.
Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by uploading unsanitized SVG files as device images, exploiting improper Content-Type handling. Public exploit code exists for this reflected cross-site scripting vulnerability, which could enable session hijacking or credential theft with no patch currently available.
Response-stream injection in Valkey (the Redis fork) lets an authenticated user abuse Lua scripting commands to smuggle arbitrary bytes into the reply stream, corrupting or tampering with data returned to other users sharing the same connection. The flaw stems from the Lua script error-handling path mishandling null characters. It affects all releases prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12. No public exploit identified at time of analysis; EPSS exploitation probability is negligible (0.02%, 4th percentile) and the issue is not in CISA KEV.
A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. [CVSS 7.2 HIGH]
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. [CVSS 8.8 HIGH]
eAI Technologies' ERP application is vulnerable to DLL hijacking attacks that enable authenticated local users to achieve arbitrary code execution by placing a malicious DLL in the application directory. The vulnerability affects any system where non-administrative users have local access and can write to the ERP installation folder. No patch is currently available to remediate this issue.
Prototype pollution in Webaudiorecorder.js versions 0.1 and 0.1.1 allows authenticated remote attackers to modify object properties through the extend function in Dynamic Config Handling, potentially leading to information disclosure or data manipulation. Public exploit code exists for this vulnerability, though exploitation requires high complexity and specific preconditions. The vendor has not released a patch and did not respond to disclosure attempts.