RCE
Monthly
A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product.
Serviio PRO 1.8 and earlier versions contain an unquoted service path vulnerability combined with insecure directory permissions that allows local authenticated users to escalate privileges to SYSTEM level. A public exploit is available, making this vulnerability easily exploitable by any authenticated user on the system. With a CVSS score of 7.8 and multiple proof-of-concept exploits published, this represents a significant risk for organizations running affected versions.
A stored cross-site scripting (XSS) vulnerability exists in RealtyScript 4.0.2's admin locations interface, allowing unauthenticated attackers to inject malicious JavaScript through the location_name parameter. Successful exploitation enables arbitrary code execution in administrator browsers when they view compromised location entries. A public proof-of-concept exploit is available on Exploit-DB, though no active exploitation has been reported (not in CISA KEV).
Heap-based buffer overflow vulnerability in the DnsServer component of Tuya's arduino-TuyaOpen library (versions before 1.2.1) that allows attackers on the same LAN to execute arbitrary code on IoT/embedded devices by sending malicious DNS responses. With a CVSS score of 8.8 and tags indicating RCE capability, this represents a significant risk for connected embedded devices, though no active exploitation (not in KEV) or public PoC has been identified.
Single-byte buffer overflow vulnerability in the WiFiMulti component of arduino-TuyaOpen (versions before 1.2.1) that allows remote code execution when IoT devices connect to attacker-controlled WiFi access points. This affects Tuya's Arduino library used in smart home devices, with a CVSS score of 8.4, though the local attack vector (AV:L) suggests physical proximity is required despite the remote exploitation capability described.
Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software.
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by injecting malicious input through the --container parameter when deploying models to SageMaker. The vulnerability affects MLflow installations in development environments, CI/CD pipelines, and cloud deployments, with a CVSS score of 7.5 indicating high severity. No active exploitation or KEV listing is reported, and no EPSS data is available to assess real-world exploitation likelihood.
This issue affects Apache Spark: before 3.5.7 and 4.0.1.
AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import functionality that fails to validate file paths during ZIP extraction. An authenticated attacker with high privileges can craft a malicious ZIP file containing path traversal sequences that, when imported via the community hub, extract files outside the intended directory and achieve arbitrary code execution on the server. While the CVSS score is moderate (4.2) due to high privilege requirements and user interaction, the vulnerability enables code execution and should be addressed promptly.
PX4 autopilot versions prior to 1.17.0-rc2 contain a stack overflow vulnerability in the BST telemetry probe driver that allows a malicious BST device to trigger a buffer overflow by reporting an oversized dev_name_len parameter without bounds checking. An attacker with physical access to inject a malicious BST device can crash the autopilot task or potentially achieve arbitrary code execution, impacting drone flight safety and control systems. No active KEV exploitation data or public POC is currently documented, but the vulnerability is patched in version 1.17.0-rc2.
Code injection in SimpleEval when objects with dangerous attrs are passed. PoC available.
A Cross-Site Scripting (XSS) vulnerability in Angular's runtime and compiler allows attackers to bypass built-in sanitization when internationalization (i18n) is enabled on security-sensitive attributes like href, src, and action. The vulnerability affects Angular versions before 19.2.20, 20.3.18, 21.2.4, and 22.0.0-next.3, enabling attackers with low privileges to execute arbitrary JavaScript in users' browsers for session hijacking, data theft, and unauthorized actions. With a CVSS score of 8.6 and no current evidence of active exploitation or public POCs, this represents a serious but not yet weaponized threat to Angular applications using i18n features with user-controlled data.
Command injection RCE in claude-hovercraft tool. EPSS 1.3%.
CVE-2026-3084 is an integer underflow vulnerability in GStreamer's H.266 codec parser that allows remote code execution when processing malicious media files. The vulnerability affects all versions of GStreamer (CPE indicates wildcard versioning) and can be exploited through user interaction with specially crafted H.266 video content, allowing attackers to execute arbitrary code in the context of the application. No active exploitation (not in KEV) or public POC has been reported, and the relatively high CVSS score (7.8) is tempered by the local attack vector and user interaction requirement.
CVE-2026-2921 is an integer overflow vulnerability in GStreamer's RIFF palette handling for AVI files that allows remote code execution with a CVSS score of 7.8. The vulnerability affects all versions of GStreamer (based on CPE wildcard) and requires user interaction to exploit, such as opening a malicious AVI file. No evidence of active exploitation (not in KEV), no public POC mentioned, and EPSS data not provided.
Critical out-of-bounds write vulnerability in GStreamer's rtpqdm2depay component that allows remote code execution when processing malformed X-QDM RTP payloads. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction, though attack vectors vary by implementation. With a CVSS score of 8.8 and active patch available, this represents a significant risk for applications using GStreamer for media processing.
CVE-2026-3086 is an out-of-bounds write vulnerability in GStreamer's H.266 codec parser that allows remote code execution when processing malformed APS (Adaptation Parameter Set) units. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction to exploit, such as processing a malicious H.266 video file. No evidence of active exploitation (not in KEV), no public POC, and no EPSS score available yet.
Heap-based buffer overflow vulnerability in GStreamer's rtpqdm2depay component that allows remote attackers to execute arbitrary code when processing malformed X-QDM RTP payloads. The vulnerability affects all versions of GStreamer (CPE indicates no version restrictions) and requires user interaction to exploit, though attack vectors may vary based on implementation. No active exploitation is known (not in KEV), and no EPSS score is available to assess real-world exploitation probability.
Heap-based buffer overflow vulnerability in the GStreamer multimedia framework's JPEG parser that allows remote code execution when processing malicious Huffman tables. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction to exploit, with a CVSS score of 7.8. No active exploitation in the wild has been reported (not in KEV), and no EPSS data is available.
Stack-based buffer overflow in GStreamer's H.266 codec parser that allows remote code execution when processing malicious video files. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction to trigger, such as opening a malicious media file. No active exploitation (not in KEV) or public PoC has been reported, with EPSS data unavailable.
CVE-2026-2923 is an out-of-bounds write vulnerability in GStreamer's DVB Subtitles handling that allows remote code execution when processing malformed subtitle coordinates. This vulnerability affects all versions of GStreamer (CPE indicates no version restrictions) and requires user interaction to exploit, though attack vectors may vary by implementation. No evidence of active exploitation (not in KEV), no public POC available, and no EPSS data provided.
Critical remote code execution vulnerability in GStreamer's RealMedia demuxer component, allowing attackers to execute arbitrary code via malformed video packets that trigger an out-of-bounds write. The vulnerability affects all versions of GStreamer (CPE indicates wildcard versioning) and requires user interaction to process malicious media files. While no active exploitation is reported (not in KEV), the availability of a vendor patch and ZDI advisory suggests this vulnerability has been responsibly disclosed and addressed.
Heap-based buffer overflow vulnerability in GStreamer's ASF Demuxer component that allows remote attackers to execute arbitrary code when processing malicious ASF media files. The vulnerability requires user interaction (opening/processing a malicious file) and affects all versions of GStreamer based on the CPE data. No evidence of active exploitation (not in KEV) or public proof-of-concept exists, though Zero Day Initiative tracked it as ZDI-CAN-28843.
Critical path traversal vulnerability in Unraid's update.php file that allows authenticated remote attackers to execute arbitrary code as root. The vulnerability affects all versions of Unraid (per CPE data) and was discovered by Zero Day Initiative (ZDI-CAN-28951). With a CVSS score of 8.8 and requiring only low privileges, this represents a severe risk for Unraid installations.
CVE-2026-3562 is an authentication bypass vulnerability in Philips Hue Bridge's HAP (HomeKit Accessory Protocol) implementation, specifically within the ed25519_sign_open function that fails to properly verify Ed25519 cryptographic signatures. Network-adjacent attackers can exploit this flaw without authentication to execute arbitrary code on affected Hue Bridge installations. The CVSS score of 6.3 reflects moderate severity with local network access requirements, though the authentication bypass nature elevates real-world risk for smart home environments.
Heap-based buffer overflow vulnerability in Philips Hue Bridge devices that allows network-adjacent attackers to execute arbitrary code through malformed PUT requests to the HomeKit Accessory Protocol (HAP) characteristics endpoint. While authentication is normally required, the advisory notes the authentication mechanism can be bypassed, effectively allowing unauthenticated remote code execution. No EPSS score or KEV listing is available, suggesting this is not currently being exploited in the wild.
Heap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows unauthenticated network-adjacent attackers to execute arbitrary code. The vulnerability affects all versions of Philips Hue Bridge (CPE indicates no version restrictions) through the hk_hap_pair_storage_put function on TCP port 8080. No EPSS data or KEV listing is available, and while ZDI has published an advisory, no public POC or active exploitation has been reported.
Heap-based buffer overflow vulnerability in Philips Hue Bridge devices that allows network-adjacent attackers with authentication (which can be bypassed) to achieve remote code execution as root. The vulnerability affects the HomeKit Accessory Protocol (HAP) implementation on TCP port 8080 and has a high CVSS score of 8.0, though no active exploitation or public PoC has been reported.
Critical heap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows network-adjacent attackers to execute arbitrary code without authentication. The vulnerability affects all versions of Philips Hue Bridge (CPE indicates no version restriction) and stems from improper input validation in the hk_hap_pair_storage_put function. No active exploitation (not in KEV) or EPSS score is reported, but the high CVSS score (8.8) and RCE capability make this a significant threat for local network attackers.
Heap-based buffer overflow vulnerability in the Philips Hue Bridge's Zigbee stack that allows network-adjacent attackers to execute arbitrary code when users initiate device pairing. The vulnerability affects all versions of Philips Hue Bridge and has a CVSS score of 8.0, requiring physical proximity and user interaction to exploit. No EPSS data or KEV listing is available, suggesting this is not actively exploited in the wild.
XSS in AnythingLLM 1.11.1 and earlier.
Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript.
SQL injection in OneUptime telemetry API before 10.0.23.
Stack overflow in HMS Networks Ewon Flexy/Cosy+ firmware.
HMS Networks' industrial IoT gateways (Ewon Flexy and Cosy+) contain a command injection vulnerability that allows authenticated attackers to execute arbitrary OS commands remotely. This affects Flexy devices before firmware 15.0s4 and Cosy+ devices before 22.1s6 (22.x branch) or 23.0s3 (23.x branch). With a CVSS score of 8.8 but low EPSS of 0.06%, this vulnerability requires valid credentials but enables full system compromise.
JumpServer contains a Server-Side Template Injection (SSTI) vulnerability in its Applet and VirtualApp upload functionality that allows authenticated administrators to execute arbitrary code within the JumpServer Core container. The vulnerability affects JumpServer versions vulnerable to unsafe Jinja2 template rendering of user-uploaded YAML manifest files. While requiring high privilege level (Application Applet Management or Virtual Application Management permissions), successful exploitation results in complete container compromise with high confidentiality, integrity, and availability impact.
Unauthenticated attackers can trigger out-of-bounds memory access in the web interface of multiple Omada switches through improper input validation, potentially achieving remote code execution or causing denial-of-service. Affected products include Sg2005p PD 1.x, Sg2008 4.2x/4.3x, and Sg2008p 3.2x/3.3x, which require only network access to the vulnerable interface. A patch is available to address this high-severity vulnerability (CVSS 7.7).
create_function() sandbox bypass via unsanitized args passed to Function constructor. PoC available.
SandboxJS sandbox escape before 0.8.34 via Function access through arrays. CVSS 10.0.
Remote code execution in Clasp versions below 3.2.0 allows unauthenticated attackers to execute arbitrary code by uploading Google Apps Script projects with specially crafted filenames that exploit path traversal weaknesses. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires minimal user interaction and affects Google's Clasp tooling across all configurations.
Memory corruption vulnerability in all versions of Digilent DASYLab data acquisition software that occurs when processing maliciously crafted files, potentially allowing attackers to leak sensitive information or execute arbitrary code. The vulnerability requires user interaction (opening a malicious file) and has a CVSS score of 7.8, with no current evidence of active exploitation or public proof-of-concept code.
Memory corruption vulnerability in all versions of Digilent DASYLab software that allows attackers to achieve information disclosure or arbitrary code execution through specially crafted files. The vulnerability requires user interaction (opening a malicious file) and has a CVSS score of 7.8, with no current evidence of active exploitation (not in KEV) or public proof-of-concept code.
Memory corruption vulnerability in all versions of Digilent DASYLab that allows attackers to execute arbitrary code or steal information by tricking users into opening malicious files. The vulnerability has a CVSS score of 7.8 (High) and requires user interaction, with no evidence of active exploitation (not in KEV) or publicly available proof-of-concept code.
Memory corruption vulnerability in all versions of Digilent DASYLab data acquisition software that allows attackers to achieve arbitrary code execution or information disclosure by tricking users into opening malicious .DSB files. With a CVSS score of 7.8 and requiring only user interaction, this out-of-bounds write vulnerability poses significant risk, though no active exploitation or public POCs have been reported.
A code injection vulnerability in ILLID Advanced Woo Labels WordPress plugin (versions up to 2.36) allows authenticated administrators to execute arbitrary code through improper input validation, potentially leading to full site compromise. The vulnerability requires high privileges to exploit (CVSS 7.2), has no known active exploitation in the wild (not in CISA KEV), and carries a very low EPSS score of 0.00043 (0.043%), indicating minimal real-world exploitation likelihood despite the high CVSS score.
RCE via code injection in Modal Dialog WordPress plugin.
Arbitrary file upload in Pix for WooCommerce WordPress plugin.
Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a shortcode injection vulnerability that allows attackers to execute arbitrary shortcodes by including them in comment content sent via email notifications. Attackers can inject shortcodes like [contact-form-7] or [user_meta] in comments, which are executed server-side when the WpdiscuzHelperEmail class processes notifications through do_shortcode() before wp_mai...
D-Link DIR-513 router (v1.10) has a stack buffer overflow in the curTime parameter of formSetWizardSelectMode. This is an end-of-life router with no expected patch, meaning exploitation will remain possible indefinitely.
Remote code execution in Dataease prior to version 2.10.20 allows authenticated attackers to execute arbitrary code by manipulating the IniFile parameter to load malicious JDBC configuration files through the Redshift driver. An attacker with valid credentials can exploit the aggressive configuration file discovery mechanism to inject dangerous JDBC properties and gain complete system compromise. No patch is currently available, leaving affected deployments vulnerable to this high-severity attack vector.
Veeam Backup & Replication allows a user with the Backup Viewer role (read-only) to escalate to remote code execution as the postgres database user. A read-only role achieving RCE represents a severe privilege escalation with scope change.
Veeam Backup & Replication allows Backup Administrators to achieve RCE in high-availability deployments. While requiring admin-level access, the scope change to the HA infrastructure makes this critical for organizations running Veeam in HA mode.
Yet another Veeam Backup & Replication RCE vulnerability allowing authenticated domain users to execute code on the Backup Server with scope change (CVSS 9.9). Part of a cluster of related Veeam vulnerabilities disclosed together.
A second RCE vulnerability in Veeam Backup & Replication allows any authenticated domain user to execute code on the Backup Server with scope change. Same impact as CVE-2026-21666 but through a different attack vector.
Veeam Backup & Replication allows an authenticated domain user to achieve remote code execution on the Backup Server. With a scope change to CVSS 9.9, a compromised domain account can fully take over the backup infrastructure.
SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated RCE through pickle deserialization in the disaggregation module's inter-process communication. Same class of vulnerability as CVE-2026-3059 in a different code path.
SGLang's multimodal generation module deserializes untrusted data with pickle.loads() over an unauthenticated ZMQ broker, enabling remote code execution. Any attacker who can reach the ZMQ port can execute arbitrary Python code on the ML inference server.
An Incorrect Permission Assignment vulnerability exists in the ASUS Business System Control Interface driver.
Lenovo Filez fails to properly validate SSL/TLS certificates, enabling network-positioned attackers to intercept traffic and execute arbitrary code on affected systems. An attacker with the ability to perform man-in-the-middle attacks can exploit this weakness to compromise user devices without authentication. No patch is currently available to remediate this vulnerability.
ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. [CVSS 7.5 HIGH]
RCE in NetGain EM Plus 10.1.68. PoC available.
OGNL injection in Epross AVCON6 management platform. PoC available.
Arbitrary OS command execution in Cloud CLI versions prior to 1.24.0 allows authenticated users to inject malicious commands through improperly sanitized git configuration parameters passed to shell execution functions. The /api/user/git-config endpoint fails to properly escape bash metacharacters like backticks and $() substitutions, enabling attackers to execute arbitrary operating system commands with application privileges. No patch is currently available for affected deployments.
Remote code execution in Craft CMS 5 allows authenticated Control Panel users with basic access (including non-admin roles like Author or Editor) to execute arbitrary code by injecting malicious Twig templates through condition rule parameters. The vulnerability exploits an unsandboxed template rendering function that bypasses all security hardening settings, affecting versions prior to 5.9.9 and 4.17.4. No patch is currently available for this HIGH severity vulnerability.
Arbitrary code execution in Jellyfin iOS GitHub Actions workflow. CVSS 10.0.
Critical vulnerability in Lantronix EDS serial device server (EDS5000/EDS3000PS). Multiple injection and auth bypass vulnerabilities in the management interface.
RCE in OpenClaw Agent Platform v2026.2.6 via prompt injection.
Arbitrary plugin installation and remote code execution in ExactMetrics WordPress plugin versions 8.6.0-9.0.2 allows authenticated users with report-viewing permissions to bypass administrative capability checks via parameter manipulation. An attacker can exploit an Insecure Direct Object Reference in the onboarding process to install malicious plugins and execute arbitrary code on vulnerable WordPress installations. This vulnerability requires the site administrator to have previously granted non-admin users report access permissions.
LFI to RCE in IFTOP by WellChoose.
Royal Addons for Elementor (WordPress plugin) versions up to 1.7.1049. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Authenticated attackers can execute arbitrary OS commands on AOS-CX Switches through improper input validation in the CLI, potentially compromising network infrastructure. This command injection flaw (CWE-78) affects high-privileged users with network access and carries a CVSS score of 7.2, with no patch currently available.
Unauthenticated local attackers can achieve remote code execution on Android devices through out-of-bounds memory writes that corrupt process memory. This vulnerability requires no user interaction or elevated privileges to exploit and has a CVSS score of 8.4. No patch is currently available.
Modem has a fifth OOB write enabling remote privilege escalation.
Samsung/Google MFC driver has an OOB write in mfc_core_isr.c enabling kernel-level privilege escalation on Android devices.
Modem has a fourth OOB write due to incorrect bounds check.
IBM Trusteer Rapport 3.5.2309.290 contains an insecure DLL search path vulnerability that allows local attackers to execute arbitrary code by planting a malicious file in a compromised directory. The attack requires local system access but no user interaction or elevated privileges, making it exploitable by any local user. No patch is currently available for this high-severity vulnerability.
GetSimple CMS massiveAdmin plugin has a CSRF vulnerability enabling attackers to perform admin actions through crafted malicious pages.
MCP Atlassian server has a path traversal vulnerability enabling unauthorized access to Confluence and Jira data outside the intended scope.
simple-git Node.js library has a command injection vulnerability (EPSS with patch) enabling RCE when processing untrusted git operations.
Arbitrary code execution in DNG SDK 1.7.1 2471 and earlier via an out-of-bounds write vulnerability that executes with user privileges when a victim opens a malicious file. The vulnerability requires user interaction but no special privileges, making it exploitable through social engineering with crafted documents. No patch is currently available for affected DNG Software Development Kit users.
Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability triggered when users open malicious files. An attacker can execute code with the privileges of the affected user, requiring only social engineering to deliver the malicious file. No patch is currently available for this high-severity vulnerability.
Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability triggered by opening a malicious file. An attacker can achieve code execution with user privileges by crafting a weaponized file and socially engineering a victim into opening it. No patch is currently available for this high-severity vulnerability.
Arbitrary code execution in Adobe Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability that executes with user privileges when a victim opens a crafted file. The vulnerability requires user interaction but no special permissions, making it a practical attack vector for local exploitation. No patch is currently available.
Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability triggered by opening a malicious file. Users running affected versions face code execution at their privilege level with no available patch. This requires social engineering to trick users into opening a crafted file.
Remote code execution in GitHub Enterprise Server allows authenticated users with repository push access to execute arbitrary code via unsanitized push option values that bypass internal header validation. An attacker can inject malicious metadata fields by exploiting insufficient input sanitization in the git push operation handler. This high-severity vulnerability affects GitHub Enterprise Server versions prior to 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, and 3.19.3, with no patch currently available for all affected installations.
Gas station automation system BUK TS-G 2.9.1 has a SQL injection enabling compromise of fuel management and transaction data.
OneUptime prior to 10.0.21 has a fourth vulnerability in Synthetic monitoring exposing dangerous functionality.
Arbitrary code execution in Uderzo Software SpaceSniffer v.2.0.5.18 results from a buffer overflow vulnerability triggered by processing malicious .sns snapshot files. An attacker with local access can craft a specially formatted file to achieve code execution with high privileges. No patch is currently available for this vulnerability.
Insufficient input validation in SICAM SIAPP SDK versions prior to V2.1.7 enables stack overflow attacks, permitting local attackers to execute arbitrary code or trigger denial of service. The vulnerability affects all versions below the patched release, with no currently available remediation for deployed systems. Attackers with local access can leverage malformed input to corrupt the stack and gain code execution privileges.
Out-of-bounds write vulnerability in SICAM SIAPP SDK versions prior to V2.1.7 allows local attackers to corrupt memory and achieve arbitrary code execution or denial of service. The vulnerability requires local access and specific conditions to trigger, but no patch is currently available. Affected organizations using vulnerable SDK versions should immediately implement compensating controls or upgrade to V2.1.7 or later.
A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product.
Serviio PRO 1.8 and earlier versions contain an unquoted service path vulnerability combined with insecure directory permissions that allows local authenticated users to escalate privileges to SYSTEM level. A public exploit is available, making this vulnerability easily exploitable by any authenticated user on the system. With a CVSS score of 7.8 and multiple proof-of-concept exploits published, this represents a significant risk for organizations running affected versions.
A stored cross-site scripting (XSS) vulnerability exists in RealtyScript 4.0.2's admin locations interface, allowing unauthenticated attackers to inject malicious JavaScript through the location_name parameter. Successful exploitation enables arbitrary code execution in administrator browsers when they view compromised location entries. A public proof-of-concept exploit is available on Exploit-DB, though no active exploitation has been reported (not in CISA KEV).
Heap-based buffer overflow vulnerability in the DnsServer component of Tuya's arduino-TuyaOpen library (versions before 1.2.1) that allows attackers on the same LAN to execute arbitrary code on IoT/embedded devices by sending malicious DNS responses. With a CVSS score of 8.8 and tags indicating RCE capability, this represents a significant risk for connected embedded devices, though no active exploitation (not in KEV) or public PoC has been identified.
Single-byte buffer overflow vulnerability in the WiFiMulti component of arduino-TuyaOpen (versions before 1.2.1) that allows remote code execution when IoT devices connect to attacker-controlled WiFi access points. This affects Tuya's Arduino library used in smart home devices, with a CVSS score of 8.4, though the local attack vector (AV:L) suggests physical proximity is required despite the remote exploitation capability described.
Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software.
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by injecting malicious input through the --container parameter when deploying models to SageMaker. The vulnerability affects MLflow installations in development environments, CI/CD pipelines, and cloud deployments, with a CVSS score of 7.5 indicating high severity. No active exploitation or KEV listing is reported, and no EPSS data is available to assess real-world exploitation likelihood.
This issue affects Apache Spark: before 3.5.7 and 4.0.1.
AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import functionality that fails to validate file paths during ZIP extraction. An authenticated attacker with high privileges can craft a malicious ZIP file containing path traversal sequences that, when imported via the community hub, extract files outside the intended directory and achieve arbitrary code execution on the server. While the CVSS score is moderate (4.2) due to high privilege requirements and user interaction, the vulnerability enables code execution and should be addressed promptly.
PX4 autopilot versions prior to 1.17.0-rc2 contain a stack overflow vulnerability in the BST telemetry probe driver that allows a malicious BST device to trigger a buffer overflow by reporting an oversized dev_name_len parameter without bounds checking. An attacker with physical access to inject a malicious BST device can crash the autopilot task or potentially achieve arbitrary code execution, impacting drone flight safety and control systems. No active KEV exploitation data or public POC is currently documented, but the vulnerability is patched in version 1.17.0-rc2.
Code injection in SimpleEval when objects with dangerous attrs are passed. PoC available.
A Cross-Site Scripting (XSS) vulnerability in Angular's runtime and compiler allows attackers to bypass built-in sanitization when internationalization (i18n) is enabled on security-sensitive attributes like href, src, and action. The vulnerability affects Angular versions before 19.2.20, 20.3.18, 21.2.4, and 22.0.0-next.3, enabling attackers with low privileges to execute arbitrary JavaScript in users' browsers for session hijacking, data theft, and unauthorized actions. With a CVSS score of 8.6 and no current evidence of active exploitation or public POCs, this represents a serious but not yet weaponized threat to Angular applications using i18n features with user-controlled data.
Command injection RCE in claude-hovercraft tool. EPSS 1.3%.
CVE-2026-3084 is an integer underflow vulnerability in GStreamer's H.266 codec parser that allows remote code execution when processing malicious media files. The vulnerability affects all versions of GStreamer (CPE indicates wildcard versioning) and can be exploited through user interaction with specially crafted H.266 video content, allowing attackers to execute arbitrary code in the context of the application. No active exploitation (not in KEV) or public POC has been reported, and the relatively high CVSS score (7.8) is tempered by the local attack vector and user interaction requirement.
CVE-2026-2921 is an integer overflow vulnerability in GStreamer's RIFF palette handling for AVI files that allows remote code execution with a CVSS score of 7.8. The vulnerability affects all versions of GStreamer (based on CPE wildcard) and requires user interaction to exploit, such as opening a malicious AVI file. No evidence of active exploitation (not in KEV), no public POC mentioned, and EPSS data not provided.
Critical out-of-bounds write vulnerability in GStreamer's rtpqdm2depay component that allows remote code execution when processing malformed X-QDM RTP payloads. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction, though attack vectors vary by implementation. With a CVSS score of 8.8 and active patch available, this represents a significant risk for applications using GStreamer for media processing.
CVE-2026-3086 is an out-of-bounds write vulnerability in GStreamer's H.266 codec parser that allows remote code execution when processing malformed APS (Adaptation Parameter Set) units. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction to exploit, such as processing a malicious H.266 video file. No evidence of active exploitation (not in KEV), no public POC, and no EPSS score available yet.
Heap-based buffer overflow vulnerability in GStreamer's rtpqdm2depay component that allows remote attackers to execute arbitrary code when processing malformed X-QDM RTP payloads. The vulnerability affects all versions of GStreamer (CPE indicates no version restrictions) and requires user interaction to exploit, though attack vectors may vary based on implementation. No active exploitation is known (not in KEV), and no EPSS score is available to assess real-world exploitation probability.
Heap-based buffer overflow vulnerability in the GStreamer multimedia framework's JPEG parser that allows remote code execution when processing malicious Huffman tables. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction to exploit, with a CVSS score of 7.8. No active exploitation in the wild has been reported (not in KEV), and no EPSS data is available.
Stack-based buffer overflow in GStreamer's H.266 codec parser that allows remote code execution when processing malicious video files. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction to trigger, such as opening a malicious media file. No active exploitation (not in KEV) or public PoC has been reported, with EPSS data unavailable.
CVE-2026-2923 is an out-of-bounds write vulnerability in GStreamer's DVB Subtitles handling that allows remote code execution when processing malformed subtitle coordinates. This vulnerability affects all versions of GStreamer (CPE indicates no version restrictions) and requires user interaction to exploit, though attack vectors may vary by implementation. No evidence of active exploitation (not in KEV), no public POC available, and no EPSS data provided.
Critical remote code execution vulnerability in GStreamer's RealMedia demuxer component, allowing attackers to execute arbitrary code via malformed video packets that trigger an out-of-bounds write. The vulnerability affects all versions of GStreamer (CPE indicates wildcard versioning) and requires user interaction to process malicious media files. While no active exploitation is reported (not in KEV), the availability of a vendor patch and ZDI advisory suggests this vulnerability has been responsibly disclosed and addressed.
Heap-based buffer overflow vulnerability in GStreamer's ASF Demuxer component that allows remote attackers to execute arbitrary code when processing malicious ASF media files. The vulnerability requires user interaction (opening/processing a malicious file) and affects all versions of GStreamer based on the CPE data. No evidence of active exploitation (not in KEV) or public proof-of-concept exists, though Zero Day Initiative tracked it as ZDI-CAN-28843.
Critical path traversal vulnerability in Unraid's update.php file that allows authenticated remote attackers to execute arbitrary code as root. The vulnerability affects all versions of Unraid (per CPE data) and was discovered by Zero Day Initiative (ZDI-CAN-28951). With a CVSS score of 8.8 and requiring only low privileges, this represents a severe risk for Unraid installations.
CVE-2026-3562 is an authentication bypass vulnerability in Philips Hue Bridge's HAP (HomeKit Accessory Protocol) implementation, specifically within the ed25519_sign_open function that fails to properly verify Ed25519 cryptographic signatures. Network-adjacent attackers can exploit this flaw without authentication to execute arbitrary code on affected Hue Bridge installations. The CVSS score of 6.3 reflects moderate severity with local network access requirements, though the authentication bypass nature elevates real-world risk for smart home environments.
Heap-based buffer overflow vulnerability in Philips Hue Bridge devices that allows network-adjacent attackers to execute arbitrary code through malformed PUT requests to the HomeKit Accessory Protocol (HAP) characteristics endpoint. While authentication is normally required, the advisory notes the authentication mechanism can be bypassed, effectively allowing unauthenticated remote code execution. No EPSS score or KEV listing is available, suggesting this is not currently being exploited in the wild.
Heap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows unauthenticated network-adjacent attackers to execute arbitrary code. The vulnerability affects all versions of Philips Hue Bridge (CPE indicates no version restrictions) through the hk_hap_pair_storage_put function on TCP port 8080. No EPSS data or KEV listing is available, and while ZDI has published an advisory, no public POC or active exploitation has been reported.
Heap-based buffer overflow vulnerability in Philips Hue Bridge devices that allows network-adjacent attackers with authentication (which can be bypassed) to achieve remote code execution as root. The vulnerability affects the HomeKit Accessory Protocol (HAP) implementation on TCP port 8080 and has a high CVSS score of 8.0, though no active exploitation or public PoC has been reported.
Critical heap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows network-adjacent attackers to execute arbitrary code without authentication. The vulnerability affects all versions of Philips Hue Bridge (CPE indicates no version restriction) and stems from improper input validation in the hk_hap_pair_storage_put function. No active exploitation (not in KEV) or EPSS score is reported, but the high CVSS score (8.8) and RCE capability make this a significant threat for local network attackers.
Heap-based buffer overflow vulnerability in the Philips Hue Bridge's Zigbee stack that allows network-adjacent attackers to execute arbitrary code when users initiate device pairing. The vulnerability affects all versions of Philips Hue Bridge and has a CVSS score of 8.0, requiring physical proximity and user interaction to exploit. No EPSS data or KEV listing is available, suggesting this is not actively exploited in the wild.
XSS in AnythingLLM 1.11.1 and earlier.
Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript.
SQL injection in OneUptime telemetry API before 10.0.23.
Stack overflow in HMS Networks Ewon Flexy/Cosy+ firmware.
HMS Networks' industrial IoT gateways (Ewon Flexy and Cosy+) contain a command injection vulnerability that allows authenticated attackers to execute arbitrary OS commands remotely. This affects Flexy devices before firmware 15.0s4 and Cosy+ devices before 22.1s6 (22.x branch) or 23.0s3 (23.x branch). With a CVSS score of 8.8 but low EPSS of 0.06%, this vulnerability requires valid credentials but enables full system compromise.
JumpServer contains a Server-Side Template Injection (SSTI) vulnerability in its Applet and VirtualApp upload functionality that allows authenticated administrators to execute arbitrary code within the JumpServer Core container. The vulnerability affects JumpServer versions vulnerable to unsafe Jinja2 template rendering of user-uploaded YAML manifest files. While requiring high privilege level (Application Applet Management or Virtual Application Management permissions), successful exploitation results in complete container compromise with high confidentiality, integrity, and availability impact.
Unauthenticated attackers can trigger out-of-bounds memory access in the web interface of multiple Omada switches through improper input validation, potentially achieving remote code execution or causing denial-of-service. Affected products include Sg2005p PD 1.x, Sg2008 4.2x/4.3x, and Sg2008p 3.2x/3.3x, which require only network access to the vulnerable interface. A patch is available to address this high-severity vulnerability (CVSS 7.7).
create_function() sandbox bypass via unsanitized args passed to Function constructor. PoC available.
SandboxJS sandbox escape before 0.8.34 via Function access through arrays. CVSS 10.0.
Remote code execution in Clasp versions below 3.2.0 allows unauthenticated attackers to execute arbitrary code by uploading Google Apps Script projects with specially crafted filenames that exploit path traversal weaknesses. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires minimal user interaction and affects Google's Clasp tooling across all configurations.
Memory corruption vulnerability in all versions of Digilent DASYLab data acquisition software that occurs when processing maliciously crafted files, potentially allowing attackers to leak sensitive information or execute arbitrary code. The vulnerability requires user interaction (opening a malicious file) and has a CVSS score of 7.8, with no current evidence of active exploitation or public proof-of-concept code.
Memory corruption vulnerability in all versions of Digilent DASYLab software that allows attackers to achieve information disclosure or arbitrary code execution through specially crafted files. The vulnerability requires user interaction (opening a malicious file) and has a CVSS score of 7.8, with no current evidence of active exploitation (not in KEV) or public proof-of-concept code.
Memory corruption vulnerability in all versions of Digilent DASYLab that allows attackers to execute arbitrary code or steal information by tricking users into opening malicious files. The vulnerability has a CVSS score of 7.8 (High) and requires user interaction, with no evidence of active exploitation (not in KEV) or publicly available proof-of-concept code.
Memory corruption vulnerability in all versions of Digilent DASYLab data acquisition software that allows attackers to achieve arbitrary code execution or information disclosure by tricking users into opening malicious .DSB files. With a CVSS score of 7.8 and requiring only user interaction, this out-of-bounds write vulnerability poses significant risk, though no active exploitation or public POCs have been reported.
A code injection vulnerability in ILLID Advanced Woo Labels WordPress plugin (versions up to 2.36) allows authenticated administrators to execute arbitrary code through improper input validation, potentially leading to full site compromise. The vulnerability requires high privileges to exploit (CVSS 7.2), has no known active exploitation in the wild (not in CISA KEV), and carries a very low EPSS score of 0.00043 (0.043%), indicating minimal real-world exploitation likelihood despite the high CVSS score.
RCE via code injection in Modal Dialog WordPress plugin.
Arbitrary file upload in Pix for WooCommerce WordPress plugin.
Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a shortcode injection vulnerability that allows attackers to execute arbitrary shortcodes by including them in comment content sent via email notifications. Attackers can inject shortcodes like [contact-form-7] or [user_meta] in comments, which are executed server-side when the WpdiscuzHelperEmail class processes notifications through do_shortcode() before wp_mai...
D-Link DIR-513 router (v1.10) has a stack buffer overflow in the curTime parameter of formSetWizardSelectMode. This is an end-of-life router with no expected patch, meaning exploitation will remain possible indefinitely.
Remote code execution in Dataease prior to version 2.10.20 allows authenticated attackers to execute arbitrary code by manipulating the IniFile parameter to load malicious JDBC configuration files through the Redshift driver. An attacker with valid credentials can exploit the aggressive configuration file discovery mechanism to inject dangerous JDBC properties and gain complete system compromise. No patch is currently available, leaving affected deployments vulnerable to this high-severity attack vector.
Veeam Backup & Replication allows a user with the Backup Viewer role (read-only) to escalate to remote code execution as the postgres database user. A read-only role achieving RCE represents a severe privilege escalation with scope change.
Veeam Backup & Replication allows Backup Administrators to achieve RCE in high-availability deployments. While requiring admin-level access, the scope change to the HA infrastructure makes this critical for organizations running Veeam in HA mode.
Yet another Veeam Backup & Replication RCE vulnerability allowing authenticated domain users to execute code on the Backup Server with scope change (CVSS 9.9). Part of a cluster of related Veeam vulnerabilities disclosed together.
A second RCE vulnerability in Veeam Backup & Replication allows any authenticated domain user to execute code on the Backup Server with scope change. Same impact as CVE-2026-21666 but through a different attack vector.
Veeam Backup & Replication allows an authenticated domain user to achieve remote code execution on the Backup Server. With a scope change to CVSS 9.9, a compromised domain account can fully take over the backup infrastructure.
SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated RCE through pickle deserialization in the disaggregation module's inter-process communication. Same class of vulnerability as CVE-2026-3059 in a different code path.
SGLang's multimodal generation module deserializes untrusted data with pickle.loads() over an unauthenticated ZMQ broker, enabling remote code execution. Any attacker who can reach the ZMQ port can execute arbitrary Python code on the ML inference server.
An Incorrect Permission Assignment vulnerability exists in the ASUS Business System Control Interface driver.
Lenovo Filez fails to properly validate SSL/TLS certificates, enabling network-positioned attackers to intercept traffic and execute arbitrary code on affected systems. An attacker with the ability to perform man-in-the-middle attacks can exploit this weakness to compromise user devices without authentication. No patch is currently available to remediate this vulnerability.
ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. [CVSS 7.5 HIGH]
RCE in NetGain EM Plus 10.1.68. PoC available.
OGNL injection in Epross AVCON6 management platform. PoC available.
Arbitrary OS command execution in Cloud CLI versions prior to 1.24.0 allows authenticated users to inject malicious commands through improperly sanitized git configuration parameters passed to shell execution functions. The /api/user/git-config endpoint fails to properly escape bash metacharacters like backticks and $() substitutions, enabling attackers to execute arbitrary operating system commands with application privileges. No patch is currently available for affected deployments.
Remote code execution in Craft CMS 5 allows authenticated Control Panel users with basic access (including non-admin roles like Author or Editor) to execute arbitrary code by injecting malicious Twig templates through condition rule parameters. The vulnerability exploits an unsandboxed template rendering function that bypasses all security hardening settings, affecting versions prior to 5.9.9 and 4.17.4. No patch is currently available for this HIGH severity vulnerability.
Arbitrary code execution in Jellyfin iOS GitHub Actions workflow. CVSS 10.0.
Critical vulnerability in Lantronix EDS serial device server (EDS5000/EDS3000PS). Multiple injection and auth bypass vulnerabilities in the management interface.
RCE in OpenClaw Agent Platform v2026.2.6 via prompt injection.
Arbitrary plugin installation and remote code execution in ExactMetrics WordPress plugin versions 8.6.0-9.0.2 allows authenticated users with report-viewing permissions to bypass administrative capability checks via parameter manipulation. An attacker can exploit an Insecure Direct Object Reference in the onboarding process to install malicious plugins and execute arbitrary code on vulnerable WordPress installations. This vulnerability requires the site administrator to have previously granted non-admin users report access permissions.
LFI to RCE in IFTOP by WellChoose.
Royal Addons for Elementor (WordPress plugin) versions up to 1.7.1049. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Authenticated attackers can execute arbitrary OS commands on AOS-CX Switches through improper input validation in the CLI, potentially compromising network infrastructure. This command injection flaw (CWE-78) affects high-privileged users with network access and carries a CVSS score of 7.2, with no patch currently available.
Unauthenticated local attackers can achieve remote code execution on Android devices through out-of-bounds memory writes that corrupt process memory. This vulnerability requires no user interaction or elevated privileges to exploit and has a CVSS score of 8.4. No patch is currently available.
Modem has a fifth OOB write enabling remote privilege escalation.
Samsung/Google MFC driver has an OOB write in mfc_core_isr.c enabling kernel-level privilege escalation on Android devices.
Modem has a fourth OOB write due to incorrect bounds check.
IBM Trusteer Rapport 3.5.2309.290 contains an insecure DLL search path vulnerability that allows local attackers to execute arbitrary code by planting a malicious file in a compromised directory. The attack requires local system access but no user interaction or elevated privileges, making it exploitable by any local user. No patch is currently available for this high-severity vulnerability.
GetSimple CMS massiveAdmin plugin has a CSRF vulnerability enabling attackers to perform admin actions through crafted malicious pages.
MCP Atlassian server has a path traversal vulnerability enabling unauthorized access to Confluence and Jira data outside the intended scope.
simple-git Node.js library has a command injection vulnerability (EPSS with patch) enabling RCE when processing untrusted git operations.
Arbitrary code execution in DNG SDK 1.7.1 2471 and earlier via an out-of-bounds write vulnerability that executes with user privileges when a victim opens a malicious file. The vulnerability requires user interaction but no special privileges, making it exploitable through social engineering with crafted documents. No patch is currently available for affected DNG Software Development Kit users.
Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability triggered when users open malicious files. An attacker can execute code with the privileges of the affected user, requiring only social engineering to deliver the malicious file. No patch is currently available for this high-severity vulnerability.
Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability triggered by opening a malicious file. An attacker can achieve code execution with user privileges by crafting a weaponized file and socially engineering a victim into opening it. No patch is currently available for this high-severity vulnerability.
Arbitrary code execution in Adobe Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability that executes with user privileges when a victim opens a crafted file. The vulnerability requires user interaction but no special permissions, making it a practical attack vector for local exploitation. No patch is currently available.
Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability triggered by opening a malicious file. Users running affected versions face code execution at their privilege level with no available patch. This requires social engineering to trick users into opening a crafted file.
Remote code execution in GitHub Enterprise Server allows authenticated users with repository push access to execute arbitrary code via unsanitized push option values that bypass internal header validation. An attacker can inject malicious metadata fields by exploiting insufficient input sanitization in the git push operation handler. This high-severity vulnerability affects GitHub Enterprise Server versions prior to 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, and 3.19.3, with no patch currently available for all affected installations.
Gas station automation system BUK TS-G 2.9.1 has a SQL injection enabling compromise of fuel management and transaction data.
OneUptime prior to 10.0.21 has a fourth vulnerability in Synthetic monitoring exposing dangerous functionality.
Arbitrary code execution in Uderzo Software SpaceSniffer v.2.0.5.18 results from a buffer overflow vulnerability triggered by processing malicious .sns snapshot files. An attacker with local access can craft a specially formatted file to achieve code execution with high privileges. No patch is currently available for this vulnerability.
Insufficient input validation in SICAM SIAPP SDK versions prior to V2.1.7 enables stack overflow attacks, permitting local attackers to execute arbitrary code or trigger denial of service. The vulnerability affects all versions below the patched release, with no currently available remediation for deployed systems. Attackers with local access can leverage malformed input to corrupt the stack and gain code execution privileges.
Out-of-bounds write vulnerability in SICAM SIAPP SDK versions prior to V2.1.7 allows local attackers to corrupt memory and achieve arbitrary code execution or denial of service. The vulnerability requires local access and specific conditions to trigger, but no patch is currently available. Affected organizations using vulnerable SDK versions should immediately implement compensating controls or upgrade to V2.1.7 or later.