Skip to main content

RCE

31871 CVEs technique

Monthly

CVE-2026-40783 CRITICAL Act Now

Remote code execution in Blocksy Companion Pro (Creative Themes) versions 2.1.37 and earlier allows authenticated users with Contributor-level WordPress privileges to inject and execute arbitrary code on the underlying server. The flaw carries a CVSS 3.1 base score of 9.9 with scope change, reflecting that successful exploitation breaks out of the WordPress application context. No public exploit identified at time of analysis, but Patchstack has catalogued the issue in its WordPress vulnerability database.

Code Injection RCE Blocksy Companion Pro
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-12466 HIGH PATCH This Week

Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Google Microsoft Heap Overflow RCE Buffer Overflow +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-12462 HIGH PATCH This Week

Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Google Use After Free RCE Memory Corruption Denial Of Service +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-12447 HIGH PATCH This Week

Heap buffer overflow in WebRTC in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Google Heap Overflow RCE Buffer Overflow Red Hat +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-12443 HIGH PATCH This Week

Use after free in Web Authentication in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

Google Use After Free RCE Memory Corruption Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-12442 HIGH PATCH This Week

Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

Google Use After Free RCE Memory Corruption Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-36418 CRITICAL Act Now

JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing attackers to execute arbitrary code.

RCE N A Code Injection
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-27783 Go MEDIUM PATCH GHSA This Month

Missing repository-unit authorization on three Gitea API endpoints allows authenticated users with only non-Code unit access (e.g., an Issues-only organization team member) to read `.gitea/ISSUE_TEMPLATE/*` and `issue_config.yaml` files from the Code default branch of a private repository. The CVSS score of 4.3 (PR:L, C:L) accurately reflects the narrow scope: exploitation is limited to those specific configuration files, not arbitrary source code. A proof of concept is publicly documented in the vendor advisory (GHSA-3fwp-p5rj-2pxf); no active exploitation is confirmed in the CISA KEV catalog at time of analysis.

Gitea Authentication Bypass RCE
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-25470 CRITICAL Act Now

Remote code execution in the ACPT (Pro) - Custom Post Types Plugin for WordPress (versions through 2.0.47) allows unauthenticated remote attackers to inject and execute arbitrary code on the underlying WordPress host. The CVSS 3.1 base score of 10.0 with a scope change (S:C) indicates the flaw escapes the plugin sandbox and compromises the entire WordPress installation. No public exploit has been identified at time of analysis, but the trivial attack profile (network, no auth, no UI) makes this a high-priority patching target.

Code Injection WordPress RCE Acpt Pro Custom Post Types Plugin For Wordpress
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-50574 PyPI CRITICAL POC PATCH GHSA Act Now

Arbitrary code execution in yt-dlp versions before 2026.06.09 occurs when aria2c is selected as the external downloader for fragmented HLS/DASH streams, allowing a malicious manifest or metadata server to inject options into aria2c's input file and write attacker-controlled files. On Windows this yields immediate code execution via a planted ffmpeg.exe, while on all platforms it enables code execution on the next run via a planted yt-dlp.conf with a malicious --exec. CVSS is 9.6 (critical), but there is no public exploit identified at time of analysis, EPSS is low (0.40%, 32th percentile), and CISA SSVC marks exploitation as none.

Microsoft RCE
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-54321 Go HIGH PATCH GHSA This Week

Stale authorization caching in Daytona's preview proxy allows unauthenticated access to sandbox previews for a bounded window after their owner switches visibility from public back to private. The flaw affects versions 0.101.0 through 0.183.0 and is limited to ordinary preview ports - terminal, toolbox, and recording-dashboard ports remained protected. No public exploit identified at time of analysis, and the GitHub advisory tags suggesting RCE/Privilege Escalation contradict the advisory's own impact statement, which explicitly rules both out.

Privilege Escalation RCE
NVD GitHub
CVSS 3.1
7.0
EPSS
0.2%
CVE-2026-50023 PyPI CRITICAL PATCH GHSA Act Now

Arbitrary OS-shortcut file write in yt-dlp before 2026.06.09 lets a remote attacker plant malicious `.desktop`, `.url`, or `.webloc` files on a victim's machine, reviving the attack surface that CVE-2024-38519 was meant to close. Because numerous extractors derive output file extensions from attacker-controlled sources (e.g. an m3u8 `EXT-X-MEDIA:TYPE=SUBTITLES` URI), a user who downloads from a malicious URL with options like `--write-subs` will silently receive a shortcut file containing attacker-chosen shell commands or remote-executable links. A vendor proof-of-concept demonstrating code execution via a planted `.desktop` file is publicly available; it is not listed in CISA KEV, and EPSS is low at 0.54% (41st percentile).

Microsoft RCE
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.5%
CVE-2026-49113 HIGH PATCH This Week

Arbitrary code execution in Themeco Cornerstone WordPress plugin versions prior to 7.8.8 allows authenticated low-privilege users (Subscriber role) to inject and execute arbitrary code on the underlying server. The CVSS:3.1 vector indicates a scope-changed network-vector flaw with high impact on confidentiality, integrity, and availability, though high attack complexity tempers the realistic risk. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Code Injection RCE Cornerstone
NVD
CVSS 3.1
8.5
EPSS
0.4%
CVE-2026-53753 PyPI CRITICAL PATCH GHSA Act Now

Unauthenticated remote code execution in Crawl4AI's Docker API (versions <= 0.8.6) lets attackers escape the computed-fields expression sandbox and run arbitrary OS commands inside the container. The AST validator behind `_safe_eval_expression()` only blocked attribute names beginning with an underscore, so a crafted `JsonCssExtractionStrategy` schema can reach generator/frame attributes (`gi_frame`, `f_back`, `f_builtins`) to recover the real `__import__` and execute code. Because JWT auth is disabled by default, a single `POST /crawl` request suffices; publicly available exploit code exists (SSVC: PoC) and the vendor rates it CVSS 10.0, though EPSS is low at 0.45%.

Python Code Injection RCE Docker
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-50135 Go MEDIUM PATCH GHSA This Month

Symlink confinement bypass in Hugo static site generator v0.123.0 through v0.161.1 allows an attacker who can place a symlink inside a locally-mounted directory - such as a vendored theme under `themes/` - to read arbitrary files accessible to the user running the `hugo` build process. The regression in `RootMappingFs.statRoot` (calling `Stat` instead of `Lstat`) defeats the virtual filesystem's mount boundary enforcement specifically for `resources.Get` direct lookups, while multi-directory walks remained unaffected. No public exploit is identified at time of analysis, but the patch commit and regression test scripts are publicly available on GitHub; the vulnerability is not in CISA KEV.

RCE
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-46851 HIGH This Week

Remote takeover of Oracle PeopleSoft Enterprise CS Campus Community 9.2.38 is possible via the Security component, where an unauthenticated attacker reaching the application over HTTP can fully compromise confidentiality, integrity, and availability. Oracle scores this 8.1 with high attack complexity, indicating non-trivial preconditions rather than a trivial mass-exploit primitive. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Oracle Peoplesoft Enterprise Cs Campus Community RCE Code Injection
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-46850 CRITICAL Act Now

Privilege escalation and full takeover of Oracle MySQL Shell's VS Code extension affects version 2026.2.0+9.6.1, allowing a low-privileged remote attacker with HTTP network access to fully compromise the Shell with confidentiality, integrity, and availability impact. Because the CVSS vector indicates a scope change (S:C), successful exploitation propagates impact beyond the Shell itself into adjacent components the extension connects to, such as MySQL servers managed through the VS Code workflow. No public exploit identified at time of analysis, but the 9.9 base score and 'easily exploitable' wording from Oracle warrant urgent remediation.

Oracle Mysql Shell Code Injection RCE
NVD VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-0164 HIGH This Week

Remote code execution in the Android Modem component (per the Pixel 2026-06-01 security bulletin) is possible via an out-of-bounds write triggered without user interaction. Authenticated remote attackers (PR:L per CVSS) can corrupt memory to execute arbitrary code at the same privilege level as the Modem process. No public exploit identified at time of analysis, EPSS is low at 0.23% (13th percentile), and the issue is not listed in CISA KEV.

RCE Memory Corruption Buffer Overflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-0162 HIGH This Week

In ParsePayloads of AudioSdpParser.cpp, there is a possible memory corruption due to type confusion. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE Memory Corruption
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-0160 HIGH Awaiting Data

In TextRtpPayloadDecoderNode::DecodeT140 of TextRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-0154 HIGH This Week

In Modem, there is a possible way to trigger a modem crash during a SIP REFER request due to memory corruption. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-0151 Awaiting Data

In IntfGraphCreate of intfgraph.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-0149 HIGH This Week

In RtpSession::rtpSendRtcpPacket, there is a possible OOB write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-0148 Awaiting Data

In multiple functions of VideoRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-0147 Awaiting Data

In __mfc_core_nal_q_get_dec_metadata_sei_nal of mfc_core_nal_q.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-0146 Awaiting Data

In mfc_core_get_dec_metadata_sei_nal of mfc_core_reg_api.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-0139 Awaiting Data

In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-0135 Awaiting Data

In Modem, there is a possible out of bounds read due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-0132 Awaiting Data

In Modem, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-0126 CRITICAL Act Now

Remote code execution in the WC-Radio component on Google Android (Pixel) devices allows network-adjacent attackers to corrupt memory via an out-of-bounds write with no authentication or user interaction. The flaw carries a CVSS 9.8 rating and is addressed in the Pixel security bulletin dated 2026-06-01; no public exploit identified at time of analysis and EPSS is low at 0.15%.

RCE Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53842 npm HIGH PATCH GHSA This Week

Arbitrary Python runtime execution in OpenClaw before 2026.5.2 lets an attacker with write access to the workspace plant a malicious .env file that overrides the CLOUDSDK_PYTHON variable used during Gmail setup, redirecting gcloud invocations to an attacker-controlled Python interpreter and leading to code execution. The CVSS 4.0 vector (AV:L/AT:P/UI:A) confirms the attack is local, requires a specific attack condition, and depends on a user/operator action - no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Python RCE Openclaw
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-48775 PyPI MEDIUM PATCH GHSA This Month

Unsafe deserialization in LangGraph SQLite Checkpoint's JsonPlusSerializer (versions 4.1.0 and prior) allows arbitrary Python object reconstruction from checkpoint payloads stored in a SQLite backing store, enabling code execution at checkpoint load time. Affected deployments are those where an unauthorized party can modify checkpoint bytes at rest - a high-privilege prerequisite (PR:H, AV:A per CVSS) that already implies a significant prior compromise. This is explicitly framed as a defense-in-depth concern: the issue escalates an existing 'checkpoint-store write access' incident into full application runtime code execution. No public exploit code or CISA KEV listing has been identified at time of analysis.

Checkpoint Deserialization Python RCE Langgraph +2
NVD GitHub
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-49444 npm HIGH PATCH GHSA This Week

Sandbox escape in n8n workflow automation platform allows authenticated users with workflow edit privileges to execute arbitrary code on the Python Task Runner container via a crafted Python Code Node. The flaw affects n8n versions prior to 1.123.48, 2.21.8, and 2.22.4 when the optional Python Task Runner is enabled, and no public exploit identified at time of analysis. Successful exploitation grants code execution inside the task runner container, providing a foothold for further lateral movement within the n8n deployment.

Python RCE
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-48520 PyPI MEDIUM PATCH GHSA This Month

Arbitrary file read in Langflow's Shareable Playground feature exposes local filesystem and S3 paths to unauthenticated attackers on instances where at least one public flow exists. The `/api/v1/build_public_tmp` endpoint accepts a user-controlled `files` field without path validation, causing Langflow to read attacker-specified files and pass their contents to the configured LLM. A proof-of-concept is publicly documented in the GitHub Security Advisory GHSA-rcjh-r59h-gq37; no active exploitation (CISA KEV) has been confirmed. Note: the 'RCE' tag associated with this CVE in source data is inconsistent with the described impact, which is limited to information disclosure via file read.

RCE
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-48519 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python code on the host by abusing the Shareable Playground (Public Flows) feature. When a flow is shared, the /api/v1/build_public_tmp endpoint accepts user-supplied node code in the JSON payload field data.nodes[X].data.node.template.code.value and executes it during graph instantiation. Publicly available exploit code exists via the GitHub Security Advisory GHSA-v5ff-9q35-q26f, including a working cURL-based PoC.

Python Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.5%
CVE-2026-41523 PyPI HIGH PATCH GHSA This Week

Arbitrary code execution in vLLM versions prior to 0.22.0 allows remote unauthenticated attackers to run code on the inference server by publishing a malicious HuggingFace model, when vLLM is launched in Python optimized mode (python -O or PYTHONOPTIMIZE=1). The sole guardrail restricting which activation function classes can be loaded from a model's config.json is implemented with a Python assert, which is stripped at compile time under -O, leaving an unrestricted import gadget directly fed by attacker-controlled data. No public exploit identified at time of analysis, but the vendor advisory (GHSA-q8gq-377p-jq3r) and a coordinated huntr.com submission document the issue in detail.

Python Authentication Bypass Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-47749 HIGH This Week

Heap buffer overflow in stable-diffusion.cpp versions prior to master-584-0a7ae07 allows attackers to corrupt memory and potentially achieve code execution when a victim loads a malicious PyTorch .ckpt checkpoint file. The flaw resides in the SHORT_BINUNICODE opcode handler of the pickle parser in src/model.cpp, where a signed length field is mishandled and passed to memcpy. No public exploit identified at time of analysis, but the upstream fix is committed and the attack surface (untrusted model files from sharing sites) is realistic for AI/ML workloads.

Checkpoint RCE Memory Corruption Buffer Overflow Stable Diffusion Cpp
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-47964 HIGH This Week

Heap-based buffer overflow in Adobe DNG SDK versions 1.7.1 (build 2536) and earlier enables arbitrary code execution in the context of the current user when a victim opens a maliciously crafted DNG file. The flaw affects any application or workflow that links the DNG SDK for parsing Digital Negative raw image files, and no public exploit identified at time of analysis. With a CVSS 7.8 (AV:L/UI:R) and user-interaction requirement, exploitation is realistic via social-engineered file delivery rather than remote network attack.

RCE Heap Overflow Buffer Overflow Dng Sdk
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-24228 HIGH This Week

Local code execution in NVIDIA NeMo Framework on Linux allows an authenticated low-privileged attacker to abuse unsafe deserialization of untrusted data (CWE-502) to run arbitrary code, escalate privileges, tamper with data, or disclose information. The CVSS 7.8 (AV:L/PR:L) profile and the typical ML-training use case mean exploitation requires existing access to the host running NeMo. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Nvidia Deserialization Information Disclosure RCE Nemo Framework
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-24155 HIGH This Week

Code injection in NVIDIA NeMo Framework across all supported platforms allows a local attacker with low privileges to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. The flaw carries a CVSS 3.1 score of 7.8 with high impact across confidentiality, integrity, and availability, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Nvidia Code Injection Information Disclosure RCE Nemo Framework
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-24909 HIGH PATCH This Week

Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Microsoft RCE Dell Openmanage
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-22451 MEDIUM PATCH This Month

Dell Peripheral Manager, versions from 1.5.1 to 1.7.2, contain an uncontrolled search path element vulnerability. Rated medium severity (CVSS 6.7).

RCE Dell Peripheral Manager
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-12398 PyPI HIGH GHSA This Week

Remote code execution in galaxy_ng's legacy role import API (v1) allows an authenticated user controlling a git repository to execute arbitrary commands on the pulp worker by crafting a branch or tag name containing shell metacharacters. The flaw stems from unsanitized git ref interpolation into a subprocess.run() call with shell=True inside do_git_checkout(), and only affects deployments where GALAXY_ENABLE_LEGACY_ROLES is explicitly enabled (non-default). No public exploit identified at time of analysis.

Command Injection RCE Red Hat Ansible Automation Platform 2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.9%
CVE-2024-22447 MEDIUM PATCH This Month

Dell Peripheral Manager, versions prior to 1.7.3, contain an uncontrolled search path element vulnerability. Rated medium severity (CVSS 6.7).

Dell RCE Peripheral Manager
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-12328 HIGH PATCH This Week

Memory corruption vulnerabilities in Mozilla Firefox 151, Firefox ESR 115.36/140.11, and Thunderbird 151/ESR 140.11 allow remote attackers to potentially execute arbitrary code by serving crafted web content that triggers internal memory safety bugs. Mozilla developers observed evidence of memory corruption in several of these bugs and assess that sufficient effort could yield arbitrary code execution in the browser process. No public exploit identified at time of analysis, and SSVC reports no observed exploitation, but the high CVSS (8.1) and total technical impact warrant prompt patching.

RCE Mozilla Buffer Overflow
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-12327 HIGH PATCH This Week

Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.

Buffer Overflow Mozilla RCE Red Hat Suse
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-12326 HIGH PATCH This Week

Memory corruption in Mozilla Firefox 151 and Thunderbird 151 may allow remote attackers to achieve arbitrary code execution when a victim renders malicious web content, per Mozilla advisory MFSA2026-60. The flaw stems from multiple memory safety bugs that Mozilla assessed as potentially exploitable, though no public exploit identified at time of analysis and EPSS exploitation probability is low (0.22%, 13th percentile). It is fixed in Firefox 152, with no special privileges required but high attack complexity per the CVSS vector.

Mozilla Buffer Overflow RCE
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-10829 HIGH This Week

Remote code execution in Moxa NPort W2150A-W4/W2250A-W4 Series firmware version 1.5 and earlier allows authenticated administrators to corrupt memory by submitting an overlong 'Server location' value on the Basic settings page of the web management interface, yielding root-level command execution on the embedded serial device server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Moxa has issued advisory MPSA-261910 confirming the flaw. The companion CVE-2026-10828 (format string) was disclosed in the same advisory, suggesting the web management stack received broader scrutiny.

RCE Stack Overflow Buffer Overflow Nport W2150A W4 W2250A W4 Series Nport W2150A W2250A Series
NVD VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-8442 HIGH This Week

Arbitrary file deletion in the WP Review Slider Pro WordPress plugin (versions up to and including 12.6.8) allows authenticated attackers with Subscriber-level access to delete arbitrary files on the underlying server, potentially escalating to remote code execution by removing files such as wp-config.php to trigger the WordPress setup flow. The flaw stems from missing capability checks on two AJAX handlers (wpfb_hide_review and wprp_save_review_admin) combined with a defective strpos()-based prefix check in wpfb_hidereview_ajax() that fails to neutralize path traversal sequences before calling unlink(). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; reported by Wordfence.

Path Traversal WordPress RCE Wpreviewslider Com
NVD VulDB
CVSS 3.1
8.1
EPSS
0.8%
CVE-2026-49774 CRITICAL Act Now

Remote code execution in the Filipe Nasc RD Station WordPress plugin (versions up to and including 5.6.0) allows authenticated attackers to inject and execute arbitrary PHP code through an improper code-generation control flaw. The issue carries a critical CVSS 3.1 score of 9.9 with a scope-changing impact, and no public exploit identified at time of analysis, though Patchstack has catalogued it as a Remote Code Execution vulnerability in their WordPress vulnerability database.

Code Injection RCE Rd Station
NVD VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-50255 MEDIUM This Month

Privilege escalation to SYSTEM in Sony Optical Disc Archive Software for Windows 5.5.3 and earlier arises from incorrect default filesystem permissions (CWE-276), enabling a local low-privileged attacker to plant or replace executable content that the software later runs with SYSTEM-level authority. Reported by JPCERT/CC and tracked under JVN#79926428, the vulnerability is classified as local with passive user interaction required (CVSS 4.0 AV:L/UI:P/AT:P), limiting opportunistic mass exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Privilege Escalation Microsoft RCE Optical Disc Archive Software For Windows
NVD VulDB
CVSS 4.0
5.4
EPSS
0.1%
CVE-2026-6933 HIGH This Week

Remote code execution in the Premmerce Dev Tools WordPress plugin (versions ≤ 2.0) allows authenticated users with Subscriber-level access or higher to write arbitrary PHP files into wp-content/plugins/ by injecting payloads into the premmerce_plugin_namespace POST parameter. The flaw stems from a missing authorization check in generatePluginHandler combined with unsanitized string substitution in createFromStub, enabling attackers to escape the namespace context with a semicolon and execute arbitrary PHP on the host. No public exploit identified at time of analysis, but the low privilege barrier and the high-impact CVSS 8.8 score make this a serious risk on sites with open registration.

File Upload PHP WordPress RCE Premmerce Dev Tools
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-48853 CRITICAL PATCH Act Now

Unsafe Erlang term deserialization in the elixir-grpc library (versions 0.4.0 through 1.0.0) allows unauthenticated remote attackers to crash the BEAM VM via atom-table exhaustion or achieve remote code execution by sending crafted gRPC payloads with Content-Type application/grpc+erlpack. The flaw lives in GRPC.Codec.Erlpack.decode/2, which calls :erlang.binary_to_term/1 without the :safe option, size bounds, or type guards. No public exploit is identified at time of analysis, but the upstream fix is published at commit 272a97a and a patched 1.0.0 release is available.

Deserialization RCE Grpc
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.6%
CVE-2026-48836 CRITICAL Act Now

Remote code execution in the Easy Invoice WordPress plugin (versions <= 2.1.19) allows unauthenticated attackers to run arbitrary code on the underlying server via a code injection flaw (CWE-94). The maximum CVSS 10.0 score reflects network reachability, no privileges, no user interaction, and a scope change with full confidentiality, integrity, and availability impact on the hosting WordPress site. No public exploit identified at time of analysis, but the trivial exploitability profile makes weaponization likely once technical details are published by Patchstack.

Code Injection RCE Easy Invoice
NVD
CVSS 3.1
10.0
EPSS
0.6%
CVE-2026-39465 CRITICAL Act Now

Remote code execution in the WordPress 'Responsive Slider by MetaSlider' plugin (versions ≤3.106.0) allows authenticated users with Editor-level privileges to inject and execute arbitrary code on the underlying server. The flaw is tracked as CWE-94 (Improper Control of Generation of Code) and carries a CVSS 3.1 score of 9.1 because exploitation crosses a scope boundary, but no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection RCE Responsive Slider By Metaslider
NVD
CVSS 3.1
9.1
EPSS
0.7%
CVE-2026-54271 npm HIGH PATCH GHSA This Week

Code injection in protobufjs-cli pbjs static and static-module code generation allows attacker-influenced JSON descriptor names to be emitted as unsafe JavaScript references in generated output, leading to arbitrary code execution when the generated file is later imported and an affected API path is invoked. This affects npm protobufjs-cli versions <= 1.3.1 and 2.0.0 through 2.4.2, and is an incomplete-fix bypass of CVE-2026-44295 (GHSA-6r35-46g8-jcw9). At time of analysis, no public exploit identified and no CISA KEV listing, but vendor-released patches exist in 1.3.2 and 2.5.0.

Code Injection RCE
NVD GitHub
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-52720 HIGH PATCH This Week

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a connecting client, potentially leading to remote code execution or denial of service. The flaw stems from validating rectangle area instead of individual dimensions, letting attacker-controlled rectangles extend beyond the framebuffer. No public exploit identified at time of analysis, though the issue affects GStreamer as shipped across Red Hat Enterprise Linux 6 through 10.

RCE Heap Overflow Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-53705 HIGH This Week

Heap memory corruption in the WavPack audio decoder of GStreamer's gst-plugins-good package allows remote attackers to crash applications or potentially achieve arbitrary code execution when a victim opens a malicious WavPack (.wv) audio file. The flaw, tracked as CVE-2026-53705 and reported by Red Hat, affects Red Hat Enterprise Linux versions 7, 8, 9, and 10, and stems from an integer overflow during buffer size calculation that produces an undersized heap allocation later overrun by decoded samples. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the multimedia decoder attack surface combined with RCE potential makes it a meaningful patching priority.

Buffer Overflow Integer Overflow RCE Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-49954 HIGH POC This Week

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a path traversal flaw in the plugin import routine with file upload functionality to run arbitrary PHP as the web server user. Publicly available exploit code exists (published by Karma Insecurity / VulnCheck) demonstrating a race-condition-assisted bypass of sanitization, but the issue is not listed in CISA KEV and no public EPSS signal was provided. The high PR:H requirement limits attackers to those already holding administrator credentials or able to obtain them.

File Upload RCE LFI Path Traversal PHP +1
NVD
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-54269 npm MEDIUM POC PATCH GHSA This Month

Schema-name shadowing in protobufjs (npm packages protobufjs and protobufjs-cli) enables denial of service when an attacker can supply or influence protobuf schemas containing field or service method names that collide with JavaScript runtime-significant identifiers used by the protobufjs runtime. Affected names - specifically a field named `hasOwnProperty`, a field or oneof named `$type` via JSON/reflection descriptors, and service methods whose generated helper resolves to `rpcCall` - cause the runtime to read schema-controlled data in place of expected internal helpers, producing deterministic exceptions or uncontrolled recursion (CWE-674) across decode, verification, serialization, and RPC invocation paths. No public exploit has been identified and no active exploitation is confirmed; the misleading 'RCE' tag in the intelligence metadata is directly contradicted by the vendor advisory, which explicitly states the issue is not known to allow code execution.

Denial Of Service RCE
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-53632 npm MEDIUM PATCH GHSA This Month

NTLMv2 hash disclosure in the `launch-editor` NPM package (v2.14.0 and earlier) exposes developer credentials on Windows systems when an attacker-controlled UNC path is passed to the package's file-opening HTTP middleware. The attack is achievable by tricking a developer running a local development server such as Vite into visiting an attacker-controlled webpage that issues a cross-origin request to the local `__open-in-editor` endpoint with a crafted `\\attacker-host\share` UNC path, whereupon Windows automatically initiates NTLM authentication without any user prompt, transmitting the victim's NTLMv2 hash to the attacker's SMB server. Publicly available exploit code confirmed via the advisory PoC using Impacket smbserver.py and Responder lowers the barrier significantly; no active exploitation has been confirmed via CISA KEV at time of analysis.

RCE Microsoft Node.js
NVD GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-52704 CRITICAL Act Now

Remote code execution in Edgar Rojas WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) allows unauthenticated remote attackers to inject and execute arbitrary code on the host WordPress site. The CVSS 10.0 score with scope change reflects the severe impact: attackers can fully compromise the WordPress instance and potentially pivot beyond it. No public exploit identified at time of analysis, but the trivial attack vector (AV:N/AC:L/PR:N/UI:N) makes mass exploitation likely once details surface.

Code Injection WordPress RCE Woocommerce Pdf Invoice Builder
NVD
CVSS 3.1
10.0
EPSS
0.3%
CVE-2018-25436 CRITICAL POC Act Now

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress PHP Baggage Freight Shipping Australia
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.7%
CVE-2016-20082 MEDIUM POC This Month

WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress LFI Abtest
NVD Exploit-DB GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2016-20077 MEDIUM POC This Month

WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress LFI Photocart Link
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2016-20075 HIGH POC This Week

WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Authentication Bypass RCE WordPress +1
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-5482 CRITICAL Act Now

Unrestricted file upload in Responsive FileManager 9.14.0 (and likely earlier) allows remote unauthenticated attackers to upload arbitrary files - including PHP scripts - via the dialog.php endpoint, leading directly to remote code execution on the hosting web server. The project is unmaintained at the time of CVE assignment, so no vendor patch is forthcoming, and while no public exploit is identified at time of analysis the trivial nature of unrestricted file upload makes weaponization straightforward.

File Upload PHP RCE Responsive Filemanager
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-12057 HIGH This Week

Arbitrary code execution in Foxit AI (versions before 2026-06-15) occurs when the application processes JavaScript embedded in a PDF inside its sandbox but fails to intercept dangerous interfaces, permitting remote script loading. A user must open a malicious PDF for exploitation to succeed, and no public exploit identified at time of analysis with EPSS at only 0.13%. SSVC reports total technical impact but no observed exploitation.

RCE Foxit Ai
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-11860 HIGH This Week

Unsafe PHP deserialization in Quick.CMS by OpenSolution lets an on-path attacker who can tamper with the plaintext HTTP channel inject malicious serialized objects that are deserialized when an administrator opens the admin panel, yielding arbitrary code execution on the server. The CVSS 4.0 vector (AV:A/AC:L/AT:P/PR:N/UI:P) reflects that exploitation requires adjacent-network MITM positioning plus an administrator session, and no public exploit identified at time of analysis. CERT-PL reported the issue and OpenSolution shipped a patch for version 6.8 on 14.05.2026 that mitigates the flaw by forcing HTTPS.

Deserialization RCE Quick Cms
NVD
CVSS 4.0
7.5
EPSS
0.4%
CVE-2025-56814 HIGH This Week

Arbitrary code execution in OpenCPN v5.12.0 allows local authenticated users to run shell commands by embedding shell metacharacters in input passed to the wxExecute() function. CVSS 3.1 rates it 7.8 (High) with local attack vector and low privileges required, and SSVC assesses technical impact as total but with no observed exploitation. No public exploit identified at time of analysis beyond a researcher write-up referenced in the advisory.

Command Injection RCE N A
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-50872 CRITICAL Act Now

Remote code execution in fossar selfoss v2.20-SNAPSHOT allows unauthenticated attackers to execute arbitrary commands and retrieve sensitive data by sending a crafted HTTP request to the loopback request handling component. The flaw carries a CVSS 9.8 score and a public gist (likely containing proof-of-concept material) is referenced, though EPSS exploitation probability remains low at 0.19% and the issue is not listed in CISA KEV.

Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-50880 CRITICAL Act Now

Remote code execution in YouTransfer v1.0.6 allows unauthenticated attackers to run arbitrary code by sending a crafted request to the sendmail transport integration component. The flaw is a CWE-94 code injection issue with a critical CVSS 9.8 score and publicly available exploit code exists via a referenced GitHub gist, though no active exploitation has been confirmed by CISA KEV.

Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-36933 MEDIUM This Month

An issue in Boyleep K11, y108 firmware v.2.3.0.11291 allows a physically proximate attacker to execute arbitrary code via the factory test feature.

RCE N A Authentication Bypass
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2025-68713 HIGH This Week

An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.

Denial Of Service Google RCE N A
NVD GitHub
CVSS 3.1
8.0
EPSS
0.2%
CVE-2026-50871 CRITICAL Act Now

Remote code execution in kanishka-linux Reminiscence v0.3.0 allows unauthenticated attackers to execute arbitrary OS commands by supplying crafted input to the media archiving and export pipeline component. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact to confidentiality, integrity, and availability, though no public exploit identified at time of analysis and EPSS sits at 0.67% (47th percentile) indicating limited observed exploitation pressure so far.

Command Injection Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-50873 CRITICAL Act Now

Arbitrary code execution in flatnotes v5.5.4 is achievable by uploading crafted HTML or SVG files through the attachment handling component, enabling remote attackers to run code in the context of the application. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact on confidentiality, integrity, and availability. Publicly available exploit code exists via a referenced GitHub gist, though there is no public exploit identified as actively exploited in the CISA KEV catalog at time of analysis.

File Upload RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-38329 CRITICAL Act Now

{key} endpoint in bl-plugins/api/plugin.php. Publicly available exploit code exists as a gist, though EPSS rates exploitation probability at only 0.21% (11th percentile).

Authentication Bypass PHP RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-39006 CRITICAL Act Now

Remote code execution in SNMP4J-Agent 3.8.3 is enabled through the snmp4jCfgStoragePath component, allowing remote attackers to run arbitrary code on hosts running the agent. The CWE-73 (External Control of File Name or Path) classification indicates the storage path parameter can be manipulated to influence file operations, and no public exploit identified at time of analysis though a third-party advisory has been published on GitHub. EPSS is low at 0.21% (11th percentile) despite the 9.8 CVSS, suggesting limited current exploitation activity.

RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-30120 npm CRITICAL PATCH GHSA Act Now

Remote code execution affects remotion-dev's Remotion framework at version 4.0.409, enabling attackers to execute arbitrary code on systems running the affected version per CWE-94 code injection semantics. The CVSS 9.8 vector indicates network-reachable, unauthenticated exploitation without user interaction, though no public exploit identified at time of analysis and EPSS probability remains low at 0.25% (16th percentile). The vulnerability is reported by MITRE with a third-party advisory on GitHub but lacks detailed exploitation specifics.

Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-53836 npm HIGH PATCH This Week

Remote code execution in OpenClaw before 2026.5.12 allows authenticated operators to bypass the PowerShell execution allowlist by submitting encoded-command flag aliases (abbreviated forms) that the allowlist parser fails to recognize. The flaw enables execution of arbitrary PowerShell payloads with full confidentiality, integrity, and availability impact on the host. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

RCE Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-42851 HIGH PATCH This Week

Remote code execution in Kitty terminal emulator versions prior to 0.47.0 allows any process or remote peer that can write bytes to the terminal - including SSH sessions, file viewers like cat or less, log tailers, and TUI applications - to execute attacker-supplied Python code inside the running kitty process with full user privileges. Exploitation requires no approval prompt, no shell integration, no clipboard interaction, and no editor involvement, making any rendered untrusted content a viable injection vector. No public exploit identified at time of analysis, but the trivial trigger conditions and broad attack surface make this a high-priority patch.

Python Code Injection RCE Kitty Suse
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-54057 HIGH PATCH This Week

Code injection in Kitty terminal emulator versions prior to 0.47.3 allows attacker-controlled bytes - including newline characters - to be reflected back into the user's shell input via the OSC 21 (color-control) escape sequence query reply. An attacker who can cause arbitrary bytes to be written to the terminal (malicious file contents, SSH banner, log entry, web page) can inject and execute shell commands at the victim's privilege level. No public exploit identified at time of analysis, but the underlying class of terminal-escape-injection bugs is well documented and exploitation is straightforward once the unsanitized reply path is known.

Code Injection RCE Kitty Suse
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-54056 HIGH PATCH This Week

Arbitrary file write in Kitty terminal versions 0.47.0 and 0.47.1 allows a remote drag-and-drop source to overwrite files writable by the local kitty user via a TOCTOU symlink race in kitten dnd staging. The flaw stems from openat() calls lacking O_NOFOLLOW when handling duplicate remote basenames on case-sensitive filesystems, letting an attacker-staged symlink redirect writes outside the staging directory. No public exploit identified at time of analysis, and EPSS is very low (0.03%), though user interaction via drag-and-drop is the gating factor.

RCE Kitty Suse
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-12043 HIGH PATCH This Week

Client-side memory corruption in the AWS Common Runtime aws-c-http library can be triggered by a malicious HTTP/2 server that sends a crafted sequence of HEADERS frames manipulating the HPACK dynamic table size, potentially leading to arbitrary code execution in applications that use the library as an HTTP/2 client. The CVSS 4.0 score of 8.7 (High) reflects network reachability with low complexity but requires user/client interaction (initiating a connection to the attacker server). There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Buffer Overflow RCE Aws C Http
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-52465 Maven HIGH PATCH GHSA This Week

Arbitrary file write in GeoServer's Master Password Dump web page allows an authenticated administrator to write attacker-controlled content to any absolute filesystem path the GeoServer process can write to, including JSP files in a Tomcat webapps directory. Because GeoServer enforces no maximum master password length, an admin can embed malicious JSP code into the master password and dump it to an executable location, escalating to remote code execution on the host. No public exploit identified at time of analysis and the issue is not in CISA KEV.

Microsoft Atlassian RCE Denial Of Service Tomcat +1
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-28742 CRITICAL CISA Emergency

Cryptographic authentication bypass in Naxclow smart home devices (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows remote attackers to forge arbitrary device and account API requests after extracting a single hard-coded salt shared across the entire product line. Because the same salt is embedded in every firmware image and no per-device keys, nonces, or replay protections exist, recovery from one unit compromises the whole fleet, and plain-HTTP control traffic makes interception trivial. No public exploit identified at time of analysis, and the issue was disclosed via CISA ICS-CERT advisory ICSA-26-162-02.

RCE Smart Doorbell X3 X Smart Home V720 Ix Cam
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-47965 HIGH This Week

Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) occurs through an out-of-bounds write triggered when a victim opens a malicious PDF file. Successful exploitation runs attacker code in the context of the current user, making this a classic client-side attack suitable for phishing campaigns. No public exploit identified at time of analysis, but Adobe Reader memory corruption flaws have a long history of being weaponized in targeted attacks.

RCE Memory Corruption Adobe Buffer Overflow Acrobat Reader
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45833 CRITICAL Act Now

Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the UPDATE_COLLECTION permission to execute arbitrary code on the server by submitting a malicious model repository with trust_remote_code=true to the collection update endpoint. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.4 and HiddenLayer's disclosure indicate a high-severity flaw in a widely used AI vector database. The vulnerability sits in the AI/ML supply chain layer, making it particularly relevant for organizations using ChromaDB as a backend for RAG or embedding pipelines.

Python Code Injection RCE Chromadb
NVD VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-40677 HIGH This Week

Man-in-the-middle attacks against AMD's optional desktop tools - AMD Management Console (AMC), AMD Ryzen Master, and AMD μProf - can lead to arbitrary code execution because the affected utilities transport data over plaintext HTTP rather than TLS. An attacker positioned on the network path between a victim workstation and the AMD endpoint can tamper with traffic (most plausibly update or telemetry channels) to substitute malicious content that is then executed by the tool. No public exploit identified at time of analysis and the issue is not in CISA KEV; EPSS data was not provided.

RCE Amd Amd Management Console Amc Amd Ryzen Master Amd Prof
NVD VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-53787 CRITICAL POC PATCH Act Now

Unauthenticated arbitrary file upload in Amasty Order Attributes for Magento 2 before 4.0.0 lets remote attackers drop arbitrary files into the store's media directory without authentication, session validation, or cart context. Where the media directory permits PHP execution, this escalates to unauthenticated remote code execution; otherwise it enables stored XSS via HTML/SVG, malware hosting, and path-traversal writes outside the intended directory. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and trivial preconditions make this a high-priority issue for any Magento 2 store running the extension.

Adobe RCE XSS File Upload Path Traversal +2
NVD VulDB GitHub
CVSS 4.0
9.3
EPSS
0.2%
EPSS 1% CVSS 9.9
CRITICAL Act Now

Remote code execution in Blocksy Companion Pro (Creative Themes) versions 2.1.37 and earlier allows authenticated users with Contributor-level WordPress privileges to inject and execute arbitrary code on the underlying server. The flaw carries a CVSS 3.1 base score of 9.9 with scope change, reflecting that successful exploitation breaks out of the WordPress application context. No public exploit identified at time of analysis, but Patchstack has catalogued the issue in its WordPress vulnerability database.

Code Injection RCE Blocksy Companion Pro
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Google Microsoft Heap Overflow +4
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Google Use After Free RCE +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap buffer overflow in WebRTC in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Google Heap Overflow RCE +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Web Authentication in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

Google Use After Free RCE +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

Google Use After Free RCE +4
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing attackers to execute arbitrary code.

RCE N A Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Missing repository-unit authorization on three Gitea API endpoints allows authenticated users with only non-Code unit access (e.g., an Issues-only organization team member) to read `.gitea/ISSUE_TEMPLATE/*` and `issue_config.yaml` files from the Code default branch of a private repository. The CVSS score of 4.3 (PR:L, C:L) accurately reflects the narrow scope: exploitation is limited to those specific configuration files, not arbitrary source code. A proof of concept is publicly documented in the vendor advisory (GHSA-3fwp-p5rj-2pxf); no active exploitation is confirmed in the CISA KEV catalog at time of analysis.

Gitea Authentication Bypass RCE
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

Remote code execution in the ACPT (Pro) - Custom Post Types Plugin for WordPress (versions through 2.0.47) allows unauthenticated remote attackers to inject and execute arbitrary code on the underlying WordPress host. The CVSS 3.1 base score of 10.0 with a scope change (S:C) indicates the flaw escapes the plugin sandbox and compromises the entire WordPress installation. No public exploit has been identified at time of analysis, but the trivial attack profile (network, no auth, no UI) makes this a high-priority patching target.

Code Injection WordPress RCE +1
NVD
EPSS 0% CVSS 9.6
CRITICAL POC PATCH Act Now

Arbitrary code execution in yt-dlp versions before 2026.06.09 occurs when aria2c is selected as the external downloader for fragmented HLS/DASH streams, allowing a malicious manifest or metadata server to inject options into aria2c's input file and write attacker-controlled files. On Windows this yields immediate code execution via a planted ffmpeg.exe, while on all platforms it enables code execution on the next run via a planted yt-dlp.conf with a malicious --exec. CVSS is 9.6 (critical), but there is no public exploit identified at time of analysis, EPSS is low (0.40%, 32th percentile), and CISA SSVC marks exploitation as none.

Microsoft RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Stale authorization caching in Daytona's preview proxy allows unauthenticated access to sandbox previews for a bounded window after their owner switches visibility from public back to private. The flaw affects versions 0.101.0 through 0.183.0 and is limited to ordinary preview ports - terminal, toolbox, and recording-dashboard ports remained protected. No public exploit identified at time of analysis, and the GitHub advisory tags suggesting RCE/Privilege Escalation contradict the advisory's own impact statement, which explicitly rules both out.

Privilege Escalation RCE
NVD GitHub
EPSS 1% CVSS 9.6
CRITICAL PATCH Act Now

Arbitrary OS-shortcut file write in yt-dlp before 2026.06.09 lets a remote attacker plant malicious `.desktop`, `.url`, or `.webloc` files on a victim's machine, reviving the attack surface that CVE-2024-38519 was meant to close. Because numerous extractors derive output file extensions from attacker-controlled sources (e.g. an m3u8 `EXT-X-MEDIA:TYPE=SUBTITLES` URI), a user who downloads from a malicious URL with options like `--write-subs` will silently receive a shortcut file containing attacker-chosen shell commands or remote-executable links. A vendor proof-of-concept demonstrating code execution via a planted `.desktop` file is publicly available; it is not listed in CISA KEV, and EPSS is low at 0.54% (41st percentile).

Microsoft RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Arbitrary code execution in Themeco Cornerstone WordPress plugin versions prior to 7.8.8 allows authenticated low-privilege users (Subscriber role) to inject and execute arbitrary code on the underlying server. The CVSS:3.1 vector indicates a scope-changed network-vector flaw with high impact on confidentiality, integrity, and availability, though high attack complexity tempers the realistic risk. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Code Injection RCE Cornerstone
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote code execution in Crawl4AI's Docker API (versions <= 0.8.6) lets attackers escape the computed-fields expression sandbox and run arbitrary OS commands inside the container. The AST validator behind `_safe_eval_expression()` only blocked attribute names beginning with an underscore, so a crafted `JsonCssExtractionStrategy` schema can reach generator/frame attributes (`gi_frame`, `f_back`, `f_builtins`) to recover the real `__import__` and execute code. Because JWT auth is disabled by default, a single `POST /crawl` request suffices; publicly available exploit code exists (SSVC: PoC) and the vendor rates it CVSS 10.0, though EPSS is low at 0.45%.

Python Code Injection RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Symlink confinement bypass in Hugo static site generator v0.123.0 through v0.161.1 allows an attacker who can place a symlink inside a locally-mounted directory - such as a vendored theme under `themes/` - to read arbitrary files accessible to the user running the `hugo` build process. The regression in `RootMappingFs.statRoot` (calling `Stat` instead of `Lstat`) defeats the virtual filesystem's mount boundary enforcement specifically for `resources.Get` direct lookups, while multi-directory walks remained unaffected. No public exploit is identified at time of analysis, but the patch commit and regression test scripts are publicly available on GitHub; the vulnerability is not in CISA KEV.

RCE
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Remote takeover of Oracle PeopleSoft Enterprise CS Campus Community 9.2.38 is possible via the Security component, where an unauthenticated attacker reaching the application over HTTP can fully compromise confidentiality, integrity, and availability. Oracle scores this 8.1 with high attack complexity, indicating non-trivial preconditions rather than a trivial mass-exploit primitive. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Oracle Peoplesoft Enterprise Cs Campus Community RCE +1
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privilege escalation and full takeover of Oracle MySQL Shell's VS Code extension affects version 2026.2.0+9.6.1, allowing a low-privileged remote attacker with HTTP network access to fully compromise the Shell with confidentiality, integrity, and availability impact. Because the CVSS vector indicates a scope change (S:C), successful exploitation propagates impact beyond the Shell itself into adjacent components the extension connects to, such as MySQL servers managed through the VS Code workflow. No public exploit identified at time of analysis, but the 9.9 base score and 'easily exploitable' wording from Oracle warrant urgent remediation.

Oracle Mysql Shell Code Injection +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in the Android Modem component (per the Pixel 2026-06-01 security bulletin) is possible via an out-of-bounds write triggered without user interaction. Authenticated remote attackers (PR:L per CVSS) can corrupt memory to execute arbitrary code at the same privilege level as the Modem process. No public exploit identified at time of analysis, EPSS is low at 0.23% (13th percentile), and the issue is not listed in CISA KEV.

RCE Memory Corruption Buffer Overflow
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

In ParsePayloads of AudioSdpParser.cpp, there is a possible memory corruption due to type confusion. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE Memory Corruption
NVD VulDB
EPSS 0% CVSS 8.8
HIGH Awaiting Data

In TextRtpPayloadDecoderNode::DecodeT140 of TextRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
EPSS 0% CVSS 8.8
HIGH This Week

In Modem, there is a possible way to trigger a modem crash during a SIP REFER request due to memory corruption. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
EPSS 0% CVSS 8.8
Awaiting Data

In IntfGraphCreate of intfgraph.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
EPSS 0% CVSS 8.8
HIGH This Week

In RtpSession::rtpSendRtcpPacket, there is a possible OOB write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
EPSS 0% CVSS 8.8
Awaiting Data

In multiple functions of VideoRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
EPSS 0% CVSS 8.8
Awaiting Data

In __mfc_core_nal_q_get_dec_metadata_sei_nal of mfc_core_nal_q.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
EPSS 0% CVSS 8.8
Awaiting Data

In mfc_core_get_dec_metadata_sei_nal of mfc_core_reg_api.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
EPSS 0% CVSS 8.8
Awaiting Data

In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
EPSS 0% CVSS 7.8
Awaiting Data

In Modem, there is a possible out of bounds read due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
EPSS 0% CVSS 8.8
Awaiting Data

In Modem, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Buffer Overflow RCE
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in the WC-Radio component on Google Android (Pixel) devices allows network-adjacent attackers to corrupt memory via an out-of-bounds write with no authentication or user interaction. The flaw carries a CVSS 9.8 rating and is addressed in the Pixel security bulletin dated 2026-06-01; no public exploit identified at time of analysis and EPSS is low at 0.15%.

RCE Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Arbitrary Python runtime execution in OpenClaw before 2026.5.2 lets an attacker with write access to the workspace plant a malicious .env file that overrides the CLOUDSDK_PYTHON variable used during Gmail setup, redirecting gcloud invocations to an attacker-controlled Python interpreter and leading to code execution. The CVSS 4.0 vector (AV:L/AT:P/UI:A) confirms the attack is local, requires a specific attack condition, and depends on a user/operator action - no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Python RCE Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Unsafe deserialization in LangGraph SQLite Checkpoint's JsonPlusSerializer (versions 4.1.0 and prior) allows arbitrary Python object reconstruction from checkpoint payloads stored in a SQLite backing store, enabling code execution at checkpoint load time. Affected deployments are those where an unauthorized party can modify checkpoint bytes at rest - a high-privilege prerequisite (PR:H, AV:A per CVSS) that already implies a significant prior compromise. This is explicitly framed as a defense-in-depth concern: the issue escalates an existing 'checkpoint-store write access' incident into full application runtime code execution. No public exploit code or CISA KEV listing has been identified at time of analysis.

Checkpoint Deserialization Python +4
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Sandbox escape in n8n workflow automation platform allows authenticated users with workflow edit privileges to execute arbitrary code on the Python Task Runner container via a crafted Python Code Node. The flaw affects n8n versions prior to 1.123.48, 2.21.8, and 2.22.4 when the optional Python Task Runner is enabled, and no public exploit identified at time of analysis. Successful exploitation grants code execution inside the task runner container, providing a foothold for further lateral movement within the n8n deployment.

Python RCE
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Arbitrary file read in Langflow's Shareable Playground feature exposes local filesystem and S3 paths to unauthenticated attackers on instances where at least one public flow exists. The `/api/v1/build_public_tmp` endpoint accepts a user-controlled `files` field without path validation, causing Langflow to read attacker-specified files and pass their contents to the configured LLM. A proof-of-concept is publicly documented in the GitHub Security Advisory GHSA-rcjh-r59h-gq37; no active exploitation (CISA KEV) has been confirmed. Note: the 'RCE' tag associated with this CVE in source data is inconsistent with the described impact, which is limited to information disclosure via file read.

RCE
NVD GitHub
EPSS 1% CVSS 9.6
CRITICAL PATCH Act Now

Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python code on the host by abusing the Shareable Playground (Public Flows) feature. When a flow is shared, the /api/v1/build_public_tmp endpoint accepts user-supplied node code in the JSON payload field data.nodes[X].data.node.template.code.value and executes it during graph instantiation. Publicly available exploit code exists via the GitHub Security Advisory GHSA-v5ff-9q35-q26f, including a working cURL-based PoC.

Python Code Injection RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Arbitrary code execution in vLLM versions prior to 0.22.0 allows remote unauthenticated attackers to run code on the inference server by publishing a malicious HuggingFace model, when vLLM is launched in Python optimized mode (python -O or PYTHONOPTIMIZE=1). The sole guardrail restricting which activation function classes can be loaded from a model's config.json is implemented with a Python assert, which is stripped at compile time under -O, leaving an unrestricted import gadget directly fed by attacker-controlled data. No public exploit identified at time of analysis, but the vendor advisory (GHSA-q8gq-377p-jq3r) and a coordinated huntr.com submission document the issue in detail.

Python Authentication Bypass Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Heap buffer overflow in stable-diffusion.cpp versions prior to master-584-0a7ae07 allows attackers to corrupt memory and potentially achieve code execution when a victim loads a malicious PyTorch .ckpt checkpoint file. The flaw resides in the SHORT_BINUNICODE opcode handler of the pickle parser in src/model.cpp, where a signed length field is mishandled and passed to memcpy. No public exploit identified at time of analysis, but the upstream fix is committed and the attack surface (untrusted model files from sharing sites) is realistic for AI/ML workloads.

Checkpoint RCE Memory Corruption +2
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Heap-based buffer overflow in Adobe DNG SDK versions 1.7.1 (build 2536) and earlier enables arbitrary code execution in the context of the current user when a victim opens a maliciously crafted DNG file. The flaw affects any application or workflow that links the DNG SDK for parsing Digital Negative raw image files, and no public exploit identified at time of analysis. With a CVSS 7.8 (AV:L/UI:R) and user-interaction requirement, exploitation is realistic via social-engineered file delivery rather than remote network attack.

RCE Heap Overflow Buffer Overflow +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local code execution in NVIDIA NeMo Framework on Linux allows an authenticated low-privileged attacker to abuse unsafe deserialization of untrusted data (CWE-502) to run arbitrary code, escalate privileges, tamper with data, or disclose information. The CVSS 7.8 (AV:L/PR:L) profile and the typical ML-training use case mean exploitation requires existing access to the host running NeMo. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Nvidia Deserialization Information Disclosure +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Code injection in NVIDIA NeMo Framework across all supported platforms allows a local attacker with low privileges to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. The flaw carries a CVSS 3.1 score of 7.8 with high impact across confidentiality, integrity, and availability, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Nvidia Code Injection Information Disclosure +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Microsoft RCE +2
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Dell Peripheral Manager, versions from 1.5.1 to 1.7.2, contain an uncontrolled search path element vulnerability. Rated medium severity (CVSS 6.7).

RCE Dell Peripheral Manager
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Remote code execution in galaxy_ng's legacy role import API (v1) allows an authenticated user controlling a git repository to execute arbitrary commands on the pulp worker by crafting a branch or tag name containing shell metacharacters. The flaw stems from unsanitized git ref interpolation into a subprocess.run() call with shell=True inside do_git_checkout(), and only affects deployments where GALAXY_ENABLE_LEGACY_ROLES is explicitly enabled (non-default). No public exploit identified at time of analysis.

Command Injection RCE Red Hat Ansible Automation Platform 2
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Dell Peripheral Manager, versions prior to 1.7.3, contain an uncontrolled search path element vulnerability. Rated medium severity (CVSS 6.7).

Dell RCE Peripheral Manager
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Memory corruption vulnerabilities in Mozilla Firefox 151, Firefox ESR 115.36/140.11, and Thunderbird 151/ESR 140.11 allow remote attackers to potentially execute arbitrary code by serving crafted web content that triggers internal memory safety bugs. Mozilla developers observed evidence of memory corruption in several of these bugs and assess that sufficient effort could yield arbitrary code execution in the browser process. No public exploit identified at time of analysis, and SSVC reports no observed exploitation, but the high CVSS (8.1) and total technical impact warrant prompt patching.

RCE Mozilla Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.

Buffer Overflow Mozilla RCE +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Memory corruption in Mozilla Firefox 151 and Thunderbird 151 may allow remote attackers to achieve arbitrary code execution when a victim renders malicious web content, per Mozilla advisory MFSA2026-60. The flaw stems from multiple memory safety bugs that Mozilla assessed as potentially exploitable, though no public exploit identified at time of analysis and EPSS exploitation probability is low (0.22%, 13th percentile). It is fixed in Firefox 152, with no special privileges required but high attack complexity per the CVSS vector.

Mozilla Buffer Overflow RCE
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Remote code execution in Moxa NPort W2150A-W4/W2250A-W4 Series firmware version 1.5 and earlier allows authenticated administrators to corrupt memory by submitting an overlong 'Server location' value on the Basic settings page of the web management interface, yielding root-level command execution on the embedded serial device server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Moxa has issued advisory MPSA-261910 confirming the flaw. The companion CVE-2026-10828 (format string) was disclosed in the same advisory, suggesting the web management stack received broader scrutiny.

RCE Stack Overflow Buffer Overflow +2
NVD VulDB
EPSS 1% CVSS 8.1
HIGH This Week

Arbitrary file deletion in the WP Review Slider Pro WordPress plugin (versions up to and including 12.6.8) allows authenticated attackers with Subscriber-level access to delete arbitrary files on the underlying server, potentially escalating to remote code execution by removing files such as wp-config.php to trigger the WordPress setup flow. The flaw stems from missing capability checks on two AJAX handlers (wpfb_hide_review and wprp_save_review_admin) combined with a defective strpos()-based prefix check in wpfb_hidereview_ajax() that fails to neutralize path traversal sequences before calling unlink(). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; reported by Wordfence.

Path Traversal WordPress RCE +1
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote code execution in the Filipe Nasc RD Station WordPress plugin (versions up to and including 5.6.0) allows authenticated attackers to inject and execute arbitrary PHP code through an improper code-generation control flaw. The issue carries a critical CVSS 3.1 score of 9.9 with a scope-changing impact, and no public exploit identified at time of analysis, though Patchstack has catalogued it as a Remote Code Execution vulnerability in their WordPress vulnerability database.

Code Injection RCE Rd Station
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Privilege escalation to SYSTEM in Sony Optical Disc Archive Software for Windows 5.5.3 and earlier arises from incorrect default filesystem permissions (CWE-276), enabling a local low-privileged attacker to plant or replace executable content that the software later runs with SYSTEM-level authority. Reported by JPCERT/CC and tracked under JVN#79926428, the vulnerability is classified as local with passive user interaction required (CVSS 4.0 AV:L/UI:P/AT:P), limiting opportunistic mass exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Privilege Escalation Microsoft RCE +1
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in the Premmerce Dev Tools WordPress plugin (versions ≤ 2.0) allows authenticated users with Subscriber-level access or higher to write arbitrary PHP files into wp-content/plugins/ by injecting payloads into the premmerce_plugin_namespace POST parameter. The flaw stems from a missing authorization check in generatePluginHandler combined with unsanitized string substitution in createFromStub, enabling attackers to escape the namespace context with a semicolon and execute arbitrary PHP on the host. No public exploit identified at time of analysis, but the low privilege barrier and the high-impact CVSS 8.8 score make this a serious risk on sites with open registration.

File Upload PHP WordPress +2
NVD VulDB
EPSS 1% CVSS 9.2
CRITICAL PATCH Act Now

Unsafe Erlang term deserialization in the elixir-grpc library (versions 0.4.0 through 1.0.0) allows unauthenticated remote attackers to crash the BEAM VM via atom-table exhaustion or achieve remote code execution by sending crafted gRPC payloads with Content-Type application/grpc+erlpack. The flaw lives in GRPC.Codec.Erlpack.decode/2, which calls :erlang.binary_to_term/1 without the :safe option, size bounds, or type guards. No public exploit is identified at time of analysis, but the upstream fix is published at commit 272a97a and a patched 1.0.0 release is available.

Deserialization RCE Grpc
NVD GitHub VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote code execution in the Easy Invoice WordPress plugin (versions <= 2.1.19) allows unauthenticated attackers to run arbitrary code on the underlying server via a code injection flaw (CWE-94). The maximum CVSS 10.0 score reflects network reachability, no privileges, no user interaction, and a scope change with full confidentiality, integrity, and availability impact on the hosting WordPress site. No public exploit identified at time of analysis, but the trivial exploitability profile makes weaponization likely once technical details are published by Patchstack.

Code Injection RCE Easy Invoice
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

Remote code execution in the WordPress 'Responsive Slider by MetaSlider' plugin (versions ≤3.106.0) allows authenticated users with Editor-level privileges to inject and execute arbitrary code on the underlying server. The flaw is tracked as CWE-94 (Improper Control of Generation of Code) and carries a CVSS 3.1 score of 9.1 because exploitation crosses a scope boundary, but no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection RCE Responsive Slider By Metaslider
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Code injection in protobufjs-cli pbjs static and static-module code generation allows attacker-influenced JSON descriptor names to be emitted as unsafe JavaScript references in generated output, leading to arbitrary code execution when the generated file is later imported and an affected API path is invoked. This affects npm protobufjs-cli versions <= 1.3.1 and 2.0.0 through 2.4.2, and is an incomplete-fix bypass of CVE-2026-44295 (GHSA-6r35-46g8-jcw9). At time of analysis, no public exploit identified and no CISA KEV listing, but vendor-released patches exist in 1.3.2 and 2.5.0.

Code Injection RCE
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a connecting client, potentially leading to remote code execution or denial of service. The flaw stems from validating rectangle area instead of individual dimensions, letting attacker-controlled rectangles extend beyond the framebuffer. No public exploit identified at time of analysis, though the issue affects GStreamer as shipped across Red Hat Enterprise Linux 6 through 10.

RCE Heap Overflow Buffer Overflow +5
NVD VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Heap memory corruption in the WavPack audio decoder of GStreamer's gst-plugins-good package allows remote attackers to crash applications or potentially achieve arbitrary code execution when a victim opens a malicious WavPack (.wv) audio file. The flaw, tracked as CVE-2026-53705 and reported by Red Hat, affects Red Hat Enterprise Linux versions 7, 8, 9, and 10, and stems from an integer overflow during buffer size calculation that produces an undersized heap allocation later overrun by decoded samples. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the multimedia decoder attack surface combined with RCE potential makes it a meaningful patching priority.

Buffer Overflow Integer Overflow RCE +4
NVD VulDB
EPSS 1% CVSS 8.6
HIGH POC This Week

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a path traversal flaw in the plugin import routine with file upload functionality to run arbitrary PHP as the web server user. Publicly available exploit code exists (published by Karma Insecurity / VulnCheck) demonstrating a race-condition-assisted bypass of sanitization, but the issue is not listed in CISA KEV and no public EPSS signal was provided. The high PR:H requirement limits attackers to those already holding administrator credentials or able to obtain them.

File Upload RCE LFI +3
NVD
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Schema-name shadowing in protobufjs (npm packages protobufjs and protobufjs-cli) enables denial of service when an attacker can supply or influence protobuf schemas containing field or service method names that collide with JavaScript runtime-significant identifiers used by the protobufjs runtime. Affected names - specifically a field named `hasOwnProperty`, a field or oneof named `$type` via JSON/reflection descriptors, and service methods whose generated helper resolves to `rpcCall` - cause the runtime to read schema-controlled data in place of expected internal helpers, producing deterministic exceptions or uncontrolled recursion (CWE-674) across decode, verification, serialization, and RPC invocation paths. No public exploit has been identified and no active exploitation is confirmed; the misleading 'RCE' tag in the intelligence metadata is directly contradicted by the vendor advisory, which explicitly states the issue is not known to allow code execution.

Denial Of Service RCE
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NTLMv2 hash disclosure in the `launch-editor` NPM package (v2.14.0 and earlier) exposes developer credentials on Windows systems when an attacker-controlled UNC path is passed to the package's file-opening HTTP middleware. The attack is achievable by tricking a developer running a local development server such as Vite into visiting an attacker-controlled webpage that issues a cross-origin request to the local `__open-in-editor` endpoint with a crafted `\\attacker-host\share` UNC path, whereupon Windows automatically initiates NTLM authentication without any user prompt, transmitting the victim's NTLMv2 hash to the attacker's SMB server. Publicly available exploit code confirmed via the advisory PoC using Impacket smbserver.py and Responder lowers the barrier significantly; no active exploitation has been confirmed via CISA KEV at time of analysis.

RCE Microsoft Node.js
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

Remote code execution in Edgar Rojas WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) allows unauthenticated remote attackers to inject and execute arbitrary code on the host WordPress site. The CVSS 10.0 score with scope change reflects the severe impact: attackers can fully compromise the WordPress instance and potentially pivot beyond it. No public exploit identified at time of analysis, but the trivial attack vector (AV:N/AC:L/PR:N/UI:N) makes mass exploitation likely once details surface.

Code Injection WordPress RCE +1
NVD
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress +2
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress +2
NVD Exploit-DB GitHub
EPSS 0% CVSS 6.9
MEDIUM POC This Month

WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress +2
NVD Exploit-DB
EPSS 0% CVSS 8.7
HIGH POC This Week

WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Authentication Bypass +3
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unrestricted file upload in Responsive FileManager 9.14.0 (and likely earlier) allows remote unauthenticated attackers to upload arbitrary files - including PHP scripts - via the dialog.php endpoint, leading directly to remote code execution on the hosting web server. The project is unmaintained at the time of CVE assignment, so no vendor patch is forthcoming, and while no public exploit is identified at time of analysis the trivial nature of unrestricted file upload makes weaponization straightforward.

File Upload PHP RCE +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in Foxit AI (versions before 2026-06-15) occurs when the application processes JavaScript embedded in a PDF inside its sandbox but fails to intercept dangerous interfaces, permitting remote script loading. A user must open a malicious PDF for exploitation to succeed, and no public exploit identified at time of analysis with EPSS at only 0.13%. SSVC reports total technical impact but no observed exploitation.

RCE Foxit Ai
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unsafe PHP deserialization in Quick.CMS by OpenSolution lets an on-path attacker who can tamper with the plaintext HTTP channel inject malicious serialized objects that are deserialized when an administrator opens the admin panel, yielding arbitrary code execution on the server. The CVSS 4.0 vector (AV:A/AC:L/AT:P/PR:N/UI:P) reflects that exploitation requires adjacent-network MITM positioning plus an administrator session, and no public exploit identified at time of analysis. CERT-PL reported the issue and OpenSolution shipped a patch for version 6.8 on 14.05.2026 that mitigates the flaw by forcing HTTPS.

Deserialization RCE Quick Cms
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in OpenCPN v5.12.0 allows local authenticated users to run shell commands by embedding shell metacharacters in input passed to the wxExecute() function. CVSS 3.1 rates it 7.8 (High) with local attack vector and low privileges required, and SSVC assesses technical impact as total but with no observed exploitation. No public exploit identified at time of analysis beyond a researcher write-up referenced in the advisory.

Command Injection RCE N A
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in fossar selfoss v2.20-SNAPSHOT allows unauthenticated attackers to execute arbitrary commands and retrieve sensitive data by sending a crafted HTTP request to the loopback request handling component. The flaw carries a CVSS 9.8 score and a public gist (likely containing proof-of-concept material) is referenced, though EPSS exploitation probability remains low at 0.19% and the issue is not listed in CISA KEV.

Code Injection RCE N A
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in YouTransfer v1.0.6 allows unauthenticated attackers to run arbitrary code by sending a crafted request to the sendmail transport integration component. The flaw is a CWE-94 code injection issue with a critical CVSS 9.8 score and publicly available exploit code exists via a referenced GitHub gist, though no active exploitation has been confirmed by CISA KEV.

Code Injection RCE N A
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

An issue in Boyleep K11, y108 firmware v.2.3.0.11291 allows a physically proximate attacker to execute arbitrary code via the factory test feature.

RCE N A Authentication Bypass
NVD
EPSS 0% CVSS 8.0
HIGH This Week

An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.

Denial Of Service Google RCE +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution in kanishka-linux Reminiscence v0.3.0 allows unauthenticated attackers to execute arbitrary OS commands by supplying crafted input to the media archiving and export pipeline component. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact to confidentiality, integrity, and availability, though no public exploit identified at time of analysis and EPSS sits at 0.67% (47th percentile) indicating limited observed exploitation pressure so far.

Command Injection Code Injection RCE +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Arbitrary code execution in flatnotes v5.5.4 is achievable by uploading crafted HTML or SVG files through the attachment handling component, enabling remote attackers to run code in the context of the application. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact on confidentiality, integrity, and availability. Publicly available exploit code exists via a referenced GitHub gist, though there is no public exploit identified as actively exploited in the CISA KEV catalog at time of analysis.

File Upload RCE N A
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

{key} endpoint in bl-plugins/api/plugin.php. Publicly available exploit code exists as a gist, though EPSS rates exploitation probability at only 0.21% (11th percentile).

Authentication Bypass PHP RCE +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in SNMP4J-Agent 3.8.3 is enabled through the snmp4jCfgStoragePath component, allowing remote attackers to run arbitrary code on hosts running the agent. The CWE-73 (External Control of File Name or Path) classification indicates the storage path parameter can be manipulated to influence file operations, and no public exploit identified at time of analysis though a third-party advisory has been published on GitHub. EPSS is low at 0.21% (11th percentile) despite the 9.8 CVSS, suggesting limited current exploitation activity.

RCE N A
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution affects remotion-dev's Remotion framework at version 4.0.409, enabling attackers to execute arbitrary code on systems running the affected version per CWE-94 code injection semantics. The CVSS 9.8 vector indicates network-reachable, unauthenticated exploitation without user interaction, though no public exploit identified at time of analysis and EPSS probability remains low at 0.25% (16th percentile). The vulnerability is reported by MITRE with a third-party advisory on GitHub but lacks detailed exploitation specifics.

Code Injection RCE N A
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote code execution in OpenClaw before 2026.5.12 allows authenticated operators to bypass the PowerShell execution allowlist by submitting encoded-command flag aliases (abbreviated forms) that the allowlist parser fails to recognize. The flaw enables execution of arbitrary PowerShell payloads with full confidentiality, integrity, and availability impact on the host. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

RCE Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Remote code execution in Kitty terminal emulator versions prior to 0.47.0 allows any process or remote peer that can write bytes to the terminal - including SSH sessions, file viewers like cat or less, log tailers, and TUI applications - to execute attacker-supplied Python code inside the running kitty process with full user privileges. Exploitation requires no approval prompt, no shell integration, no clipboard interaction, and no editor involvement, making any rendered untrusted content a viable injection vector. No public exploit identified at time of analysis, but the trivial trigger conditions and broad attack surface make this a high-priority patch.

Python Code Injection RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Code injection in Kitty terminal emulator versions prior to 0.47.3 allows attacker-controlled bytes - including newline characters - to be reflected back into the user's shell input via the OSC 21 (color-control) escape sequence query reply. An attacker who can cause arbitrary bytes to be written to the terminal (malicious file contents, SSH banner, log entry, web page) can inject and execute shell commands at the victim's privilege level. No public exploit identified at time of analysis, but the underlying class of terminal-escape-injection bugs is well documented and exploitation is straightforward once the unsanitized reply path is known.

Code Injection RCE Kitty +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file write in Kitty terminal versions 0.47.0 and 0.47.1 allows a remote drag-and-drop source to overwrite files writable by the local kitty user via a TOCTOU symlink race in kitten dnd staging. The flaw stems from openat() calls lacking O_NOFOLLOW when handling duplicate remote basenames on case-sensitive filesystems, letting an attacker-staged symlink redirect writes outside the staging directory. No public exploit identified at time of analysis, and EPSS is very low (0.03%), though user interaction via drag-and-drop is the gating factor.

RCE Kitty Suse
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Client-side memory corruption in the AWS Common Runtime aws-c-http library can be triggered by a malicious HTTP/2 server that sends a crafted sequence of HEADERS frames manipulating the HPACK dynamic table size, potentially leading to arbitrary code execution in applications that use the library as an HTTP/2 client. The CVSS 4.0 score of 8.7 (High) reflects network reachability with low complexity but requires user/client interaction (initiating a connection to the attacker server). There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Buffer Overflow RCE Aws C Http
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Arbitrary file write in GeoServer's Master Password Dump web page allows an authenticated administrator to write attacker-controlled content to any absolute filesystem path the GeoServer process can write to, including JSP files in a Tomcat webapps directory. Because GeoServer enforces no maximum master password length, an admin can embed malicious JSP code into the master password and dump it to an executable location, escalating to remote code execution on the host. No public exploit identified at time of analysis and the issue is not in CISA KEV.

Microsoft Atlassian RCE +3
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL Emergency

Cryptographic authentication bypass in Naxclow smart home devices (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows remote attackers to forge arbitrary device and account API requests after extracting a single hard-coded salt shared across the entire product line. Because the same salt is embedded in every firmware image and no per-device keys, nonces, or replay protections exist, recovery from one unit compromises the whole fleet, and plain-HTTP control traffic makes interception trivial. No public exploit identified at time of analysis, and the issue was disclosed via CISA ICS-CERT advisory ICSA-26-162-02.

RCE Smart Doorbell X3 X Smart Home +2
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) occurs through an out-of-bounds write triggered when a victim opens a malicious PDF file. Successful exploitation runs attacker code in the context of the current user, making this a classic client-side attack suitable for phishing campaigns. No public exploit identified at time of analysis, but Adobe Reader memory corruption flaws have a long history of being weaponized in targeted attacks.

RCE Memory Corruption Adobe +2
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the UPDATE_COLLECTION permission to execute arbitrary code on the server by submitting a malicious model repository with trust_remote_code=true to the collection update endpoint. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.4 and HiddenLayer's disclosure indicate a high-severity flaw in a widely used AI vector database. The vulnerability sits in the AI/ML supply chain layer, making it particularly relevant for organizations using ChromaDB as a backend for RAG or embedding pipelines.

Python Code Injection RCE +1
NVD VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Man-in-the-middle attacks against AMD's optional desktop tools - AMD Management Console (AMC), AMD Ryzen Master, and AMD μProf - can lead to arbitrary code execution because the affected utilities transport data over plaintext HTTP rather than TLS. An attacker positioned on the network path between a victim workstation and the AMD endpoint can tamper with traffic (most plausibly update or telemetry channels) to substitute malicious content that is then executed by the tool. No public exploit identified at time of analysis and the issue is not in CISA KEV; EPSS data was not provided.

RCE Amd Amd Management Console Amc +2
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Unauthenticated arbitrary file upload in Amasty Order Attributes for Magento 2 before 4.0.0 lets remote attackers drop arbitrary files into the store's media directory without authentication, session validation, or cart context. Where the media directory permits PHP execution, this escalates to unauthenticated remote code execution; otherwise it enables stored XSS via HTML/SVG, malware hosting, and path-traversal writes outside the intended directory. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and trivial preconditions make this a high-priority issue for any Magento 2 store running the extension.

Adobe RCE XSS +4
NVD VulDB GitHub
Prev Page 9 of 355 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy