Remote Code Execution

n8n workflow automation platform has an authenticated code execution vulnerability (CVSS 9.9) through improper runtime behavior modification, enabling server takeover.

Arbitrary code execution in Autodesk 3ds Max occurs when users open max files from maliciously crafted project directories that exploit an untrusted search path vulnerability. Local attackers can leverage this to execute arbitrary code with the privileges of the current user without requiring special permissions or interaction beyond opening a file. No patch is currently available for this high-severity vulnerability affecting 3ds Max users.

Malicious USD files trigger an out-of-bounds write vulnerability in Autodesk Arnold and 3ds Max, enabling arbitrary code execution within the affected application when a user loads or imports the crafted file. Local attackers with user interaction can exploit this to gain full system compromise with the privileges of the running process. No patch is currently available.

Arbitrary code execution in Autodesk 3ds Max occurs when processing specially crafted GIF files due to an out-of-bounds write flaw. Attackers can exploit this vulnerability locally to execute malicious code with the privileges of the application user. No patch is currently available for affected systems.

Coto versions up to 11.4.0 is affected by unrestricted upload of file with dangerous type (CVSS 6.5).

The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be...

Docker Desktop for Windows contains multiple incorrect permission assignment vulnerabilities in the installer's handling of the C:\ProgramData\DockerDesktop directory. [CVSS 6.7 MEDIUM]

Arbitrary command execution with system privileges in Android's FacAtFunction component allows a privileged physical attacker to bypass input validation controls prior to the February 2026 Security Maintenance Release 1. An adversary with physical access and elevated privileges can exploit this vulnerability to execute arbitrary commands at the system level. No patch is currently available.

Android versions up to 14.0 contains a vulnerability that allows attackers to execute arbitrary commands (CVSS 6.8).

WP FOFT Loader (WordPress plugin) is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

file import process of Comic Book Reader v1.0.95 contains a vulnerability that allows attackers to overwrite critical internal files, potentially leading to arbitrary code executi (CVSS 6.5).

School Erp Pro versions up to 1.0 is affected by unrestricted upload of file with dangerous type (CVSS 7.2).

CI4MS (CodeIgniter 4 CMS skeleton) has a code injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary PHP code through the CMS module system.

School ERP Pro 1.0 allows students to upload arbitrary PHP files, enabling remote code execution from a low-privileged student account.

CraftCMS 3 vCard Plugin 1.0.0 has an insecure deserialization vulnerability allowing unauthenticated remote code execution through crafted vCard data.

CloudMe 1.11.2 cloud sync application has a buffer overflow enabling remote code execution through the network sync protocol.

An out-of-bounds read vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user.

A type confusion vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user.

An untrusted search path vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code.

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tdpserver modules) allows adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a maliciously formed field.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code. [CVSS 8.0 HIGH]

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted set of network packets containing an excessive number of host entries This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. [CVSS 8.4 HIGH]

pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. [CVSS 6.5 MEDIUM]

FUXA v1.2.7 allows remote code execution through the project import functionality by importing crafted project files containing malicious code.

A950Rg Firmware versions up to 4.1.2cu.5204_b20210112 is affected by classic buffer overflow (CVSS 6.5).

TOTOLINK A950RG router firmware has a buffer overflow in setUrlFilterRules that allows remote attackers to execute code through the router's management interface.

Open Eclass Platform versions up to 1.7.3 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

WCAssistantService contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

Syncbreeze versions up to 12.4.18 contains a vulnerability that allows attackers to execute arbitrary code with elevated system privileges (CVSS 7.8).

its service configuration contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

Disk Sorter Enterprise 12.4.16 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]

OS DataHub Maps (WordPress plugin) is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

Arbitrary code execution in Roland Cloud Manager installer versions 3.1.19 and earlier results from insecure DLL loading, enabling local attackers to execute malicious code with application-level privileges. An attacker with local access and user interaction can exploit this vulnerability to compromise systems running the affected installer. No patch is currently available to remediate this vulnerability.

Fabric Operating System contains a vulnerability that allows attackers to an authenticated, remote attacker with administrative credentials to execute ar (CVSS 7.2).

Notepad++ versions prior to 8.8.9 contain an update integrity verification vulnerability (CVE-2025-15556) when using the WinGUp updater. The update mechanism fails to cryptographically verify downloaded metadata and installers, allowing man-in-the-middle attackers to serve malicious executables during the update process. KEV-listed, this supply chain risk affects one of the most widely used text editors on Windows.

Sandbox escape in SandboxJS before 0.8.27 via __lookupGetter__ prototype chain access. CVSS 10.0 — complete sandbox bypass. PoC and patch available.

Remote code execution in Group Office versions prior to 6.8.150, 25.0.82, and 26.0.5 allows authenticated attackers to execute arbitrary commands through unsanitized language parameters passed to system zip operations in the MaintenanceController. The vulnerability can be exploited by combining a crafted zip file upload with command injection, and public exploit code exists. Update to patched versions immediately.

Information exposure in vLLM inference engine versions 0.8.3 to before 0.14.1. Invalid image requests to the multimodal endpoint cause sensitive data logging. Patch available.

Critical path traversal in Wildfire IM instant messaging server before 1.4.3 allows unauthenticated access to arbitrary files. EPSS 0.25%, patch available.

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.

IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution. [CVSS 7.6 HIGH]

In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). [CVSS 7.0 HIGH]

Arbitrary file write in H2O-3 machine learning platform version 3.46.0.1 allows remote attackers to write data to any file on the server.

Local File Inclusion in parisneo/lollms-webui /reinstall_extension endpoint allows authenticated users to include arbitrary local files. EPSS 0.26%.

The unified WEBUI application of the ONT/Beacon device contains an input handling flaw that allows authenticated users to trigger unintended system-level command execution. [CVSS 8.0 HIGH]

EMP_NSWLSV service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

TFTP Turbo 4.6.1273 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. [CVSS 7.8 HIGH]

DHCP Turbo 4.61298 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can place malicious executables in the service path to gain elevated privileges when the service starts. [CVSS 7.8 HIGH]

BOOTP Turbo 2.0.1214 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]

SpyHunter 4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]

Iskysoft Application Framework Service 2.4.3.241 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated privileges. [CVSS 7.8 HIGH]

NetBackup INET Daemon service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).

BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. [CVSS 6.4 MEDIUM]

Pre-authentication RCE in AirControl 1.4.2 network management allows unauthenticated system command execution. PoC available.

Buffer overflow in Quick Player 1.3 via crafted .m3l playlist file allows arbitrary code execution. PoC available.

Buffer overflow in 10-Strike Bandwidth Monitor 3.9 bypasses SafeSEH, ASLR, and DEP protections. PoC available.

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. [CVSS 8.8 HIGH]

Multiple command injection vulnerabilities in CAI (Cybersecurity AI) framework up to 0.5.10 allow OS command execution through the security testing platform.

Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process. [CVSS 7.8 HIGH]

Outline Service 1.3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]

Authenticated command injection in HIKSEMI NAS devices allows privileged users to execute arbitrary commands through improper input validation on the device interface. Attackers with valid credentials can craft malicious messages to achieve unauthenticated code execution on affected systems. No patch is currently available for this vulnerability.

Path traversal in Crafty Controller game server management allows authenticated attackers to read/write files outside the intended directory. CVSS 9.9 with scope change.

Remote code execution in Crafty Controller's Backup Configuration feature results from insufficient path traversal validation, enabling authenticated attackers to manipulate files and execute arbitrary code on affected systems. The vulnerability requires valid credentials and specific conditions to exploit but carries high impact due to its ability to compromise system integrity and confidentiality. No patch is currently available.

An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions up to 2025 is affected by unrestricted upload of file with dangerous type.

Runtipi versions 4.5.0 through 4.7.1 contain an unauthenticated path traversal vulnerability in the UserConfigController that allows remote attackers to overwrite the docker-compose.yml configuration file through insecure URN parsing. An attacker can inject a malicious stack configuration that executes arbitrary code when the instance restarts, achieving full remote code execution and host compromise. Public exploit code exists and no patch is currently available.

Kimi Agent SDK is a set of libraries that expose the Kimi Code (Kimi CLI) agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync() as shell command strings. [CVSS 2.9 LOW]

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to achieve remote code execution on the mobile device management server. Compromising the MDM server provides access to all managed mobile device configurations, policies, and potentially the ability to push malicious profiles to enrolled devices.

Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that allows unauthenticated remote attackers to execute arbitrary code. With EPSS 64.8% and KEV listing, this vulnerability in the mobile device management platform threatens the security of every managed mobile device in the organization, as EPMM has the ability to push configurations, certificates, and apps to enrolled devices.

Remote code execution in TP-Link VIGI C385 cameras results from improper input validation in the Web API that allows authenticated attackers to trigger buffer overflows and corrupt memory. An attacker with valid credentials can exploit this vulnerability to execute arbitrary code with elevated privileges on affected devices. No patch is currently available for this high-severity issue.

Remote code execution in AutoGPT Platform prior to v0.6.44 allows authenticated users to execute disabled blocks and write arbitrary Python code to the server filesystem. The vulnerability stems from insufficient validation of the disabled flag in block execution endpoints, enabling attackers to achieve code execution via the BlockInstallationBlock component. Public exploit code exists, and self-hosted instances with Supabase signup enabled are particularly vulnerable to account creation and exploitation.

CodeMeter 6.60 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]

Unauthenticated RCE in Tea LaTeX 1.0 via command injection in /api endpoint. EPSS 0.29% with PoC available.

MedDream PACS Server 6.8.3.751 contains an authenticated remote code execution vulnerability that allows authorized users to upload malicious PHP files. [CVSS 8.8 HIGH]

Stack buffer overflow in Free MP3 CD Ripper 2.8 allows remote code execution via crafted WAV files. PoC available.

Erugo file-sharing platform up to version 0.2.14 has a CVSS 10.0 path traversal allowing authenticated users to read any file on the server including secrets and configuration.

Arbitrary code execution in iccDEV versions before 2.3.1.2 occurs when malformed ICC color profiles containing NaN floating-point values are parsed, causing undefined behavior during type conversion that corrupts memory structures. Local attackers can exploit this by crafting malicious ICC profiles that applications process, and public exploit code exists for this vulnerability. The issue affects any system using the iccDEV library to handle ICC profile data, with a patch available in version 2.3.1.2.

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. [CVSS 7.0 HIGH]

Explorance Blue before 8.14.13 has an authenticated remote file download vulnerability in a web service that allows downloading arbitrary files from the server.

Explorance Blue before 8.14.9 has an authenticated file upload vulnerability allowing administrators to upload executable files to the server.

PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. [CVSS 6.5 MEDIUM]

Zortam Mp3 Media Studio 27.60 has a buffer overflow in the library file selection dialog that allows code execution through crafted library files.

An HTML injection vulnerability in Amidaware Inc Tactical RMM v1.3.1 and earlier allows authenticated users to inject arbitrary HTML content during the creation of a new agent via the POST /api/v3/newagent/ endpoint. The agent_id parameter accepts up to 255 characters and is improperly sanitized using DOMPurify.sanitize() with the html: true option enabled, which fails to adequately filter HTML input. The injected HTML is rendered in the Tactical RMM management panel when an administrator att...

Snow Monkey Forms WordPress plugin has an arbitrary file deletion vulnerability through insufficient path validation, enabling attackers to delete critical WordPress files.