Remote Code Execution
Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access.
How It Works
Remote Code Execution (RCE) is not a single vulnerability class but an outcome: the catastrophic result of exploiting underlying weaknesses in how applications process input, manage memory, or handle executable content.
Attackers typically achieve RCE by chaining vulnerabilities or exploiting a single critical flaw. Common pathways include injecting malicious payloads through deserialization flaws (where untrusted data becomes executable objects), command injection (where user input flows into system commands), buffer overflows (overwriting memory to hijack execution flow), or unsafe file uploads (placing executable code on the server). Server-Side Template Injection and SQL injection can also escalate to code execution when attackers leverage database or template engine features.
The attack flow usually begins with reconnaissance to identify vulnerable endpoints, followed by crafting a payload that exploits the specific weakness, then executing commands to establish persistence or pivot deeper into the network. Modern exploits often use multi-stage payloads—initial lightweight code that downloads and executes more sophisticated tooling.
Impact
- Complete system compromise — attacker gains shell access with application privileges, potentially escalating to root/SYSTEM
- Data exfiltration — unrestricted access to databases, configuration files, credentials, and sensitive business data
- Lateral movement — compromised server becomes a beachhead to attack internal networks and other systems
- Ransomware deployment — direct pathway to encrypt files and disable backups
- Persistence mechanisms — installation of backdoors, web shells, and rootkits for long-term access
- Supply chain attacks — modification of application code or dependencies to compromise downstream users
Real-World Examples
The n8n workflow automation platform (CVE-2024-21858) demonstrated how RCE can emerge in unexpected places: attackers exploited unsafe workflow execution to run arbitrary code on self-hosted instances. The Log4j vulnerability (Log4Shell) showed RCE at massive scale when attackers sent specially crafted JNDI lookup strings that triggered remote class loading in Java applications worldwide.
Atlassian Confluence instances have faced multiple RCE vulnerabilities through OGNL injection flaws, where attackers inject Object-Graph Navigation Language expressions that execute with server privileges. These required no authentication, enabling attackers to compromise thousands of internet-exposed instances within hours of disclosure.
Mitigation
- Input validation and sanitization — strict allowlists for all user-controlled data, especially in execution contexts
- Sandboxing and containerization — isolate application processes with minimal privileges using containers, VMs, or security contexts
- Disable dangerous functions — remove or restrict features like code evaluation, system command execution, and dynamic deserialization
- Network segmentation — limit blast radius by isolating sensitive systems and restricting outbound connections
- Web Application Firewalls — detect and block common RCE patterns in HTTP traffic
- Runtime application self-protection (RASP) — monitor application behavior for execution anomalies
- Regular patching — prioritize updates for components with known RCE vulnerabilities
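Two of the pathways described under How It Works, command injection and unsafe file upload, shown as the weak pattern beside the allowlist-based hardening the Mitigation list calls for. This is an added example, not code from the page or from any product listed below; the function names and the ping and image-upload scenarios are hypothetical, and it assumes uploads are stored under a directory the web server never executes scripts from.

```python
import re
import secrets
import subprocess
from pathlib import PurePosixPath

# Allowlist for a hostname argument: labels of letters, digits and hyphens joined
# by dots, never starting with '-' (which a command would parse as an option).
# Shell metacharacters such as ';', '|', '$(' and whitespace can never match.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def is_valid_host(host: str) -> bool:
    return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None

def build_command_vulnerable(host: str) -> str:
    # Vulnerable pathway: user input is concatenated into a string meant for a shell
    # (os.system / shell=True). "example.com; id" silently becomes two commands.
    return "ping -c 1 " + host

def build_command_hardened(host: str) -> list[str]:
    # Hardened form: allowlist check first, then an argv list. With a list and
    # shell=False no shell ever parses the value, so metacharacters are inert.
    if not is_valid_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]

def run_hardened(argv: list[str]) -> subprocess.CompletedProcess:
    # shell=False is already the default; stated explicitly because shell=True
    # would reintroduce the injection even when an argv list is passed.
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)

# Unsafe file upload pathway. The denylist below is the weak pattern behind several
# entries in the CVE list (forgetting .phar or .svg); the hardened version allowlists
# the final extension, checks magic bytes and discards the client-supplied name so
# no double extension or path component survives.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

def is_blocked_vulnerable(filename: str) -> bool:
    # Vulnerable: denylist of "known bad" extensions; .phar, .phtml and .svg slip through.
    return filename.rsplit(".", 1)[-1].lower() in {"php", "exe"}

def is_acceptable_upload(filename: str, data: bytes) -> bool:
    ext = PurePosixPath(filename).suffix.lstrip(".").lower()
    return ext in IMAGE_MAGIC and data.startswith(IMAGE_MAGIC[ext])

def store_upload_hardened(filename: str, data: bytes) -> str:
    # Returns a server-chosen file name (32 hex chars plus the allowlisted extension)
    # for writing under a non-executable upload directory (deployment assumption).
    if not is_acceptable_upload(filename, data):
        raise ValueError(f"upload rejected: {filename!r}")
    ext = PurePosixPath(filename).suffix.lstrip(".").lower()
    return f"{secrets.token_hex(16)}.{ext}"

if __name__ == "__main__":
    # Constructed sample inputs.
    print(build_command_vulnerable("example.com; id"))      # injection survives
    print(build_command_hardened("example.com"))             # argv list, no shell
    print(is_blocked_vulnerable("shell.phar"))               # False: denylist bypass
    print(is_acceptable_upload("shell.php.png", b"<?php "))  # False: magic mismatch
    print(store_upload_hardened("photo.png", IMAGE_MAGIC["png"] + b"\x00" * 8))
```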
Recent CVEs (4458)
Cain & Abel versions up to 4.9.56 contain a vulnerability that allows attackers to potentially execute arbitrary code with elevated privileges (CVSS 7.8).
Its ConnectifyService executable contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 8.4).
Private Internet Access 3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. [CVSS 8.4 HIGH]
Cobian Backup versions up to 0.9.93 contain a vulnerability that allows attackers to execute arbitrary code with elevated system privileges (CVSS 7.8).
Audio Conversion Wizard v2.01 has a buffer overflow in the registration code field that enables RCE through a crafted payload. PoC available.
Wow21 versions up to 5.0.1.9 contain a vulnerability that allows attackers to potentially execute arbitrary code with elevated system privileges (CVSS 7.8).
Tdarr 2.00.15 media transcoding server has unauthenticated RCE through command injection in the Help terminal. Commands can be chained without any input filtering. PoC available.
VIVE Runtime Service 1.0.0.4 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. [CVSS 8.4 HIGH]
Ptpublisher versions up to 2.3.4 contain a vulnerability that allows attackers to potentially execute arbitrary code with elevated privileges (CVSS 7.8).
Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. [CVSS 8.8 HIGH]
e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. [CVSS 7.2 HIGH]
Wondershare UBackit 2.0.5 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. [CVSS 8.4 HIGH]
Dr.Fone versions up to 11.4.9 contain a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 8.4).
Dr.Fone versions up to 12.0.18 contain a vulnerability that allows attackers to execute arbitrary code with elevated system privileges (CVSS 8.4).
Nanocms versions up to 0.4 are affected by unrestricted upload of a file with a dangerous type (CVSS 8.8).
VIAVIWEB Wallpaper Admin 1.0 allows unauthenticated PHP file upload through the add_gallery_image.php endpoint. PoC available.
CoolerMaster MasterPlus 1.8.5 contains an unquoted service path vulnerability in the MPService that allows local attackers to execute code with elevated system privileges. [CVSS 8.4 HIGH]
Splashtop Software Updater Service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 8.4).
Covenant C2 framework (0.1.3-0.5) allows forging JWT tokens with admin roles due to hardcoded credentials. Attackers can upload and execute DLL payloads for RCE. PoC available.
GuardDog security scanner before 2.7.1 has a path traversal in safe_extract() that allows malicious PyPI packages to write files outside the extraction directory. Ironic vulnerability in a tool designed to detect malicious packages. Patch available.
Arbitrary code execution in Substance 3D Modeler 1.22.4 and earlier via out-of-bounds write vulnerability when processing malicious files. An attacker can execute code with the privileges of the user who opens a crafted file, requiring social engineering for successful exploitation. No patch is currently available for this vulnerability.
Arbitrary code execution in Substance 3D Modeler versions 1.22.4 and earlier results from an out-of-bounds write vulnerability triggered when users open malicious files. An attacker can leverage this to execute code with the privileges of the current user, with no patch currently available to remediate the issue.
A local privilege-escalation vulnerability has been discovered in the HPE Aruba Networking Virtual Intranet Access (VIA) client. Successful exploitation of this vulnerability could allow a local attacker to achieve arbitrary code execution with root privileges. [CVSS 7.8 HIGH]
Arbitrary code execution in Substance 3D Designer 15.0.3 and earlier results from an out-of-bounds write vulnerability triggered when users open specially crafted files. An attacker can leverage this to execute code with the privileges of the affected user, though exploitation requires social engineering to deliver the malicious file. No patch is currently available.
Arbitrary code execution in Substance 3D Sampler 5.1.0 and earlier through an out-of-bounds write vulnerability that requires a user to open a malicious file. An attacker can execute commands with the privileges of the current user on the affected system. No patch is currently available for this vulnerability.
Arbitrary code execution in Adobe Substance 3D Painter versions 11.0.3 and earlier through an out-of-bounds write flaw allows attackers to execute commands with user privileges when a victim opens a crafted file. The vulnerability requires user interaction but carries high impact potential across confidentiality, integrity, and availability. No patch is currently available for affected users.
Arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. [CVSS 7.2 HIGH]
ArubaOS contains a vulnerability that allows an authenticated malicious actor to create or modify arbitrary files and execute (CVSS 7.2).
Arbitrary code execution in Adobe Dreamweaver 21.6 and earlier stems from an incorrect authorization flaw that allows attackers to bypass security controls when a user opens a malicious file. An attacker can execute code with the privileges of the current user, potentially compromising the system. No patch is currently available for this vulnerability.
Arbitrary code execution in Adobe Dreamweaver versions 21.6 and earlier allows local attackers to execute commands with user privileges by delivering malicious files that bypass input validation. Successful exploitation requires social engineering to convince a user to open a crafted file, with impact extending beyond the application context. No patch is currently available for this high-severity vulnerability.
Improper input validation in Adobe Dreamweaver 21.6 and earlier allows arbitrary code execution with user privileges through a malicious file. An attacker can exploit this vulnerability by tricking a user into opening a crafted file, with no special privileges required. A patch is currently unavailable, making this a significant risk for affected Dreamweaver users.
OpenC3 COSMOS (space mission control software, 5.0.0-6.10.1) has unauthenticated RCE through the JSON-RPC API. String parameters are evaluated as Ruby code via convert_to_value. Maximum CVSS 10.0 with scope change.
Hub v2.0 property management system allows unauthenticated arbitrary file upload via /utils/uploadFile. Malicious PDF files can be uploaded and may achieve code execution.
OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters [CVSS 8.4 HIGH]
Opencode versions up to 1.0.216 are affected by missing authentication for a critical function (CVSS 8.8).
Remote code execution in Emlog v2.6.1 and earlier allows authenticated attackers to upload arbitrary files through an insufficiently validated REST API endpoint (/index.php?rest-api=upload), enabling malicious PHP execution on the server. Attackers can exploit this by obtaining valid API credentials through administrator access or information disclosure flaws, then uploading executable scripts to achieve full system compromise. Public exploit code exists for this vulnerability, and affected administrators should apply available patches immediately.
WebErpMesv2 is a web-based Resource Management and Manufacturing Execution System for industry. [CVSS 5.4 MEDIUM]
Sourcecodester Covid-19 Contact Tracing System 1.0 allows unauthenticated RCE through unrestricted PHP file upload in the user image functionality. PoC available.
orval (TypeScript API client generator) before 7.18.0 has code injection via OpenAPI specification summary fields in MCP server generation. Malicious API specs can inject arbitrary code into generated TypeScript. PoC available, patch available.
Automai BotManager v25.2.0 allows unauthenticated remote code execution via the BotManager.exe component due to improper certificate validation. Attackers can execute arbitrary code on systems running the bot management agent.
Director versions up to 25.2.0 are affected by unrestricted upload of a file with a dangerous type (CVSS 8.8).
Fickling before version 0.1.7 allows local attackers to achieve arbitrary code execution through Python pickle deserialization by chaining unblocked ctypes and pydoc modules, bypassing the tool's safety scanner which incorrectly reports malicious files as LIKELY_SAFE. An attacker with user interaction can exploit this vulnerability to execute code with the privileges of the Python process. A patch is available in version 0.1.7 and later.
Arbitrary command execution in OpenProject versions 16.6.1 and below allows authenticated administrators to execute system commands by manipulating the sendmail binary path configuration and triggering a test email function. An admin-level attacker can leverage this to achieve full system compromise with high impact on confidentiality, integrity, and availability. No patch is currently available, and exploitation requires high privileges but no user interaction.
A DLL hijacking vulnerability in Axtion ODISSAAS ODIS v1.8.4 allows attackers to execute arbitrary code via a crafted DLL file. [CVSS 6.5 MEDIUM]
EDIMAX BR-6208AC V2 router allows command injection through the pppUserName field via system() without sanitization. PoC available.
AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget.
Unauthenticated command injection via the hostname field enables remote code execution, with CVSS 10.0 and scope change. This is a separate vulnerability from CVE-2025-64090.
Command injection via the hostname field allows authenticated code execution, with a maximum CVSS of 10.0 and scope change.
Galaxy Store versions up to 4.6.02 contain a vulnerability that allows attackers to execute arbitrary script (CVSS 7.8).
RuoYi-Vue-Plus (through 5.5.1) allows arbitrary file read/write through QLExpress expression evaluation in the snailjob workflow node checker. Attackers can use the File class to access any file on the server. PoC available.
JimuReport through 2.1.3 has RCE via user-controlled H2 JDBC URLs. The application passes attacker-supplied JDBC connection strings directly to the H2 driver, which supports directives for arbitrary Java code execution. PoC available.
QloApps hotel management system (through 1.7.0) allows unauthenticated web shell upload through the hotel review feature. Attackers can achieve immediate remote code execution. PoC available.
Remote code execution in Ubiquiti airMAX and airFiber wireless products allows adjacent attackers to execute arbitrary code on affected devices via a flaw in the airMAX Wireless Protocol without requiring authentication. Vulnerable versions include airMAX AC 8.7.20 and earlier, airMAX M 6.3.22 and earlier, airFiber AF60-XG 1.2.2 and earlier, and airFiber AF60 2.6.7 and earlier. Patches are available for all affected products.
Remote code execution in Ubiquiti airMAX wireless devices (UBB, UBB-XG, UDB-Pro/UDB-Pro-Sector) allows adjacent network attackers to execute arbitrary code by exploiting a protocol vulnerability without authentication. Affected versions include UBB-XG 1.2.2 and earlier, UDB-Pro/UDB-Pro-Sector 1.4.1 and earlier, and UBB 3.1.5 and earlier. No patch is currently available, though vendors have released mitigation versions.
Veeam allows Backup Operators to execute code as postgres via malicious interval or order parameters. Another operator-to-RCE escalation path with scope change.
Veeam allows Backup Administrators to execute code as postgres via a malicious password parameter. Scope change means OS-level compromise from application-level admin access.
This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file. [CVSS 7.8 HIGH]
Remote code execution in OpenMetadata versions before 1.11.4 through Server-Side Template Injection in FreeMarker email templates allows authenticated administrators to execute arbitrary code on the affected system. Public exploit code exists for this vulnerability, and attackers with admin-level access can leverage unsafe template processing to compromise the metadata platform. A patch is available in version 1.11.4 and should be applied immediately.
Openeclass versions up to 4.2 are affected by unrestricted upload of a file with a dangerous type (CVSS 7.2).
Arbitrary code execution in PIONEER CORPORATION product installers through DLL search path manipulation allows local attackers with user interaction to execute malicious code with installer privileges. The vulnerability affects multiple products and requires user interaction to trigger, potentially compromising system integrity during software installation. No patch is currently available.
The WP Cost Estimation plugin for WordPress is vulnerable to arbitrary file uploads and deletion due to missing file type validation in the lfb_upload_form and lfb_removeFile AJAX actions in versions up to, and including, 9.642. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. Additionally, the attacker can also delete files on the server such as database configuration files, subsequently...
n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with scope change enabling full compromise of both self-hosted and cloud instances. EPSS 12.5% indicates high exploitation activity. Patch available.
Llama.cpp server endpoints fail to validate the n_discard parameter from JSON input, allowing negative values that trigger out-of-bounds memory writes when the context buffer fills. This memory corruption vulnerability affects LLM inference operations and can be exploited remotely without authentication to crash the service or achieve code execution; public exploit code exists and no patch is currently available.
devolo dLAN Cockpit 4.3.1 contains an unquoted service path vulnerability in the 'DevoloNetworkService' that allows local non-privileged users to potentially execute arbitrary code. [CVSS 8.4 HIGH]
pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. [CVSS 7.5 HIGH]
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". [CVSS 8.8 HIGH]
Unsafe deserialization in Bio-Formats up to version 8.3.0 allows local attackers to execute arbitrary code or cause denial of service by crafting malicious .bfmemo cache files that are automatically loaded during image processing without validation. The Memoizer class deserializes untrusted data from these files, enabling potential remote code execution if suitable Java gadget chains are available on the classpath. No patch is currently available for this vulnerability (CVSS 7.8).
A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to execute arbitrary code via uploading a crafted PDF file/Malware [CVSS 6.8 MEDIUM]
WP Enable WebP (WordPress plugin) is affected by unrestricted upload of a file with a dangerous type (CVSS 8.8).
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the se...
Undocumented proxy API is affected by inclusion of functionality from an untrusted control sphere (CVSS 7.5).
The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. [CVSS 7.2 HIGH]
An uncontrolled DLL loading path vulnerability exists in AsusSoftwareManagerAgent. A local attacker may influence the application to load a DLL from an attacker-controlled location, potentially resulting in arbitrary code execution. [CVSS 7.8 HIGH]
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. [CVSS 7.2 HIGH]
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. [CVSS 8.8 HIGH]
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. [CVSS 8.1 HIGH]
Passy v1.6.3 password manager allows authenticated administrators to execute arbitrary OS commands via crafted HTTP requests. The scope change from application to OS makes this critical despite requiring high privileges.
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE) vulnerability exists in Coolify's application deployment workflow. [CVSS 8.8 HIGH]
muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability. [CVSS 8.8 HIGH]
An issue in realme Internet browser v.45.13.4.1 allows a remote attacker to execute arbitrary code via a crafted webpage in the built-in HeyTap/ColorOS browser [CVSS 5.4 MEDIUM]
Themify Shopo WordPress theme (through 1.1.4) allows authenticated users to upload web shells. Despite requiring low-level authentication, the scope change to CVSS 9.9 means any subscriber account can achieve full server compromise.
QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. [CVSS 8.8 HIGH]
Bagisto before 2.3.10 has a second server-side template injection vulnerability, this time via the type parameter. Like CVE-2026-21448, this enables remote code execution through the Blade template engine. Patch available in 2.3.10.
Bagisto eCommerce platform before 2.3.10 is vulnerable to server-side template injection (SSTI) through customer address fields during checkout. A normal customer can inject Blade template code that executes when viewed in the admin panel, achieving RCE. PoC available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
gpsd (before commit dc966aa) has a heap buffer overflow in the NMEA2000 satellite view handler (PGN 129540). A malicious satellite count value overwrites the skyview array, enabling code execution on GPS daemon processes. PoC available, patch available.
QNAP Malware Remover before 6.6.8.20251023 has a code generation vulnerability that allows remote attackers to bypass the protection mechanism. An ironic vulnerability in a security tool that is supposed to protect QNAP NAS devices.
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. [CVSS 7.2 HIGH]
Signal K Server (for boats) before 2.19.0 allows unauthenticated attackers to hijack the backup restore function by polluting the internal restoreFilePath state via the /validateBackup endpoint. This enables overwriting security.json and other critical files to achieve OS command injection.
Quick Facts
- Typical Severity: CRITICAL
- Category: other
- Total CVEs: 4458