Skip to main content

Remote Code Execution

other CRITICAL

Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access.

How It Works

Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access. Unlike a single vulnerability class, RCE is an outcome—the catastrophic result of exploiting underlying weaknesses in how applications process input, manage memory, or handle executable content.

Attackers typically achieve RCE by chaining vulnerabilities or exploiting a single critical flaw. Common pathways include injecting malicious payloads through deserialization flaws (where untrusted data becomes executable objects), command injection (where user input flows into system commands), buffer overflows (overwriting memory to hijack execution flow), or unsafe file uploads (placing executable code on the server). Server-Side Template Injection and SQL injection can also escalate to code execution when attackers leverage database or template engine features.

The attack flow usually begins with reconnaissance to identify vulnerable endpoints, followed by crafting a payload that exploits the specific weakness, then executing commands to establish persistence or pivot deeper into the network. Modern exploits often use multi-stage payloads—initial lightweight code that downloads and executes more sophisticated tooling.

Impact

  • Complete system compromise — attacker gains shell access with application privileges, potentially escalating to root/SYSTEM
  • Data exfiltration — unrestricted access to databases, configuration files, credentials, and sensitive business data
  • Lateral movement — compromised server becomes a beachhead to attack internal networks and other systems
  • Ransomware deployment — direct pathway to encrypt files and disable backups
  • Persistence mechanisms — installation of backdoors, web shells, and rootkits for long-term access
  • Supply chain attacks — modification of application code or dependencies to compromise downstream users

Real-World Examples

The n8n workflow automation platform (CVE-2024-21858) demonstrated how RCE can emerge in unexpected places-attackers exploited unsafe workflow execution to run arbitrary code on self-hosted instances. The Log4j vulnerability (Log4Shell) showed RCE at massive scale when attackers sent specially crafted JNDI lookup strings that triggered remote class loading in Java applications worldwide.

Atlassian Confluence instances have faced multiple RCE vulnerabilities through OGNL injection flaws, where attackers inject Object-Graph Navigation Language expressions that execute with server privileges. These required no authentication, enabling attackers to compromise thousands of internet-exposed instances within hours of disclosure.

Mitigation

  • Input validation and sanitization — strict allowlists for all user-controlled data, especially in execution contexts
  • Sandboxing and containerization — isolate application processes with minimal privileges using containers, VMs, or security contexts
  • Disable dangerous functions — remove or restrict features like code evaluation, system command execution, and dynamic deserialization
  • Network segmentation — limit blast radius by isolating sensitive systems and restricting outbound connections
  • Web Application Firewalls — detect and block common RCE patterns in HTTP traffic
  • Runtime application self-protection (RASP) — monitor application behavior for execution anomalies
  • Regular patching — prioritize updates for components with known RCE vulnerabilities

Recent CVEs (31845)

EPSS 2% 5.4 CVSS 7.2
HIGH POC KEV THREAT Act Now

Post-authentication improper control of generation of code ('Code Injection') vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) which in specific conditions could potentially enable a remote authenticated attacker as administrator to execute arbitrary OS commands.

RCE Code Injection Sma1000
NVD VulDB
CVSS 7.7
HIGH PATCH This Week

Arbitrary file write in yutu, a Go-based YouTube CLI and MCP server, lets any caller of the built-in `caption-download` MCP tool place attacker-controlled bytes at any filesystem path the yutu process can write to. The vulnerable `Caption.Download()` calls `os.Create()` on the caller-supplied `file` parameter, bypassing the `YUTU_ROOT` (`pkg.Root`/`os.OpenRoot`) confinement that every other caption write path enforces. Publicly available exploit code exists (a self-contained Docker PoC ships with the advisory); the flaw is not in CISA KEV and no active exploitation is reported, and the vendor has released a fixed version (0.10.9-dev1).

Denial Of Service Debian Python +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Arbitrary file upload in the Podlove Podcast Publisher WordPress plugin (all versions through 4.5.1) allows remote attackers to place attacker-controlled files on the server via the image caching path, potentially escalating to remote code execution. The root cause is incomplete file-type validation in the plugin's image cache handling, where a cached file's extension was trusted rather than re-derived from the actual validated image type. Reported by Wordfence and fixed upstream; no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

RCE WordPress Podlove Podcast Publisher
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege elevation in Microsoft .NET Framework (and .NET 8.0/9.0 plus Visual Studio 2022/2026) via code injection (CWE-94) that lets an unauthorized attacker run code with full confidentiality, integrity, and availability impact after a victim is tricked into interacting with attacker-supplied content. Microsoft reported the issue and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation requires local access and user interaction (UI:R), which meaningfully limits mass-exploitation despite the high 7.8 CVSS score.

RCE Code Injection Net 8 0 +10
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Server-Side Request Forgery in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets a low-privileged, authenticated attacker coerce the server into issuing crafted requests that can escalate to arbitrary code execution in the current user's context and hijack the victim's account or session. The scope-changed CVSS 9.6 rating reflects that the SSRF pivots beyond the vulnerable component itself. No public exploit identified at time of analysis, and no CISA KEV listing; risk is driven by CVSS severity and Adobe's confirmation via advisory APSB26-74 rather than observed exploitation.

SSRF RCE Adobe +3
NVD VulDB
EPSS 1% CVSS 9.6
CRITICAL Act Now

Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) arises from unsafe XML External Entity (XXE) processing that Adobe classifies as leading to arbitrary code execution in the current user's context. A low-privileged, authenticated attacker (PR:L) can trigger the flaw remotely over the network with no user interaction, reading protected files and pivoting to elevated access or session control. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the 9.6 CVSS score and scope-change make it a high-priority patch.

RCE XXE Adobe +3
NVD VulDB
CVSS 9.1
CRITICAL Act Now

Arbitrary file write in Anyquery Server Mode (versions < 0.4.5) allows unauthenticated remote attackers to write files to any path the process can access by abusing SQLite's native ATTACH DATABASE command exposed over the MySQL-compatible listener. Because the server blindly proxies SQL to the underlying SQLite engine, an attacker can create files such as cron jobs, PHP web shells, or SSH authorized_keys and escalate the file write into remote code execution or denial of service. A working step-by-step proof-of-concept is published in the vendor's GitHub Security Advisory (GHSA-xrcf-6jh3-ggvx); there is no CISA KEV entry and no confirmed in-the-wild exploitation at time of analysis.

RCE Denial Of Service Path Traversal +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted media/project file, allowing an attacker to run code in the context of the current user. The flaw is Adobe-reported (advisory APSB26-71) and carries a CVSS 7.8 (High) rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation is local and requires user interaction, weaponization depends on social engineering rather than remote automated attack.

Buffer Overflow Memory Corruption RCE +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted media/project file, letting an attacker run code with the privileges of the current user. The CVSS 3.1 base score is 7.8 (local vector, requires user interaction), and no public exploit has been identified at time of analysis. Reported by Adobe via advisory APSB26-71.

Buffer Overflow Memory Corruption RCE +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (memory corruption) that runs in the context of the current user when a victim opens a maliciously crafted media/project file. All affected versions covered by Adobe advisory APSB26-71 are impacted, and while no public exploit has been identified at time of analysis, the local attack vector with required user interaction makes it a classic file-format weaponization risk. The CVSS 7.8 (High) reflects full confidentiality, integrity, and availability impact once the file is opened.

Buffer Overflow Memory Corruption RCE +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted media/project file, letting an attacker run code in the context of the current user. The flaw was reported by Adobe and is documented in advisory APSB26-71; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation is local and requires user interaction, it is a file-format/client-side memory-corruption issue rather than a remotely-triggerable server flaw.

Buffer Overflow Memory Corruption RCE +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (CWE-787) triggered when a user opens a maliciously crafted media/project file, letting an attacker run code with the privileges of the current user. Affects Adobe Audition and was reported by Adobe under advisory APSB26-71. No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS not provided.

Buffer Overflow Memory Corruption RCE +1
NVD
CVSS 8.0
HIGH This Week

Stored CSV formula injection in FacturaScripts (all versions through 2026.1) lets an authenticated low-privilege user plant spreadsheet formula payloads in ordinary text fields (customer/supplier/product names, contacts) that execute when an administrator opens a routine list export. Because Core/Lib/Export/CSVExport.php::writeData() wraps values without neutralising leading =,+,-,@,tab, or carriage-return characters, and Tools::noHtml() only strips HTML metacharacters, the payload reaches the CSV verbatim and Excel/LibreOffice run it (including DDE process spawning) in the admin's OS context. A live PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no active exploitation confirmed (not in CISA KEV).

PHP CSRF Microsoft +2
NVD GitHub
CVSS 7.5
HIGH This Week

Unauthenticated arbitrary file read in FacturaScripts (all versions through v2026.2) lets remote attackers retrieve protected documents by abusing the static file controllers Files.php and Myfiles.php, which authorize requests on the raw URL prefix rather than the resolved filesystem path. A request such as /Plugins/../MyFiles/Private/invoice.pdf passes the prefix allow-list yet resolves to a private file, leaking customer/supplier invoices, attachments, and .sql database backups. A detailed, reproducible exploit is publicly available in the GitHub Security Advisory; there is no vendor-released patch identified at time of analysis and no evidence of active exploitation.

Apache PHP Canonical +2
NVD GitHub
CVSS 9.9
CRITICAL Act Now

Cross-resource SQL injection in the FacturaScripts REST API (all versions through 2026.1) lets a low-privileged, scoped ApiKey read or modify arbitrary database tables via the `filter` query parameter, enabling full admin account takeover. A single GET request with a parenthesized filter key leaks the admin's bcrypt password hash and `logkey` session token, which are then replayed as the `fsLogkey` cookie to reach admin-only endpoints like `/AdminPlugins`. A live end-to-end PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no public exploit identified as being used in active attacks (not in CISA KEV).

Oracle SQLi PHP +2
NVD GitHub
EPSS 1% CVSS 8.5
HIGH PATCH This Week

OS command injection in the TP-Link Archer VX1800v (v1) router lets an adjacent, high-privileged attacker inject shell metacharacters through the domain name parameter of an HTTP management interface, yielding arbitrary command execution as root and full device takeover. The flaw scores CVSS 4.0 8.5 (High) and a vendor firmware patch is available; no public exploit identified at time of analysis. Note a naming discrepancy in the source data - the free-text description says 'VX800v' while the CPE and tags reference 'VX1800V' - so verify the exact affected model against the TP-Link advisory before acting.

RCE Command Injection Archer Vx1800V V1
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Local arbitrary code execution in Rockwell Automation Studio 5000 Logix Designer arises because the External Tools configuration stores executable paths that contain spaces without quoting (CWE-428). A low-privileged local user who can write a malicious binary into an earlier segment of the resolved search path can have Windows execute it in place of the intended tool, running code with the privileges of the operator using the application. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 score is 7.3 (High), tempered by local access, high attack complexity, a present attack requirement, and required active user interaction.

RCE Studio 5000 Logix Designer
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Local authenticated code execution in Rockwell Automation Studio 5000 Logix Designer allows any low-privileged authenticated user to tamper with the incorrectly-protected external-tools configuration file (CWE-863) and redirect a configured tool path to a malicious executable. Because the payload runs when a different user later invokes the external tools feature, this is effectively a privilege-crossing RCE against the engineering workstation. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; exploitation is gated by high attack complexity, a specific attack requirement, and required victim interaction (CVSS 4.0 base 7.3).

Authentication Bypass RCE Studio 5000 Logix Designer
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Path traversal in Rockwell Automation's Studio 5000 Logix Designer allows an attacker who can deliver a crafted ACD project file to write arbitrary files to attacker-controlled locations on an engineer's workstation. The software fails to sanitize or validate embedded filenames during the ACD project-open procedure, enabling path traversal sequences to escape the intended extraction directory and potentially achieve code execution. No public exploit code or CISA KEV listing has been identified at time of analysis, but the ICS context makes targeted file-delivery attacks via spear-phishing or shared project repositories a realistic threat vector.

Path Traversal RCE Studio 5000 Logix Designer
NVD
EPSS 1% CVSS 6.6
MEDIUM This Month

Stack-based buffer overflow in Fortinet FortiOS, FortiPAM, FortiProxy, and FortiSASE enables arbitrary code execution for a privileged authenticated attacker capable of bypassing ASLR and stack canary protections via crafted HTTP requests. The CVSS temporal metric E:P confirms proof-of-concept exploit code exists, and RL:O confirms an official patch has been released by Fortinet (advisory FG-IR-26-148). This vulnerability is not listed in CISA KEV at time of analysis, and the dual prerequisites of privileged access plus memory-protection bypass substantially constrain real-world exploitability despite the critical CIA impact triad.

Fortinet Buffer Overflow Stack Overflow +5
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Arbitrary file write via path traversal in Tenable Agent 11.2.0 and 11.1.3 and earlier lets a privileged attacker escape the intended plugin directory and drop files at attacker-chosen paths, potentially escalating to remote code execution. The flaw is vendor-reported (Tenable TNS-2026-18) and affects the endpoint scanning agent that typically runs with elevated/service privileges. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal RCE Tenable Agent
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Arbitrary code execution in Rockwell Automation Arena Simulation is possible through an out-of-bounds write in the siman.exe (Siman) simulation-language component, which mishandles user-supplied data when parsing a model file. An attacker who convinces a user to open a crafted Arena file can run code in the context of that user's process. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, so risk is currently theoretical rather than actively exploited.

Buffer Overflow Memory Corruption RCE +1
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Arbitrary code execution in Rockwell Automation Arena Simulation is possible through an out-of-bounds write in the linker.exe (Siman) component, which fails to properly validate user-supplied data parsed from simulation model files. A local attacker who convinces a user to open a specially crafted Arena file can corrupt memory and run code in the context of the current user. No public exploit has been identified at time of analysis, the issue is not in CISA KEV, and no EPSS score was provided, so real-world exploitation appears theoretical rather than observed.

Buffer Overflow Memory Corruption RCE +1
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Arbitrary code execution in Rockwell Automation Arena Simulation is possible through an out-of-bounds write in the expmt.exe (Siman) component, which fails to validate user-supplied data when parsing model/experiment files. A local attacker who convinces an engineer to open a malicious Arena file can run code in the context of the current user. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV; it was self-reported by Rockwell's PSIRT (advisory SD1784).

Buffer Overflow Memory Corruption RCE +1
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Arbitrary code execution in Rockwell Automation Arena Simulation is possible through an out-of-bounds write in the model.exe (Siman) component when a victim opens a maliciously crafted simulation model file. The flaw lets an attacker run code in the context of the current user by tricking an operator or engineer into opening a booby-trapped file, making it a client-side, file-delivery RCE rather than a remotely reachable network service bug. No public exploit has been identified at time of analysis, and no EPSS or CISA KEV data was provided, so real-world exploitation appears limited to social-engineering-driven targeting.

Buffer Overflow Memory Corruption RCE +1
NVD
EPSS 1% CVSS 6.4
MEDIUM This Month

OS command injection in Milestone Systems XProtect Management Server API enables authenticated users with edit permissions to execute arbitrary code as the Management Server Service. The CWE-78 flaw is network-accessible (AV:N) and requires no user interaction beyond possessing a privileged account, with CVSS 4.0 scope change metrics indicating high downstream impact (SC:H/SI:H/SA:H) to the broader surveillance infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis; Milestone has released patched versions addressed in their official advisory.

RCE Command Injection Xprotect Management Server
NVD VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Remote code execution in the Argo CD repo-server component (as shipped in Red Hat OpenShift GitOps and the argoproj argo-helm chart) allows an unauthenticated attacker with network access to the repo-server to run arbitrary code and, under certain conditions, poison cached manifests to push malicious Kubernetes resources into managed clusters, enabling full cluster takeover. The root cause is missing authentication (CWE-306) on a critical internal service that the default Helm chart left network-exposed. There is no public exploit identified at time of analysis, but detailed third-party technical research (Synacktiv) and press coverage exist, and the flaw was reported unpatched at disclosure.

Authentication Bypass Red Hat RCE +5
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Unauthenticated arbitrary file write in Eclipse BaSyx Java Server SDK (2.0.0-milestone-05 through 2.0.0-milestone-12) lets remote attackers plant files anywhere the Java process can write when the server is deployed with the MongoDB file backend, potentially escalating to remote code execution. The AAS thumbnail API trusts a client-supplied fileName that is later reused as a filesystem path, so a traversal or absolute-path filename lands attacker-controlled bytes outside the intended directory. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor-fixed release (2.0.0-milestone-13) is available.

Path Traversal RCE Java +1
NVD VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Insecure deserialization in the SAP Change and Transport System Attach Tool (ctsattach) lets an authenticated, low-privileged attacker achieve remote code execution by supplying a crafted archive that a victim then processes through the tool's library. Successful exploitation yields high confidentiality and integrity impact - attackers can read sensitive data and take control of the host and its processes - with low availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CWE-502 root cause and 7.6 CVSS make this a meaningful patch priority for SAP landscapes.

Deserialization SAP RCE +1
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Arbitrary code execution in SAProuter on Microsoft Windows lets a local attacker plant a malicious DLL in an untrusted search-path location that SAProuter loads at runtime, hijacking the DLL loading process to run attacker code with the privileges of the SAProuter service. The flaw was reported by SAP and carries a CVSS 8.4 with full High impact on confidentiality, integrity, and availability; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because SAProuter typically runs as a persistent network gateway service, successful exploitation can compromise a strategically positioned host in an SAP landscape.

RCE Microsoft Saprouter On Microsoft Windows
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Remote code execution in the Lorex 2K Indoor Wi-Fi Security Camera lets a network-adjacent, unauthenticated attacker run arbitrary code as root by abusing a CWE-134 format string flaw in the camera's 'sonia' binary. A user-supplied string within a JSON request is passed directly into a format specifier by the CDeviceOperator component, giving full device takeover. Discovered and reported through ZDI (ZDI-26-398 / ZDI-CAN-25884); no public exploit identified at time of analysis.

RCE 2K Indoor Wi Fi Security Camera
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Denial-of-service in AnyDesk allows a local attacker with low-privileged code execution to crash or destabilize the application by abusing improper junction resolution during screen recording file operations. The AnyDesk service fails to validate symbolic link or NTFS junction targets before accessing screen recording files, enabling redirection of privileged file creation to arbitrary filesystem paths. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, the low privilege requirement combined with AnyDesk's common deployment on multi-user systems warrants patching. Note: the provided tag 'RCE' appears to be a mislabeling - the CVE description and CVSS impact metrics consistently describe a DoS-only outcome with no code execution.

RCE Anydesk
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Insecure-default configuration in the Argo CD (argoproj/argo-helm) Helm chart before 10.0.0 ships without any Kubernetes NetworkPolicy, so every pod sharing the cluster can reach the repo-server and other internal Argo CD APIs that are normally meant to be isolated. A low-privileged workload that an attacker already controls can chain this unrestricted intra-cluster access into full cluster compromise and remote code execution. Reported by VulnCheck; no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates real-world impact high (CVSS 4.0 base 8.6).

RCE Argo Helm
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

AnyDesk's 'Send Support Information' feature is exploitable by local low-privileged attackers via a Windows junction (directory reparse point) attack that forces the AnyDesk service to write files to an attacker-chosen path, producing a denial-of-service condition. Affected installations span all tracked AnyDesk versions per the NVD CPE wildcard, with no confirmed fixed version at time of analysis. No public exploit code has been identified and this vulnerability is not listed in CISA's KEV catalog; however, note that the source intelligence tags this as 'RCE,' which directly conflicts with the CVE description and CVSS vector (C:N/I:N/A:H) - the actual confirmed impact is availability-only denial-of-service.

RCE Anydesk
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Remote code execution affects the Lorex 2K Indoor Wi-Fi Security Camera through improper TLS certificate validation in its device management server, allowing a network-adjacent attacker to impersonate the management server and, when chained with additional flaws, run code as root without any user interaction. The issue was reported through Trend Micro's Zero Day Initiative (ZDI-26-399, formerly ZDI-CAN-26851). There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

RCE 2K Indoor Wi Fi Security Camera
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Local privilege escalation in Glarysoft Glary Utilities lets an already-present low-privileged attacker abuse the Disk Clean feature to delete arbitrary files and ultimately execute code as SYSTEM. Discovered and reported through the Zero Day Initiative (ZDI-26-402, ZDI-CAN-27004), it stems from the privileged cleanup service following filesystem junctions (CWE-59) planted by the attacker. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but ZDI-sourced advisories are typically high-fidelity and reproducible.

RCE Privilege Escalation Glary Utilities
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by installing a plugin ZIP that contains a webshell. Because 'php' is explicitly whitelisted in ALLOWED_EXTENSIONS and the DENIED_EXTENSIONS denylist fails to catch standard .php files, any PHP file inside the archive is extracted directly under the web root and becomes immediately executable over HTTP without the plugin ever being enabled. The /plugins/install-url route additionally allows the archive to be sourced from any attacker-controlled HTTPS URL, validated only against an attacker-supplied SHA-256 hash. No public exploit identified at time of analysis and it is not on CISA KEV.

PHP File Upload RCE +1
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases arises from an Uncontrolled Search Path Element weakness that lets attacker-controlled files or libraries be loaded when a victim opens a malicious file, running code in the context of the current user. The bug carries a scope change (S:C), meaning execution can affect resources beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so real-world risk currently hinges on social-engineering a local user into opening a crafted file.

RCE Coldfusion
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and earlier arises from an uncontrolled search path element (library-hijacking-style) flaw that runs attacker code in the context of the current user when a victim opens a malicious file. The CVSS 3.1 base score is 8.2 with a changed scope, and exploitation is gated by user interaction and low-privilege local access. No public exploit has been identified at time of analysis and it is not listed in CISA KEV.

RCE Coldfusion
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Incorrect equality comparison in CedarJava (cedar-java) versions before 4.9.0 causes EntityIdentifier.equals() to return true when comparing against null and false when comparing an object to itself, due to inverted null/self-reference branches. Cedar's actual authorization decisions are unaffected because they are computed in Rust from JSON, but integrators who call equals() on entity identifiers in their own Java logic may make incorrect trust or access decisions. No public exploit identified at time of analysis; the issue is fixed in 4.9.0.

RCE Code Injection Java +1
NVD GitHub
CVSS 8.1
HIGH PATCH This Week

Man-in-the-middle code injection in DIRAC's grid pilot bootstrap affects the DIRACGrid Python distributed-computing framework, where the PilotWrapper explicitly disables TLS certificate validation when fetching the second-stage pilot.tar. Because both the payload and its reference checksum traverse the same unverified HTTPS channel, an attacker positioned on the grid site's network can substitute arbitrary code that runs in the pilot context with access to its proxy/credentials. No public exploit identified at time of analysis; exploitation requires an active network intercept, which the vendor notes is non-trivial, but the CVSS is 8.1 due to full CIA impact.

RCE Python
NVD GitHub
CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution in DIRAC (Distributed Infrastructure with Remote Agent Control) grid middleware lets any authenticated user run arbitrary commands on the server through the FileCatalog DatasetManager. A SQL injection (CWE-89) in the checkDataset code path lets the attacker control a value that is fed directly into a Python eval(), turning a data-layer flaw into full server compromise. Rated CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H); no public exploit identified at time of analysis, though the vendor advisory names the exact vulnerable source lines.

SQLi RCE
NVD GitHub
EPSS 1% CVSS 9.5
CRITICAL Act Now

Remote code execution in the ServiceNow AI Platform allows an unauthenticated attacker, under certain (unspecified) circumstances, to execute arbitrary code within the ServiceNow platform, carrying a critical CVSS 4.0 base score of 9.5. ServiceNow has patched hosted instances directly and issued fixes to self-hosted customers and partners; there is no public exploit identified at time of analysis, and the vendor states it is not currently aware of exploitation. The high CVSS complexity metric (AC:H) indicates the exploit is not trivially reproducible against arbitrary instances, tempering the otherwise maximal impact rating.

RCE Servicenow Ai Platform Code Injection
NVD VulDB
EPSS 1% CVSS 7.7
HIGH PATCH This Week

Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

PHP Nginx RCE +3
NVD GitHub
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Arbitrary file write in the Plank Laravel-Mediable package (before 7.0.0) lets an attacker who influences the destination directory of MediaUploader::toDestination() plant uploaded files outside the intended storage path, culminating in remote code execution. The flaw stems from a weak File::sanitizePath() regex that permits both '.' and '/' characters plus an ineffective trailing trim(), so '../' traversal sequences survive sanitization and files can land in the document root, .env, or config directories. No public exploit has been identified at time of analysis, but a vendor patch (7.0.0) exists and the issue was reported by VulnCheck.

RCE Path Traversal Laravel Mediable
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Rejetto HTTP File Server (HFS) versions 3.0.0 through 3.2.0 performs state-changing administrative operations via HTTP GET requests while exempting GET from its anti-CSRF header validation, enabling two distinct attack paths: a classic CSRF attack requiring a logged-in administrator to visit a crafted URL, and a fully unauthenticated path exploitable from localhost against default installations. Successful exploitation allows account creation, configuration modification, and ultimately remote code execution on the HFS host. Patch version 3.2.1 is available; no public exploit or CISA KEV listing has been identified at time of analysis.

RCE CSRF Hfs
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Administrator session forgery in Rejetto HFS (HTTP File Server) versions 3.0.0 through 3.2.0 lets a remote unauthenticated attacker derive the server's session-cookie signing key. Because HFS seeds that key from JavaScript's non-cryptographic Math.random() and simultaneously leaks outputs of the same generator to clients during login, an attacker can sample a few login responses, reconstruct the PRNG state, and mint a valid admin cookie - yielding full administrative control and remote code execution through the server_code configuration feature. No public exploit is identified at time of analysis, but the flaw was reported by VulnCheck/Horizon3.ai and a vendor patch (v3.2.1) exists.

RCE Hfs
NVD GitHub VulDB
CVSS 9.9
CRITICAL PATCH Act Now

Authenticated remote code execution in DIRAC's RequestManagementSystem lets any logged-in grid user run arbitrary commands as the DIRAC service account, enabling full compromise of the DIRAC installation. The flaw stems from an eval() call reachable through the export_getRequestCountersWeb service method, and successful exploitation exposes dirac.cfg secrets, database credentials, and all stored user proxies and tokens. Rated CVSS 9.9; no public exploit code has been released, though the vendor advisory documents a complete working exploitation path.

RCE Code Injection
NVD GitHub
CVSS 4.8
MEDIUM PATCH This Month

Stored XSS in Decidim's HTML content blocks allows any administrator with landing-page editing rights to persist arbitrary JavaScript that executes in every visitor's browser. The vulnerability affects the decidim-core RubyGem across three release branches (below 0.30.9, 0.31.5, and 0.32.0) and was confirmed through a professional security audit by Radically Open Security. No public exploit code or CISA KEV listing exists; vendor-released patches are available and the fix has been merged upstream.

RCE Code Injection XSS
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

Remote code execution in ThemisNETPanel (vendor 4real) allows unauthenticated network attackers to fully compromise the underlying server by abusing a file-upload endpoint that lacks any authentication check. An attacker submits a base64-encoded PHP payload, writes it as an arbitrary PHP file, and executes it in the web application's context. Reported by CERT-PL with a CVSS 4.0 base score of 9.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass File Upload RCE +2
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stack-based buffer overflow in gawk's readdir extension (extension/readdir.c, ftype() routine) affects all gawk releases through version 5.4.0, enabling a local attacker to crash the process and theoretically achieve code execution. The RCE angle is explicitly unconfirmed by the reporter (CERT-PL), making denial-of-service the primary demonstrated impact at this time. No public exploit identified at time of analysis; an upstream source-level patch commit is available on GNU Savannah.

Stack Overflow RCE Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote code execution in Mura CMS versions prior to 10.0.712 allows unauthenticated attackers to execute arbitrary CFML and instantiate malicious Java objects by abusing the unvalidated 'method' parameter in POST requests to the /index.cfm/_api/json/v1/default JSON API endpoint. Because the ColdFusion engine processes the attacker-controlled input without sanitisation, a single crafted request yields full compromise (VC:H/VI:H/VA:H). No public exploit identified at time of analysis, though CISA SSVC flags the flaw as automatable with total technical impact.

XSS RCE Java +1
NVD
EPSS 1% CVSS 9.2
CRITICAL Act Now

Remote unauthenticated code execution in Thales CERT's "Suspicious" email-analysis application (versions 1.3.4 and earlier), dubbed "Matryoshka Mail," lets an attacker abuse path traversal in attachment handling to overwrite writable application files-Python modules, configuration, cron inputs, and runtime artifacts-yielding root-level execution inside the Django container. Because the affected code runs Python and processes attacker-supplied mail, overwriting an imported module effectively converts arbitrary file write into RCE, plus persistent denial of service and possible exposure of application secrets and integrations. No public exploit identified at time of analysis and the issue is not in CISA KEV, but it carries a CVSS 4.0 base score of 9.2 and vendor-credited discovery by Lucien Doustaly (wlayzz).

Denial Of Service Path Traversal RCE +2
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Arbitrary code execution in the EVBEE DC-80 EV charging station stems from a firmware update mechanism that ships without cryptographic signature validation (CWE-347), letting an attacker who reaches the update capability push a malicious firmware image and have it executed by the device. Reported by DIVD (advisory DIVD-2026-00001) with a CVSS 4.0 base score of 9.3 and a 'Jwt Attack' angle noted in triage tags, the flaw grants full compromise of the charger. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

RCE Jwt Attack Dc 80
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote code injection in the Realtyna Organic IDX WordPress plugin (real-estate-listing-realtyna-wpl) affects all versions up to and including 5.2.0, allowing remote attackers to inject and execute arbitrary code (described as 'Remote Code Inclusion') against affected WordPress sites. Patchstack assigned a maximum CVSS 3.1 base score of 10.0 with an unauthenticated network vector and scope change, indicating full compromise of the host. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Code Injection RCE Realtyna Organic Idx Plugin
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Server-Side Template Injection in Centreon's centreon-open-tickets module enables authenticated users to achieve remote code execution on the Centreon Infra Monitoring server. The message_confirm field is persisted without sanitization and later rendered by the Smarty template engine with no security policy applied, so injected template directives execute as server-side code. Rated CVSS 9.6 with a scope change; no public exploit identified at time of analysis and no EPSS score supplied, but the low authentication barrier and RCE outcome make this a high-priority patch.

Code Injection RCE Infra Monitoring
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Code injection in DedeCMS 5.7.118 exposes high-privileged remote attackers to arbitrary PHP code execution via the Column Name parameter in the Column Management component of `/plus/search.php`. The exploit document on GitHub describes a cache file writing mechanism through which attacker-supplied input is persisted to disk and subsequently executed by the PHP runtime. A public proof-of-concept exists; no active exploitation is confirmed in the CISA KEV catalog.

Code Injection PHP RCE +1
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in Shenzhou Shihan Video Conference System v1.0 lets a remote, unauthenticated attacker inject arbitrary SQL through the /user/getUserLogin endpoint, enabling full database compromise and, per the MITRE report, arbitrary code execution. The flaw is network-reachable against default installs with no authentication or user interaction (CVSS 9.8). No CISA KEV listing exists and EPSS is low (0.27%, 18th percentile); disclosure references (a GitHub CVE issue and a cnblogs write-up) suggest public exploitation details circulate, though weaponized exploit code was not independently confirmed in this analysis.

SQLi RCE N A
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Remote code injection in pig-mesh Pig's pig-codegen module through version 3.9.2 allows low-privileged authenticated attackers to execute arbitrary code server-side via the GeneratorServiceImpl component, reachable over the network. A publicly available proof-of-concept exploit exists at GitHub (sombra0316/CVE-2026), elevating the urgency for defenders. No vendor patch has been released, and the vendor did not respond to responsible disclosure, leaving affected deployments without an official remediation path.

Code Injection Java RCE +1
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC Monitor

Code injection in SonicCloudOrg sonic-agent through version 2.7.2 allows remote unauthenticated attackers to inject and execute arbitrary code via the ExchangeController endpoint, which bypasses or is excluded from the JWT Authentication Filter. The vulnerability carries a public proof-of-concept exploit named 'Unauth_ExchangeSend', confirming the endpoint is reachable without authentication. Critically, the affected product is end-of-life with no vendor support, and the maintainer did not respond to disclosure - no patch is forthcoming.

Code Injection Java RCE +1
NVD VulDB GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Use-after-free in ImageMagick before 7.1.2-26 exposes servers that process untrusted images to denial of service and potential code execution via a dangling pointer in the FormatMagickCaption method when memory allocation fails. The CVSS 4.0 vector scores this at 6.3, reflecting high attack complexity (AC:H) and specific prerequisite conditions (AT:P), though intelligence tags flag RCE - a claim the vendor CVSS impact metrics do not fully corroborate, as only low availability impact is scored. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Memory Corruption Denial Of Service Use After Free +2
NVD GitHub VulDB
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating the LLM that drives the CodeAgent component. Because CodeAgent._execute_python() runs LLM-generated code with no AST validation, import restrictions, or sandbox, an attacker who can shape model output via prompt injection can exfiltrate all environment secrets and gain full control of the agent host. VulnCheck reports the flaw with a maximum CVSS 4.0 score of 10.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Code Injection Python RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in the Code Engine WordPress plugin (all versions ≤ 0.3.5) lets authenticated users with Contributor-level access or higher run arbitrary PHP/code on the server via the 'code-engine' shortcode, because the plugin fails to restrict access to its code-injection functionality. Reported by Wordfence, the flaw carries a CVSS 8.8 (high) rating; there is no public exploit identified at time of analysis, though the technique (abusing a shortcode that intentionally executes snippets) is straightforward for anyone with authoring rights. This turns the plugin's core 'run PHP snippets' feature into a privilege-escalation path from low-trust content contributors to full server code execution.

Command Injection WordPress RCE +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary file upload in the Swiss Toolkit For WP WordPress plugin (versions ≤ 1.4.6) lets authenticated Author-level (and higher) users bypass file-type validation and upload executable PHP, potentially achieving remote code execution on the host. The flaw stems from the upload_extension_files() function using a substring match instead of a real extension check when the optional 'Enhanced Multi-Format Image Support' feature is enabled. Reported by Wordfence with a CVSS of 8.8; no public exploit identified at time of analysis.

WordPress RCE File Upload +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated remote code execution in the Smackcoders WP Ultimate CSV Importer WordPress plugin (versions up to and including 8.0.1) lets a low-privileged Subscriber run arbitrary PHP on the server. Missing capability checks on the install_addon, saveMappedFields, and StartImport AJAX handlers, plus a plugin nonce leaked to any authenticated admin-page viewer, let an attacker install the WooCommerce add-on, persist PHP expressions in the MappedFields parameter, and force their evaluation through eval() in ImportHelpers::get_meta_values(). No public exploit is identified at time of analysis, and the flaw is not in CISA KEV; with an EPSS signal not provided, the CVSS 8.8 and trivial subscriber prerequisite make it a high patch priority.

Code Injection WordPress PHP +2
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the LA-Studio Element Kit for Elementor WordPress plugin (all versions through 1.6.1) lets authenticated contributors and above coerce the get_type_template function into including arbitrary server-side .php files, enabling access-control bypass, sensitive data disclosure, and full PHP code execution where an attacker can plant a .php file. Reported by Wordfence with a CVSS 3.1 base score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw stems from wp_normalize_path being relied upon for path safety even though it only canonicalizes separators and never rejects traversal sequences.

WordPress LFI Path Traversal +4
NVD
EPSS 1% CVSS 8.7
HIGH Act Now

Authenticated arbitrary file write in OpenPLC Runtime v3 lets a logged-in user of the legacy web UI escalate to native code execution on the host running the automation controller. The program-upload workflow stores the attacker-supplied prog_file filename in the Programs.File database field and later reuses it unvalidated as a destination path; because Python os.path.join() honors absolute paths, files can be written anywhere the webserver process can write. Reported by ICS-CERT (CISA ICS advisory ICSA-26-190-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python RCE Openplc
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Spinnaker's Rosco bakery service allows an authenticated user to run arbitrary code on Rosco pods by supplying a manifest that abuses unsafe YAML tag processing during Kustomize bake operations. The flaw (CWE-502 unsafe deserialization) affects release lines prior to 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4, and grants full compromise of the affected pod (C:H/I:H/A:H). No public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor-published GitHub Security Advisory (GHSA-p68j-q7hf-3qcp) and multiple fix commits confirm the issue is real and patched.

Deserialization RCE Spinnaker
NVD GitHub VulDB
CVSS 7.8
HIGH POC PATCH This Week

Arbitrary Python code execution in BabelDOC (funstory-ai, pip package `babeldoc`) prior to 0.6.3 allows an attacker to run code in the context of the translation process by having a victim process a crafted PDF. The vendored pdfminer CMap loader (`cmapdb.py::_load_data`) strips only NUL bytes from a PDF-controlled CMap/Encoding name and passes it to `pickle.loads()`, so a hex-encoded absolute path in the PDF's `/Encoding` name redirects deserialization to an attacker-planted `.pickle.gz` file. A detailed, working proof-of-concept exists (publicly available exploit code exists); there is no CISA KEV listing and no public evidence of active exploitation at time of analysis.

Deserialization Python Canonical +6
NVD GitHub
EPSS 2% CVSS 8.7
HIGH PATCH This Week

Privilege escalation to root in the HestiaCP web hosting control panel (versions before 1.9.5) lets any low-privilege authenticated user run arbitrary OS commands as root by injecting a single-quote into an unvalidated DNS record type field. The flaw chains weak input validation in is_dns_record_format_valid() with unsafe eval-based zone parsing in update_domain_zone(), turning a routine DNS record creation into full host takeover. No public exploit is identified at time of analysis, but VulnCheck has published a detailed advisory and the vendor shipped a fix in 1.9.5.

Command Injection RCE Hestiacp
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Code execution via path traversal in JetBrains IntelliJ IDEA before 2026.1.4 and 2026.2 lets an attacker abuse improper sanitization of the project workspace ID to write or reference files outside the intended workspace directory, culminating in arbitrary code execution. The flaw was self-reported by JetBrains and a fix is available; no public exploit has been identified at time of analysis. The NVD-assigned CVSS of 9.8 (network, no privileges, no user interaction) is notably high for a desktop IDE flaw and warrants scrutiny given that IDE project-handling bugs typically require a victim to open a crafted project.

Path Traversal RCE Intellij Idea
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Sensitive configuration exfiltration in Grav CMS before 2.0.2 lets an authenticated page author bypass the Twig sandbox and read the full config tree, including plugin SMTP credentials, API keys, and database passwords. The flaw is an incomplete fix for the earlier GHSA-j274-39qw-32c9 sandbox escape: the redacted 'config' facade is still trivially bypassed through the allow-listed grav.offsetGet('config') call. No public exploit has been identified at time of analysis, though the bypass technique is fully described in the vendor advisory.

Code Injection PHP RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api.py run arbitrary Python, because that value is interpolated directly into an f-string that is later executed as generated server code via subprocess.Popen(). The CVSS 4.0 base score is 9.4 and the vector requires high privileges (PR:H), meaning the attacker must already be able to reach and drive the deployment API. No public exploit has been identified at time of analysis and it is not on the CISA KEV list.

Code Injection Python RCE +1
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Arbitrary Python code execution in PraisonAI (praisonaiagents) before 1.6.78 occurs when AgentFlow._resolve_pydantic_class resolves a string output_pydantic reference in a workflow step, causing the framework to import a sibling tools.py from the workflow file's directory via importlib exec_module without any sandboxing. Because this loader ignores the PRAISONAI_ALLOW_*_TOOLS environment guardrails, an attacker who supplies a malicious workflow file plus its tools.py runs code with the workflow runner's privileges the moment the workflow is executed via WorkflowManager or loaded through load_yaml. No public exploit is identified at time of analysis, and the flaw is not listed in CISA KEV.

Python RCE Praisonai
NVD GitHub
EPSS 0% CVSS 3.9
LOW Monitor

Heap overflow in libarchive's PAX extended header parser allows exploitation via a maliciously crafted tar archive containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation of the affected system could result in a denial of service condition or, in more serious cases, arbitrary code execution under the privileges of the process invoking libarchive. No public exploit code or active exploitation has been confirmed at time of analysis, though a GitHub pull request (#3253) indicating an upstream fix is available suggests the issue is reproducible and patch-ready. The official CVSS score of 3.9 (Low) conflicts materially with the vendor-applied RCE tag, a discrepancy that warrants independent validation.

Denial Of Service RCE Heap Overflow +1
NVD GitHub VulDB
EPSS 1% CVSS 6.6
MEDIUM This Month

Local File Inclusion in the Happyforms WordPress plugin (all versions through 1.26.12) allows authenticated administrators to include and execute arbitrary PHP files on the server via the happyforms_get_form_partial() function, enabling full remote code execution when the attacker can also upload PHP files. The vulnerability is rooted in unsanitized filename handling (CWE-98) within the form template rendering logic, as evidenced by the affected files class-wp-customize-form-manager.php and helper-form-templates.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the Administrator-level access prerequisite substantially limits the realistic attacker population.

WordPress LFI RCE +3
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Arbitrary code execution in Samsung's libpadm.so system library on Galaxy devices allows a local, low-privileged attacker to corrupt memory via an out-of-bounds write and run code in the context of the vulnerable component prior to the SMR Jul-2026 Release 1. The flaw was reported internally by Samsung Mobile Security and carries a CVSS 4.0 base score of 8.4 (high). No public exploit identified at time of analysis and it is not listed in CISA KEV.

Buffer Overflow RCE
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation to arbitrary code execution in Samsung's fabricKeymaster trustlet affects Galaxy devices running builds prior to the SMR Jul-2026 Release 1 security patch level. A local attacker who already holds privileged (root/system-level) access on the device can exploit a time-of-check-to-time-of-use race condition to run arbitrary code within the Keymaster trusted application, undermining the hardware-backed key store. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw was reported directly by Samsung's own mobile security team.

RCE
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege-escalating code execution in Samsung's libsavsac.so native library (used in Galaxy devices running firmware prior to the SMR Jul-2026 Release 1) allows a low-privileged local attacker to trigger an out-of-bounds write and execute arbitrary code in the context of the affected component. The flaw was reported by Samsung's own Mobile Security team and carries a CVSS 4.0 base score of 8.4 (High). No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Buffer Overflow RCE
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated arbitrary file upload in the Instant Appointment WordPress plugin (all versions ≤ 1.2) lets remote attackers upload files of any type through the 'insapp_upload_image_as_attachment' function, which lacks file-type validation, potentially enabling remote code execution by planting a PHP webshell. Any WordPress site running the plugin is exploitable without authentication or user interaction, matching its 9.8 CVSS rating. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

WordPress RCE File Upload
NVD
EPSS 1% CVSS 7.2
HIGH This Week

Remote code execution in the Post Export Import with Media WordPress plugin (all versions ≤ 1.13.1) is possible because a trailing-dot filename bypass (e.g. 'shell.php.') defeats the extension allow-list in ajax_import_media_start(), letting an administrator-level user smuggle an executable PHP file into the uploads directory during a media import. Reported by Wordfence, the flaw carries CVSS 7.2 and has no public exploit identified at time of analysis; exploitation requires existing administrator (PR:H) access, making it primarily a hardening/defense-in-depth bypass rather than a mass-exploitable entry point.

WordPress PHP RCE +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in the Salon Booking System - Free Version WordPress plugin (all versions ≤ 10.30.32) lets a remote attacker write attacker-controlled PHP into the plugin's web-accessible translate-constants.php file by abusing the unprotected setCustomText AJAX handler. Because the handler lacks proper nonce validation (CWE-352 CSRF), an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link can achieve full server-side code execution. Reported by Wordfence with a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV.

WordPress CSRF RCE +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote code execution in the Super Forms - Drag & Drop Form Builder WordPress plugin (all versions through 6.3.313) allows attackers to upload executable files via the nopriv submit_form AJAX handler, which lacks both file-type validation (CWE-434) and any capability check. The plugin's only guardrail is a session nonce, but the companion super_create_nonce nopriv action lets any visitor mint a valid sf_nonce and session cookie on demand, collapsing the attack to two unauthenticated HTTP requests. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivial exploitability make this a high-priority patch item.

WordPress RCE File Upload +1
NVD GitHub
CVSS 5.9
MEDIUM POC PATCH This Month

Boundary validation failure in GoBGP's BGP OPEN capability parser allows a remote peer to send a malformed OPEN message that causes concrete capability decoders to read beyond the declared CapLen field, enabling attacker-controlled bytes to be interpreted as capability values - most critically, as a 4-octet AS number that influences peer AS validation and BGP session establishment decisions. Affected is GoBGP v4 (pkg:go/github.com_osrg_gobgp_v4), with the 4-octet AS capability (code 65) identified as the highest-impact case. A parser-level proof-of-concept is publicly described in GitHub Security Advisory GHSA-gjrg-jjr3-56cm; no active exploitation has been confirmed and this CVE does not appear in the CISA KEV catalog. IMPORTANT METADATA CONFLICT: The provided intelligence tags label this as 'RCE, Buffer Overflow, Information Disclosure' - all three directly contradict the CVE description, which explicitly states the issue is not arbitrary memory corruption, remote code execution, or information disclosure; security teams must disregard those tags.

RCE Buffer Overflow Information Disclosure
NVD GitHub
MEDIUM POC PATCH This Month

Path traversal in psd-tools through v1.17.0 exposes any application processing untrusted PSD files to arbitrary file write and secondary arbitrary file read via the SmartObject API. SmartObject.save() consumes the embedded smart-object filename verbatim from the PSD binary - without basename stripping, absolute-path rejection, or directory-escape filtering - allowing a crafted PSD to write attacker-supplied bytes to any path the process can reach. A secondary issue in SmartObject.open() for external-kind objects uses the attacker-controlled fullPath descriptor as a read source, enabling file exfiltration to the write destination. A standalone proof-of-concept is publicly confirmed in the advisory; the fix is vendor-confirmed in v1.17.1 (PR #657). No public exploit identified at time of analysis beyond the advisory-embedded POC, and no CISA KEV listing was found.

Python Path Traversal Buffer Overflow +3
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Arbitrary OS command execution in Vim prior to 9.2.0736 arises from the bundled PHP omni-completion script (runtime/autoload/phpcomplete.vim), which interpolates an attacker-controlled class or trait name from the edited buffer into a search() pattern executed via win_execute() without escaping. When a victim opens a crafted PHP file and invokes omni-completion, a name containing a single quote breaks out of the search string and the trailing text is honored as Ex commands, letting an attacker run shell commands through :! . There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is fixed and the mechanism is well documented in the vendor advisory.

Code Injection PHP RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Arbitrary Ex command execution in Vim before 9.2.0735 arises from its C omni-completion script (runtime/autoload/ccomplete.vim), which interpolates the unescaped typeref: or typename: field of a tags entry into a :vimgrep pattern passed to :execute. Because :vimgrep treats the bar character as a command separator, a crafted tag field can terminate the search pattern and append an attacker-controlled command that runs with the privileges of the editing user when a victim opens a malicious .c file and triggers C omni-completion. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 4.0 base score of 8.4 reflects high confidentiality, integrity, and availability impact.

Code Injection RCE Vim
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary file disclosure in docuForm GmbH Client v11.11c allows a remote, low-privileged attacker to read sensitive server files through the dfm-menu_report.php component by supplying attacker-controlled path input. The NVD description asserts arbitrary code execution and the vendor gist tags it 'RCE'/'Authentication Bypass', but the concrete described capability is reading configuration files, source code, and system files, with code execution unsubstantiated in the available data. No public exploit is confirmed via a flag, though a third-party gist reference (ZeroBreach-GmbH) is published and likely carries proof-of-concept detail; EPSS is low at 0.35% (27th percentile) and the CVE is not on CISA KEV.

Authentication Bypass RCE PHP
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated remote code execution in docuForm GmbH Client v11.11c lets low-privileged users abuse the report.php file-upload component to run arbitrary code on the server. The flaw combines an authorization-bypass weakness (CWE-639) with unrestricted file upload, so an attacker with any valid account can escalate to full server compromise. No public exploit identified at time of analysis, though a third-party gist referenced in NVD may contain technical write-up material; EPSS is low (0.24%, 15th percentile) and the CVE is not in CISA KEV.

Authentication Bypass File Upload RCE +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Broken object-level authorization in docuForm GmbH Client v11.11c lets an authenticated remote user manipulate the user settings component to read and modify other users' account data, with the reporter additionally claiming this can escalate to arbitrary code execution. The flaw stems from user-controlled object references (CWE-639) that the application fails to authorize against the requesting session. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; EPSS is low at 0.27% (18th percentile).

Authentication Bypass Information Disclosure RCE
NVD GitHub
Prev Page 2 of 354 Next

Quick Facts

Typical Severity
CRITICAL
Category
other
Total CVEs
31845

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy