Skip to main content

Remote Code Execution

other CRITICAL

Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access.

How It Works

Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access. Unlike a single vulnerability class, RCE is an outcome—the catastrophic result of exploiting underlying weaknesses in how applications process input, manage memory, or handle executable content.

Attackers typically achieve RCE by chaining vulnerabilities or exploiting a single critical flaw. Common pathways include injecting malicious payloads through deserialization flaws (where untrusted data becomes executable objects), command injection (where user input flows into system commands), buffer overflows (overwriting memory to hijack execution flow), or unsafe file uploads (placing executable code on the server). Server-Side Template Injection and SQL injection can also escalate to code execution when attackers leverage database or template engine features.

The attack flow usually begins with reconnaissance to identify vulnerable endpoints, followed by crafting a payload that exploits the specific weakness, then executing commands to establish persistence or pivot deeper into the network. Modern exploits often use multi-stage payloads—initial lightweight code that downloads and executes more sophisticated tooling.

Impact

  • Complete system compromise — attacker gains shell access with application privileges, potentially escalating to root/SYSTEM
  • Data exfiltration — unrestricted access to databases, configuration files, credentials, and sensitive business data
  • Lateral movement — compromised server becomes a beachhead to attack internal networks and other systems
  • Ransomware deployment — direct pathway to encrypt files and disable backups
  • Persistence mechanisms — installation of backdoors, web shells, and rootkits for long-term access
  • Supply chain attacks — modification of application code or dependencies to compromise downstream users

Real-World Examples

The n8n workflow automation platform (CVE-2024-21858) demonstrated how RCE can emerge in unexpected places-attackers exploited unsafe workflow execution to run arbitrary code on self-hosted instances. The Log4j vulnerability (Log4Shell) showed RCE at massive scale when attackers sent specially crafted JNDI lookup strings that triggered remote class loading in Java applications worldwide.

Atlassian Confluence instances have faced multiple RCE vulnerabilities through OGNL injection flaws, where attackers inject Object-Graph Navigation Language expressions that execute with server privileges. These required no authentication, enabling attackers to compromise thousands of internet-exposed instances within hours of disclosure.

Mitigation

  • Input validation and sanitization — strict allowlists for all user-controlled data, especially in execution contexts
  • Sandboxing and containerization — isolate application processes with minimal privileges using containers, VMs, or security contexts
  • Disable dangerous functions — remove or restrict features like code evaluation, system command execution, and dynamic deserialization
  • Network segmentation — limit blast radius by isolating sensitive systems and restricting outbound connections
  • Web Application Firewalls — detect and block common RCE patterns in HTTP traffic
  • Runtime application self-protection (RASP) — monitor application behavior for execution anomalies
  • Regular patching — prioritize updates for components with known RCE vulnerabilities

Recent CVEs (31889)

EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in phpBB 3.3.15 allows unauthenticated remote attackers to execute arbitrary code through the Admin Control Panel icon management functionality via a malicious link or webpage that tricks an authenticated administrator into performing unwanted actions. The attack requires user interaction (UI:R) and targets only integrity (CVSS score 4.3), though the CVE tags reference RCE, suggesting potential for elevated impact under specific conditions. No public exploit code has been independently confirmed at the time of this analysis.

RCE CSRF
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in Sonatype Nexus Repository 3.22.1-3.90.2 allows authenticated attackers with task creation permissions to execute arbitrary code via unsafe deserialization in the task management component. Exploitation bypasses the nexus.scripts.allowCreation security control, granting unauthorized code execution on the server. CVSS 9.4 (Critical). No public exploit identified at time of analysis. Attack requires low-privileged authentication (PR:L) and network access but no user interaction.

RCE Deserialization
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Authenticated users can leak IP addresses of other users viewing Code Quality reports in GitLab EE through specially crafted malicious content injection. The vulnerability affects GitLab EE versions 18.0.0 through 18.10.2, requires user interaction (report viewing), and has been patched in versions 18.8.9, 18.9.5, and 18.10.3. No public exploit code or active exploitation has been confirmed; the vulnerability was discovered and reported through the GitLab responsible disclosure program.

RCE Gitlab Code Injection
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote code execution in dfir-unfurl versions through 20250810 via exposed Werkzeug debugger. Improper string-based config parsing enables Flask debug mode by default, allowing unauthenticated remote attackers to access the interactive debugger interface and execute arbitrary Python code or extract sensitive application data including source code, environment variables, and stack traces. No public exploit identified at time of analysis.

RCE Python
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

DLL and shared-library hijacking in ufrisk MemProcFS versions prior to 5.17 enables local arbitrary code execution through six distinct attack surfaces. Unsafe library-loading patterns-including unqualified LoadLibraryU and dlopen calls for vmmpyc, libMSCompression, and plugin DLLs-allow attackers to plant malicious libraries in the working directory or manipulate LD_LIBRARY_PATH. Exploitation requires user interaction (CVSS UI:P) but no authentication (PR:N), achieving high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.

RCE Memprocfs
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Hayabusa versions before 3.8.0 contain a stored cross-site scripting (XSS) vulnerability in HTML report generation that allows authenticated attackers to inject arbitrary JavaScript into the Computer field of JSON-exported logs, which executes in a forensic examiner's browser when viewing the generated HTML report. The vulnerability requires user interaction (report viewing) and results in information disclosure or session compromise, affecting forensic analysis workflows that process untrusted or adversary-controlled log data.

RCE Information Disclosure XSS +1
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Path traversal in ALEAPP (Android Logs Events And Protobuf Parser) 3.4.0 and earlier enables arbitrary file writes outside the report directory through malicious NQ_Vault.py artifact parser database entries. Attackers embedding traversal sequences (e.g., ../../../target.bin) in file_name_from database values can overwrite system executables or configuration files, achieving local code execution. Exploitation requires user interaction to process a crafted Android database artifact. CVSS:4.0 base score 8.4 (High). No public exploit identified at time of analysis.

Path Traversal Google RCE
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Path traversal in The Sleuth Kit (tsk_recover) through version 4.14.0 allows local attackers to write files outside intended recovery directories via malicious filesystem images. Crafted filenames with ../ sequences in processed disk images can overwrite arbitrary files, enabling potential code execution through shell configuration or cron file manipulation. Exploitation requires user interaction (processing attacker-supplied filesystem image). No public exploit identified at time of analysis.

Path Traversal RCE Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome prior to 147.0.7727.55 allows attackers to escape renderer sandbox via malicious HTML page. A remote attacker who has already compromised the renderer process can achieve arbitrary code execution within the sandbox through insufficient input validation in Chrome's Media component. Requires user interaction (visiting crafted page). EPSS score of 0.05% (16th percentile) indicates low observed exploitation probability; no confirmed active exploitation (not in CISA KEV). Vendor patch released in Chrome 147.0.7727.55.

Google RCE Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Use After Free Memory Corruption Google +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's ANGLE graphics layer on macOS prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser's sandbox via malicious HTML pages. The vulnerability stems from insufficient input validation (CWE-20) in ANGLE, Chrome's OpenGL ES implementation layer. While rated 8.8 CVSS due to complete confidentiality/integrity/availability impact, EPSS exploitation probability is low (0.05%, 16th percentile) with no public exploit identified at time of analysis and no confirmed active exploitation (CISA KEV).

Google RCE Chrome
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution within Chrome's sandbox affects all versions prior to 147.0.7727.55 through a use-after-free vulnerability in the browser's navigation component. Remote attackers can execute arbitrary code by delivering a specially crafted HTML page that triggers memory corruption when a user visits the malicious site. EPSS probability of 0.04% indicates low observed exploitation activity, and no CISA KEV listing confirms this is not confirmed actively exploited at time of analysis. Google has released patches in Chrome 147.0.7727.55.

Denial Of Service RCE Google +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome prior to 147.0.7727.55 allows attackers to execute arbitrary code within the browser sandbox through crafted HTML pages exploiting out-of-bounds read/write conditions in the V8 JavaScript engine. User interaction (visiting a malicious page) is required, but no authentication is needed. With CVSS 8.8 and low EPSS (0.04%, 11th percentile), this represents a high-severity browser vulnerability with limited observed real-world exploitation activity. Patch available in Chrome 147.0.7727.55. No public exploit identified at time of analysis.

RCE Google Information Disclosure +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (versions prior to 147.0.7727.55) allows unauthenticated attackers to execute arbitrary code within Chrome's sandbox by delivering a malicious HTML page that triggers a use-after-free vulnerability. While rated High severity (CVSS 8.8) due to complete confidentiality/integrity/availability impact, EPSS scoring places exploitation probability at only 4% (11th percentile), indicating low observed targeting in the wild. No confirmed active exploitation (not in CISA KEV) and no public proof-of-concept identified at time of analysis. Vendor-released patch available in Chrome 147.0.7727.55.

Memory Corruption Denial Of Service Use After Free +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser sandbox via a maliciously crafted HTML page exploiting a type confusion vulnerability in the V8 JavaScript engine. With CVSS 8.8 (High), network-based attack vector requiring only user interaction, and available vendor patch, this represents a significant but contained threat. EPSS score of 0.04% (11th percentile) indicates low observed exploitation probability, and no active exploitation or public POC is identified at time of analysis. The sandbox containment limits initial impact severity compared to full system compromise.

Memory Corruption Google RCE +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's Skia graphics library (versions prior to 147.0.7727.55) allows remote attackers to execute arbitrary code within the browser's sandbox via specially crafted HTML pages exploiting an integer overflow vulnerability. Google patched this high-severity flaw in Chrome 147.0.7727.55 released April 2026. No active exploitation confirmed (not on CISA KEV), with low EPSS score (0.04%, 11th percentile) indicating minimal observed exploitation activity. Exploitation requires user interaction (visiting malicious webpage) but no authentication, making it viable for drive-by attacks against unpatched Chrome installations.

Google RCE Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in Google Chrome for macOS versions prior to 147.0.7727.55 occurs via heap buffer overflow in the ANGLE graphics layer when processing malicious HTML pages. Remote attackers can achieve full compromise of confidentiality, integrity, and availability within Chrome's sandbox by exploiting this CWE-122 heap overflow with low attack complexity and no authentication. EPSS probability is low (0.03%, 10th percentile) with no public exploit identified at time of analysis, indicating limited observed exploitation activity despite the high CVSS score of 8.8.

RCE Google Buffer Overflow +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome Media component (versions prior to 147.0.7727.55) enables unauthenticated attackers to execute arbitrary code within Chrome's sandbox via specially crafted HTML pages. Exploitation requires user interaction to visit a malicious site. The use-after-free memory corruption vulnerability achieves high confidentiality, integrity, and availability impact within the sandboxed environment. No public exploit identified at time of analysis.

Google RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution within Chrome's V8 JavaScript sandbox affects Google Chrome versions prior to 147.0.7727.55 through a type confusion vulnerability. Attackers can execute arbitrary code by convincing users to visit a malicious webpage, requiring no authentication. Vendor-released patch available (Chrome 147.0.7727.55). No public exploit identified at time of analysis, with EPSS probability at 0.04% (11th percentile) indicating low observed exploitation likelihood despite high CVSS score of 8.8.

Memory Corruption Google RCE +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 147.0.7727.55) allows attackers to execute arbitrary code within the browser sandbox via malicious HTML pages. Publicly available exploit code exists. While CVSS scored 8.8 (High), EPSS indicates low exploitation probability (0.04%, 11th percentile), suggesting limited real-world targeting despite proof-of-concept availability. No CISA KEV listing confirms active exploitation campaigns.

Google RCE Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser's sandbox through a crafted HTML page exploiting an inappropriate implementation in the V8 JavaScript engine. User interaction is required (visiting a malicious webpage). No public exploit identified at time of analysis, with EPSS exploitation probability at 0.04% (11th percentile), indicating low observed attacker interest despite high CVSS severity.

Google RCE Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 147.0.7727.55) allows unauthenticated remote attackers to execute arbitrary code within the sandbox by exploiting a use-after-free memory corruption vulnerability through a malicious HTML page. User interaction (visiting a crafted website) is required. No public exploit identified at time of analysis, with EPSS probability at 4% (11th percentile), indicating relatively low immediate exploitation risk despite high CVSS severity.

Memory Corruption Denial Of Service Use After Free +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome prior to 147.0.7727.55 allows unauthenticated remote attackers to execute arbitrary code within the browser sandbox via a crafted HTML page exploiting a use-after-free vulnerability in the WebRTC component. The attack requires user interaction (visiting a malicious page). EPSS probability is low (0.03%, 10th percentile), and no public exploit or active exploitation (KEV) has been identified at time of analysis. Vendor-released patch available in Chrome 147.0.7727.55.

Memory Corruption Denial Of Service Use After Free +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code by exploiting a heap buffer overflow in the WebML component through specially crafted HTML pages. The vulnerability requires user interaction (visiting a malicious page) but presents critical risk with high impact to confidentiality, integrity, and availability. EPSS score of 0.03% (9th percentile) indicates low probability of imminent exploitation in the wild, with no public exploit identified at time of analysis and no CISA KEV listing confirming active exploitation.

RCE Google Buffer Overflow +4
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary file manipulation in MW WP Form plugin (WordPress) versions ≤5.1.1 allows unauthenticated attackers to move sensitive server files into web-accessible directories, enabling remote code execution. The vulnerability stems from insufficient validation of upload field keys in generate_user_file_dirpath(), exploiting WordPress's path_join() behavior with absolute paths. Attackers inject malicious keys via mwf_upload_files[] POST parameter to relocate critical files like wp-config.php. Exploitation requires forms with enabled file upload fields and 'Saving inquiry data in database' option. No public exploit identified at time of analysis.

PHP Path Traversal WordPress +2
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Vim 9.2.0315 and earlier contains a command injection vulnerability in the netbeans interface that allows a malicious netbeans server to execute arbitrary Ex commands via unsanitized strings in defineAnnoType and specialKeys protocol messages. An authenticated local attacker with user-level privileges and ability to interact with a netbeans connection can achieve code execution with the privileges of the Vim process. The vulnerability is fixed in Vim 9.2.0316.

RCE Command Injection Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Remote code execution in Tophat mobile testing harness prior to 2.5.1 allows authenticated network attackers to execute arbitrary commands on a developer's macOS workstation via unsanitized URL query parameters passed directly to bash. The vulnerability affects any developer with Tophat installed, with commands executing under the user's permissions and no confirmation dialog for previously trusted build hosts. This was fixed in version 2.5.1.

RCE Apple Command Injection
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Remote code execution in InvenTree 1.2.3 through 1.2.6 allows staff users with settings access to execute arbitrary code by crafting malicious Jinja2 templates that bypass sandbox validation. The vulnerability exists because the PART_NAME_FORMAT validator uses a sandboxed Jinja2 environment, but the actual rendering engine in part/helpers.py uses an unsandboxed environment, combined with a validation bypass via dummy Part instances with pk=None that behave differently during validation versus production execution. No public exploit code or active exploitation confirmed at time of analysis.

Ssti RCE
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Path traversal in AGiXT Python package (versions ≤1.9.1) allows authenticated attackers to read, write, or delete arbitrary files on the host server. The essential_abilities extension's safe_join() function fails to validate that resolved paths remain within the agent workspace directory, enabling directory traversal sequences (e.g., ../../etc/passwd) to bypass intended file access restrictions. Exploitation requires low-privilege authentication (valid API key) but no user interaction. Public exploit code exists demonstrating /etc/passwd disclosure via the read_file command endpoint.

Path Traversal Denial Of Service RCE +1
NVD GitHub
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Command injection in OpenTelemetry Go SDK allows local attackers to execute arbitrary code by placing malicious `kenv` binary in PATH on BSD and Solaris systems. Vulnerability occurs during resource detection initialization when application resolves bare command name instead of absolute path. Affects DragonFly BSD, FreeBSD, NetBSD, OpenBSD, and Solaris platforms when `/etc/hostid` does not exist. Incomplete fix for prior CVE-2026-24051 left BSD/Solaris code path vulnerable to identical PATH hijacking attack.

RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Template injection in PraisonAI Python package enables remote code execution through unescaped user input in agent-centric tools. Authenticated attackers inject malicious Jinja2 template expressions via agent instructions to execute arbitrary system commands with process privileges. The create_agent_centric_tools() function passes unsanitized user input directly to template-rendering tools under auto-approval mode, causing expressions like {{self.__init__.__globals__.__builtins__.__import__("os").system("touch /tmp/pwned")}} to execute rather than render as literal text. Affects PraisonAI pip package. No public exploit identified at time of analysis beyond proof-of-concept in advisory.

RCE Python Code Injection
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution in praisonaiagents (all versions through 1.5.113) allows authenticated users to escape the Python subprocess sandbox and execute arbitrary shell commands on the host. The vulnerability exists in the execute_code() tool's sandbox mode, where an incomplete AST attribute blocklist permits frame traversal through exception objects (__traceback__, tb_frame, f_back, f_builtins). Attackers chain these four unblocked attributes to retrieve the real exec builtin from the subprocess wrapper's frame, bypassing all security layers. Exploitation requires low-privilege agent API access and no victim interaction. Confirmed actively exploited (CISA KEV). Publicly available exploit code exists.

RCE Python
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unsafe YAML deserialization in PraisonAI allows remote code execution through malicious agent definition files. The AgentService.loadAgentFromFile method uses js-yaml.load without safe schema restrictions, permitting dangerous tags like !!js/function that execute arbitrary JavaScript. Unauthenticated attackers can upload crafted YAML files via API endpoints to achieve complete server compromise. Affects PraisonAI prior to v4.5.115. Publicly available exploit code exists via proof-of-concept demonstrating command execution.

RCE Deserialization
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote code execution in Zammad 7.0.0 allows authenticated administrators with high-level privileges to inject malicious server-side templates through AI Agent configuration parameters, leading to arbitrary code execution on the helpdesk server. Exploitation requires administrative access to control type_enrichment_data settings and user interaction. Vendor-released patch version 7.0.1 is available. EPSS score of 0.04% indicates low exploitation probability in the wild; no public exploit identified at time of analysis.

RCE Code Injection Zammad
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

OS command injection in TP-Link Archer AX53 v1.0 dnsmasq module allows authenticated adjacent attackers to execute arbitrary code through maliciously crafted configuration files. Successful exploitation enables device configuration modification, sensitive data access, and complete system compromise. Affects TP-Link Archer AX53 v1.0 firmware versions prior to 1.7.1 Build 20260213. Requires high-privilege adjacent network access (CVSS:4.0 AV:A/PR:H). No public exploit identified at time of analysis.

TP-Link RCE Command Injection
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stack-based buffer overflow in TP-Link Archer AX53 v1.0 tmpServer module enables authenticated adjacent attackers to execute arbitrary code via malicious configuration file. Exploitation triggers segmentation fault, permits device state modification, sensitive data exposure, and integrity compromise. Affects firmware versions before 1.7.1 Build 20260213. Requires high privileges and adjacent network access. No public exploit identified at time of analysis.

Information Disclosure Stack Overflow RCE +2
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated arbitrary file upload in ProSolution WP Client plugin (≤1.9.9) enables attackers to upload executable files without validation via the 'proSol_fileUploadProcess' function, leading to remote code execution on WordPress servers. Critical severity (CVSS 9.8) with network-accessible attack vector requiring no authentication or user interaction. No public exploit identified at time of analysis.

RCE WordPress File Upload
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated remote code execution in Red Hat Quay 3 and Mirror Registry for Red Hat OpenShift arises from unsafe deserialization (CWE-502) of resumable container image layer upload state stored in the database. An attacker with the privileges needed to initiate image uploads can tamper with intermediate upload data to execute arbitrary code on the Quay server. No public exploit identified at time of analysis; EPSS is low (0.06%) and CISA SSVC marks exploitation status as none, though technical impact is rated total.

Red Hat Deserialization RCE +3
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Remote code execution in Elastic Logstash versions 8.0.0 through 8.19.13 allows unauthenticated network attackers to write arbitrary files and execute code via malicious compressed archives. The vulnerability exploits improper path validation in archive extraction utilities, enabling attackers who compromise or control update endpoints to deliver path traversal payloads. When automatic pipeline reloading is enabled, arbitrary file writes escalate to full RCE with Logstash process privileges. CVSS 8.1 (High) with network vector but high attack complexity. EPSS data and KEV status not provided; no public exploit confirmed at time of analysis, though the technical details disclosed increase weaponization risk for environments with exposed update mechanisms.

Path Traversal RCE Logstash
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution via command injection in stata-mcp versions before 1.13.0 allows unauthenticated attackers to execute arbitrary commands through insufficiently validated Stata do-file content. The vulnerability stems from CWE-94 improper control of code generation, enabling network-accessible exploitation without user interaction. CVSS 9.8 (Critical) reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%, percentile 6%).

RCE Code Injection Stata Mcp
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Remote code execution in Rapid7 Insight Agent for Linux versions prior to 4.1.0.2 allows authenticated attackers with high privileges to inject arbitrary code via eval() in the beaconing logic by crafting a malicious beacon response. The vulnerability requires high authentication privileges and mutual TLS verification, making remote exploitation difficult without prior compromise of the Rapid7 Platform backend. CVSS 6.6 reflects the high impact (code execution as root) balanced against high attack complexity and privilege requirements. No public exploit code or active exploitation has been identified at time of analysis.

RCE Code Injection Insight Agent
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Path traversal via backslash bypass in NiceGUI file upload sanitization allows arbitrary file write on Windows systems. The vulnerability exploits a cross-platform path handling inconsistency where PurePosixPath fails to strip backslash-based path traversal sequences, enabling attackers to write files outside the intended upload directory when applications construct paths using the sanitized filename. Windows deployments are exclusively affected; potential remote code execution is possible if executables or application files can be overwritten. No public exploit code identified at time of analysis, though the vulnerability is confirmed in NiceGUI versions prior to 3.10.0.

Python Path Traversal Apple +2
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Command injection in CoolerControl daemon (coolercontrold) versions prior to 4.0.0 allows high-privileged local attackers to escalate privileges to root by embedding malicious bash commands in alert configuration names. The vulnerability enables authenticated administrators to execute arbitrary system commands with root privileges through the alert management interface. EPSS score of 0.05% (17th percentile) indicates low current exploitation probability, with no active exploitation confirmed and CISA SSVC assessment marking exploitation status as 'none' and automatable as 'no'.

Command Injection RCE Suse
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary file deletion in DanbiLabs Advanced Members for ACF plugin for WordPress (versions ≤1.2.5) allows authenticated attackers with Subscriber-level privileges to delete critical server files via path traversal, enabling remote code execution by removing wp-config.php or similar critical files. The vulnerability stems from insufficient path validation in the create_crop function and was only partially patched in version 1.2.5, leaving residual risk. CVSS 8.8 (High) reflects network accessibility with low attack complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though the attack path is straightforward for authenticated users.

WordPress PHP RCE +1
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Code injection in Movable Type CMS allows unauthenticated remote attackers to execute arbitrary Perl code with critical impact. The CVSS:4.0 score of 9.3 reflects network-accessible exploitation requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), enabling complete system compromise. No public exploit identified at time of analysis, though EPSS data unavailable. Vendor Six Apart has released patched version MT 9.0.7 addressing this CWE-94 code injection flaw.

Code Injection RCE Movable Type
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary file upload in Gerador de Certificados - DevApps plugin for WordPress (all versions ≤1.3.6) enables authenticated administrators to upload files without type validation, creating remote code execution opportunities. The vulnerability stems from missing file type validation in the moveUploadedFile() function. CVSS 7.2 (High) reflects network-accessible attack requiring high privileges; EPSS data not provided, no public exploit identified at time of analysis, not listed in CISA KEV.

WordPress RCE File Upload
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in DSGVO Google Web Fonts GDPR WordPress plugin (all versions ≤1.1) allows unauthenticated attackers to upload PHP webshells via arbitrary file upload. The DSGVOGWPdownloadGoogleFonts() function, exposed through wp_ajax_nopriv_ hooks, accepts user-supplied URLs without file type validation and writes content to publicly accessible directories. Exploitation requires the target site to use specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely). CVSS 9.8 Critical reflects network-accessible, unauthenticated attack vector with full system compromise potential. No public exploit identified at time of analysis, though the vulnerability class (CWE-434 unrestricted file upload) is well-understood and commonly weaponized.

WordPress PHP RCE +2
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Remote code execution in MATCHA INVOICE 2.6.6 and earlier allows authenticated administrators to upload arbitrary files with dangerous types, enabling arbitrary code execution on the affected server. The vulnerability affects ICZ Corporation's MATCHA INVOICE product across all versions up to and including 2.6.6. While CVSS 4.7 reflects the requirement for administrative authentication, the RCE impact and file upload mechanism present a significant post-authentication risk in environments where administrative accounts may be compromised or insider threats exist. No public exploit code or CISA KEV confirmation identified at time of analysis.

File Upload RCE Matcha Invoice
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Build-time remote code execution in Go toolchain (cmd/go) versions before 1.25.9 and 1.26.0-1.26.1 allows network attackers to execute arbitrary code during compilation by supplying malicious SWIG files with specially crafted filenames containing 'cgo'. User interaction required (developer must build the malicious package). No public exploit identified at time of analysis. EPSS score of 0.01% (1st percentile) indicates very low observed exploitation probability despite high CVSS 8.8 rating.

RCE Authentication Bypass Cmd Go
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in IBM Langflow Desktop versions 1.6.0 through 1.8.2 allows authenticated attackers to execute arbitrary code via unsafe deserialization in the FAISS component. The vulnerability stems from an insecure default configuration that permits deserialization of untrusted data. With CVSS 8.8 (High) reflecting network accessibility, low complexity, and full impact on confidentiality, integrity, and availability, this represents a critical risk for organizations running affected versions. Vendor-released patch available through IBM security advisory. No public exploit identified at time of analysis, though the attack path is well-understood given the CWE-502 deserialization vulnerability class.

Deserialization RCE IBM
NVD VulDB
MEDIUM PATCH This Month

openclaw-claude-bridge v1.1.0 incorrectly disables CLI tool access by passing --allowed-tools "" to the Claude Code subprocess, when the correct flag to disable tools is --tools. The --allowed-tools flag only controls which tools auto-approve without prompts; all CLI tools (Read, Write, Bash, WebFetch, etc.) remain nominally available. Users deploying the bridge to handle untrusted prompts or in gateway contexts may unknowingly operate without the sandboxing protections claimed in the README, exposing systems to prompt-injection attacks that could trigger arbitrary code execution in the process context. Vendor-released patch: v1.1.1 (commit 8a296f5).

AI / ML RCE
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Memory corruption in Amazon Firecracker's virtio PCI transport (versions 1.13.0-1.14.3, 1.15.0) enables guest root users to crash the host VMM process or achieve host code execution through malicious virtio queue register modifications post-device activation. Affects x86_64 and aarch64 architectures. While exploitation requires guest root privileges and high attack complexity (CVSS AC:H, PR:H), successful compromise breaches VM isolation boundaries with high impact to host confidentiality, integrity, and availability (CVSS 8.7). No public exploit identified at time of analysis; vendor-released patches available in versions 1.14.4 and 1.15.1.

Buffer Overflow RCE Firecracker
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Memory Corruption OpenSSL Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

NULL pointer dereference in OpenSSL 1.0.2 through 3.6.x delta CRL processing enables remote denial-of-service attacks against applications performing X.509 certificate verification. Exploitation requires X509_V_FLAG_USE_DELTAS flag enabled, certificates with freshestCRL extension or base CRL with EXFLAG_FRESHEST flag, and attacker-supplied malformed delta CRL missing required CRL Number extension. Unauthenticated network-accessible attack with low complexity causes application crash. Impact limited to availability; memory disclosure and code execution ruled out by vendor. FIPS modules unaffected.

RCE Denial Of Service Null Pointer Dereference +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.

Memory Corruption Use After Free Denial Of Service +2
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Remote code execution in SiYuan desktop client (Electron-based) versions prior to 3.6.4 allows authenticated attackers to execute arbitrary code on victim systems via malicious notes propagated through workspace sync. Stored XSS in table caption fields escalates to RCE due to nodeIntegration enabled and contextIsolation disabled in Electron renderer. CVSS 9.0 (Critical) with scope change indicates escape from browser context. No active exploitation confirmed (not in CISA KEV). EPSS score 0.14% suggests low current exploitation probability. Vendor-released patch: version 3.6.4.

XSS Node.js RCE
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Sandbox escape in Flatpak versions prior to 1.16.4 allows applications to access arbitrary host filesystem paths and achieve host-level code execution through symlink manipulation in portal sandbox-expose options. The vulnerability requires no authentication (CVSS:4.0 PR:N) and is exploitable over the network with low complexity. No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack primitive is clearly documented in the vendor advisory.

RCE Flatpak
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stack memory write protection bypass in Semtech LoRa LR11xx transceiver firmware allows physical attackers with SPI interface access to overwrite the program call stack and achieve limited arbitrary code execution during an active session. The vulnerability affects LR1110, LR1120, and LR1121 devices running early firmware versions; however, impact is constrained to the current attack session because secure boot prevents persistent firmware modification, cryptographic keys remain isolated, and all changes revert upon device reboot or loss of physical access. CVSS 5.4 (moderate) reflects the physical attack requirement despite high confidentiality and integrity impact.

RCE Lr1110 Lr1120 +1
NVD
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Memory corruption via out-of-bounds read in NI LabVIEW's mgcore_SH_25_3!aligned_free() function enables information disclosure or arbitrary code execution when users open maliciously crafted VI files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. CVSS 8.5 severity stems from local attack vector requiring user interaction but no authentication. No public exploit identified at time of analysis, though the vendor advisory confirms the vulnerability's existence and technical details.

Information Disclosure Buffer Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Memory corruption in NI LabVIEW 26.1.0 and earlier allows local attackers to execute arbitrary code or disclose sensitive information via maliciously crafted VI files. The vulnerability stems from an out-of-bounds read in sentry_transaction_context_set_operation(), requiring user interaction to open a specially crafted file. CVSS 8.5 (High) with local attack vector and low complexity. No public exploit identified at time of analysis, and EPSS data not available for this recently published CVE.

Information Disclosure Buffer Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Memory corruption in NI LabVIEW's ResFileFactory::InitResourceMgr() function allows arbitrary code execution or information disclosure when users open malicious VI files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. CVSS 8.5 severity reflects high impact potential, though exploitation requires user interaction to open a crafted file. No public exploit identified at time of analysis, with EPSS data unavailable for this recently assigned CVE. Local attack vector limits remote exploitation scenarios.

Memory Corruption Information Disclosure Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Memory corruption via out-of-bounds write in NI LabVIEW allows arbitrary code execution and information disclosure when processing maliciously crafted .lvclass files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. Attack requires local access and user interaction to open the weaponized file (CVSS AV:L/UI:P). No public exploit identified at time of analysis, though the vendor advisory confirms the vulnerability and provides remediation guidance.

Memory Corruption Information Disclosure Buffer Overflow +2
NVD
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Memory corruption via out-of-bounds write in NI LabVIEW allows arbitrary code execution when processing malicious LVLIB files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. Attack requires local access and user interaction to open a specially crafted .lvlib project library file (CVSS 8.5, AV:L/PR:N/UI:P). No public exploit identified at time of analysis. EPSS data not available, but the local attack vector and user interaction requirement significantly limit immediate mass exploitation risk despite high CVSS score.

Memory Corruption Information Disclosure Buffer Overflow +2
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

DNS cache poisoning vulnerability in Dual DHCP DNS Server 8.01 allows unauthenticated remote attackers to inject forged DNS responses by exploiting improper source validation. The server accepts UDP responses matched only by transaction ID without verifying originating upstream DNS server, enabling attackers to poison the cache and redirect victims to malicious destinations. No public exploit identified at time of analysis. CVSS 9.1 (Critical) reflects network-accessible attack requiring no privileges or user interaction.

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Remote code injection in PowerJob 5.1.0, 5.1.1, and 5.1.2 allows unauthenticated attackers to execute arbitrary code via the GroovyEvaluator.evaluate function in the OpenAPI endpoint /openApi/addWorkflowNode by manipulating the nodeParams argument. The vulnerability exploits unsafe Groovy code evaluation without input sanitization, enabling full remote code execution with a low CVSS complexity score (6.9/10). No public exploit code is confirmed at time of analysis, and the vendor has not yet responded to the early disclosure notification.

Code Injection RCE Powerjob
NVD VulDB GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Reflected cross-site scripting (XSS) in ChurchCRM's dashboard search parameter allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers. Versions prior to 7.1.0 fail to sanitize user input, enabling payload execution even when server-side validation triggers HTTP 500 errors. The CVSS v4.0 score of 8.6 reflects network accessibility (AV:N), low complexity (AC:L), no authentication required (PR:N), and high confidentiality/integrity impact (VC:H/VI:H). No public exploit identified at time of analysis, though EPSS data is unavailable for risk quantification.

XSS RCE Churchcrm
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution in ChurchCRM versions prior to 7.1.0 allows unauthenticated attackers to inject arbitrary PHP code through the unsanitized $dbPassword variable during setup wizard initialization, resulting in complete server compromise. This critical flaw (CVSS 10.0) exists as an incomplete fix for CVE-2025-62521 and requires no authentication or user interaction to exploit. The pre-authentication nature and maximum CVSS severity indicate immediate patching priority for all exposed ChurchCRM installations.

PHP Code Injection RCE
NVD GitHub
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

Local denial of service and potential remote code execution in OpenPrinting CUPS 2.4.16 and prior occurs when the scheduler (cupsd) deletes temporary printers without expiring associated subscriptions, leaving dangling pointers in memory that are subsequently dereferenced. An unauthenticated local attacker can crash the cupsd daemon or, with heap grooming techniques, achieve arbitrary code execution on systems running affected CUPS versions.

Denial Of Service Use After Free RCE +3
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL POC Act Now

SQL injection in Windmill workflow orchestration platform versions 1.276.0 through 1.603.2 enables authenticated attackers to escalate privileges to administrator and achieve remote code execution. The vulnerability exists in folder ownership management functionality where the owner parameter lacks input sanitization, allowing extraction of JWT signing secrets and administrative user identifiers to forge admin tokens. Publicly available exploit code exists (GitHub POC by Chocapikk), and EPSS risk assessment is critical given the low-complexity remote attack vector requiring only low-privilege authentication. Vendor-released patch: version 1.603.3.

SQLi RCE Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

Authorization bypass in Windmill 1.56.0-1.614.0 enables Operator role users to escalate privileges to remote code execution. Operators can bypass documented role restrictions via unprotected backend API endpoints to create/modify scripts, flows, and apps, then execute arbitrary code through the jobs API. Public exploit code exists (GitHub: Chocapikk/Windfall). EPSS data unavailable, but the low attack complexity (AC:L), network access vector (AV:N), and availability of weaponized POC indicate elevated real-world risk for self-hosted Windmill deployments with Operator-level users.

Privilege Escalation RCE Authentication Bypass +2
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Arbitrary code execution in NVIDIA DALI (all versions prior to 2.0) allows local authenticated attackers with low privileges to execute malicious code by exploiting insecure deserialization of untrusted data, requiring user interaction. EPSS exploitation probability and KEV status data not available; no public exploit identified at time of analysis. The vulnerability affects NVIDIA's Data Loading Library, a critical component in AI/ML data preprocessing pipelines.

Nvidia RCE Deserialization +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to upload malicious files via path traversal in the backup restore functionality, overwriting Apache .htaccess files to execute arbitrary code. The vulnerability exploits unsanitized user input in RestoreJob.php, enabling attackers with high-privilege access to bypass intended upload restrictions. No public exploit identified at time of analysis, though CVSS 9.1 reflects the critical impact of complete system compromise through changed security scope.

RCE PHP Path Traversal +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the host system by injecting malicious SSH options through the login endpoint. Affecting Red Hat Enterprise Linux versions 7 through 10, this critical pre-authentication vulnerability (CVSS 9.8) requires no credentials and executes code before any authentication checks occur. EPSS data not available; no confirmed active exploitation (CISA KEV) at time of analysis, though the pre-authentication nature and command injection vector present severe risk for internet-exposed Cockpit instances.

RCE Command Injection Red Hat Enterprise Linux 10 +3
NVD VulDB Exploit-DB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Remote code execution in File Browser versions 2.0.0 through 2.63.1 allows authenticated administrators to execute arbitrary OS commands via malicious filenames. The vulnerability stems from unsanitized variable substitution in the hook system, which processes file events (upload, rename, delete) using administrator-defined shell commands. Attackers with file write permissions can inject shell metacharacters into filenames that trigger command execution when hooks fire. No public exploit identified at time of analysis, though EPSS data not provided. The vulnerable feature has been disabled by default from v2.33.8 onwards as a mitigation measure.

RCE Command Injection Filebrowser
NVD GitHub VulDB
EPSS 0% CVSS 2.8
LOW PATCH Monitor

Denial of service in Electron's clipboard.readImage() allows local authenticated attackers to crash applications by supplying malformed image data on the system clipboard. The vulnerability affects Electron versions prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, but only impacts apps that explicitly call clipboard.readImage(). No code execution or memory corruption is possible; the attack results in a controlled process abort when a null bitmap is passed unchecked to image construction. Vendor-released patches are available across all supported release lines.

Denial Of Service RCE Null Pointer Dereference +1
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Electron's window.open() handler fails to properly scope named-window lookups to the opener's browsing context group, allowing a renderer to hijack an existing child window opened by a different renderer and potentially inherit elevated webPreferences including privileged preload scripts. This affects Electron versions before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, and poses a remote code execution risk only in applications that open multiple top-level windows with differing trust levels and grant child windows elevated permissions via setWindowOpenHandler. No public exploit identified at time of analysis.

Microsoft RCE Information Disclosure
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue

Deserialization RCE Java +5
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary system commands by injecting malicious dnsmasq configuration directives through newline characters in the DHCP hosts configuration parameter. Exploitation requires low-complexity network access with low-level authentication (CVSS 8.8, AV:N/AC:L/PR:L). No public exploit identified at time of analysis, though the vulnerability's straightforward injection mechanism and the popularity of Pi-hole as a DNS/DHCP solution elevate practical risk for environments with multiple administrative users or compromised credentials.

Command Injection RCE Ftl
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to inject arbitrary dnsmasq configuration directives via newline character injection in the DHCP lease time parameter (dhcp.leaseTime), leading to command execution on the underlying system. Affects the FTLDNS component that provides Pi-hole's interactive API and web statistics. No public exploit identified at time of analysis, though exploitation requires only low-complexity attack methods with network access and low-privilege authentication (CVSS 8.8).

RCE Command Injection Ftl
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Pi-hole FTL 6.0 through 6.5 allows authenticated attackers to execute arbitrary commands via newline injection in DNS host record configuration. The vulnerability exploits improper input sanitization in the dns.hostRecord parameter, enabling injection of malicious dnsmasq directives that execute at the system level. With CVSS 8.8 (network-accessible, low complexity, requires low-privilege authentication), this represents a critical risk for Pi-hole deployments where administrative access controls are weak. No public exploit identified at time of analysis, though the attack vector is straightforward for authenticated users.

RCE Command Injection Ftl
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Pi-hole FTL DNS engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary system commands by injecting malicious dnsmasq configuration directives through newline characters in the DNS CNAME records parameter (dns.cnameRecords). Authentication requirements confirmed (CVSS PR:L - low privileges required). Publicly available exploit code exists. CVSS 8.8 with network attack vector and low complexity indicates high exploitability once authenticated access is obtained.

RCE Command Injection Ftl
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers with low privileges to execute arbitrary system commands by injecting newline-delimited dnsmasq configuration directives into the upstream DNS servers parameter (dns.upstreams). The vulnerability requires network access with authentication (CVSS:3.1 PR:L) but has low attack complexity and no user interaction required. No public exploit identified at time of analysis, though technical details are available in the GitHub Security Advisory.

RCE Command Injection Ftl
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Unauthenticated remote code execution in Weaver E-cology 10.0 (pre-20260312) allows attackers to execute arbitrary system commands via exposed debug functionality at /papi/esearch/data/devops/dubboApi/debug/method. Attackers exploit this by sending crafted POST requests with malicious interfaceName and methodName parameters to invoke command-execution helpers. Confirmed actively exploited (CISA KEV) with exploitation first observed by Shadowserver Foundation on March 31, 2026. Publicly available exploit code exists (h4cker.zip PoC), CVSS 9.8 (Critical), EPSS data not provided but real-world exploitation confirmed.

RCE Authentication Bypass E Cology
NVD VulDB GitHub
EPSS 1% CVSS 9.3
CRITICAL POC PATCH Act Now

Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE PHP Command Injection
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Mozilla Firefox versions prior to 149.0.2 stems from multiple memory safety bugs allowing unauthenticated network attackers to execute arbitrary code without user interaction. Mozilla confirmed memory corruption evidence across affected versions (Firefox 149.0.1 and Thunderbird 149.0.1), though Thunderbird patch status remains unconfirmed. CVSS 9.8 reflects maximum severity due to network-accessible attack vector with no complexity barriers. No public exploit identified at time of analysis, though the CWE-787 out-of-bounds write class has high weaponization potential once technical details emerge from linked Bugzilla entries.

Memory Corruption Buffer Overflow Mozilla +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Multiple memory corruption vulnerabilities in Mozilla Firefox (< 149.0.2) and Firefox ESR (< 140.9.1) enable unauthenticated remote code execution with critical CVSS 9.8 severity. These memory safety bugs-including CWE-787 out-of-bounds write issues-affect both standard and Extended Support Release channels, with Mozilla confirming evidence of memory corruption exploitable for arbitrary code execution. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis, though CVSS vector indicates network-accessible attack requiring no user interaction.

Memory Corruption Buffer Overflow Mozilla +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Mozilla Firefox and Thunderbird via memory corruption vulnerabilities allows unauthenticated remote attackers to execute arbitrary code without user interaction. Affects Firefox <149.0.2, Firefox ESR <115.34.1, and Firefox ESR <140.9.1 across desktop platforms. With CVSS 9.8 (critical severity, network-accessible, no privileges required) and CWE-119 buffer overflow classification, this represents multiple memory safety bugs that Mozilla assessed could be exploited for arbitrary code execution. No public exploit identified at time of analysis; EPSS data not provided but critical browser vulnerabilities historically attract rapid exploitation interest.

Mozilla Buffer Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Remote code execution in Dolibarr ERP/CRM versions prior to 23.0.2 allows authenticated administrators to execute arbitrary system commands by exploiting inadequate input validation in the dol_eval_standard() function. The vulnerability enables attackers to bypass security controls using PHP dynamic callable syntax through computed extrafields or other evaluation paths. With a CVSS score of 7.2 and publicly available exploit code documented by Jiva Security, this represents an elevated risk for organizations running unpatched Dolibarr instances, though exploitation requires high-privilege administrator access (CVSS:3.1/PR:H), limiting the attack surface to insider threats or compromised admin accounts.

PHP RCE Code Injection +1
NVD GitHub VulDB
EPSS 0% 4.8 CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods like Runtime.exec(

Apache Java RCE +2
NVD VulDB GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Remote code execution in HuggingFace Transformers library allows arbitrary code execution via malicious checkpoint files. The `_load_rng_state()` method in the `Trainer` class calls `torch.load()` without the `weights_only=True` parameter, enabling deserialization attacks when PyTorch versions below 2.6 are used with torch>=2.2. An attacker can craft a malicious `rng_state.pth` checkpoint file that executes arbitrary code when loaded by an application using affected Transformers versions. The fix is available in version v5.0.0rc3, and no public exploit has been independently confirmed at time of analysis.

RCE Deserialization Huggingface Transformers
NVD GitHub
Prev Page 27 of 355 Next

Quick Facts

Typical Severity
CRITICAL
Category
other
Total CVEs
31889

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy