Skip to main content

Remote Code Execution

other CRITICAL

Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access.

How It Works

Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access. Unlike a single vulnerability class, RCE is an outcome—the catastrophic result of exploiting underlying weaknesses in how applications process input, manage memory, or handle executable content.

Attackers typically achieve RCE by chaining vulnerabilities or exploiting a single critical flaw. Common pathways include injecting malicious payloads through deserialization flaws (where untrusted data becomes executable objects), command injection (where user input flows into system commands), buffer overflows (overwriting memory to hijack execution flow), or unsafe file uploads (placing executable code on the server). Server-Side Template Injection and SQL injection can also escalate to code execution when attackers leverage database or template engine features.

The attack flow usually begins with reconnaissance to identify vulnerable endpoints, followed by crafting a payload that exploits the specific weakness, then executing commands to establish persistence or pivot deeper into the network. Modern exploits often use multi-stage payloads—initial lightweight code that downloads and executes more sophisticated tooling.

Impact

  • Complete system compromise — attacker gains shell access with application privileges, potentially escalating to root/SYSTEM
  • Data exfiltration — unrestricted access to databases, configuration files, credentials, and sensitive business data
  • Lateral movement — compromised server becomes a beachhead to attack internal networks and other systems
  • Ransomware deployment — direct pathway to encrypt files and disable backups
  • Persistence mechanisms — installation of backdoors, web shells, and rootkits for long-term access
  • Supply chain attacks — modification of application code or dependencies to compromise downstream users

Real-World Examples

The n8n workflow automation platform (CVE-2024-21858) demonstrated how RCE can emerge in unexpected places-attackers exploited unsafe workflow execution to run arbitrary code on self-hosted instances. The Log4j vulnerability (Log4Shell) showed RCE at massive scale when attackers sent specially crafted JNDI lookup strings that triggered remote class loading in Java applications worldwide.

Atlassian Confluence instances have faced multiple RCE vulnerabilities through OGNL injection flaws, where attackers inject Object-Graph Navigation Language expressions that execute with server privileges. These required no authentication, enabling attackers to compromise thousands of internet-exposed instances within hours of disclosure.

Mitigation

  • Input validation and sanitization — strict allowlists for all user-controlled data, especially in execution contexts
  • Sandboxing and containerization — isolate application processes with minimal privileges using containers, VMs, or security contexts
  • Disable dangerous functions — remove or restrict features like code evaluation, system command execution, and dynamic deserialization
  • Network segmentation — limit blast radius by isolating sensitive systems and restricting outbound connections
  • Web Application Firewalls — detect and block common RCE patterns in HTTP traffic
  • Runtime application self-protection (RASP) — monitor application behavior for execution anomalies
  • Regular patching — prioritize updates for components with known RCE vulnerabilities

Recent CVEs (31891)

EPSS 0% CVSS 8.5
HIGH This Week

The Post Snippets WordPress plugin versions up to and including 4.0.12 contain an improper code generation vulnerability (CWE-94) that enables remote code injection and execution. An attacker can exploit this flaw to execute arbitrary code on affected WordPress installations, potentially leading to complete site compromise. The vulnerability has been publicly documented by Patchstack with available references, and the attack vector appears to be network-based without requiring high privileges.

RCE Code Injection Post Snippets
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

This vulnerability in Cisco IOS XE Software bootloader affects Catalyst 9200, ESS9300, IE9310/9320, and IE3500/3505 series switches, allowing authenticated local attackers with level-15 privileges or unauthenticated attackers with physical access to execute arbitrary code at boot time and bypass the chain of trust. An attacker can manipulate loaded binaries to circumvent integrity checks during boot, enabling execution of non-Cisco-signed images. While the CVSS score is 6.1 (Medium), Cisco assigned it a High Security Impact Rating due to the critical nature of breaking the secure boot mechanism, a foundational security control.

Cisco RCE Apple
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

A DLL hijacking vulnerability exists in the installer for OM Workspace (Windows Edition) Ver 2.4 and earlier, allowing local attackers to execute arbitrary code with the privileges of the user running the installer. The vulnerability is reported by JPCERT and affects software from OM Digital Solutions Corporation. With a CVSS score of 7.8 (High), the vulnerability requires local access and user interaction but no special privileges, making it a moderate real-world risk for targeted attacks during software installation.

RCE Microsoft Windows
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

A remote code execution vulnerability (CVSS 8.4). High severity vulnerability requiring prompt remediation.

RCE Microsoft Windows
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

The pdf-image npm package through version 2.0.0 contains an OS command injection vulnerability in the pdfFilePath parameter. Attackers can exploit this remotely without authentication by injecting malicious commands through file path inputs that are passed unsafely to shell commands via child_process.exec(). A proof-of-concept exploit is publicly available on GitHub (zebbernCVE/CVE-2026-26830), significantly increasing exploitation risk.

Node.js Command Injection RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL Act Now

N2WS Backup & Recovery before version 4.4.0 contains a remote code execution vulnerability in its RESTful API that requires a two-step attack chain to exploit. An unauthenticated attacker can execute arbitrary code on affected systems, potentially compromising backup and disaster recovery infrastructure. This vulnerability affects the N2WS product line and should be treated as critical given the RCE classification and the security-sensitive nature of backup systems.

RCE Race Condition
NVD VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

A stack-based buffer overflow vulnerability in the P2P API service in BS Producten Petcam with firmware 33.1.0.0818 allows unauthenticated attackers within network range to overwrite the instruction. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Stack Overflow
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Thumbler through version 1.1.2 contains an OS command injection vulnerability in the thumbnail() function where user-supplied input from the input, output, time, or size parameters is directly concatenated into shell commands executed via Node.js child_process.exec() without sanitization or escaping. This allows unauthenticated attackers to execute arbitrary operating system commands with the privileges of the application process. A proof-of-concept has been documented in public repositories, making this vulnerability immediately actionable for exploitation.

Code Injection RCE Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

The textract library through version 2.5.0 contains an OS command injection vulnerability in its file extraction modules that allows attackers to execute arbitrary operating system commands by crafting malicious filenames. The vulnerability affects multiple extractors (doc.js, rtf.js, dxf.js, images.js, and util.js) where user-supplied file paths are passed directly to child_process.exec() without adequate sanitization. An attacker can exploit this by uploading or referencing files with specially crafted names containing shell metacharacters, leading to complete system compromise with the privileges of the process running textract.

Code Injection RCE Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

N2W versions prior to 4.3.2 and 4.4.0 prior to 4.4.1 contain improper validation of API request parameters that enables unauthenticated remote code execution. An attacker can craft malicious API requests to bypass input validation and achieve arbitrary code execution on affected systems. This vulnerability affects cloud backup and disaster recovery infrastructure and poses critical risk to data protection environments.

RCE Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

N2W versions before 4.3.2 and 4.4.x before 4.4.1 contain a spoofing vulnerability that enables remote code execution and account credential theft. The vulnerability allows attackers to impersonate legitimate entities, potentially leading to arbitrary code execution on affected systems and unauthorized access to sensitive credentials. No CVSS score, EPSS data, or active KEV designation is currently available, limiting immediate risk quantification.

RCE Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A directory traversal vulnerability exists in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils versions prior to commit 6d780b3378829318ba5c2d29547e0012d5b29642, allowing attackers to escape the intended extraction directory and write arbitrary files to the filesystem, potentially leading to remote code execution. The vulnerability affects any application using vulnerable versions of plexus-utils for archive extraction operations. A proof-of-concept has been publicly disclosed via a GitHub Gist, and the fix has been merged into the project repository.

Path Traversal RCE N A
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

NVIDIA NeMo Framework contains an insecure deserialization vulnerability (CWE-502) that allows authenticated local attackers to execute arbitrary code. The vulnerability affects NVIDIA NeMo Framework installations and can lead to code execution, privilege escalation, information disclosure, and data tampering. According to CISA's SSVC framework, there is currently no evidence of active exploitation in the wild, and the attack is not automatable, though technical impact is rated as total.

RCE Information Disclosure Nvidia +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

NVIDIA NeMo Framework contains a remote code execution vulnerability in its checkpoint loading mechanism caused by insecure deserialization (CWE-502). Attackers with local access and low privileges can exploit this to achieve code execution, privilege escalation, information disclosure, and data tampering with high impact on confidentiality, integrity, and availability. According to SSVC framework, there is currently no observed exploitation in the wild, though the technical impact is rated as total.

RCE Information Disclosure Nvidia +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Model Optimizer for Windows and Linux contains an unsafe deserialization vulnerability in its ONNX quantization feature that allows attackers to execute arbitrary code by providing a malicious input file. Users who process untrusted ONNX model files are at risk of complete system compromise, including code execution, privilege escalation, data tampering, and information disclosure. There is no current evidence of active exploitation (not in CISA KEV) or public proof-of-concept availability.

Information Disclosure RCE Deserialization +3
NVD VulDB
EPSS 0% CVSS 9.0
CRITICAL Act Now

NVIDIA APEX for Linux contains a deserialization of untrusted data vulnerability that affects environments using PyTorch versions earlier than 2.6. An attacker with low privileges on an adjacent network can exploit this flaw to achieve code execution, denial of service, privilege escalation, data tampering, and information disclosure with scope change (CVSS 9.0 Critical). No KEV listing or public POC availability has been reported at this time.

Information Disclosure RCE Deserialization +4
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Megatron-LM contains an unsafe deserialization vulnerability (CWE-502) in its checkpoint loading mechanism that allows remote code execution when a user loads a maliciously crafted checkpoint file. The vulnerability affects NVIDIA Megatron-LM installations and can lead to code execution, privilege escalation, information disclosure, and data tampering with a CVSS score of 7.8. The attack requires local access and low privileges but no user interaction once the malicious file is loaded.

RCE Information Disclosure Nvidia +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Megatron-LM contains an insecure deserialization vulnerability (CWE-502) during model inferencing that allows remote code execution when a user loads a maliciously crafted input file. This vulnerability has a CVSS score of 7.8 and requires local access with low privileges but no user interaction, enabling attackers to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. The vulnerability affects NVIDIA's large language model training framework widely used in AI research and production environments.

RCE Information Disclosure Nvidia +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Megatron-LM contains an unsafe deserialization vulnerability (CWE-502) in its checkpoint loading functionality that allows remote code execution when a user is tricked into loading a maliciously crafted checkpoint file. The vulnerability affects NVIDIA Megatron-LM installations and can lead to code execution, privilege escalation, information disclosure, and data tampering with a CVSS score of 7.8. There is no current indication of active exploitation in CISA's KEV catalog, and EPSS data was not provided in the intelligence sources.

RCE Information Disclosure Nvidia +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Megatron-LM contains a critical unsafe deserialization vulnerability (CWE-502) in its hybrid conversion script that allows remote code execution when a user loads a maliciously crafted file. The vulnerability affects NVIDIA Megatron-LM installations and enables attackers to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. With a CVSS score of 7.8 and local attack vector requiring low privileges and no user interaction, this represents a significant risk for organizations using this large language model training framework.

RCE Deserialization Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Megatron LM contains an insecure deserialization vulnerability (CWE-502) in its quantization configuration loading mechanism that enables remote code execution. Attackers with local access and low privileges can exploit this flaw to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. The vulnerability has a CVSS score of 7.8 and affects all versions of NVIDIA Megatron LM based on available CPE data.

RCE Information Disclosure Nvidia +1
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

A command injection vulnerability (CVSS 6.7). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Google RCE Command Injection +5
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

PinchTab versions 0.8.3 through 0.8.5 contain a security-policy bypass that allows arbitrary JavaScript execution through the POST /wait endpoint's fn mode, even when the security.allowEvaluate setting is explicitly disabled. While the /evaluate endpoint correctly enforces the allowEvaluate guard, the /wait endpoint fails to apply the same policy check before evaluating caller-supplied JavaScript expressions, enabling authenticated users with an API token to execute arbitrary code in browser tab contexts despite the operator's intention to disable JavaScript evaluation. A proof-of-concept demonstrating this bypass has been published by the vendor, showing that side effects can be introduced in page state and confirmed through subsequent requests.

Authentication Bypass RCE Code Injection +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Ruby icalendar library versions prior to the patched commit fail to sanitize carriage return and line feed characters in URI property values, allowing attackers to inject arbitrary ICS calendar lines through CRLF injection. Applications that generate .ics files from untrusted metadata are affected, enabling attackers to add malicious calendar properties such as attendees, URLs, or alarms that downstream calendar clients will process as legitimate event data. A proof-of-concept demonstrating the vulnerability is publicly available, and a patch is available from the vendor.

RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

IDrive's id_service.exe process, which runs with SYSTEM-level privileges on Windows systems, is vulnerable to privilege escalation and arbitrary code execution due to insecure file handling. The vulnerability affects IDrive Cloud Backup Client for Windows across multiple versions, as the elevated service process reads UTF16-LE encoded configuration files from C:\ProgramData\IDrive\ that are writable by standard unprivileged users. An attacker with local user access can modify these files to inject arbitrary executable paths, causing id_service.exe to execute malicious code with SYSTEM privileges, resulting in complete system compromise. While CVSS and EPSS scores are not available, this represents a critical local privilege escalation vector with trivial exploitability due to the file write permissions on the ProgramData directory.

RCE Idrive Cloud Backup Client For Windows
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

A Remote Code Execution vulnerability exists in Craft CMS versions 4.x and 5.x that bypasses previous security patches for behavior injection attacks. An authenticated user with control panel access can exploit an unsanitized fieldLayouts parameter in the ElementIndexesController to inject malicious Yii2 behaviors and achieve arbitrary code execution. While no active exploitation (KEV) is documented, a patch is available and the vulnerability requires only low-privilege authenticated access, making it a significant risk for deployments with multiple control panel users.

PHP RCE
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

A critical unauthenticated remote code execution vulnerability exists in Zimbra Collaboration Suite PostJournal service version 8.8.15, allowing attackers to execute arbitrary system commands via SMTP injection through improper sanitization of the RCPT TO parameter using shell expansion syntax. A publicly available proof-of-concept exploit exists (PacketStorm), significantly increasing exploitation risk. With a CVSS score of 9.8 and network-accessible attack vector requiring no authentication or user interaction, this represents an immediate threat to exposed Zimbra installations.

RCE Command Injection Zimbra Collaboration Suite
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Vikunja Desktop (Electron wrapper) versions 0.21.0 through 2.1.x contain a critical remote code execution vulnerability caused by enabled Node.js integration combined with missing navigation controls. An attacker who is a legitimate user on a shared Vikunja instance can inject a malicious hyperlink into user-generated content (task descriptions, comments, project descriptions) that, when clicked by a victim using Vikunja Desktop, causes arbitrary code execution with the victim's OS user privileges. A proof-of-concept demonstrating command execution via a simple HTML link has been documented, and the vulnerability affects all Desktop users on affected versions.

RCE Node.js Code Injection +2
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The Vikunja Desktop Electron wrapper enables Node.js integration in the renderer process without proper context isolation or sandboxing, allowing any cross-site scripting vulnerability in the web frontend to escalate directly to remote code execution on the victim's machine. Vikunja versions 0.21.0 through 2.1.x are affected, as confirmed by CPE cpe:2.3:a:go-vikunja:vikunja. An attacker exploiting an XSS flaw gains full access to Node.js APIs and the underlying operating system, making this a critical privilege escalation from web-based XSS to system-level RCE.

XSS RCE Node.js +1
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A signed integer overflow vulnerability exists in the libtiff library's putcontig8bitYCbCr44tile function that leads to out-of-bounds heap writes through incorrect memory pointer calculations. Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10 are confirmed affected. An attacker can exploit this by tricking a user into opening a specially crafted TIFF file, potentially achieving arbitrary code execution or causing application crashes.

Integer Overflow Denial Of Service RCE +5
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that can lead to NGINX worker process termination or potentially remote code execution. An attacker with local access and the ability to supply a specially crafted MP4 file for processing can exploit this flaw when the mp4 directive is enabled in the configuration. The vulnerability has a CVSS score of 7.8 with high impact on confidentiality, integrity, and availability, though exploitation requires local access (AV:L) and low-level privileges (PR:L).

Nginx Buffer Overflow RCE +3
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

An unauthenticated shell injection vulnerability exists in Langflow's GitHub Actions CI/CD workflows, allowing attackers to execute arbitrary commands by crafting malicious branch names or pull request titles. Langflow versions prior to 1.9.0 are affected, specifically the langflow-ai:langflow product. A proof-of-concept exploit exists demonstrating secret exfiltration via crafted branch names, enabling attackers to steal GITHUB_TOKEN credentials and potentially compromise the supply chain without any authentication required.

RCE Command Injection Docker
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Multiple memory safety bugs affecting Firefox, Firefox ESR, and Thunderbird browsers present a critical remote code execution risk through memory corruption vulnerabilities. The affected versions include Firefox below 149, Firefox ESR below 115.34 and 140.9, Thunderbird ESR 140.8, Firefox 148, and Thunderbird 148. These memory safety issues demonstrate evidence of exploitable memory corruption that could allow attackers to execute arbitrary code on affected systems, though no public exploit or active KEV confirmation is currently documented.

Mozilla RCE Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Multiple memory safety bugs in Firefox 148 and Thunderbird 148 allow attackers to trigger memory corruption with potential for arbitrary code execution. Firefox versions prior to 149 are vulnerable, as confirmed by Mozilla security advisories. The vulnerability requires no user interaction beyond normal browsing and represents a critical elevation risk due to the presume-exploitable nature of the underlying memory corruption issues.

Mozilla RCE Buffer Overflow
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Multiple memory safety bugs affecting Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR allow remote attackers to achieve arbitrary code execution through memory corruption vulnerabilities. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are confirmed affected, with evidence suggesting these memory corruption issues could be exploited under sufficient effort. The vulnerability class encompasses buffer overflow and memory safety defects that demonstrate exploitation potential, though no active public exploitation has been documented at this time.

Mozilla RCE Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

PhreeBooks ERP 5.2.3 contains a remote code execution vulnerability in the image manager that allows authenticated attackers to upload and execute arbitrary PHP files by bypassing file extension. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE File Upload
NVD Exploit-DB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Tabs Mail Carrier 2.5.1 contains a buffer overflow vulnerability in the MAIL FROM SMTP command that allows remote attackers to execute arbitrary code by sending a crafted MAIL FROM parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.4
HIGH POC This Week

X-NetStat Pro 5.63 contains a local buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting the EIP register through a 264-byte buffer overflow. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

Local arbitrary code execution in 4mhz Base64 Decoder 1.1.2 occurs when the application processes a maliciously crafted input file, causing a stack-based buffer overflow that overwrites the Structured Exception Handler (SEH) chain. Publicly available exploit code exists (Exploit-DB 46625) demonstrating an SEH overwrite chained with a POP-POP-RET gadget and an egghunter payload to reach attacker-supplied shellcode. Despite CVSS 8.6 and a working PoC, EPSS is only 0.01% (2nd percentile), reflecting the niche Windows utility and local-only attack vector.

Buffer Overflow Memory Corruption RCE +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

AIDA64 Extreme 5.99.4900 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying malicious input through the email. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

AIDA64 Business 5.99.4900 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting SEH pointers with malicious. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

PhreeBooks ERP 5.2.3 contains an arbitrary file upload vulnerability in the Image Manager component that allows authenticated attackers to upload malicious files by submitting requests to the image. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP RCE +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

AIDA64 Extreme 5.99.4900 contains a structured exception handler buffer overflow vulnerability in the logging functionality that allows local attackers to execute arbitrary code by supplying a. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Download Accelerator Plus DAP 10.0.6.0 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting malicious URLs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

FlexHEX 2.71 contains a local buffer overflow vulnerability in the Stream Name field that allows local attackers to execute arbitrary code by triggering a structured exception handler (SEH) overflow. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE File Upload +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

Local buffer overflow in River Past Cam Do 3.7.6's activation code field enables arbitrary code execution with SYSTEM privileges through specially crafted 608-byte input followed by shellcode and SEH chain overwrite. While exploitation requires local access and a publicly available exploit exists (Exploit-DB 46670), EPSS score of 0.01% indicates minimal real-world exploitation activity. The vulnerability affects a legacy multimedia application with no confirmed vendor patch, making it primarily relevant for environments still running this discontinued software.

Buffer Overflow RCE File Upload +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A vulnerability in CODESYS Control runtime systems allows a low-privileged remote attacker to replace the boot application, resulting in arbitrary code execution with high impact on confidentiality, integrity, and availability. The vulnerability affects numerous CODESYS Control variants across multiple platforms including Linux, Windows, embedded systems, and industrial controllers. With a CVSS score of 8.8 and network-accessible attack vector requiring only low privileges, this represents a significant threat to industrial control systems and automation environments.

RCE Codesys Control Rte Sl Codesys Control Rte For Beckhoff Cx Sl +14
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

A code injection vulnerability exists in dendibakh perf-ninja's Lua modules (specifically in ldo.C within labs/misc/pgo), allowing improper control of code generation that can lead to remote code execution. The vulnerability affects all versions of perf-ninja as indicated by the CPE specification. An attacker can exploit this flaw to inject and execute arbitrary code, with a vendor patch now available to remediate the issue.

Code Injection RCE Perf Ninja
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's Federated Credential Management (FedCM) prior to version 146.0.7680.165 enables unauthenticated attackers to execute arbitrary code within the browser sandbox through a malicious HTML page. This use-after-free vulnerability in memory management affects Chrome on all supported platforms and requires only user interaction to trigger. A patch is available in Chrome 146.0.7680.165 and later.

Google RCE Use After Free +6
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sandboxed code execution in Google Chrome's WebGPU implementation (prior to 146.0.7680.165) stems from a use-after-free memory vulnerability that can be triggered via malicious HTML pages. An unauthenticated remote attacker can exploit this to execute arbitrary code within the Chrome sandbox without user interaction beyond viewing a crafted webpage. A patch is available for affected users.

Google RCE Use After Free +6
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Remote code execution in llama.cpp prior to commit b7824 is possible through a crafted GGUF file that exploits an integer overflow in the `ggml_nbytes` function, causing heap buffer overflow during tensor processing. An attacker can bypass memory validation by specifying tensor dimensions that cause the size calculation to underflow dramatically, allowing memory corruption and potential code execution. The vulnerability affects Debian and other systems running vulnerable versions of llama.cpp, with no patch currently available.

RCE Buffer Overflow Heap Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

The Jupiter X Core plugin for WordPress contains an unrestricted file upload vulnerability allowing authenticated users with Subscriber-level privileges or higher to upload dangerous file types including .phar, .svg, .dfxp, and .xhtml files. This stems from missing authorization checks in the import_popup_templates() function and insufficient file type validation in the upload_files() function. Successful exploitation leads to Remote Code Execution on Apache servers with mod_php configured to execute .phar files, or Stored Cross-Site Scripting attacks via malicious SVG and other file types on any server configuration.

Apache WordPress PHP +3
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

The Woocommerce Custom Product Addons Pro plugin for WordPress contains a critical remote code execution vulnerability caused by unsafe use of PHP's eval() function when processing custom pricing formulas. All versions up to and including 5.4.1 are affected, allowing unauthenticated attackers to execute arbitrary PHP code on the server by submitting malicious input to WCPA text fields configured with custom pricing formulas. With a CVSS score of 9.8, this represents a maximum severity issue requiring immediate attention, though EPSS and KEV status data are not provided in the available intelligence.

Code Injection WordPress PHP +1
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

A critical remote code execution vulnerability exists in PTC Windchill PDMLink and PTC FlexPLM products due to unsafe deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code on affected systems. The vulnerability affects multiple versions of both products spanning from version 11.0 through 13.1.3.0 for Windchill and 11.0 through 13.0.3.0 for FlexPLM. An attacker can craft malicious serialized objects that, when deserialized by the vulnerable application, trigger code execution with the privileges of the Windchill or FlexPLM service account.

RCE Deserialization Windchill Pdmlink +1
NVD VulDB GitHub
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Census CSWeb 8.0.1 contains an arbitrary file upload vulnerability allowing authenticated remote attackers to upload malicious files and achieve remote code execution. A public proof-of-concept exploit is available on GitHub (hx381/cspro-exploits), significantly increasing the risk of exploitation. The vulnerability affects the Census CSWeb data dissemination platform used for hosting census and survey data online.

RCE File Upload Csweb
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

An authenticated code injection vulnerability exists in the Code Study Plugin component of OpenSource Workshop Connect-CMS that allows authenticated users to execute arbitrary code on the server. Both the 1.x series (versions up to 1.41.0) and 2.x series (versions up to 2.41.0) are affected. With a CVSS score of 8.8 (High severity), this vulnerability enables remote code execution and information disclosure with low attack complexity and no user interaction required.

RCE Information Disclosure Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL Act Now

An arbitrary file-write vulnerability exists in Pega Browser Extension (PBE) affecting Pega Robot Studio developers using versions 22.1 or R25 who automate Google Chrome and Microsoft Edge browsers. A threat actor can craft a malicious website that, when visited by a developer during interrogation mode in Robot Studio, executes arbitrary file-write operations on the developer's system. This vulnerability does not affect end-user Robot Runtime deployments, limiting its blast radius to development environments.

Google RCE Microsoft +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability in the ImageGallery::saveFile() method that allows authenticated attackers to upload polyglot files (JPEG with embedded PHP code) and achieve Remote Code Execution. The vulnerability exploits a mismatch between MIME type validation (which checks file content) and filename extension handling (which trusts user input), allowing attackers to bypass security controls and execute arbitrary code on the server. A patch is available in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae, and the issue has been publicly disclosed via GitHub Security Advisory GHSA-wxjw-phj6-g75w.

PHP RCE File Upload
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

WWBN AVideo versions up to and including 26.0 contain an unauthenticated path traversal vulnerability in the locale API endpoint that allows arbitrary PHP file inclusion under the web root. Attackers can achieve confirmed file disclosure and code execution by including existing PHP files, with potential escalation to full remote code execution if they can upload or control PHP files elsewhere in the application tree. The vulnerability has a CVSS score of 8.6 and requires no authentication or user interaction to exploit, though no patch is currently available and there is no evidence of active exploitation in KEV data.

Path Traversal PHP RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

The ReviewX plugin for WordPress contains a critical arbitrary method call vulnerability in all versions up to and including 2.2.12. Unauthenticated attackers can exploit insufficient input validation in the bulkTenReviews function to call arbitrary PHP class methods, potentially achieving remote code execution or information disclosure. With a CVSS score of 7.3 and network-based exploitation requiring no privileges or user interaction, this presents a significant risk to WordPress sites using this WooCommerce product review plugin.

WordPress PHP RCE +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A critical command injection vulnerability exists in DigitalOcean Droplet Agent through version 1.3.2, where the troubleshooting actioner component processes metadata from the metadata service endpoint without adequate input validation, allowing attackers who can control metadata responses to inject and execute arbitrary OS commands with root privileges. An attacker can trigger the vulnerability by sending a TCP packet with specific sequence numbers to the SSH port, causing the agent to fetch and execute malicious commands from the metadata service, potentially leading to complete system compromise, data exfiltration, and lateral movement across cloud infrastructure. A public proof-of-concept exists at https://github.com/poxsky/CVE-2026-24516-DigitalOcean-RCE, indicating active research and potential exploitation risk.

Command Injection Privilege Escalation RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

FTP Shell Server 6.83 contains a buffer overflow vulnerability in the 'Account name to ban' field that allows local attackers to execute arbitrary code by supplying a crafted string. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow RCE +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

Lavavo CD Ripper 4.20 contains a structured exception handling (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Activation Name field.

Memory Corruption Buffer Overflow RCE +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Free Float FTP 1.0 contains a buffer overflow vulnerability in the STOR command handler that allows remote attackers to execute arbitrary code by sending a crafted STOR request with an oversized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow RCE +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

Admin Express 1.2.5.485 contains a local structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an alphanumeric encoded payload in the Folder Path field.

Memory Corruption Buffer Overflow RCE +1
NVD Exploit-DB
EPSS 0% CVSS 8.6
HIGH POC This Week

MiniFtp contains a buffer overflow vulnerability in the parseconf_load_setting function that allows local attackers to execute arbitrary code by supplying oversized configuration values.

Memory Corruption Buffer Overflow RCE +1
NVD Exploit-DB GitHub
EPSS 0% CVSS 8.6
HIGH POC This Week

JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration field that allows local attackers to overwrite structured exception handling pointers.

Memory Corruption Buffer Overflow RCE +1
NVD Exploit-DB
EPSS 0% CVSS 8.6
HIGH POC This Week

Iperius Backup 6.1.0 contains a privilege escalation vulnerability that allows low-privilege users to execute arbitrary programs with elevated privileges by creating backup jobs.

Privilege Escalation RCE Iperius Backup
NVD Exploit-DB
EPSS 0% CVSS 8.6
HIGH POC This Week

Axessh 4.2 contains a stack-based buffer overflow vulnerability in the log file name field that allows local attackers to execute arbitrary code by supplying an excessively long filename.

Memory Corruption Buffer Overflow RCE +1
NVD Exploit-DB
EPSS 0% CVSS 8.6
HIGH POC This Week

DVDXPlayer Pro 5.5 contains a local buffer overflow vulnerability with structured exception handling that allows local attackers to execute arbitrary code by crafting malicious playlist files.

Memory Corruption Buffer Overflow RCE +1
NVD Exploit-DB
EPSS 0% CVSS 8.6
HIGH POC This Week

TuneClone 2.20 contains a structured exception handler (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious license code string.

Memory Corruption Buffer Overflow RCE +1
NVD Exploit-DB
EPSS 0% CVSS 2.1
LOW POC Monitor

A code injection vulnerability exists in Foundation Agents MetaGPT versions up to 0.8.1 within the code_generate function of metagpt/ext/aflow/scripts/operator.py, allowing authenticated remote attackers to execute arbitrary code. The vulnerability is classified as CWE-94 (improper control of generation of code) and carries a CVSS score of 6.3 with network-based attack vector requiring low privileges. A public exploit has been disclosed on GitHub, and the vendor has not responded to early disclosure attempts, elevating the practical risk despite the moderate CVSS rating.

RCE Code Injection Metagpt
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

The Task Manager plugin for WordPress (all versions up to 3.0.2) contains an arbitrary shortcode execution vulnerability in the AJAX search callback function due to missing capability checks and insufficient input validation. Authenticated attackers with Subscriber-level privileges and above can inject malicious shortcode syntax into search parameters to execute arbitrary shortcodes on the WordPress site, potentially leading to code execution and site compromise. The vulnerability is classified with a CVSS 3.1 score of 6.5 and has been reported by Wordfence security researchers.

Code Injection WordPress RCE
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The Performance Monitor plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in its REST API endpoint that allows unauthenticated attackers to make arbitrary web requests to internal services using dangerous protocols including Gopher. Versions up to and including 1.0.6 are affected. This vulnerability can be chained with services like Redis to achieve Remote Code Execution, making it a critical security concern despite the 7.2 CVSS score.

Redis WordPress SSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 5.6
MEDIUM This Month

The The Contact Form, Survey, Quiz & Popup Form Builder - ARForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.2. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE WordPress Code Injection
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist protections. Authenticated remote attackers with low privileges can inject malicious shell startup files (.bash_profile, .zshenv) via unsanitized HOME and ZDOTDIR variables to achieve arbitrary code execution before allowlisted commands execute. A patch is available from the vendor via GitHub commit c2c7114ed39a547ab6276e1e933029b9530ee906.

RCE Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability (CWE-1188) that allows local attackers with low privileges to execute arbitrary code on the host system by exploiting disabled OS-level sandbox protections in the Chromium browser container. The vulnerability does not require a sandbox escape, making exploitation straightforward for local users. A patch is available from the vendor, and the issue was reported by VulnCheck with references to GitHub security advisories and patch commits.

RCE Google Chrome
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Unsafe IOCTL handling in the DDK kernel module allows local attackers with limited privileges to bypass GPU memory protections and write to arbitrary physical memory through race condition exploitation. This privilege escalation vulnerability affects systems using the vulnerable DDK driver and requires no user interaction to trigger. No patch is currently available.

RCE Graphics Ddk
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A code injection vulnerability exists in Mindinventory MindSQL up to version 0.2.1 that allows remote code execution through manipulation of the ask_db function in mindsql/core/mindsql_core.py. An authenticated attacker can exploit this vulnerability to execute arbitrary code on the affected system. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure attempts, increasing the likelihood of active exploitation.

Code Injection RCE Mindsql
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Python allows authenticated users with SETTINGS permission to modify the reconnect.script configuration parameter without restriction, which is then passed unsanitized to subprocess.run() enabling arbitrary command execution. The vulnerability exists due to insufficient input validation in the set_config_value() API endpoint, which only restricts the general.storage_folder setting while leaving other security-critical options like reconnect.script unprotected. An attacker with non-admin SETTINGS privileges can exploit this to achieve full system compromise on the affected Python installation.

Python RCE Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in the AVideo platform's plugin upload endpoint allows unauthenticated attackers to achieve Remote Code Execution by tricking authenticated administrators into visiting a malicious webpage. The vulnerability combines missing CSRF token validation on the pluginImport.json.php endpoint with explicitly configured SameSite=None session cookies over HTTPS, enabling cross-origin session hijacking. A proof-of-concept exploit has been published demonstrating full compromise by uploading a malicious plugin containing a PHP webshell.

PHP RCE CSRF +3
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

The Kali Forms plugin for WordPress contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. All versions up to and including 2.4.9 are affected, including the popular 'Kali Forms - Contact Form & Drag-and-Drop Builder' plugin by WPChill. The vulnerability carries a critical CVSS score of 9.8 due to its network-based attack vector, low complexity, and lack of required authentication or user interaction.

WordPress RCE Code Injection
NVD VulDB GitHub
EPSS 3% CVSS 9.3
CRITICAL PATCH Act Now

An unauthenticated server-side request forgery (SSRF) vulnerability exists in AVideo's Live plugin test.php endpoint that allows remote attackers to force the server to send HTTP requests to arbitrary URLs. The vulnerability affects AVideo installations with the Live plugin enabled and can be exploited to probe internal network services, access cloud metadata endpoints, and retrieve content from internal HTTP resources. A proof-of-concept has been published demonstrating localhost service enumeration, and the vulnerability requires no authentication or user interaction to exploit.

SSRF PHP RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Remote code execution in PHP ffmpeg integration allows unauthenticated attackers to execute arbitrary OS commands on standalone encoder servers by bypassing incomplete input sanitization that fails to filter bash command substitution syntax. The vulnerable `sanitizeFFmpegCommand()` function strips common shell metacharacters but permits `$()` notation, which can be injected through crafted encrypted payloads and executed in a double-quoted shell context. No patch is currently available.

RCE PHP Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

The Gallery plugin in AVideo contains an unauthenticated remote code execution vulnerability through CSRF-enabled PHP code injection. Attackers can exploit an eval() function that directly executes unsanitized user input by tricking an admin into visiting a malicious page, with the session cookie's SameSite=None configuration enabling cross-site request forgery. A detailed proof-of-concept exploit exists demonstrating command execution through crafted form submissions.

PHP RCE CSRF +1
NVD GitHub VulDB
EPSS 3% CVSS 10.0
CRITICAL POC PATCH Act Now

A critical authentication bypass and command injection vulnerability chain in AVideo's CloneSite plugin allows completely unauthenticated remote attackers to achieve full system compromise. The vulnerability affects AVideo installations with the CloneSite plugin enabled, allowing attackers to steal clone authentication keys, dump the entire database including MD5-hashed admin credentials, crack those credentials trivially, and finally execute arbitrary system commands via an rsync command injection. A detailed proof-of-concept demonstrating the complete attack chain is publicly available in the GitHub security advisory, making this an immediate exploitation risk.

RCE Command Injection PHP
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

ScreenToGif, a widely-used screen recording application, is vulnerable to DLL sideloading attacks through a malicious version.dll file. Versions from 2.42.1 and earlier are affected when the portable executable is run from user-writable directories, which is the primary intended use case for this application. Attackers can achieve arbitrary code execution in the user's context with high impact on confidentiality, integrity, and availability. No public patches are available at the time of disclosure, and no evidence of active exploitation (KEV status) has been reported.

RCE Microsoft Windows
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

libfuse versions 3.18.0 through 3.18.1 contain a use-after-free vulnerability in the io_uring subsystem that allows local attackers to crash FUSE filesystem processes or execute arbitrary code when thread creation fails under resource constraints. The flaw occurs when io_uring initialization fails (e.g., due to cgroup limits), leaving a dangling pointer in session state that is dereferenced during shutdown. Public exploit code exists for this vulnerability, and no patch is currently available.

Memory Corruption RCE Denial Of Service +2
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Stack-based buffer overflow in GMT versions 6.6.0 and earlier allows local attackers to crash the application or execute arbitrary code by supplying an excessively long dataset identifier to vulnerable functions like gmt_remote_dataset_id. The vulnerability affects command-line processing of geographic data and currently lacks a public patch, leaving all affected GMT installations exposed to local exploitation.

Stack Overflow Buffer Overflow RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Authenticated users can trigger a heap overflow in MariaDB 11.4 (before 11.4.10) and 11.8 (before 11.8.6) through the JSON_SCHEMA_VALID() function, causing denial of service and potentially remote code execution under specific memory layout conditions. The vulnerability requires valid database credentials and affects server availability and integrity across scope boundaries. No patch is currently available for vulnerable versions.

RCE Buffer Overflow Heap Overflow +2
NVD GitHub VulDB
Prev Page 31 of 355 Next

Quick Facts

Typical Severity
CRITICAL
Category
other
Total CVEs
31891

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy