Skip to main content

Remote Code Execution

other CRITICAL

Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access.

How It Works

Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access. Unlike a single vulnerability class, RCE is an outcome—the catastrophic result of exploiting underlying weaknesses in how applications process input, manage memory, or handle executable content.

Attackers typically achieve RCE by chaining vulnerabilities or exploiting a single critical flaw. Common pathways include injecting malicious payloads through deserialization flaws (where untrusted data becomes executable objects), command injection (where user input flows into system commands), buffer overflows (overwriting memory to hijack execution flow), or unsafe file uploads (placing executable code on the server). Server-Side Template Injection and SQL injection can also escalate to code execution when attackers leverage database or template engine features.

The attack flow usually begins with reconnaissance to identify vulnerable endpoints, followed by crafting a payload that exploits the specific weakness, then executing commands to establish persistence or pivot deeper into the network. Modern exploits often use multi-stage payloads—initial lightweight code that downloads and executes more sophisticated tooling.

Impact

  • Complete system compromise — attacker gains shell access with application privileges, potentially escalating to root/SYSTEM
  • Data exfiltration — unrestricted access to databases, configuration files, credentials, and sensitive business data
  • Lateral movement — compromised server becomes a beachhead to attack internal networks and other systems
  • Ransomware deployment — direct pathway to encrypt files and disable backups
  • Persistence mechanisms — installation of backdoors, web shells, and rootkits for long-term access
  • Supply chain attacks — modification of application code or dependencies to compromise downstream users

Real-World Examples

The n8n workflow automation platform (CVE-2024-21858) demonstrated how RCE can emerge in unexpected places-attackers exploited unsafe workflow execution to run arbitrary code on self-hosted instances. The Log4j vulnerability (Log4Shell) showed RCE at massive scale when attackers sent specially crafted JNDI lookup strings that triggered remote class loading in Java applications worldwide.

Atlassian Confluence instances have faced multiple RCE vulnerabilities through OGNL injection flaws, where attackers inject Object-Graph Navigation Language expressions that execute with server privileges. These required no authentication, enabling attackers to compromise thousands of internet-exposed instances within hours of disclosure.

Mitigation

  • Input validation and sanitization — strict allowlists for all user-controlled data, especially in execution contexts
  • Sandboxing and containerization — isolate application processes with minimal privileges using containers, VMs, or security contexts
  • Disable dangerous functions — remove or restrict features like code evaluation, system command execution, and dynamic deserialization
  • Network segmentation — limit blast radius by isolating sensitive systems and restricting outbound connections
  • Web Application Firewalls — detect and block common RCE patterns in HTTP traffic
  • Runtime application self-protection (RASP) — monitor application behavior for execution anomalies
  • Regular patching — prioritize updates for components with known RCE vulnerabilities

Recent CVEs (31892)

EPSS 0% CVSS 8.4
HIGH PATCH This Week

Single-byte buffer overflow vulnerability in the WiFiMulti component of arduino-TuyaOpen (versions before 1.2.1) that allows remote code execution when IoT devices connect to attacker-controlled WiFi access points. This affects Tuya's Arduino library used in smart home devices, with a CVSS score of 8.4, though the local attack vector (AV:L) suggests physical proximity is required despite the remote exploitation capability described.

RCE Buffer Overflow Arduino Tuyaopen
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software.

RCE Tomcat Apache +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by injecting malicious input through the --container parameter when deploying models to SageMaker. The vulnerability affects MLflow installations in development environments, CI/CD pipelines, and cloud deployments, with a CVSS score of 7.5 indicating high severity. No active exploitation or KEV listing is reported, and no EPSS data is available to assess real-world exploitation likelihood.

Command Injection RCE Code Injection +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

This issue affects Apache Spark: before 3.5.7 and 4.0.1.

Command Injection RCE Deserialization +2
NVD GitHub VulDB
EPSS 0% CVSS 4.2
MEDIUM This Month

AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import functionality that fails to validate file paths during ZIP extraction. An authenticated attacker with high privileges can craft a malicious ZIP file containing path traversal sequences that, when imported via the community hub, extract files outside the intended directory and achieve arbitrary code execution on the server. While the CVSS score is moderate (4.2) due to high privilege requirements and user interaction, the vulnerability enables code execution and should be addressed promptly.

Path Traversal RCE AI / ML +1
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

PX4 autopilot versions prior to 1.17.0-rc2 contain a stack overflow vulnerability in the BST telemetry probe driver that allows a malicious BST device to trigger a buffer overflow by reporting an oversized dev_name_len parameter without bounds checking. An attacker with physical access to inject a malicious BST device can crash the autopilot task or potentially achieve arbitrary code execution, impacting drone flight safety and control systems. No active KEV exploitation data or public POC is currently documented, but the vulnerability is patched in version 1.17.0-rc2.

RCE Stack Overflow Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Code injection in SimpleEval when objects with dangerous attrs are passed. PoC available.

Code Injection RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

A Cross-Site Scripting (XSS) vulnerability in Angular's runtime and compiler allows attackers to bypass built-in sanitization when internationalization (i18n) is enabled on security-sensitive attributes like href, src, and action. The vulnerability affects Angular versions before 19.2.20, 20.3.18, 21.2.4, and 22.0.0-next.3, enabling attackers with low privileges to execute arbitrary JavaScript in users' browsers for session hijacking, data theft, and unauthorized actions. With a CVSS score of 8.6 and no current evidence of active exploitation or public POCs, this represents a serious but not yet weaponized threat to Angular applications using i18n features with user-controlled data.

XSS RCE
NVD GitHub HeroDevs VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Command injection RCE in claude-hovercraft tool. EPSS 1.3%.

Command Injection RCE AI / ML +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

CVE-2026-3084 is an integer underflow vulnerability in GStreamer's H.266 codec parser that allows remote code execution when processing malicious media files. The vulnerability affects all versions of GStreamer (CPE indicates wildcard versioning) and can be exploited through user interaction with specially crafted H.266 video content, allowing attackers to execute arbitrary code in the context of the application. No active exploitation (not in KEV) or public POC has been reported, and the relatively high CVSS score (7.8) is tempered by the local attack vector and user interaction requirement.

RCE Integer Overflow Gstreamer
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

CVE-2026-2921 is an integer overflow vulnerability in GStreamer's RIFF palette handling for AVI files that allows remote code execution with a CVSS score of 7.8. The vulnerability affects all versions of GStreamer (based on CPE wildcard) and requires user interaction to exploit, such as opening a malicious AVI file. No evidence of active exploitation (not in KEV), no public POC mentioned, and EPSS data not provided.

RCE Integer Overflow Gstreamer
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Critical out-of-bounds write vulnerability in GStreamer's rtpqdm2depay component that allows remote code execution when processing malformed X-QDM RTP payloads. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction, though attack vectors vary by implementation. With a CVSS score of 8.8 and active patch available, this represents a significant risk for applications using GStreamer for media processing.

Buffer Overflow RCE Gstreamer
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

CVE-2026-3086 is an out-of-bounds write vulnerability in GStreamer's H.266 codec parser that allows remote code execution when processing malformed APS (Adaptation Parameter Set) units. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction to exploit, such as processing a malicious H.266 video file. No evidence of active exploitation (not in KEV), no public POC, and no EPSS score available yet.

Buffer Overflow RCE Memory Corruption +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap-based buffer overflow vulnerability in GStreamer's rtpqdm2depay component that allows remote attackers to execute arbitrary code when processing malformed X-QDM RTP payloads. The vulnerability affects all versions of GStreamer (CPE indicates no version restrictions) and requires user interaction to exploit, though attack vectors may vary based on implementation. No active exploitation is known (not in KEV), and no EPSS score is available to assess real-world exploitation probability.

Buffer Overflow RCE Heap Overflow +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heap-based buffer overflow vulnerability in the GStreamer multimedia framework's JPEG parser that allows remote code execution when processing malicious Huffman tables. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction to exploit, with a CVSS score of 7.8. No active exploitation in the wild has been reported (not in KEV), and no EPSS data is available.

Buffer Overflow RCE Heap Overflow +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Stack-based buffer overflow in GStreamer's H.266 codec parser that allows remote code execution when processing malicious video files. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction to trigger, such as opening a malicious media file. No active exploitation (not in KEV) or public PoC has been reported, with EPSS data unavailable.

Buffer Overflow RCE Stack Overflow +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

CVE-2026-2923 is an out-of-bounds write vulnerability in GStreamer's DVB Subtitles handling that allows remote code execution when processing malformed subtitle coordinates. This vulnerability affects all versions of GStreamer (CPE indicates no version restrictions) and requires user interaction to exploit, though attack vectors may vary by implementation. No evidence of active exploitation (not in KEV), no public POC available, and no EPSS data provided.

Buffer Overflow RCE Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Critical remote code execution vulnerability in GStreamer's RealMedia demuxer component, allowing attackers to execute arbitrary code via malformed video packets that trigger an out-of-bounds write. The vulnerability affects all versions of GStreamer (CPE indicates wildcard versioning) and requires user interaction to process malicious media files. While no active exploitation is reported (not in KEV), the availability of a vendor patch and ZDI advisory suggests this vulnerability has been responsibly disclosed and addressed.

Buffer Overflow RCE Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heap-based buffer overflow vulnerability in GStreamer's ASF Demuxer component that allows remote attackers to execute arbitrary code when processing malicious ASF media files. The vulnerability requires user interaction (opening/processing a malicious file) and affects all versions of GStreamer based on the CPE data. No evidence of active exploitation (not in KEV) or public proof-of-concept exists, though Zero Day Initiative tracked it as ZDI-CAN-28843.

Buffer Overflow RCE Heap Overflow +1
NVD VulDB
EPSS 2% CVSS 8.8
HIGH This Week

Critical path traversal vulnerability in Unraid's update.php file that allows authenticated remote attackers to execute arbitrary code as root. The vulnerability affects all versions of Unraid (per CPE data) and was discovered by Zero Day Initiative (ZDI-CAN-28951). With a CVSS score of 8.8 and requiring only low privileges, this represents a severe risk for Unraid installations.

PHP Path Traversal RCE +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

CVE-2026-3562 is an authentication bypass vulnerability in Philips Hue Bridge's HAP (HomeKit Accessory Protocol) implementation, specifically within the ed25519_sign_open function that fails to properly verify Ed25519 cryptographic signatures. Network-adjacent attackers can exploit this flaw without authentication to execute arbitrary code on affected Hue Bridge installations. The CVSS score of 6.3 reflects moderate severity with local network access requirements, though the authentication bypass nature elevates real-world risk for smart home environments.

Authentication Bypass RCE Jwt Attack
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Heap-based buffer overflow vulnerability in Philips Hue Bridge devices that allows network-adjacent attackers to execute arbitrary code through malformed PUT requests to the HomeKit Accessory Protocol (HAP) characteristics endpoint. While authentication is normally required, the advisory notes the authentication mechanism can be bypassed, effectively allowing unauthenticated remote code execution. No EPSS score or KEV listing is available, suggesting this is not currently being exploited in the wild.

Buffer Overflow RCE Heap Overflow +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Heap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows unauthenticated network-adjacent attackers to execute arbitrary code. The vulnerability affects all versions of Philips Hue Bridge (CPE indicates no version restrictions) through the hk_hap_pair_storage_put function on TCP port 8080. No EPSS data or KEV listing is available, and while ZDI has published an advisory, no public POC or active exploitation has been reported.

Buffer Overflow RCE Heap Overflow +1
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Heap-based buffer overflow vulnerability in Philips Hue Bridge devices that allows network-adjacent attackers with authentication (which can be bypassed) to achieve remote code execution as root. The vulnerability affects the HomeKit Accessory Protocol (HAP) implementation on TCP port 8080 and has a high CVSS score of 8.0, though no active exploitation or public PoC has been reported.

Buffer Overflow RCE Heap Overflow +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Critical heap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows network-adjacent attackers to execute arbitrary code without authentication. The vulnerability affects all versions of Philips Hue Bridge (CPE indicates no version restriction) and stems from improper input validation in the hk_hap_pair_storage_put function. No active exploitation (not in KEV) or EPSS score is reported, but the high CVSS score (8.8) and RCE capability make this a significant threat for local network attackers.

Buffer Overflow RCE Heap Overflow +1
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Heap-based buffer overflow vulnerability in the Philips Hue Bridge's Zigbee stack that allows network-adjacent attackers to execute arbitrary code when users initiate device pairing. The vulnerability affects all versions of Philips Hue Bridge and has a CVSS score of 8.0, requiring physical proximity and user interaction to exploit. No EPSS data or KEV listing is available, suggesting this is not actively exploited in the wild.

Buffer Overflow RCE Heap Overflow +1
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

XSS in AnythingLLM 1.11.1 and earlier.

XSS RCE AI / ML +1
NVD GitHub
EPSS 0% 4.8 CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript.

Google RCE Buffer Overflow +3
NVD VulDB GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

SQL injection in OneUptime telemetry API before 10.0.23.

RCE SQLi Oneuptime
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Stack overflow in HMS Networks Ewon Flexy/Cosy+ firmware.

RCE Buffer Overflow Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

HMS Networks' industrial IoT gateways (Ewon Flexy and Cosy+) contain a command injection vulnerability that allows authenticated attackers to execute arbitrary OS commands remotely. This affects Flexy devices before firmware 15.0s4 and Cosy+ devices before 22.1s6 (22.x branch) or 23.0s3 (23.x branch). With a CVSS score of 8.8 but low EPSS of 0.06%, this vulnerability requires valid credentials but enables full system compromise.

RCE Command Injection Code Injection
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

JumpServer contains a Server-Side Template Injection (SSTI) vulnerability in its Applet and VirtualApp upload functionality that allows authenticated administrators to execute arbitrary code within the JumpServer Core container. The vulnerability affects JumpServer versions vulnerable to unsafe Jinja2 template rendering of user-uploaded YAML manifest files. While requiring high privilege level (Application Applet Management or Virtual Application Management permissions), successful exploitation results in complete container compromise with high confidentiality, integrity, and availability impact.

Ssti RCE Jumpserver
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Unauthenticated attackers can trigger out-of-bounds memory access in the web interface of multiple Omada switches through improper input validation, potentially achieving remote code execution or causing denial-of-service. Affected products include Sg2005p PD 1.x, Sg2008 4.2x/4.3x, and Sg2008p 3.2x/3.3x, which require only network access to the vulnerable interface. A patch is available to address this high-severity vulnerability (CVSS 7.7).

Buffer Overflow Information Disclosure RCE +62
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

create_function() sandbox bypass via unsanitized args passed to Function constructor. PoC available.

Node.js RCE PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

SandboxJS sandbox escape before 0.8.34 via Function access through arrays. CVSS 10.0.

RCE Code Injection Sandboxjs
NVD GitHub VulDB
EPSS 1% CVSS 8.7
HIGH POC PATCH This Week

Remote code execution in Clasp versions below 3.2.0 allows unauthenticated attackers to execute arbitrary code by uploading Google Apps Script projects with specially crafted filenames that exploit path traversal weaknesses. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires minimal user interaction and affects Google's Clasp tooling across all configurations.

Path Traversal RCE Google
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Memory corruption vulnerability in all versions of Digilent DASYLab data acquisition software that occurs when processing maliciously crafted files, potentially allowing attackers to leak sensitive information or execute arbitrary code. The vulnerability requires user interaction (opening a malicious file) and has a CVSS score of 7.8, with no current evidence of active exploitation or public proof-of-concept code.

Buffer Overflow Information Disclosure RCE +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Memory corruption vulnerability in all versions of Digilent DASYLab software that allows attackers to achieve information disclosure or arbitrary code execution through specially crafted files. The vulnerability requires user interaction (opening a malicious file) and has a CVSS score of 7.8, with no current evidence of active exploitation (not in KEV) or public proof-of-concept code.

Buffer Overflow Information Disclosure RCE +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Memory corruption vulnerability in all versions of Digilent DASYLab that allows attackers to execute arbitrary code or steal information by tricking users into opening malicious files. The vulnerability has a CVSS score of 7.8 (High) and requires user interaction, with no evidence of active exploitation (not in KEV) or publicly available proof-of-concept code.

Buffer Overflow Information Disclosure RCE +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Memory corruption vulnerability in all versions of Digilent DASYLab data acquisition software that allows attackers to achieve arbitrary code execution or information disclosure by tricking users into opening malicious .DSB files. With a CVSS score of 7.8 and requiring only user interaction, this out-of-bounds write vulnerability poses significant risk, though no active exploitation or public POCs have been reported.

Buffer Overflow Information Disclosure RCE +2
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

A code injection vulnerability in ILLID Advanced Woo Labels WordPress plugin (versions up to 2.36) allows authenticated administrators to execute arbitrary code through improper input validation, potentially leading to full site compromise. The vulnerability requires high privileges to exploit (CVSS 7.2), has no known active exploitation in the wild (not in CISA KEV), and carries a very low EPSS score of 0.00043 (0.043%), indicating minimal real-world exploitation likelihood despite the high CVSS score.

Code Injection RCE Advanced Woo Labels
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

RCE via code injection in Modal Dialog WordPress plugin.

Code Injection RCE Modal Dialog
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Arbitrary file upload in Pix for WooCommerce WordPress plugin.

File Upload RCE WordPress
NVD VulDB GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a shortcode injection vulnerability that allows attackers to execute arbitrary shortcodes by including them in comment content sent via email notifications. Attackers can inject shortcodes like [contact-form-7] or [user_meta] in comments, which are executed server-side when the WpdiscuzHelperEmail class processes notifications through do_shortcode() before wp_mai...

Code Injection RCE Wpdiscuz
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

D-Link DIR-513 router (v1.10) has a stack buffer overflow in the curTime parameter of formSetWizardSelectMode. This is an end-of-life router with no expected patch, meaning exploitation will remain possible indefinitely.

Buffer Overflow D-Link RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in Dataease prior to version 2.10.20 allows authenticated attackers to execute arbitrary code by manipulating the IniFile parameter to load malicious JDBC configuration files through the Redshift driver. An attacker with valid credentials can exploit the aggressive configuration file discovery mechanism to inject dangerous JDBC properties and gain complete system compromise. No patch is currently available, leaving affected deployments vulnerable to this high-severity attack vector.

RCE Path Traversal Dataease
NVD GitHub VulDB
EPSS 1% CVSS 9.9
CRITICAL Act Now

Veeam Backup & Replication allows a user with the Backup Viewer role (read-only) to escalate to remote code execution as the postgres database user. A read-only role achieving RCE represents a severe privilege escalation with scope change.

PostgreSQL RCE SQLi
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Veeam Backup & Replication allows Backup Administrators to achieve RCE in high-availability deployments. While requiring admin-level access, the scope change to the HA infrastructure makes this critical for organizations running Veeam in HA mode.

RCE Code Injection Veeam Backup Replication
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Yet another Veeam Backup & Replication RCE vulnerability allowing authenticated domain users to execute code on the Backup Server with scope change (CVSS 9.9). Part of a cluster of related Veeam vulnerabilities disclosed together.

RCE Code Injection Veeam Backup Replication
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

A second RCE vulnerability in Veeam Backup & Replication allows any authenticated domain user to execute code on the Backup Server with scope change. Same impact as CVE-2026-21666 but through a different attack vector.

RCE Authentication Bypass Veeam Backup Replication
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Veeam Backup & Replication allows an authenticated domain user to achieve remote code execution on the Backup Server. With a scope change to CVSS 9.9, a compromised domain account can fully take over the backup infrastructure.

RCE Authentication Bypass Veeam Backup Replication
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated RCE through pickle deserialization in the disaggregation module's inter-process communication. Same class of vulnerability as CVE-2026-3059 in a different code path.

RCE Deserialization Sglang
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

SGLang's multimodal generation module deserializes untrusted data with pickle.loads() over an unauthenticated ZMQ broker, enabling remote code execution. Any attacker who can reach the ZMQ port can execute arbitrary Python code on the ML inference server.

RCE Deserialization Sglang
NVD GitHub VulDB
EPSS 0%
Monitor

An Incorrect Permission Assignment vulnerability exists in the ASUS Business System Control Interface driver.

Linux RCE Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Lenovo Filez fails to properly validate SSL/TLS certificates, enabling network-positioned attackers to intercept traffic and execute arbitrary code on affected systems. An attacker with the ability to perform man-in-the-middle attacks can exploit this weakness to compromise user devices without authentication. No patch is currently available to remediate this vulnerability.

Authentication Bypass RCE
NVD VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. [CVSS 7.5 HIGH]

PHP RCE Path Traversal +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

RCE in NetGain EM Plus 10.1.68. PoC available.

RCE Code Injection
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

Verypdf docPrint Pro 8.0 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized alphanumeric encoded payload in the User Password or Master Password fields. [CVSS 8.4 HIGH]

Buffer Overflow Memory Corruption RCE
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

Easy File Sharing Web Server 7.2 contains a local structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by creating a malicious username. [CVSS 8.4 HIGH]

Buffer Overflow Memory Corruption RCE
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary OS command execution in Cloud CLI versions prior to 1.24.0 allows authenticated users to inject malicious commands through improperly sanitized git configuration parameters passed to shell execution functions. The /api/user/git-config endpoint fails to properly escape bash metacharacters like backticks and $() substitutions, enabling attackers to execute arbitrary operating system commands with application privileges. No patch is currently available for affected deployments.

RCE Code Injection Cloud Cli
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Craft CMS 5 allows authenticated Control Panel users with basic access (including non-admin roles like Author or Editor) to execute arbitrary code by injecting malicious Twig templates through condition rule parameters. The vulnerability exploits an unsandboxed template rendering function that bypasses all security hardening settings, affecting versions prior to 5.9.9 and 4.17.4. No patch is currently available for this HIGH severity vulnerability.

RCE Code Injection Craft Cms
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Arbitrary code execution in Jellyfin iOS GitHub Actions workflow. CVSS 10.0.

Privilege Escalation RCE Apple +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Critical vulnerability in Lantronix EDS serial device server (EDS5000/EDS3000PS). Multiple injection and auth bypass vulnerabilities in the management interface.

Command Injection RCE Eds3016Ps1Ns Firmware +1
NVD VulDB
EPSS 0% 5.0 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Critical vulnerability in Lantronix EDS serial device server (EDS5000/EDS3000PS). Multiple injection and auth bypass vulnerabilities in the management interface.

Code Injection RCE Eds5032 Firmware +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into the "tunnel" parameter when killing a tunnel connection. [CVSS 8.8 HIGH]

Code Injection RCE Eds5032 Firmware +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The Log Info page allows users to see log files by specifying their names. [CVSS 8.8 HIGH]

Code Injection RCE Eds5032 Firmware +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Critical vulnerability in Lantronix EDS serial device server (EDS5000/EDS3000PS). Multiple injection and auth bypass vulnerabilities in the management interface.

Code Injection RCE Eds5032 Firmware +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into the "name" parameter when deleting SSL credentials through the management interface. [CVSS 8.8 HIGH]

Code Injection RCE Eds5032 Firmware +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

RCE in OpenClaw Agent Platform v2026.2.6 via prompt injection.

RCE Code Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary plugin installation and remote code execution in ExactMetrics WordPress plugin versions 8.6.0-9.0.2 allows authenticated users with report-viewing permissions to bypass administrative capability checks via parameter manipulation. An attacker can exploit an Insecure Direct Object Reference in the onboarding process to install malicious plugins and execute arbitrary code on vulnerable WordPress installations. This vulnerability requires the site administrator to have previously granted non-admin users report access permissions.

WordPress RCE Authentication Bypass +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

LFI to RCE in IFTOP by WellChoose.

LFI PHP RCE +1
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Code injection in MitsubishiChemical network devices MR-GM5L-S1 and MR-GM5A-L1 allows authenticated administrators to execute arbitrary commands via crafted inputs. While requiring high-privilege access (CVSS:4.0 PR:H), successful exploitation achieves complete system compromise with high confidentiality, integrity, and availability impact. EPSS score of 0.05% (16th percentile) indicates low probability of mass exploitation. No active exploitation or public proof-of-concept identified at time of analysis, though JPCERT/CC coordination suggests vendor awareness and patch availability.

Code Injection RCE
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Royal Addons for Elementor (WordPress plugin) versions up to 1.7.1049. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

WordPress PHP RCE +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Authenticated attackers can execute arbitrary OS commands on AOS-CX Switches through improper input validation in the CLI, potentially compromising network infrastructure. This command injection flaw (CWE-78) affects high-privileged users with network access and carries a CVSS score of 7.2, with no patch currently available.

Command Injection RCE
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Unauthenticated local attackers can achieve remote code execution on Android devices through out-of-bounds memory writes that corrupt process memory. This vulnerability requires no user interaction or elevated privileges to exploit and has a CVSS score of 8.4. No patch is currently available.

RCE Memory Corruption Android +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Modem has a fifth OOB write enabling remote privilege escalation.

RCE Android Google
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Samsung/Google MFC driver has an OOB write in mfc_core_isr.c enabling kernel-level privilege escalation on Android devices.

RCE Android Google
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Modem has a fourth OOB write due to incorrect bounds check.

RCE Android Google
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

IBM Trusteer Rapport 3.5.2309.290 contains an insecure DLL search path vulnerability that allows local attackers to execute arbitrary code by planting a malicious file in a compromised directory. The attack requires local system access but no user interaction or elevated privileges, making it exploitable by any local user. No patch is currently available for this high-severity vulnerability.

IBM RCE
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL POC Act Now

GetSimple CMS massiveAdmin plugin has a CSRF vulnerability enabling attackers to perform admin actions through crafted malicious pages.

PHP RCE CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

MCP Atlassian server has a path traversal vulnerability enabling unauthorized access to Confluence and Jira data outside the intended scope.

Atlassian Path Traversal RCE
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

simple-git Node.js library has a command injection vulnerability (EPSS with patch) enabling RCE when processing untrusted git operations.

Node.js RCE Command Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in DNG SDK 1.7.1 2471 and earlier via an out-of-bounds write vulnerability that executes with user privileges when a victim opens a malicious file. The vulnerability requires user interaction but no special privileges, making it exploitable through social engineering with crafted documents. No patch is currently available for affected DNG Software Development Kit users.

Buffer Overflow RCE Dng Software Development Kit
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability triggered when users open malicious files. An attacker can execute code with the privileges of the affected user, requiring only social engineering to deliver the malicious file. No patch is currently available for this high-severity vulnerability.

Buffer Overflow RCE Substance 3d Stager
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability triggered by opening a malicious file. An attacker can achieve code execution with user privileges by crafting a weaponized file and socially engineering a victim into opening it. No patch is currently available for this high-severity vulnerability.

Buffer Overflow RCE Substance 3d Stager
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in Adobe Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability that executes with user privileges when a victim opens a crafted file. The vulnerability requires user interaction but no special permissions, making it a practical attack vector for local exploitation. No patch is currently available.

Buffer Overflow RCE Substance 3d Stager
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability triggered by opening a malicious file. Users running affected versions face code execution at their privilege level with no available patch. This requires social engineering to trick users into opening a crafted file.

Buffer Overflow RCE Substance 3d Stager
NVD VulDB
EPSS 1% CVSS 8.7
HIGH POC This Week

Remote code execution in GitHub Enterprise Server allows authenticated users with repository push access to execute arbitrary code via unsanitized push option values that bypass internal header validation. An attacker can inject malicious metadata fields by exploiting insufficient input sanitization in the git push operation handler. This high-severity vulnerability affects GitHub Enterprise Server versions prior to 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, and 3.19.3, with no patch currently available for all affected installations.

RCE Command Injection Enterprise Server
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in Firefox versions prior to 148.0.2 results from multiple memory corruption flaws in the browser's memory safety implementation. An unauthenticated attacker can exploit these vulnerabilities through a malicious webpage requiring user interaction to achieve remote code execution with full system privileges. No patch is currently available for this vulnerability.

Mozilla Buffer Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Gas station automation system BUK TS-G 2.9.1 has a SQL injection enabling compromise of fuel management and transaction data.

PHP RCE SQLi
NVD VulDB
Prev Page 33 of 355 Next

Quick Facts

Typical Severity
CRITICAL
Category
other
Total CVEs
31892

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy