Skip to main content

Remote Code Execution

other CRITICAL

Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access.

How It Works

Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access. Unlike a single vulnerability class, RCE is an outcome—the catastrophic result of exploiting underlying weaknesses in how applications process input, manage memory, or handle executable content.

Attackers typically achieve RCE by chaining vulnerabilities or exploiting a single critical flaw. Common pathways include injecting malicious payloads through deserialization flaws (where untrusted data becomes executable objects), command injection (where user input flows into system commands), buffer overflows (overwriting memory to hijack execution flow), or unsafe file uploads (placing executable code on the server). Server-Side Template Injection and SQL injection can also escalate to code execution when attackers leverage database or template engine features.

The attack flow usually begins with reconnaissance to identify vulnerable endpoints, followed by crafting a payload that exploits the specific weakness, then executing commands to establish persistence or pivot deeper into the network. Modern exploits often use multi-stage payloads—initial lightweight code that downloads and executes more sophisticated tooling.

Impact

  • Complete system compromise — attacker gains shell access with application privileges, potentially escalating to root/SYSTEM
  • Data exfiltration — unrestricted access to databases, configuration files, credentials, and sensitive business data
  • Lateral movement — compromised server becomes a beachhead to attack internal networks and other systems
  • Ransomware deployment — direct pathway to encrypt files and disable backups
  • Persistence mechanisms — installation of backdoors, web shells, and rootkits for long-term access
  • Supply chain attacks — modification of application code or dependencies to compromise downstream users

Real-World Examples

The n8n workflow automation platform (CVE-2024-21858) demonstrated how RCE can emerge in unexpected places-attackers exploited unsafe workflow execution to run arbitrary code on self-hosted instances. The Log4j vulnerability (Log4Shell) showed RCE at massive scale when attackers sent specially crafted JNDI lookup strings that triggered remote class loading in Java applications worldwide.

Atlassian Confluence instances have faced multiple RCE vulnerabilities through OGNL injection flaws, where attackers inject Object-Graph Navigation Language expressions that execute with server privileges. These required no authentication, enabling attackers to compromise thousands of internet-exposed instances within hours of disclosure.

Mitigation

  • Input validation and sanitization — strict allowlists for all user-controlled data, especially in execution contexts
  • Sandboxing and containerization — isolate application processes with minimal privileges using containers, VMs, or security contexts
  • Disable dangerous functions — remove or restrict features like code evaluation, system command execution, and dynamic deserialization
  • Network segmentation — limit blast radius by isolating sensitive systems and restricting outbound connections
  • Web Application Firewalls — detect and block common RCE patterns in HTTP traffic
  • Runtime application self-protection (RASP) — monitor application behavior for execution anomalies
  • Regular patching — prioritize updates for components with known RCE vulnerabilities

Recent CVEs (31873)

EPSS 1% CVSS 7.6
HIGH PATCH This Week

Detection bypass in picklescan before 0.0.29 allows attackers to smuggle arbitrary-code payloads past the scanner by abusing Python's built-in trace.Trace.runctx in a pickle reduce method, so a malicious model/pickle file is rated safe yet executes code when later deserialized with pickle.load(). picklescan is a security scanner used to vet untrusted ML pickle files (notably in the Hugging Face ecosystem), so this failure defeats the very control teams rely on to catch malicious models. No public exploit identified at time of analysis and the issue is not in CISA KEV; reported by VulnCheck with a CVSS 4.0 base score of 7.6.

Python RCE Picklescan
NVD GitHub
EPSS 1% CVSS 7.6
HIGH PATCH This Week

Malicious pickle detection bypass in picklescan before 0.0.29 lets attackers smuggle arbitrary code execution payloads past the scanner by abusing the built-in trace.Trace.run function inside a pickle's __reduce__ method. Because picklescan does not flag trace.Trace.run as a dangerous global, a crafted model/pickle file is reported as safe yet executes arbitrary code when later deserialized via pickle.load. No public exploit identified at time of analysis; this is a classic deny-list gap in a security scanner that defenders rely on to gate untrusted ML artifacts.

Deserialization RCE Picklescan
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Remote code execution in txtai through 9.10.0 lets a remote attacker reach the API /reindex endpoint and supply an arbitrary dotted callable (for example subprocess.getoutput) that the server imports and invokes during reindexing, running commands as the server process. The flaw is exploitable only when the API is network-exposed with no TOKEN set (so all endpoints are unauthenticated) and the index is writable - not the default posture. No public exploit has been identified at time of analysis, but the issue carries a high CVSS 4.0 base score of 9.3 and was reported by VulnCheck.

Code Injection RCE Txtai
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary Python via the flow `tool_code` mechanism, gaining full control of the Langflow process. Because the scope changes (S:C), the attacker can read every process secret, read and tamper with all flows, conversations, messages, uploads and saved components in the database, reach internal services and cloud metadata endpoints, and pivot across tenants on the same instance. This is a maximum-severity (CVSS 10.0) flaw, though no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Code Injection IBM File Upload +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 lets unauthenticated network attackers run arbitrary code by abusing improper handling of the pre-authentication DRDA handshake. Because the flaw is reachable before any login, any client able to reach the database listener can trigger it, and the CVSS 3.1 base score of 9.8 reflects full compromise of confidentiality, integrity, and availability. No public exploit is identified at time of analysis and the CVE is not listed in CISA KEV.

Code Injection IBM RCE +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0-8.6.1.6 arises because three bundled ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) deserialize untrusted data without any JEP-290 lookahead class filter. When Oracle Coherence is present on the classpath, confirmed working gadget chains (RemoteConstructor.readResolve, PriorityQueue/ExtractorComparator) let a low-privileged authenticated attacker who can write a session attribute - or a LAN-adjacent attacker on the unauthenticated grid replication wire - run arbitrary code on peer WebSphere Application Server JVMs. A vendor patch is available; there is no public exploit identified and EPSS is low (0.29%), but IBM confirms the gadget chains function, giving total technical impact per SSVC.

Deserialization IBM RCE +1
NVD VulDB
EPSS 3% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 arises from roughly 50 generated CORBA stub classes in the shipped ogclient.jar that invoke ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, converting any unfiltered ObjectInputStream sink in the surrounding WebSphere Application Server into outbound IIOP server-side request forgery. When chained with the IBM ORB getUserException class-instantiation flaw (tracked as WAS-26), that SSRF escalates to code execution on the calling JVM. CVSS is 10.0 (scope-changed, full CIA impact); EPSS is 3.01% (86th percentile) and there is no public exploit identified at time of analysis.

Deserialization SSRF RCE +3
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Arbitrary code execution in IBM Langflow OSS versions 1.0.0 through 1.10.0 allows remote attackers to run code on the host by submitting flow definitions containing nodes with missing or empty component type fields. The improper input validation (CWE-20) lets malformed node specifications bypass type checks and reach unsafe execution paths in the low-code AI workflow engine. The CVSS vector (AV:N/PR:N) indicates network-reachable, pre-authentication exploitation; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

IBM RCE Langflow Oss
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Insecure deserialization (CWE-502) in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any party with access to the backing Redis store inject a malicious serialized object that Langflow deserializes, yielding arbitrary code execution with full application privileges. Successful exploitation exposes all stored secrets, flow data, and the underlying host, effectively a complete compromise of the Langflow instance. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available per IBM advisory node 7278443.

Deserialization IBM Redis +2
NVD
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Code injection in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets an authenticated user execute arbitrary operating-system commands and read sensitive files such as stored credentials, escalating from low-privileged application access to full host compromise. Rated CVSS 9.9 with a scope-changing vector, the flaw enables lateral movement once an attacker holds any valid Langflow account. No public exploit identified at time of analysis, but a vendor patch is available.

Code Injection IBM RCE +1
NVD
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated remote code execution in Orkes Conductor (conductor-oss) versions 3.21.21 through 3.30.1 lets remote attackers run arbitrary OS commands by POSTing inline workflow definitions to the workflow API before any authentication check. The flaw stems from GraalVM script evaluators left in an unsandboxed state (HostAccess.ALL / allowAllAccess(true)), allowing JavaScript or Python expressions in INLINE, LAMBDA, DO_WHILE, and SWITCH tasks to reach Java reflection and subprocess APIs. Reported by VulnCheck; no public exploit identified at time of analysis, though a detailed vendor/researcher advisory exists.

Code Injection Python Java +2
NVD GitHub
EPSS 1% CVSS 8.6
HIGH PATCH This Week

{} literals. No public exploit identified at time of analysis, but the high CVSS (8.6) and trivial exploitation make this a priority for affected deployments.

RCE Prototype Pollution
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. A working reproduction payload is published in the GitHub advisory; the impact is availability-only with no code execution, and there is no public exploit identified beyond that payload and no evidence of active exploitation.

Authentication Bypass Microsoft RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Remote code execution in HKUDS Vibe-Trading before 0.1.10 is reachable via a DNS-rebinding attack against its local API server, which trusts the TCP peer address to waive the API_AUTH_KEY bearer-token check for loopback clients, performs no Host-header validation, and binds to 0.0.0.0 with credentialed CORS by default. Because loopback requests also auto-enable shell tools, a malicious web page visited by the victim can issue authenticated POST /swarm/runs calls with a built-in preset that permits the bash tool, executing arbitrary commands as the API process user and also overwriting LLM and data-source settings to redirect provider traffic and exfiltrate credentials. No CISA KEV listing or EPSS score was provided and no public exploit identified at time of analysis, though the issue was reported by VulnCheck.

RCE Vibe Trading
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and earlier stems from improper input validation (CWE-20) that lets an attacker craft a malicious file which, when opened by a victim, executes code in the context of the current user and can inject scripts to hijack the victim's account or session. The CVSS 3.1 base score is 9.3 (Critical) with a changed scope, reflecting cross-boundary impact once the victim is lured into interaction. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV, so risk currently hinges on social-engineering a target into opening attacker-supplied content.

RCE Coldfusion
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and earlier lets a remote attacker run code in the context of the current user with no authentication and no user interaction. The flaw stems from improper input validation (CWE-20) and carries a maximum CVSS of 10.0 with a changed scope, meaning impact can extend beyond the vulnerable component. No public exploit identified at time of analysis, but ColdFusion's history of weaponized RCE bugs makes this a high-priority patch.

RCE Coldfusion
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote code execution in Adobe ColdFusion (versions 2025.9, 2023.20 and earlier) lets a remote attacker run arbitrary code in the context of the current user with no authentication and no user interaction, per the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) scored 10.0 with a changed scope. The root cause is improper input validation (CWE-20). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

RCE Coldfusion
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Reflected Cross-Site Scripting in Adobe ColdFusion 2025.9, 2023.20 and earlier lets an attacker craft a malicious link that, when opened by a victim, injects and executes attacker-controlled script in the victim's browser session, with Adobe characterizing the impact as potential arbitrary code execution in the context of the current user. Because the CVSS scope is changed and confidentiality, integrity and availability impacts are all rated High, a successful attack against an authenticated ColdFusion administrator could compromise the management interface. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS RCE Coldfusion
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL POC Act Now

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases lets a remote attacker upload a file of a dangerous type (e.g., a CFML/JSP payload) and execute it in the context of the current user, with no user interaction required. The CVSS 3.1 base score is the maximum 10.0 with a changed scope, reflecting that successful exploitation breaches the ColdFusion process boundary. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but ColdFusion's history of weaponized file-upload/RCE bugs makes this a high-priority patch.

RCE File Upload Coldfusion
NVD VulDB GitHub
EPSS 1% 5.0 CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Path traversal in Adobe ColdFusion 2025.9, 2023.20 and earlier enables remote, unauthenticated attackers to write or access files outside intended directories and achieve arbitrary code execution in the context of the current user. Rated CVSS 10.0 with a changed scope and no user interaction required, this is among the most severe ColdFusion flaws possible. No public exploit identified at time of analysis, but the impact and trivial attack complexity make it a top patching priority.

Path Traversal RCE Coldfusion
NVD VulDB GitHub
EPSS 1% CVSS 10.0
CRITICAL Act Now

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases stems from an unrestricted dangerous-file-type upload (CWE-434) that lets a remote attacker drop and execute a malicious payload, such as a CFM/CFML webshell, in the context of the running ColdFusion user. Rated CVSS 10.0 with a changed scope, it requires no user interaction and, per the provided vector, no authentication. No public exploit identified at time of analysis, though ColdFusion's history of weaponized upload bugs makes this a high-priority patch.

RCE File Upload Coldfusion
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9396 and earlier allows unauthenticated attackers to bypass authorization controls and run arbitrary code in the context of the current user. The flaw stems from an incorrect authorization check (CWE-863) reachable over the network with no user interaction, and the changed scope means impact can extend beyond the vulnerable component. It carries a maximum CVSS 10.0 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Adobe RCE +1
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Code injection via malicious project files in Mendix Studio Pro 10.11 through 11.11 allows arbitrary code execution on a developer's workstation when a victim opens and runs a specially crafted project through the build pipeline. Siemens' own ProductCERT (SSA-779310) reported this flaw, classifying it under CWE-94, with patches available only for the 10.24 and 11.6 long-term support lines. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the breadth of affected versions - spanning the entire 10.x and 11.x release trees - means most active Mendix developer environments are exposed.

Code Injection RCE Mendix Studio Pro 10 11 +25
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Memory-corruption weaknesses in Mozilla Firefox 152.0.3 could allow remote attackers to potentially execute arbitrary code within the browser process. Mozilla graded the collected memory-safety bugs as critical (MFSA2026-62) and states some showed evidence of memory corruption that, with sufficient effort, could be exploited for code execution; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile). The issue is resolved in Firefox 152.0.4.

Memory Corruption Mozilla Buffer Overflow +2
NVD VulDB
EPSS 1% CVSS 9.3
CRITICAL Act Now

Remote code execution in LLaMA-Factory through version 0.9.5 allows attackers who can reach the Gradio WebUI to run arbitrary Python by entering a malicious model path in the Chat or Training interfaces. Because the app forwards unvalidated user input into Hugging Face's AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True, a referenced repository's custom modeling code executes with the server process's privileges. Publicly available exploit code exists (a proof-of-concept gist plus a VulnCheck advisory), though it is not listed in CISA KEV and no in-the-wild abuse is documented in the available data.

Code Injection Python RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Remote code execution in Redeight CMS 1.0 lets an authenticated attacker upload arbitrary PHP scripts through the admin Pages module's FileAdd endpoint, which performs no extension or MIME-type validation. The uploaded file lands in the web-accessible /uploads/files/ directory and is executed directly by the web server, yielding full server-side code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

PHP RCE File Upload +1
NVD VulDB
EPSS 0% CVSS 8.4
HIGH Act Now

Arbitrary code execution in Delta Electronics DTMSoft arises from unsafe deserialization of untrusted data during project file parsing (CWE-502), allowing an attacker who supplies a malicious DTMSoft project file to run code in the context of the user who opens it. The flaw is local and requires victim interaction (opening the crafted file) rather than remote network exploitation, and impacts confidentiality, integrity, and availability fully. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; no EPSS score was supplied.

Deserialization RCE Dtmsoft
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Arbitrary file deletion in the Export User Data plugin for WordPress (versions up to and including 2.2.6) allows an authenticated subscriber-level attacker to delete any file on the server, including wp-config.php, which can escalate to remote code execution. The flaw stems from unsafe deserialization of a PHP object embedded in a user's display name that is processed when an administrator exports user data. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation is gated by required administrator interaction.

WordPress Deserialization RCE +2
NVD VulDB
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permissions execute arbitrary commands as root on managed servers. The 'network' parameter in the Destination Network Management feature is passed unsanitized into shell commands, yielding full root-level remote code execution on the host. No public exploit identified at time of analysis; the issue is fixed in 4.0.0-beta.471.

Command Injection RCE Coolify
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authenticated user run arbitrary commands on the deployment host. The flaw is an OS command injection in the Nixpacks build pack: the user-supplied install_command build parameter is concatenated unsanitized into a shell command executed during the build phase, allowing escape from the build context to host-level command execution. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, but the path to abuse is straightforward for any user who can configure a deployment.

Command Injection RCE Coolify
NVD GitHub
HIGH PATCH This Week

Authenticated remote code execution in Open Identity Platform OpenAM Community Edition through 16.0.6 lets any user able to author or edit server-side scripts escape the scripting sandbox and run OS commands as the OpenAM application-server account. Because the sandbox's default class allow/deny lists fail to contain script execution, a sub-realm RealmAdmin can pivot from realm-scoped administration to full JVM/host compromise, affecting every realm the process serves. No public exploit has been identified at time of analysis, and the issue is fixed in 16.1.1.

RCE
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Heap-based buffer overflow in libtiff's PixarLog codec decoder lets attackers crash or potentially execute code in any application that decodes a maliciously crafted PixarLog-compressed TIFF using the PIXARLOGDATAFMT_8BITABGR output format with a specific stride value. Any software linking libtiff for TIFF decoding is exposed, with impact ranging from denial of service to potential arbitrary code execution. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, so exploitation is theoretical rather than observed.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in Snowflake CLI versions prior to 3.19 lets an attacker run code in the context of any developer who bundles or deploys an attacker-supplied Snowpark project. The flaw lives in the Snowpark annotation processor callback template, where untrusted project content is interpolated directly into generated Python code (CWE-94). No public exploit has been identified at time of analysis, but the attack is straightforward and high-impact (CVSS 8.8) given that it executes with the victim's local privileges; exploitation hinges on the victim running the bundling/deployment workflow against malicious content.

Code Injection Python RCE +1
NVD
EPSS 1% CVSS 7.7
HIGH PATCH This Week

Sandbox escape and code execution in Anthropic's Claude Code CLI (versions 2.1.38 through 2.1.162) lets a malicious repository break out of the macOS seatbelt sandbox by abusing git worktree handling. By creating a worktree named ".git" and combining symlink manipulation with git fsmonitor execution, an attacker can overwrite files in the user's home directory such as .zshenv to achieve code execution outside the sandbox. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation is realistic since it only requires a user to clone and open a booby-trapped repo; it is fixed in 2.1.163.

Path Traversal RCE Claude Code
NVD GitHub VulDB
EPSS 0% CVSS 1.8
LOW PATCH Monitor

Stack-based buffer overflows in libxml2's xmlcatalog utility enable memory corruption and potential arbitrary code execution when the tool is invoked in its interactive --shell mode. The usershell() function writes user-supplied input into fixed-size stack buffers (command, arg, argv) without any length validation, allowing overflow of adjacent stack memory including return addresses. Real-world risk is very low: exploitation requires local access, deliberate user invocation of a non-default shell mode, and an attack precondition - reflected in the CVSS 4.0 score of 1.8 - with no public exploit or active exploitation identified. Notably, libxml2 maintainers disputed the security classification, treating this as a bug rather than a vulnerability.

Buffer Overflow Stack Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary VS Code command execution in the Red Hat vscode-java extension allows a malicious Java source file to embed hidden commands inside JavaDoc hover Markdown, so that a developer who simply clicks a crafted link in a hover popup triggers attacker-chosen commands that can escalate to full system compromise in trusted workspaces. The flaw stems from the extension rendering JavaDoc hovers as fully-trusted Markdown, and it also affects Red Hat OpenShift Dev Spaces, which bundles the extension. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the network reach combined with only a single click of user interaction makes it high-impact.

Java RCE Red Hat Openshift Dev Spaces
NVD GitHub
EPSS 1% CVSS 8.7
HIGH POC PATCH This Week

Remote code execution in FrontAccounting before 2.4.20 lets an authenticated user abuse the attachment upload handler to plant a PHP web shell. The handler fails to validate the unique_name parameter, so traversal sequences write attacker-controlled files outside the attachments directory and into the web root, and because file extensions are not validated, an uploaded PHP file executes as the web server user. Publicly available exploit code exists and a vendor patch is available, though the issue is not listed in CISA KEV.

Path Traversal RCE PHP +1
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Remote code execution in SzafirHost (KIR's Szafir electronic-signature host application) arises from a ZIP/JAR parser-confusion flaw: signature verification reads the archive's Central Directory while extraction reads local file headers sequentially, letting an attacker who controls the served native-library archive smuggle an unsigned malicious DLL/SO/DYLIB past the signature check. Versions prior to 1.2.2 are affected; the injected library is written to the native temp directory and loaded, yielding code execution on the victim's machine. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

RCE File Upload Szafirhost
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Remote code execution in Alexantr filemanager v1.0 lets remote attackers run arbitrary code through the filemanager.php component, mapped to CWE-94 (code injection). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw requiring no authentication or user interaction, and publicly available exploit code exists (GitHub POC by SLO-CYBER-SEC). SSVC rates exploitation as proof-of-concept with total technical impact and automatable=yes, but it is not on CISA KEV and no EPSS score was provided.

Code Injection PHP RCE +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Code injection in ANTLR4's Grammar Action Block Handler allows remote attackers to execute arbitrary code by supplying a crafted grammar file processed by the tool. All versions up to and including 4.13.2 are affected via the OutputFile.java code generation pathway. A public proof-of-concept exploit exists on GitHub (no KEV listing), though the vendor has not acknowledged or patched the issue, leaving users without an official fix.

Code Injection Java RCE +3
NVD VulDB GitHub
EPSS 0% CVSS 2.3
LOW POC PATCH Monitor

Arbitrary code execution in Flowise before 3.1.3 on Windows allows an authenticated user with Custom MCP node configuration access to bypass the NODE_OPTIONS environment variable denylist by supplying the lowercase variant 'node_options', exploiting a case-sensitive string comparison against a case-insensitive OS. The injected NODE_OPTIONS --require directive causes the Flowise server process to load an attacker-controlled module when spawning a Custom MCP stdio child process. A publicly available proof-of-concept exists per VulnCheck; the vulnerability is not listed in CISA KEV, and exploitation is constrained by Windows platform dependency and the requirement for stdio mode to be explicitly enabled.

Microsoft RCE Flowise
NVD GitHub VulDB Exploit-DB
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Kestra OSS (the open-source event-driven orchestration platform) prior to versions 1.0.45 and 1.3.21, where a flawed authentication whitelist lets attackers reach protected API endpoints without credentials. The AuthenticationFilter exempts the public config endpoint using a suffix match (request.getPath().endsWith("/configs")) instead of an exact path match, so any API path ending in 'configs' bypasses Basic Auth, allowing an attacker to create and run arbitrary workflows. Because the default-enabled script-execution plugins (shell, Python) run inside the worker container as root, this escalates directly to unauthenticated RCE. Carries a maximal CVSS of 10.0; there is no public exploit identified at time of analysis.

Command Injection Python RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote code execution in Kestra orchestration platform before 1.0.45 and 1.3.21 lets anonymous attackers fully compromise the host. The REST API authentication filter treats any request path ending in /configs as the public instance-config endpoint, so an attacker appending the literal segment configs (e.g. to flow-create or execution-trigger routes) bypasses Basic-Auth, creates a flow with a Shell/Process task, and executes commands as root inside the container; with the default docker-compose mounting /var/run/docker.sock, this pivots to the host Docker daemon. No public exploit identified at time of analysis, but the technique is fully described in the vendor advisory and is trivially reproducible.

Code Injection Docker RCE +1
NVD GitHub VulDB
LOW PATCH Monitor

Output manipulation in flawfinder before version 2.0.20 allows an attacker who controls repository filenames or file content to inject ANSI escape sequences into terminal output, visually hiding or falsifying scan results from human reviewers. The same untrusted-input handling gap extends to structured report generation: CSV reports and SonarQube XML output (via the output_sonar() function) can be corrupted or attribute-injected when filenames, categories, or code context contain unescaped special characters. No public exploit code is identified and the vulnerability is not in CISA KEV; however, the defense-evasion potential is meaningful for organizations running flawfinder against untrusted or adversarial repositories in CI/CD pipelines. The 'RCE' tag present in the intelligence metadata is not supported by the advisory and appears to be a mis-classification.

Python RCE
NVD GitHub
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Remote code execution in the Cudy LT300 3.0 4G LTE router (firmware before 2.5.12) lets authenticated users run arbitrary OS commands by embedding shell metacharacters in the cbid.system.ntp.current POST parameter of the system time (NTP) configuration page. Because the CVSS 4.0 vector specifies PR:L, an attacker needs valid (low-privileged) web credentials but no user interaction, and successful injection yields full host compromise (VC/VI/VA all High). No public exploit identified at time of analysis; the flaw was reported by VulnCheck and a vendor patch is available.

Command Injection RCE Lt300 3 0
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker with adjacent-network access and no authentication (CVSS:3.1 AV:A/PR:N) to corrupt cached entries and ultimately execute arbitrary code on the server. The CVSS 9.6 score reflects a scope change (S:C) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

RCE Openproject
NVD GitHub VulDB
CVSS 9.9
CRITICAL POC PATCH Act Now

Argument injection in the Incus daemon (incusd) backup feature lets an authenticated remote API client (PR:L) write arbitrary files on the host as root and likely escalate to code execution, affecting all versions before 7.2.0. The backup compression_algorithm field is split into tokens but only the first token is allowlist-validated, so trailing flags are passed straight to compressors like zstd. Publicly available exploit code exists (a full Python PoC is published in the GHSA advisory); rated CVSS 9.9 and tagged RCE, though it is not listed in CISA KEV.

RCE
NVD GitHub
CVSS 9.9
CRITICAL POC PATCH Act Now

Arbitrary host file read and write in Incus (the LXC/LXD container and VM manager) before version 7.2.0 allows a user who can import a crafted container image or instance backup to escape into the host filesystem via an unsanitized top-level `templates` symlink, possibly escalating to root command execution. The flaw stems from tar/rsync extraction routines that exclude device nodes but fail to reject symlinks pointing outside the target directory. No KEV listing or EPSS score is provided, but a detailed working PoC is published in the GHSA advisory.

RCE
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Use-after-free in Envoy's HTTP OAuth2 filter (envoy.filters.http.oauth2) across versions 1.37.0-1.37.4 and 1.38.0-1.38.2 enables unauthenticated remote attackers to crash Envoy worker threads by racing a connection teardown against an in-flight async token exchange. When a downstream client disconnects while the filter is awaiting an async OAuth2 token response, the late AsyncClient callback invokes StreamDecoderFilterCallbacks on an already-freed object, producing undefined behavior and worker crashes. The reporter explicitly disclaims RCE - confirmed impact is availability loss (DoS); allocator-dependent memory corruption effects beyond crash are theoretically possible but not demonstrated. No public exploit or CISA KEV listing identified at time of analysis.

Memory Corruption Microsoft Use After Free +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Heap buffer overflow in Envoy's TcpStatsdSink component (versions 1.34.0 through pre-fix releases) allows unauthenticated remote attackers to crash the Envoy process or potentially achieve remote code execution by submitting HTTP or gRPC requests with request paths exceeding 16KiB, provided a specific non-default dual-filter configuration is present. The root flaw is an incorrect buffer rotation in the thread-local metric flusher that allocates a new 16KiB slice but continues writing beyond its boundary via unchecked memcpy operations. No public exploit has been identified at time of analysis, though vendor-confirmed patches are available across all affected release branches (1.35.13, 1.36.9, 1.37.5, 1.38.3).

Buffer Overflow RCE Envoy
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

{tag}` placeholder used to dynamically build output file paths. When an instance ingests logs from untrusted sources and references `${tag}` in a path parameter (e.g., the `out_file` plugin), an attacker can inject `../` traversal sequences to write or overwrite arbitrary files with attacker-controlled content, which the vendor states is directly escalatable to full RCE. The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N) and a vendor patch (v1.19.3) is available; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Path Traversal RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Privilege escalation to remote code execution in Pagekit CMS 1.0.18 lets an authenticated user holding the 'user: manage users' permission grant themselves arbitrary custom roles via an unprotected UserApiController::saveAction(), then assign a role carrying 'system: manage packages' to upload a malicious PHP package through the admin installer and run arbitrary code. Publicly available exploit code exists (gist by sermikr0, reported by VulnCheck), and the chain converts a limited management permission into full server compromise. No public evidence of active exploitation has been confirmed (not in CISA KEV).

Authentication Bypass RCE Privilege Escalation +2
NVD GitHub
EPSS 0% CVSS 5.6
MEDIUM This Month

An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash message authentication code, allowing the input of an arbitrary message,. Rated medium severity (CVSS 5.6). No vendor patch available.

RCE Amd Athlon 3000 Series Mobile Processors With Radeon Graphics Amd Ryzen 5000 Series Processors With Radeon Graphics +15
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Server-side template injection in Edgewall's Genshi template engine (versions 0 through 0.7.9) lets a remote attacker reach the expression-evaluation component and run arbitrary Python code on the host. Because Genshi evaluates template expressions as Python, any application that feeds attacker-controlled input into a Genshi expression can be driven to full remote code execution. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list; EPSS data was not provided.

RCE Genshi
NVD GitHub VulDB
EPSS 0% CVSS 1.8
LOW Monitor

An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash message authentication code, allowing arbitrary message input,. Rated low severity (CVSS 1.8). No vendor patch available.

RCE Amd Ryzen 3000 Series Desktop Processors Amd Ryzen 5000 Series Desktop Processors +3
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Arbitrary code execution in the OWASP ZAP ViewState add-on (versions before 4) lets a malicious or attacker-controlled proxied web server compromise the security tester's own ZAP instance. By embedding a crafted serialized Java object in the javax.faces.ViewState response parameter, an attacker triggers unsafe Java deserialization inside the ZAP JVM the moment the operator views the ViewState panel in the Desktop UI. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor has published an advisory and shipped a fix (viewstate-v4) that disables JSF support entirely.

Deserialization Java RCE
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

Remote code execution in Blocksy Companion Pro (the premium add-on plugin for the Blocksy WordPress theme) versions 2.1.45 and earlier allows authenticated users holding only the low-privilege Contributor role to inject and execute arbitrary PHP code on the host. The flaw, reported by Patchstack and tracked under CWE-94, carries a CVSS 3.1 base score of 8.5 with a changed scope, meaning successful exploitation can impact components beyond the WordPress application itself. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; no EPSS score was provided in the source data.

Code Injection RCE
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary code execution and denial of service in FastStone Image Viewer 8.3 occur when the application parses a maliciously crafted Photoshop (PSD) file, triggering an integer overflow in its PSD parsing component. Affected users are those who open attacker-supplied PSD files in this Windows freeware image viewer; successful exploitation can crash the application or, per the reporter and tags, lead to code execution in the user's context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Denial Of Service RCE
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A heap overflow in the FSViewer.exe process of FastStone Image Viewer v8.3 allows attackers to cause a execute arbitrary code in the context of the current process via supplying a crafted JPEG 2000 (JP2) file.

RCE Heap Overflow Buffer Overflow
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in JetBrains Kotlin before 2.4.20 stems from unsafe deserialization (CWE-502) of build cache metadata, allowing an attacker who can influence cached build artifacts to execute arbitrary code during a build. The flaw carries a CVSS 9.8 (C:H/I:H/A:H) rating, but there is no public exploit identified at time of analysis and EPSS is very low (0.11%, 2nd percentile), and CISA SSVC marks exploitation as 'none'. JetBrains, who reported the issue, has released a fixed version (2.4.20).

Deserialization RCE Kotlin
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Authenticated code injection (CWE-94) in Trellix Network Security appliances (NX, EX, FX, AX, and CMS/Central Management) lets a logged-in administrator run arbitrary commands by abusing how the web UI renders Alert artifact details. The flaw requires existing high-privilege admin access on an adjacent network rather than remote anonymous access, so it functions primarily as a privilege/trust-boundary escape rather than a mass-exploitable internet-facing bug. The CVSS 4.0 maturity flag (E:P) indicates proof-of-concept exploit material exists, but the issue is not listed in CISA KEV and shows no confirmed active exploitation.

Code Injection RCE Trellix Network Security Nx Ex Fx Ax And Cms
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated stack-based buffer overflow in the vlsvr login service of GeoVision GV-LPC2011 and GV-LPC2211 license plate capture cameras (firmware V1.12 and earlier) lets a remote attacker corrupt memory by sending an over-length login field, enabling denial of service and potentially arbitrary code execution. The flaw requires no authentication and no user interaction (CVSS 9.8). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Buffer Overflow Denial Of Service Stack Overflow +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate camera devices (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the ssvr streaming component's RTSP Digest authentication parser. A remote attacker reachable on the RTSP service can send overly long authentication field data to corrupt the stack, crashing the device or potentially executing arbitrary code with no credentials or user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 9.8 rating and unauthenticated network vector make it a high-priority patching target.

Buffer Overflow Denial Of Service Stack Overflow +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (V1.12 and earlier) arise from a stack-based buffer overflow in the ssvr component's RTSP custom authentication handling. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates an unauthenticated remote attacker can trigger memory corruption with a single crafted RTSP request, yielding crash-level DoS and potential arbitrary code execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Denial Of Service Stack Overflow +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the embedded thttpd web server, where overly long parameters in a specific request path overrun a fixed-size stack buffer. An unauthenticated remote attacker (per CVSS PR:N) can send a single crafted HTTP request to corrupt memory and cause denial of service or potentially execute arbitrary code on the device. No public exploit has been identified at time of analysis, but the CVSS 9.8 rating and lack of authentication make this a high-priority embedded-device exposure.

Buffer Overflow Denial Of Service Stack Overflow +2
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation in NEC's ExpressUpdate Agent for Windows allows a low-privileged user who can already access the host to execute arbitrary code with SYSTEM privileges, owing to insufficient access controls on the agent. Reported by NEC under advisory NV26-004, the flaw carries a CVSS 4.0 base score of 8.5 (High) and maps to CWE-782 (exposed IOCTL with insufficient access control). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Microsoft RCE Expressupdate Agent For Windows
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in Revive Adserver is reachable by authenticated low-privilege users who bypass the prior fix for CVE-2026-34916, either by supplying a disallowed-but-valid plugin identifier in the `type` parameter or by abusing the `ox.setChannelTargeting` XML-RPC API method. The flaw lets an attacker inject and execute arbitrary code (CWE-94) on the server, fully compromising confidentiality, integrity, and availability. Reported via HackerOne by multiple researchers (including phucrio and offsetmd); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection RCE Adserver
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Google Denial Of Service +4
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Arbitrary file write leading to remote code execution in FlowiseAI Flowise (versions <= 2.2.7) lets unauthenticated remote attackers overwrite any file on the host via the /api/v1/document-store/loader/process endpoint. The fileName parameter is passed unsanitized into path.join() inside storageUtils.ts, so ../ sequences escape the storage directory; overwriting package.json injects a malicious start script that executes on the next application restart. Publicly available exploit code exists (vendor GHSA PoC overwriting package.json), and the issue carries a CVSS 4.0 base score of 10.0; no public active-exploitation listing was identified at time of analysis.

Path Traversal RCE Flowise
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Remote code execution in Flowise (versions 2.2.7-patch.1 through pre-3.0.6) lets attackers run arbitrary OS commands by abusing the Custom MCP feature, which is intended to spawn local MCP servers via tools like npx. Because the default installation runs with no authentication (unless FLOWISE_USERNAME/FLOWISE_PASSWORD are set) and lacks role-based access control, an attacker can POST a crafted JSON payload bearing the 'x-request-from: internal' header to /api/v1/node-load-method/customMCP and fully compromise the host container. Publicly available exploit code exists in the GHSA advisory, including a reverse-shell payload via nc.

Command Injection RCE Flowise
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Arbitrary file read and write in FlowiseAI Flowise (versions 2.2.8 through 3.0.5) lets remote unauthenticated attackers traverse the filesystem because the chatflowId and chatId parameters are never validated as UUIDs or numbers. By supplying a path-traversal value such as '../../../../../tmp' as the chatflow id, an attacker can write controlled files via the /api/v1/chatflows endpoint and read arbitrary files via /api/v1/get-upload-file and /api/v1/openai-assistants-file/download - and the file-write primitive can be escalated to remote code execution. A proof-of-concept is published in the GHSA advisory, though there is no public exploit identified as actively used in the wild and the issue is not listed in CISA KEV.

RCE Flowise
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL Act Now

Unauthenticated arbitrary file upload in Flowise (versions through 2.2.7) lets remote attackers write malicious files to arbitrary locations on the server via the whitelisted /api/v1/attachments endpoint when storageType is set to local (the default). Because the chatId and chatflowId parameters are vulnerable to path traversal, an attacker can escape the intended upload directory and drop a webshell or other executable payload, leading to remote code execution and full server compromise. No public exploit identified at time of analysis, but the flaw is trivially reachable (CVSS 4.0 9.3) and was reported by VulnCheck with a vendor security advisory.

File Upload Path Traversal RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS RCE Grav
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Sandbox escape leading to non-sandboxed remote code execution affects the Cursor AI code editor prior to version 3.0, where agent terminal commands run in a sandbox that grants write access to the command's working directory. By manipulating the working_directory parameter, a malicious or prompt-injected agent can cause the sandbox to expose writable paths outside the intended workspace, then overwrite the cursorsandbox helper so subsequent commands execute outside the sandbox entirely. There is no public exploit identified at time of analysis, but the vendor rates this 9.3 (CVSS 4.0) with high confidentiality, integrity, and availability impact and notes it requires no user interaction beyond a benign prompt.

Path Traversal RCE Cursor
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Sandbox escape leading to non-sandboxed remote code execution in Cursor (the AI code editor) prior to version 3.0, where a malicious agent can write files outside the protected workspace. Cursor canonicalizes a Write target to confirm it stays in-workspace, but when canonicalization fails it insecurely falls back to the raw path and writes without approval; an agent can deliberately force this failure via an in-workspace symlink pointing outside the workspace (target missing or read permission stripped) to write arbitrary files under the user's privileges. Overwriting the cursorsandbox helper then causes later commands to run unsandboxed, yielding full RCE with no user interaction beyond a benign prompt. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

RCE Cursor
NVD GitHub
CVSS 5.3
MEDIUM PATCH This Month

Unbounded resource consumption in the Rust opentelemetry_sdk's BaggagePropagator::extract_with_context allows unauthenticated remote attackers to cause elevated CPU and heap allocation overhead by sending oversized W3C baggage propagation headers to any service using versions 0.32.0 or earlier. The SDK parsed the full header content before applying storage limits, meaning attacker-supplied data was processed and then discarded - wasting resources on every malicious request. A parallel design-level gap affects the Java (GHSA-rcgg-9c38-7xpx) and Go (GHSA-mh2q-q3fh-2475) OpenTelemetry SDKs, suggesting a cross-ecosystem pattern; no public exploit or active exploitation (KEV) has been identified.

Java Denial Of Service RCE +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Reduced cryptographic key protection in Silicon Labs' SiXG301 SYMCRYPTO hardware engine (exposed via the Simplicity SDK PSA crypto library) allows an attacker who already has on-device code execution to weaken the engine's Differential Power Analysis (DPA) countermeasures by forcing low-entropy seed values, making AES/hashing keys far easier to recover through subsequent power-analysis side-channel attacks. The flaw affects embedded systems built on the SiXG301 SoC and was reported by Silicon Labs. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation also requires physical access to the device for the power measurements.

RCE Simplicity Sdk
NVD
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Out-of-bounds write in RTKLIB's decode_type1033 function affects all versions through 2.4.3, where unclamped length counters allow up to a 191-byte overflow into fixed 64-byte descriptor fields when parsing an RTCM3 type-1033 message. An attacker who controls an NTRIP or serial RTCM3 correction stream can deliver a CRC-valid crafted message to corrupt adjacent rtcm_t members, potentially achieving arbitrary code execution or denial of service. Publicly available exploit code exists (reported by VulnCheck), though there is no public exploit identified as actively exploited in CISA KEV.

Memory Corruption Denial Of Service Buffer Overflow +2
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Remote code execution in THC Hydra through 9.7 allows a malicious or attacker-controlled server to compromise the machine running the Hydra brute-force client during NTLM authentication. When Hydra connects to such a server across its SMTP, POP3, IMAP, NNTP, HTTP, HTTP-Proxy, or HTTP-Proxy-Urlenum modules, a crafted NTLM Type-2 challenge with an overlong domain string causes the base64-encoded response to overflow a 500-byte stack buffer by 18 to 330 bytes, enabling code execution on hosts lacking stack protection. No public exploit identified at time of analysis, but a vendor patch (commit 9cc84c2) is available, and the issue inverts the usual threat model - the operator of the offensive tool becomes the victim.

Buffer Overflow Stack Overflow RCE +1
NVD GitHub VulDB Exploit-DB
EPSS 0% CVSS 8.4
HIGH Act Now

Arbitrary code execution in AzeoTech DAQFactory (versions 21.1 and prior) arises from a use-after-free flaw triggered when the application parses a maliciously crafted .ctl project/control file. An attacker who can convince an operator to open a booby-trapped .ctl file can corrupt memory and run code in the context of the DAQFactory process on the engineering or HMI workstation. No public exploit is identified at time of analysis and the CVE is not in CISA KEV, but it carries a high CVSS 4.0 base score of 8.4 driven by full confidentiality, integrity, and availability impact.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Out-of-bounds read in Horner Automation Cscape prior to 10.2 SP3 lets an attacker who supplies a malicious CSP project file disclose memory contents and, per the advisory, achieve arbitrary code execution within the engineering workstation. Cscape is the configuration/programming environment for Horner OCS controllers, so the target is the engineer's PC rather than the PLC itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RCE Buffer Overflow Information Disclosure +1
NVD
HIGH PATCH This Week

Unsafe Java deserialization (CWE-502) in OpenAM Community Edition through 16.0.6 lets attackers abuse the anonymous Push Notification SNS callback REST route to force the server to load an attacker-named class and construct it from attacker-controlled JSON via Jackson. A low-privileged user who starts Push Registration can plant a malicious CTS predicate blob, then drive anonymous callbacks that yield a reliable class-loading and Jackson-construction primitive with classpath-dependent impacts ranging from token-record corruption and DoS to potential process execution and file writes. No public exploit is identified at time of analysis and confirmed arbitrary command execution was not demonstrated on stock classpaths; the issue is fixed in 16.1.1.

Deserialization Java RCE
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permission (or access to client registration endpoints) register a malicious client whose redirect URI uses a case-insensitive `javascript:` or `data:` scheme, bypassing URI validation. When a victim later clicks a crafted link - for example during the logout flow or within the Admin Console - the script executes in the Keycloak origin, enabling session/token theft and effective code execution in that trusted context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it carries a CVSS 7.3 (PR:L, UI:R).

XSS RCE Red Hat Build Of Keycloak
NVD
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Stored code injection in ToolJet self-hosted (prior to 3.20.178-lts) lets any authenticated builder-role user - available on the free tier - overwrite a globally-shared marketplace plugin with arbitrary JavaScript that runs server-side with full Node.js capabilities (require, process). Because the poisoned plugin executes whenever any user on the instance runs a query that uses it, a single low-privileged account achieves remote code execution and an instance-wide supply-chain compromise. The flaw carries a CVSS 4.0 score of 9.4; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Code Injection Node.js RCE +1
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Arbitrary Python code execution in Vim before 9.2.0699 occurs when a victim triggers Python omni-completion (omnifunc) inside a malicious buffer; the python3complete.vim and legacy pythoncomplete.vim runtime plugins reconstruct in-buffer function and class definitions and run them through Python's exec(), inserting each scope's docstring verbatim between triple quotes. Because the docstring is never escaped, a crafted docstring can close the triple-quoted literal and inject attacker-controlled Python that runs with the user's privileges. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but a regression test bundled with the fix demonstrates the breakout, confirming exploitability; EPSS data was not provided.

Code Injection Python RCE +2
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Arbitrary file write in 3X-UI, a web control panel for managing Xray-core proxy servers, allows an authenticated administrator to write attacker-controlled files anywhere on the host by tampering with Xray configuration values through the database import feature in versions prior to 3.3.1. Because the written files execute in the context of the Xray process - frequently root in self-hosted deployments - this escalates to full code execution and persistent host compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is resolved in release 3.3.1.

RCE 3x Ui
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution affects Dell Wyse Management Suite in all versions prior to WMS 5.5 HF1, stemming from the application's acceptance of extraneous untrusted data alongside trusted data (CWE-349). Per the provided CVSS vector (PR:N), a remote unauthenticated attacker could potentially achieve full code execution against the management server, though the Dell description text characterizes the actor as 'low privileged' - a discrepancy worth verifying. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Dell RCE Wyse Management Suite
NVD VulDB
EPSS 1% CVSS 7.2
HIGH This Week

Remote code execution in Dell Wyse Management Suite (versions prior to WMS 5.5 HF1) is reachable through a path traversal flaw (CWE-22) that lets an authenticated, high-privileged remote attacker access or write files outside the intended directory and ultimately execute arbitrary code on the management server. The CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), reflecting full confidentiality, integrity, and availability impact gated by a high-privilege requirement. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Dell Path Traversal RCE +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation to code execution affects Dell Display and Peripheral Manager (DDPM) for Windows in all versions prior to 2.3, where an Improper Access Control flaw (CWE-284) lets a low-privileged local user execute arbitrary code in a higher-privileged context. The CVSS 3.1 base score is 7.8 (High), reflecting full confidentiality, integrity, and availability impact from a local, low-privilege starting point with no user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Dell Microsoft +2
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Remote code execution in the Post Snippets WordPress plugin (versions 4.0.19 and earlier) lets an authenticated user with only Contributor-level privileges inject and execute arbitrary PHP/code on the server via the plugin's snippet-handling functionality (CWE-94). Because a low-privilege role can pivot to full server compromise with a scope change (S:C), this is a privilege-escalation-to-RCE flaw reported by Patchstack; no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Code Injection RCE Post Snippets
NVD
Prev Page 6 of 355 Next

Quick Facts

Typical Severity
CRITICAL
Category
other
Total CVEs
31873

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy