Remote Code Execution
Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access.
How It Works
Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access. Unlike a single vulnerability class, RCE is an outcome—the catastrophic result of exploiting underlying weaknesses in how applications process input, manage memory, or handle executable content.
Attackers typically achieve RCE by chaining vulnerabilities or exploiting a single critical flaw. Common pathways include injecting malicious payloads through deserialization flaws (where untrusted data becomes executable objects), command injection (where user input flows into system commands), buffer overflows (overwriting memory to hijack execution flow), or unsafe file uploads (placing executable code on the server). Server-Side Template Injection and SQL injection can also escalate to code execution when attackers leverage database or template engine features.
The attack flow usually begins with reconnaissance to identify vulnerable endpoints, followed by crafting a payload that exploits the specific weakness, then executing commands to establish persistence or pivot deeper into the network. Modern exploits often use multi-stage payloads—initial lightweight code that downloads and executes more sophisticated tooling.
Impact
- Complete system compromise — attacker gains shell access with application privileges, potentially escalating to root/SYSTEM
- Data exfiltration — unrestricted access to databases, configuration files, credentials, and sensitive business data
- Lateral movement — compromised server becomes a beachhead to attack internal networks and other systems
- Ransomware deployment — direct pathway to encrypt files and disable backups
- Persistence mechanisms — installation of backdoors, web shells, and rootkits for long-term access
- Supply chain attacks — modification of application code or dependencies to compromise downstream users
Real-World Examples
The n8n workflow automation platform (CVE-2024-21858) demonstrated how RCE can emerge in unexpected places-attackers exploited unsafe workflow execution to run arbitrary code on self-hosted instances. The Log4j vulnerability (Log4Shell) showed RCE at massive scale when attackers sent specially crafted JNDI lookup strings that triggered remote class loading in Java applications worldwide.
Atlassian Confluence instances have faced multiple RCE vulnerabilities through OGNL injection flaws, where attackers inject Object-Graph Navigation Language expressions that execute with server privileges. These required no authentication, enabling attackers to compromise thousands of internet-exposed instances within hours of disclosure.
Mitigation
- Input validation and sanitization — strict allowlists for all user-controlled data, especially in execution contexts
- Sandboxing and containerization — isolate application processes with minimal privileges using containers, VMs, or security contexts
- Disable dangerous functions — remove or restrict features like code evaluation, system command execution, and dynamic deserialization
- Network segmentation — limit blast radius by isolating sensitive systems and restricting outbound connections
- Web Application Firewalls — detect and block common RCE patterns in HTTP traffic
- Runtime application self-protection (RASP) — monitor application behavior for execution anomalies
- Regular patching — prioritize updates for components with known RCE vulnerabilities
Recent CVEs (31876)
Remote code execution in Dell Wyse Management Suite (versions prior to WMS 5.5 HF1) is reachable through a path traversal flaw (CWE-22) that lets an authenticated, high-privileged remote attacker access or write files outside the intended directory and ultimately execute arbitrary code on the management server. The CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), reflecting full confidentiality, integrity, and availability impact gated by a high-privilege requirement. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Local privilege escalation to code execution affects Dell Display and Peripheral Manager (DDPM) for Windows in all versions prior to 2.3, where an Improper Access Control flaw (CWE-284) lets a low-privileged local user execute arbitrary code in a higher-privileged context. The CVSS 3.1 base score is 7.8 (High), reflecting full confidentiality, integrity, and availability impact from a local, low-privilege starting point with no user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in the Post Snippets WordPress plugin (versions 4.0.19 and earlier) lets an authenticated user with only Contributor-level privileges inject and execute arbitrary PHP/code on the server via the plugin's snippet-handling functionality (CWE-94). Because a low-privilege role can pivot to full server compromise with a scope change (S:C), this is a privilege-escalation-to-RCE flaw reported by Patchstack; no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Code injection in the Widget Options WordPress plugin (versions <= 4.2.3, by marketingfire) allows authenticated users holding the low-privileged Contributor role to achieve remote code execution on the host. Because exploitation only requires a Contributor account - a role frequently granted on multi-author and membership sites - an attacker who can register or compromise such an account can run arbitrary PHP and fully take over the site. There is no public exploit identified at time of analysis, but the 9.9 CVSS and CWE-94 classification place this at the most severe end of WordPress plugin flaws.
Content injection in GitLab CE/EE via improper Snippet input validation permits authenticated low-privilege users to conceal arbitrary content within Snippets, affecting all versions from 14.8 through 19.1.0. Despite being tagged as Code Injection (CWE-94) with RCE in vendor-supplied tags, the published CVSS score of 4.3 with only low integrity impact (I:L) indicates the vendor-confirmed impact is scoped to content concealment rather than full remote code execution. Patches are available in versions 18.11.6, 19.0.3, and 19.1.1; no public exploit and no CISA KEV listing have been identified at time of analysis.
Denial of service in the shell-quote Node.js library (versions prior to 1.8.5) lets remote attackers stall the single-threaded event loop by passing an attacker-controlled string into any code path that calls parse(). The flaw is purely algorithmic - parse() builds its token list with Array.prototype.concat as a reduce accumulator, giving O(n^2) behavior so even a small payload of plain space-separated words causes disproportionate CPU consumption. There is no public exploit identified at time of analysis and no KEV listing; impact is to availability only with no code execution or data disclosure despite the misleading 'RCE' source tag.
Remote code execution in Quest NetVault Backup allows authenticated remote attackers - who can bypass the product's existing authentication mechanism - to run arbitrary OS commands as SYSTEM via the NVBULogDaemon JSON-RPC interface. The flaw stems from unsanitized user-supplied input being passed into a system call (CWE-78), and the credentialed authentication barrier is undermined by an acknowledged bypass, effectively widening exposure. No public exploit has been identified at time of analysis, but the issue was disclosed by Trend Micro ZDI (ZDI-26-376) and carries a CVSS of 8.8.
Remote code execution in Quest NetVault Backup arises through SQL injection in the NVBUDashboard component's JSON-RPC message handler, letting attackers run arbitrary code in the NETWORK SERVICE context. While the flaw nominally requires authentication, ZDI reports the product's authentication mechanism can be bypassed, materially lowering the access bar. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but its CVSS 3.0 base score of 8.8 and full-impact (C:H/I:H/A:H) profile mark it as high priority for any exposed deployment.
Remote code execution in Quest NetVault Backup arises from a SQL injection flaw in the handling of NVBULibrarySlot JSON-RPC messages, where a user-supplied string is concatenated into a SQL query without validation. Although the JSON-RPC interface nominally requires authentication, ZDI notes the existing authentication mechanism can be bypassed, so a remote attacker can reach the vulnerable code path and execute arbitrary code in the context of the NETWORK SERVICE account. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.
SQL injection in Quest NetVault Backup's NVBULibraryPort JSON-RPC handler allows remote attackers to execute arbitrary code as NETWORK SERVICE on affected installations. While exploitation nominally requires authentication (CVSS PR:L), the ZDI advisory states the existing authentication mechanism can be bypassed, effectively lowering the barrier to remote attackers. There is no public exploit identified at time of analysis and no CISA KEV listing, but the issue was coordinated through Trend Micro's Zero Day Initiative (ZDI-CAN-27631 / ZDI-26-373) and carries a CVSS 3.0 base score of 8.8.
SQL injection leading to remote code execution affects Quest NetVault Backup, where the NVBURemovableMedia component fails to validate a user-supplied string before constructing SQL queries. Although authentication is nominally required, ZDI notes the existing authentication mechanism can be bypassed, effectively lowering the barrier to network-based attackers who can then execute code in the context of the NETWORK SERVICE account. No public exploit identified at time of analysis; the issue was reported privately by Trend Micro's Zero Day Initiative (ZDI-CAN-27632 / ZDI-26-372).
Remote code execution in Quest NetVault Backup arises from SQL injection in the NVBUDeviceDrive JSON-RPC message handler, where a user-supplied string is concatenated into a SQL query without validation (CWE-89). Although the product requires authentication, the existing authentication mechanism can be bypassed, so remote attackers can reach the flaw and execute arbitrary code in the context of the NETWORK SERVICE account. Discovered and reported through Trend Micro's Zero Day Initiative (ZDI-26-371, formerly ZDI-CAN-27633); no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Remote code execution in Quest NetVault Backup arises from SQL injection in the NVBURASDevice JSON-RPC message handler, where attacker-controlled input is concatenated into SQL queries. Although authentication is nominally required, ZDI notes the existing authentication mechanism can be bypassed, so attackers can reach the vulnerable endpoint and execute code in the NETWORK SERVICE context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported privately via Trend Micro's Zero Day Initiative (ZDI-26-370 / ZDI-CAN-27648).
Authentication bypass via cross-site scripting in Quest NetVault Backup's addclient3 webpage allows remote attackers to inject arbitrary script that executes in a victim's authenticated session, bypassing access controls. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-369, formerly ZDI-CAN-27666), the flaw requires user interaction - the target must visit a malicious page or open a malicious file - and can be chained with other weaknesses to achieve code execution in the SYSTEM context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, though the high CVSS of 8.8 reflects the serious downstream RCE potential.
SQL injection leading to remote code execution in Quest NetVault Backup allows attackers to run arbitrary code as the NETWORK SERVICE account by sending crafted JSON-RPC messages to the NVBUDashboard component. While the JSON-RPC interface nominally requires authentication, ZDI reports the existing authentication mechanism can be bypassed, effectively lowering the access barrier. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but it was responsibly disclosed through Trend Micro's Zero Day Initiative (ZDI-26-368, formerly ZDI-CAN-27809).
Authentication bypass via cross-site scripting in the Quest NetVault Backup viewclient web interface lets remote attackers inject arbitrary script that, when a victim visits a malicious page or opens a malicious file, runs in the application context and circumvents authentication. Disclosed through Trend Micro's Zero Day Initiative (ZDI-26-377, ZDI-CAN-28202), the flaw can be chained with additional vulnerabilities to achieve code execution as SYSTEM. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 8.8 rating reflects the high impact of the auth-bypass-plus-RCE chain.
Arbitrary code execution in GIMP results from a heap-based buffer overflow in the HDR file parser, where attacker-controlled length data is copied into an undersized heap buffer without bounds validation. Any user who opens a maliciously crafted HDR image (or visits a page that delivers one) can be exploited, with code running in the context of the GIMP process. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authenticated remote code execution in ATEN Unizon stems from a broken cryptographic signature check in the updateWar method (reachable via doCryptoHugeFileToFile), letting a high-privileged remote attacker push a forged WAR update and run arbitrary code as SYSTEM. The flaw (CWE-347) was reported by Trend Micro ZDI as ZDI-CAN-28590 and carries a CVSS 3.0 base score of 7.2; no public exploit identified at time of analysis.
Authenticated remote code execution in ATEN Unizon arises from a directory traversal flaw in the ImportDeviceList method, where a user-supplied file path is used in file operations without proper validation. A high-privileged remote attacker can traverse outside intended directories to write or manipulate files and ultimately execute arbitrary code in the SYSTEM context, fully compromising the host. Discovered and reported via the Zero Day Initiative (ZDI-26-382 / ZDI-CAN-28579); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authenticated remote code execution in ATEN Unizon arises from a directory traversal flaw in the restoreDB method, where a user-supplied path is used in file operations without validation, letting a high-privileged attacker write or restore files outside the intended directory and run code as SYSTEM. The flaw was reported through Trend Micro's Zero Day Initiative (ZDI-CAN-28578 / ZDI-26-381) and carries a CVSS 3.0 base score of 7.2 (PR:H). There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Arbitrary code execution in MosaicML Composer arises when the library loads a model or resumption checkpoint, because checkpoint parsing deserializes attacker-controlled pickle data without validation (CWE-502). A user who loads a maliciously crafted checkpoint (.pt) file - for example one downloaded from a model hub or shared by a collaborator - runs arbitrary Python code in the context of the training process. Reported through ZDI (ZDI-26-384, ZDI-CAN-27990); no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but an upstream source fix is available.
Remote authenticated command injection in Unraid's web management server allows attackers to execute arbitrary OS commands as the www-data user by abusing unsanitized input in ToggleState.php. Any user with low-privilege authenticated web access can chain this CWE-78 flaw into full code execution on the underlying NAS host. Discovered and reported through ZDI (ZDI-CAN-30134 / ZDI-26-386); no public exploit identified at time of analysis and no CISA KEV listing.
Authenticated remote code execution in Unraid stems from OS command injection in the web server's FileUpload.php, where a user-supplied string is passed to a system call without validation, letting any logged-in attacker run arbitrary commands as the www-data user. Tracked as ZDI-CAN-30116 and disclosed via the Zero Day Initiative, it carries a CVSS 8.8 rating; no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Stored cross-site scripting in SiYuan's Attribute View (database) asset cell renderer escalates to remote code execution on the Electron desktop client for all versions prior to 3.7.0. An attacker who can persist crafted content into a database asset cell has malicious JavaScript executed in the privileged Electron context, breaking out to the host operating system; the issue carries a 9.9 CVSS and is fixed in 3.7.0. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
OAuth token theft in Rocket.Chat allows an unauthenticated remote attacker to mint a valid bearer access token for any user — including administrators — by POSTing MongoDB query operators to the /oauth/token endpoint. Because grant parameters are passed to findOne() without type validation, substituting {"$ne": null} for client_id, client_secret, and refresh_token returns a live token bound to whatever user Mongo matches first; iterating with $nin/$regex walks the entire token collection. No public exploit identified at time of analysis, but exploitation is trivial and capturing an admin token yields full /api/v1/* control and Apps-Engine app installation (server-side code execution). Fixed in the 8.5.0/8.4.1/8.3.3/8.2.3/8.1.4/8.0.5/7.13.7/7.10.11 release line.
Local privilege escalation and arbitrary code execution in the HP Accessory WMI Provider installer bundled with certain HP Docking Stations allows a low-privileged local user to gain elevated (likely SYSTEM) execution. The root cause is insecure temporary-file/directory permissions used during installation (CWE-379), which an attacker can abuse to introduce or replace executable content that a privileged installer process runs. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; HP has published advisory hpsbhf04129 and is releasing software updates.
Arbitrary code execution within the renderer sandbox affects Google Chrome on Android before 149.0.7827.197 via a use-after-free defect in the WebView component, reachable when a victim renders a crafted HTML page. The flaw lets an attacker corrupt freed memory in the rendering process to gain code execution confined to the sandbox; CVSS is 7.8 (High) and Chromium rates it High severity. There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as none, but a vendor patch is already available.
Remote code execution in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.197) allows a remote attacker to run arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium with a CVSS of 8.8; it requires user interaction (visiting a malicious page) but no authentication. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with the CISA SSVC framework recording exploitation status as none.
Remote code execution in Google Chrome for macOS prior to 149.0.7827.197 stems from a use-after-free in the browser's Bluetooth subsystem, letting a malicious Bluetooth peripheral corrupt memory and execute arbitrary code in the browser process. The flaw is rated High severity by Chromium with a CVSS 8.8, requires user interaction (UI:R) but no privileges, and currently has no public exploit identified at time of analysis; CISA SSVC marks exploitation status as none.
Remote code execution in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.197) allows a remote attacker to run arbitrary code within the renderer sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium with a CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV, though Chrome browser bugs of this class are historically high-value targets. Exploitation requires user interaction (loading a malicious page) but no authentication.
Remote code execution in Google Chrome on Windows prior to 149.0.7827.197 stems from a use-after-free condition in the Autofill component, letting a remote attacker run arbitrary code in the renderer when a victim opens a malicious web page. Chromium rates the flaw Critical and CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, tempered by the requirement that the user load attacker-controlled content. There is no public exploit identified at time of analysis, and SSVC records exploitation status as none, but the 'total' technical impact makes prompt patching important.
Remote code execution in Google Chrome's Blink rendering engine (InterestGroups component, part of the Privacy Sandbox/Protected Audience ad-auction API) affects all desktop versions prior to 149.0.7827.197. A crafted HTML page triggers an out-of-bounds read and write that a remote attacker can leverage to execute arbitrary code in the renderer; Chromium rates this Critical and assigns CVSS 8.8. There is no public exploit identified at time of analysis, but a vendor patch is already available, making prompt updating the priority.
Unvalidated `ot_`-prefixed argument injection in OliveTin allows any authenticated user with action-trigger access to bypass input filtering, inject arbitrary environment variables into action execution contexts, and pollute Go template rendering data. All OliveTin versions prior to commit `ebffd9f040f7` (Go pseudo-version `< 0.0.0-20260531214440-ebffd9f040f7`) are affected. While direct standalone RCE is not confirmed, a public proof-of-concept exists in GHSA-prj9-97mp-mwh2 and secondary command injection is achievable wherever triggered action scripts consume `OT_`-prefixed environment variables in shell-unsafe ways.
Arbitrary code execution affects the WebAuthn authentication module of Open Identity Platform OpenAM Community Edition through 16.0.6, where untrusted Java deserialization (CWE-502) of a user-controllable storage attribute lets an attacker run code as the application server user. The vendor advisory (GHSA-6c99-87fr-6q7r) characterizes this as a pre-authentication RCE, but it is reachable only in non-default deployments where the WebAuthn storage/userAttribute has become attacker-writable. No public exploit has been identified at time of analysis, and the issue is fixed in 16.1.1.
Remote code execution in Feast (the open-source ML feature store) before 0.63.0 lets remote attackers run OS commands as the feast service account by sending a crafted ApplyFeatureView gRPC request to the registry server. The registry base64-decodes the user_defined_function.body field of an OnDemandFeatureView and passes it to dill.loads() before any authorization check, so no credentials are required. A publicly available exploit code exists (reported by VulnCheck via huntr) and a vendor patch is available, though the flaw is not listed in CISA KEV.
Full unauthenticated administrative takeover of Payara Server Full (4.x through 7.2026.x, including 6.2024.x and 6.2025.x) is achievable by chaining a Server-Side Request Forgery in the Admin GUI's DownloadServlet with the absence of CSRF protection (CWE-352). An attacker who lures a logged-in administrator into a crafted request exfiltrates the admin REST session token (gfresttoken) to an attacker-controlled host, then replays it for full domain control and arbitrary code execution via WAR deployment. The CVSS 4.0 vector carries E:P (proof-of-concept maturity), so publicly available exploit code exists; there is no CISA KEV listing and no EPSS score in the provided data.
Pre-sandbox host-level code execution in Google Gemini CLI (versions prior to 0.39.1) and the run-gemini-cli GitHub Action (prior to 0.1.22) allows an unprivileged attacker to run arbitrary commands on CI/CD runner hosts by planting a malicious .gemini/.env file in an untrusted workspace. In headless mode the tool automatically trusted workspace folders and loaded their environment variables before sandboxing, so a workflow that processes attacker-controlled content (for example reviewing a submitted pull request) would execute attacker-supplied commands on the host. No public exploit has been identified at time of analysis, but Google rates this CVSS 4.0 10.0 and a vendor advisory (GHSA-wpqr-6v78-jr5g) with fixed releases is available.
Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller.
Path traversal in the Jenkins External Workspace Manager Plugin (versions 1.3.2 and earlier) lets an attacker with Item/Configure permission supply traversal sequences in the custom workspace path of the exwsAllocate Pipeline step to read arbitrary files from the Jenkins controller filesystem, which the vendor notes can escalate to remote code execution. The flaw requires an authenticated low-privileged user (CVSS:3.1 PR:L, base 8.8) and is reported directly by the Jenkins security team. No public exploit identified at time of analysis, and CISA SSVC marks exploitation as none.
Authenticated PHP code injection in the AdRotate Banner Manager WordPress plugin (versions ≤5.17.7) allows Contributor-level users to execute arbitrary PHP on the server by abusing the 'banner' attribute of the [adrotate] shortcode. Exploitation requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings, where unsanitized input is concatenated into a PHP string wrapped in mfunc/fragment cache markers. Reported by Wordfence; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Out-of-bounds read in ImageMagick's ConnectedComponentsImage() function allows local attackers to trigger access violations by supplying malformed connected-components artifact definitions via the CLI, leading to denial of service or potential arbitrary code execution. All ImageMagick releases before 7.1.2-19 are affected, as are Magick.NET NuGet packages before 14.12.0. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the RCE and information-disclosure tags warrant attention in environments that process untrusted image inputs through automated pipelines.
Detection bypass in picklescan before 0.0.29 allows malicious pickle files to evade scanning by abusing the undetected idlelib.calltip.Calltip.fetch_tip function, enabling arbitrary code execution when the file is later loaded via pickle.load(). Affects ML supply chains relying on picklescan to vet PyTorch models; publicly available exploit code exists in the GHSA advisory, but no public exploit identified in active campaigns at time of analysis.
Arbitrary code execution in QOS.CH logback-core versions up to and including 1.5.34 allows a local attacker with existing privilege to run code in the context of any Java application that loads Logback when the Janino library is on the classpath. The flaw circumvents prior hardening for CVE-2025-11226 via conditional configuration file processing, and is triggered either by writing to an existing logback configuration file or by injecting an environment variable that points the process at a malicious configuration. No public exploit identified at time of analysis, though the bypass nature of the issue makes weaponization of existing CVE-2025-11226 exploit code plausible.
Account takeover in the Invoice Generator WordPress plugin (versions through 1.0.0) allows unauthenticated remote attackers to reset the password of any user, including administrators, by abusing the nopriv `pravel_invoice_change_password()` AJAX handler. Reported by Wordfence with a CVSS of 9.8 and tagged for RCE potential via subsequent admin compromise; no public exploit identified at time of analysis, though the trivial nature of the bug makes weaponization straightforward.
Persistent local code execution affects Anthropic Claude Desktop Cowork on macOS (v1.1348.0 through v1.2278.0) because the Cowork VM bootstrap validates only the presence of rootfs.img and a version marker string without verifying image content integrity at time-of-use. A local attacker with unprivileged code execution as the victim user can swap or modify the root filesystem image so subsequent Cowork VM boots trust the tampered image, yielding persistent arbitrary code execution inside the VM and access to host-mounted directories. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Spring Statemachine 3.2.0-3.2.4 and 4.0.0-4.0.1 allows authenticated attackers to execute arbitrary code inside the application JVM by injecting malicious serialized Java objects into the Kryo-based persistence backends (JPA, MongoDB, Redis, or ZooKeeper). The flaw stems from deserializing persisted state-machine contexts without enforcing a class allowlist, a classic CWE-502 pattern that has historically yielded reliable gadget-chain exploitation in Java applications. No public exploit identified at time of analysis, but the deserialization sink and Kryo gadget ecosystem make weaponization straightforward once an attacker can write to the persistence store.
Denial of service in Plone's RSS feed portlet component (plone.app.portlets) allows an attacker to exhaust server resources by supplying or triggering the parsing of a maliciously crafted RSS/Atom feed, rendering the Plone application unavailable. Disclosed June 23, 2026 as part of a coordinated Plone security release, the issue carries a critical severity rating of 9.1. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored cross-site scripting in Plone CMS enables persistent script injection by spoofing file MIME types within the plone.app.textfield and plone.restapi packages, announced June 5, 2026. An attacker with content-upload access can craft a file whose declared MIME type bypasses Plone's content-type enforcement, causing browsers to render the payload as HTML or JavaScript when other users access the stored content. No public exploit code or CISA KEV listing has been identified at time of analysis; the moderate severity rating (4.3) reflects the stored persistence risk offset by the upload-privilege requirement.
Denial-of-service via malformed iCalendar import in Plone's plone.app.event package, rated 9.1 critical, enables remote disruption of affected Plone installations by submitting a crafted ICS file to the event import endpoint. Disclosed June 23, 2026 as part of a coordinated Plone security release addressing six distinct vulnerabilities across multiple packages. No public exploit code or CISA KEV listing has been identified at time of analysis, though the critical severity rating and co-disclosure of a related icalendar library CVE (CVE-2026-55099) the same week warrant prompt patching.
Denial of Service in the collective/icalendar Python library allows attackers to crash or hang applications that process externally supplied iCalendar data. The vulnerability carries a CVSS score of 7.5 High and affects Plone CMS deployments as well as any Python application using the library to parse .ics input. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV.
Session hijacking in the foreman-mcp-server component (shipped with Red Hat Satellite 6) allows local attackers to take over active administrative sessions by reusing leaked session IDs that the server caches without re-validating authentication tokens. Because session IDs are written to standard logs, any user with log read access can replay them to gain administrative control and pivot to infrastructure-wide code execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authentication bypass in Daytona prior to 0.184.0 allows attackers to join organizations via pending invitations using unverified email addresses. The invitation accept and decline paths failed to enforce email verification (unlike organization creation), so on OIDC identity providers permitting self-service signup with pre-verification sessions, an attacker registering an email matching a pending invite can claim it and inherit the assigned role - up to Owner. No public exploit identified at time of analysis, but the path to full Owner-level organization takeover makes this a high-priority fix.
Git credential exposure in Daytona's daemon (all versions prior to 0.185.0) allows a network-positioned attacker to silently harvest HTTP Basic Authorization headers by exploiting a complete absence of TLS certificate validation on both the go-git and native git CLI clone code paths. An attacker with man-in-the-middle capability on clone traffic can present any fraudulent TLS certificate, capture the Git credentials supplied for the clone, and simultaneously inject tampered repository content into the execution sandbox - threatening both credential confidentiality and supply-chain integrity of AI-generated code workflows. No public exploit or active exploitation has been identified at time of analysis; a vendor-released fix is available in version 0.185.0.
Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Remote code execution in Gogs self-hosted Git service before 0.14.3 allows unauthenticated attackers (where self-registration is enabled) to abuse unsanitized organization names containing '../' sequences to write Git repository files outside the intended storage root, then overwrite a repository's hooks/update script and trigger arbitrary command execution as the git user. The flaw carries a CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C) rating, and a fully working public proof-of-concept is published alongside the GHSA advisory, though no CISA KEV listing or EPSS data is provided in the input.
Authenticated arbitrary file write in Gogs (self-hosted Git service) versions below 0.14.3 on Linux/macOS lets a user with repository write access escape the working tree and overwrite any file the gogs UID can touch, escalating to remote code execution. The flaw stems from `UploadRepoFiles` validating symlinks only on the leaf path while sibling functions correctly walk every component; combined with a crafted multipart filename containing a literal backslash, the write is redirected through a previously committed directory symlink to targets like `~git/.ssh/authorized_keys` or `<repo>.git/hooks/post-receive`. No CISA KEV listing and no EPSS provided, but a detailed, tested proof-of-concept is published in the vendor advisory, so publicly available exploit code exists.
Remote code execution in Gogs through 0.14.2 allows authenticated users (and unauthenticated attackers on default-configured instances with open registration) to execute arbitrary commands as the Gogs server process by crafting a pull request whose base branch name injects a `--exec` flag into the underlying `git rebase` invocation. A working Python proof-of-concept exists and has been validated end-to-end against Docker, Linux binary, and Windows installations, yielding shell access as the `git` user. No CISA KEV listing or EPSS data is provided, so this is treated as publicly available exploit code rather than confirmed active exploitation.
Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to embed arbitrary PHP into the compiledlimitations database field via the logical parameter of delivery limitations, with execution occurring later during banner delivery. The flaw is exploitable over the network with low complexity and yields full confidentiality, integrity, and availability impact (CVSS 8.8), though no public exploit identified at time of analysis.
Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to smuggle an unexpected parameter into the delivery limitations save flow, planting attacker-controlled PHP into the compiledlimitations field that is then evaluated when banners are served. With CVSS 8.8 and a CWE-94 root cause, successful exploitation yields full code execution under the web/ad-delivery process, though there is no public exploit identified at time of analysis and the vulnerability is not in CISA KEV.
Arbitrary code execution in AWS Language Servers prior to version 1.65.0 allows attackers to run commands on a developer's machine when a victim opens and trusts a maliciously crafted workspace. The flaw stems from improper trust boundary enforcement (CWE-732) that causes commands embedded in project configuration files to execute automatically. No public exploit identified at time of analysis, but the requirement for only passive user interaction (workspace trust prompt) makes this a credible developer-targeting threat.
Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arbitrary code and disclose sensitive information by injecting Twig expressions into template-rendering features. The unsandboxed Twig environment exposes the application's dependency injection container, turning any admin-accessible template surface into a full RCE primitive. No public exploit identified at time of analysis, but a related auth-bypass chain (GHSA-78x5-c8gw-8279) is documented by VulnCheck and could lower the practical privilege bar.
Authenticated remote code execution in NetComm NF20MESH routers running firmware R6B031 and earlier allows low-privileged authenticated attackers to gain full root-level OS control via OS command injection. The dalStorage_addUserAccount function unsafely concatenates attacker-supplied JSON username input into a shell command string executed by rut_doSystemAction without sanitization, enabling shell metacharacter injection. No public exploit identified at time of analysis and no CISA KEV listing, but a detailed public advisory from signal11.io documents the attack surface, and a vendor patch (implied R6B032) is available.
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation by crafting malicious pickle files that import unblocked Python standard library modules. The tool's blocklist (scanner.py _unsafe_globals) omits at least seven stdlib modules - including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib - exposing eight functions that execute arbitrary commands via subprocess or os.system. Publicly available exploit code exists in the GHSA advisory, demonstrating CLEAN scan results for files that achieve full RCE on load; this is especially concerning because picklescan is relied on by HuggingFace Hub and similar ML pipelines.
Arbitrary file write in Crawl4AI Docker API server before 0.8.8 lets unauthenticated remote attackers escape the ALLOWED_OUTPUT_DIR via symlinks and a TOCTOU race on the output_path parameter of the /screenshot and /pdf endpoints, potentially escalating to code execution where the runtime user can write to executable or cron paths. No public exploit identified at time of analysis, but the API is unauthenticated by default and the GHSA confirms the issue was found in an internal security audit.
Detection bypass in picklescan before 0.0.28 allows attackers to embed malicious torch.jit.unsupported_tensor_ops.execWrapper calls in pickle files that evade the scanner and execute arbitrary code when later loaded via pickle.load(). Publicly available exploit code exists in the GHSA advisory, and the flaw directly undermines the security guarantee picklescan is meant to provide for PyTorch model files. No CISA KEV listing and no EPSS data are provided, but the scanner bypass nature makes this a meaningful supply-chain risk for ML pipelines.
Detection bypass in picklescan before 0.0.33 allows attackers to smuggle arbitrary code through malicious pickle files by abusing numpy.f2py.crackfortran.myeval in a __reduce__ method, which the scanner fails to flag as dangerous. Any ML pipeline or model-hosting workflow that trusts picklescan's verdict before calling pickle.load() will execute attacker-controlled commands; publicly available exploit code exists in the GHSA advisory, and the CVSS 4.0 score of 7.6 reflects high confidentiality and integrity impact contingent on user interaction.
Detection bypass in picklescan prior to 0.0.29 allows attackers to smuggle remote code execution payloads through pickle files that the scanner incorrectly classifies as safe. The library fails to flag the built-in profile.Profile.runctx function when used in a __reduce__ method, so a downstream pickle.load() of the scanned file executes arbitrary Python. Publicly available exploit code exists in the GHSA-6vqj-c2q5-j97w advisory, though no active exploitation has been reported.
Arbitrary JavaScript code execution in the expr-eval npm package affects all released versions when applications pass user-controlled expressions to the toJSFunction() API, which compiles them via new Function() and executes them in the host process context. Snyk discloses no public exploit identified at time of analysis, but the trivial attack pattern (sandbox escape via crafted math expressions) and CVSS 4.0 score of 9.2 make this a high-priority issue for any Node.js or browser application that exposes expr-eval to untrusted input.
SQL Injection vulnerability in Cboard v.0.4.2 and before allows a remote attacker to execute arbitrary code via the getDimensionsValues component
Remote code execution in Pivotal CRM 6.6.04.08 Smart Client arises from insecure deserialization in the Pivotal.Core.Common.dll and Pivotal.Engine.Client.Services.Conversion.dll components, allowing remote attackers to execute arbitrary code on affected installations. The vendor (Aurea/Pivotal) has published a remediation advisory and a researcher has released a public technical advisory, but the issue is not currently listed in CISA KEV and SSVC indicates no observed exploitation. CVSS 8.1 reflects high impact tempered by high attack complexity, while no public exploit identified at time of analysis is corroborated by SSVC's 'Exploitation: none'.
Cross-workspace automation execution in Budibase (npm @budibase/server, all versions before 3.39.9) lets a builder-authenticated attacker run their own automations inside any other workspace on the same instance by overwriting the server-derived appId. The public, unauthenticated webhook trigger endpoint mass-assigns the raw POST body over internal parameters, and because Execute Script steps run JavaScript, this escalates to arbitrary code execution and full data theft in the victim's context. A detailed proof-of-concept is published in the vendor advisory (GHSA-rgvg-3wpc-h44p); publicly available exploit code exists, though it is not listed in CISA KEV and EPSS exploitation probability is modest at 0.41% (33rd percentile).
Remote code execution in vLLM versions prior to 0.22.1 allows attackers to backdoor production LLM inference deployments through a dependency confusion attack in the project's Dockerfile. Because flashinfer-jit-cache was pulled via --extra-index-url with UV_INDEX_STRATEGY=unsafe-best-match while the name remained unregistered on PyPI, any attacker who claimed the name on PyPI with a higher version would have their code executed as root during every Docker build. No public exploit identified at time of analysis, but the supply-chain primitive is well understood and trivially weaponizable.
CSV formula injection in @actual-app/cli versions prior to 26.6.0 allows an attacker who can write user-controlled strings into an Actual Budget database to execute arbitrary spreadsheet formulas when the victim exports data using the --format csv flag and opens the resulting file in Excel, LibreOffice Calc, or Google Sheets. The vulnerable `escapeCsv` helper in `packages/cli/src/output.ts` neutralizes only RFC 4180 delimiters and quotes but does not strip formula-trigger prefixes (=, +, -, @, tab, CR), meaning payloads in payee names, account names, categories, notes, or tags survive into the CSV output unchanged. A publicly available proof-of-concept is included in the GHSA-7gh7-258j-4mpq advisory; no CISA KEV listing exists at time of analysis.
DNS rebinding against the Glances XML-RPC server (`glances -s`) allows a network-adjacent or remote attacker to exfiltrate the full system monitoring dataset - including process command lines that routinely contain secrets - from a victim's browser without any authentication. The `GlancesXMLRPCHandler` in `glances/server.py` accepts arbitrary HTTP `Host` headers without validation, an omission that persists while the REST/WebUI server received an equivalent fix (TrustedHostMiddleware, v4.5.2) and the MCP server was protected since v4.5.1. No active exploitation is confirmed (not in CISA KEV), but a detailed proof-of-concept is published in the vendor's GitHub security advisory GHSA-w856-8p3r-p338 and the attack is materially amplified by the companion CORS wildcard issue CVE-2026-46608.
Local arbitrary code execution in Glances versions prior to 4.5.5 occurs when the daemon deserializes its version-check cache file via pickle.load() without integrity validation. An attacker with write access to the Glances user's XDG cache directory (~/.cache/glances/glances-version.db) can plant a malicious pickle that executes as the Glances process user - frequently root - on next startup. Publicly available exploit code exists in the GHSA advisory, but no public exploit identified at time of analysis as actively weaponized.
Local privilege escalation via command injection in Glances 4.5.5_dev1 and earlier allows users with libvirt domain-creation rights to execute arbitrary commands as the Glances process owner (typically root on hypervisor hosts). The flaw lives in the KVM/QEMU monitoring plugin, where VM domain names parsed from `virsh list --all` are interpolated into command strings handled by `secure_popen()`, which intentionally treats `&&`, `|`, and `>` as control operators. No public exploit identified at time of analysis, but a detailed PoC accompanies the GHSA-v5r2-qh84-fjx5 advisory.
Unauthenticated remote code execution in OpenDJ Community Edition through 5.1.0 occurs when the JMX RMI connector deserializes attacker-controlled Java objects before authentication is performed. Any deployment with the JMX Connection Handler enabled (commonly turned on for monitoring integrations) is exposed to pre-auth RCE over TCP, as demonstrated against OpenDJ 4.4.15 on JDK 11 with Jackson 2.12.6.1. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Detection bypass in picklescan versions 0.0.26 and earlier (fixed in 0.0.30) allows attackers to smuggle arbitrary code through malicious pickle files by abusing Python's built-in ensurepip._run_pip function, which the scanner failed to flag as dangerous. Organizations relying on picklescan to vet PyTorch models or other serialized Python objects will load the file as safe and trigger remote code execution upon pickle.load(). Publicly available exploit code exists via the GHSA advisory PoC, though no public exploit identified in active campaigns at time of analysis.
Arbitrary code execution in Picklescan before 0.0.33 occurs because the scanner fails to flag the numpy.f2py.crackfortran._eval_length gadget when used inside a pickle __reduce__ method, allowing crafted pickle files to be marked safe while still executing attacker-supplied Python on load. Workflows that rely on Picklescan to vet untrusted pickle or PyTorch model artifacts are exposed to supply-chain poisoning, and publicly available exploit code exists in the GHSA advisory.
Denial of service in Inspektor Gadget's USDT note parser (pkg/uprobetracer/usdt.go) allows an unprivileged container process to crash or OOM-kill the privileged IG host process by placing a crafted ELF binary at a path targeted by a custom USDT gadget. Two distinct attack vectors exist: a panic from out-of-bounds slice access when DescSize is artificially small, and unbounded memory allocation (~4 GiB) when NameSize or DescSize is set to 0xFFFFFFFF. No public exploit identified at time of analysis; critically, no gadget shipped by the Inspektor Gadget project uses USDT probes, so only deployments running operator-developed custom USDT gadgets are exposed.
Remote code execution in XWiki Pro Macros (com.xwiki.pro:xwiki-pro-macros) versions >=1.13 and <1.14.5 allows any authenticated user with page-edit rights to execute arbitrary Groovy code via the excerpt-include macro, which fails to escape the included page's title and renders excerpt content with the macro's elevated rights. A working proof-of-concept is published in the GHSA advisory demonstrating injection through both a crafted page title and excerpt body. No public exploit identified at time of analysis as actively used, but the publicly available exploit code exists in the advisory itself.
Wallet balance inflation in AVideo's Authorize.Net payment plugin (versions <= 28.0) allows a low-privileged attacker to credit arbitrary amounts to any user account by forging webhook requests. Three code flaws chain together: a logical OR in the signature check lets a real transaction ID bypass HMAC validation entirely, attacker-controlled payload fields take precedence over authoritative API-fetched amounts and user IDs, and the payment approval status is never verified before crediting the wallet. A detailed proof-of-concept with working curl commands is publicly documented in GitHub Advisory GHSA-95jh-7r58-xmxw. No confirmed active exploitation (CISA KEV) at time of analysis, but the PoC lowers the bar to exploitation significantly.
Arbitrary code execution in mise (jdx/mise) versions prior to 2026.3.10 allows attackers to run shell commands as the victim user simply by having them `cd` into a directory containing a malicious `.tool-versions` file. Unlike `.mise.toml`, `.tool-versions` files bypass the trust verification gate in non-paranoid mode, so the Tera template engine's `exec()` function fires silently from the shell `hook-env`. No public exploit identified at time of analysis beyond the detailed reporter PoC, but exploitation is trivial and a working PoC is embedded in the advisory.
Remote code execution in Autodesk Fusion Desktop's MCP (Model Context Protocol) extension allows attackers to execute arbitrary code with current user privileges when a victim visits a malicious webpage while Fusion is running with the MCP extension enabled. The flaw is rated CVSS 9.6 (Critical) due to its network-reachable nature and scope change, though successful exploitation requires user interaction (visiting a crafted page) and the non-default MCP extension being enabled. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote code execution and denial of service in IBM WebSphere Application Server and WebSphere Application Server Liberty (including IBM i 7.3-7.6) occurs when the WebServer Plug-in component is deployed with Intelligent Management enabled. An attacker who can impersonate a backend application server and return crafted responses can trigger code injection (CWE-94) against the plug-in, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis; EPSS 0.38% and SSVC exploitation 'none' indicate no observed weaponization despite the 9.8 CVSS rating.
Remote code execution and denial of service in the IBM WebSphere Web Server Plug-in shipped with IBM i 7.3, 7.4, 7.5, and 7.6 (through 1.8.4) allows an attacker positioned on the adjacent network to abuse the plug-in's handling of responses from an upstream WebSphere Application Server. By impersonating the application server and returning crafted responses, the attacker can trigger code injection (CWE-94) against the plug-in, leading to full compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and EPSS is low (0.25%), but SSVC rates the technical impact as total.
Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully compromise the host by bypassing authentication and abusing improper Python execution isolation. The maximum CVSS 10.0 score (AV:N/AC:L/PR:N/UI:N with scope change) reflects trivial network-based exploitation against any internet-exposed instance, though no public exploit identified at time of analysis. IBM has confirmed the issue and released a patch via support advisory node/7277242.
Authenticated arbitrary code execution in MISP allows a site administrator to abuse the Kafka_rdkafka_config setting to load an attacker-controlled INI file, which is parsed and passed to rdkafka with options such as plugin.library.paths to load an arbitrary shared library. The flaw (CWE-829, inclusion of functionality from untrusted control sphere) yields code execution as the MISP process user; no public exploit identified at time of analysis, but a vendor patch is available.
Local privilege escalation in ArubaSign prior to v4.6.6 stems from overly permissive ACLs applied at installation, granting the 'Everyone' group write access to the main executable and supporting files under C:\Program Files. An unprivileged local user can swap these binaries for malicious payloads that subsequently execute under the privileges of any user (potentially Administrator or SYSTEM) who later launches the application. No public exploit identified at time of analysis and the issue is not on CISA KEV.
Remote code execution in MISP allows authenticated site administrators to abuse the JsonLogTool NDJSON error log configuration to write attacker-controlled content to a PHP file under the webroot, yielding code execution as the web server user. No public exploit identified at time of analysis, but a vendor patch is available via the MISP GitHub repository.
Quick Facts
- Typical Severity
- CRITICAL
- Category
- other
- Total CVEs
- 31876