Remote Code Execution

CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when an admin authenticated user opens a malicious project file.

LimeSurvey before v6.15.0 has an insecure deserialization enabling remote code execution through crafted survey data.

CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL database credentials are known. SOCKS Proxy is disabled by default.

CWE‑502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locally authenticated attacker sends a crafted data stream, triggering unsafe deserialization.

OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.

SiYuan prior to 3.5.10 has a path traversal vulnerability enabling arbitrary file access through crafted API requests.

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in linagora Twake v2023.Q1.1223. This allows attackers to execute arbitrary code. [CVSS 8.8 HIGH]

An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered in linagora Twake v2023.Q1.1223. This allows attackers to obtain sensitive information and execute arbitrary code. [CVSS 6.1 MEDIUM]

A command injection vulnerability was identified in the web module of Archer AXE75 v1.6/v1.0 router. An authenticated attacker with adjacent-network access may be able to perform remote code execution (RCE) when the router is configured with sysmode=ap.

Arbitrary code execution in MobaXterm prior to version 26.1 allows local attackers to hijack the application's search path when it launches Notepad++ without a fully qualified path, enabling malicious executable injection. An authenticated user can exploit this flaw by placing a crafted executable earlier in the system PATH to achieve code execution with the privileges of the MobaXterm user. No patch is currently available.

GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. [CVSS 6.2 MEDIUM]

Airflow Providers Http is affected by improper control of dynamically-managed code resources (CVSS 8.8).

Arbitrary code execution with administrative privileges in Qsee Client 1.0.1 and earlier through insecure DLL loading in the installer. An attacker can exploit this by placing a malicious DLL in the same directory as the installer and tricking a user into executing it. No patch is currently available.

OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available.

SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.

The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. [CVSS 7.2 HIGH]

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthenticated attackers to upload and execute malicious files. PoC available.

OS command injection in XikeStor SKS8310-8X network switch firmware 1.04.B07 and prior via management interface. Unauthenticated RCE on network infrastructure.

Remote code execution in Locutus prior to version 3.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript code through improper validation in the call_user_func_array function, which unsafely passes user-controlled callback parameters to eval(). Applications using the vulnerable versions of this JavaScript standard library implementation are at risk of complete compromise through network-based attacks. No patch is currently available for affected deployments.

Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.

Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. [CVSS 8.2 HIGH]

2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. [CVSS 6.5 MEDIUM]

Arbitrary file read in changedetection.io prior to 0.54.4 allows unauthenticated remote attackers to access sensitive files by injecting malicious XPath expressions into content filters, exploiting the unparsed-text() function in the elementpath library. The application fails to validate or sanitize XPath input, enabling attackers to read any file accessible to the application process. Public exploit code exists for this vulnerability.

Natro Macro versions prior to 1.1.0 execute arbitrary AutoHotkey code embedded in shared pattern and path files, allowing attackers to achieve code execution with the privileges of the logged-in user. Since these configuration files are commonly distributed among users, malicious actors can inject code that executes silently in the background alongside legitimate macro functionality. The vulnerability affects users who load untrusted pattern or path files from external sources.

Prototype pollution in oRPC before 1.13.6. PoC and patch available.

SQL injection in Ghostfolio before 2.244.0 via symbol validation bypass. Patch available.

Unauthenticated attackers can achieve remote code execution in Idno social publishing platform versions before 1.6.4 by exploiting a chain of import file write and template path traversal vulnerabilities. An attacker with high privileges can leverage command injection to execute arbitrary code on affected systems. A patch is available in version 1.6.4 and should be applied immediately as this vulnerability carries a 7.2 CVSS score.

Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code through a vulnerable API endpoint. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers with valid credentials can achieve full system compromise including data exfiltration and integrity violations.

Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execute arbitrary code through malicious MongoDB dataset queries. The vulnerability affects users connecting Chartbrew to MongoDB databases for chart creation and has active public exploit code available. No patch is currently available for affected versions.

Authenticated arbitrary code execution in Chamilo LMS versions prior to 1.11.34 allows low-privileged users to bypass file upload restrictions through MIME-type spoofing and execute malicious commands on the server. The vulnerability stems from insufficient validation of file extensions and improper storage restrictions, enabling attackers to upload and execute arbitrary files. No patch is currently available for affected deployments.

Unauthenticated administrators in WWBN AVideo versions before 24.0 can achieve remote code execution by uploading malicious ZIP files through the plugin upload functionality, which extracts files without proper validation into web-accessible directories. This allows attackers to execute arbitrary PHP code on the server with high impact to confidentiality, integrity, and availability. No patch is currently available for affected PHP installations using vulnerable AVideo versions.

RCE in Microsoft Devices Pricing Program.

Openclaw versions up to 2026.2.12 is affected by missing authentication for critical function (CVSS 8.4).

Gateway authorization bypass in OpenClaw before 2026.2.14. Unsanitized approval fields in node.invoke. Patch available.

Arbitrary code execution in NLTK <= 3.9.2 StanfordSegmenter module. CVSS 10.0, EPSS 0.48%.

An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. [CVSS 8.8 HIGH]

CKEditor 5 versions before 47.6.0 contain a stored XSS vulnerability in the General HTML Support feature that allows attackers to execute arbitrary JavaScript by injecting malicious markup into documents processed by vulnerable editor instances. This vulnerability affects users relying on unsafe General HTML Support configurations, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for affected deployments.

Unauthenticated attackers can upload arbitrary files to WordPress sites running the Drag and Drop Multiple File Upload - Contact Form 7 plugin through versions 1.3.7.3 due to insufficient file type validation when wildcard characters are configured in upload fields. Successful exploitation could enable remote code execution on the affected server. No patch is currently available.

Arbitrary file read in OpenMQ via configuration parsing. Can lead to full exploitation.

Arbitrary code execution as SYSTEM in Avira Internet Security's System Speedup component occurs when the privileged RealTimeOptimizer.exe process deserializes untrusted .NET binary data from a world-writable ProgramData location without validation. A local attacker can craft a malicious serialized payload to achieve immediate privilege escalation and full system compromise. No patch is currently available for this high-severity vulnerability.

Unauthenticated RCE via file upload in industrial/enterprise application.

Path traversal to RCE in SeppMail web interface via large file transfer. EPSS 0.52%.

Unrestricted file upload in Lendiz (lendiz) WordPress theme allows uploading web shells for remote code execution.

Ups Multi-Ups Management Console versions up to 01.06.0001_\(a03\) is affected by incorrect default permissions (CVSS 7.8).

Ups Multi-Ups Management Console versions up to 01.06.0001_\(a03\) contains a security vulnerability (CVSS 6.7).

Unauthorized file access in NLTK through path traversal flaws in multiple CorpusReader classes (versions up to 3.9.2) allows unauthenticated attackers to read arbitrary files on affected systems, potentially exposing SSH keys, API tokens, and other sensitive data. The vulnerability affects NLP applications and machine learning APIs that process user-controlled file inputs without proper validation. No patch is currently available.

Cisco Secure Firewall Management Center (FMC) contains a critical unauthenticated Java deserialization vulnerability (CVE-2026-20131, CVSS 10.0) in its web interface that enables remote code execution as root. KEV-listed with public PoC, this vulnerability allows complete compromise of the central management platform that controls all Cisco firewalls in the organization, enabling attackers to modify security policies, disable protections, and access all network traffic.

Remote code execution in Craft CMS versions before 5.8.22 and 4.16.18 can be achieved by authenticated administrators or users with System Messages access by injecting malicious Twig payloads through the map filter in configurable text fields. An attacker with admin-level privileges and allowAdminChanges enabled, or non-admin access to System Messages utilities, can execute arbitrary code on the affected server. A patch is available and users should update immediately to mitigate this risk.

RCE in Craft CMS before 4.17.0-beta.1/5.9.0-beta.1 via template injection for authenticated admins. PoC and patch available.

Remote code execution in Craft CMS 5.8.21 allows authenticated administrators to execute arbitrary PHP code through Server-Side Template Injection in the create() Twig function combined with Symfony Process gadget chains. Public exploit code exists for this vulnerability, which bypasses the previous patch for CVE-2025-57811. Updates are available in Craft CMS 5.9.0-beta.1 and 4.17.0-beta.1.

Malicious actors can install unauthorized Group Temporal Keys on ArubaOS wireless clients through a standardized roaming protocol vulnerability, enabling frame injection and network segmentation bypass. An attacker positioned on the local network could leverage this to intercept traffic, bypass client isolation, and compromise network integrity and confidentiality. No patch is currently available.

Missing BLE authentication in Pebble Prism Ultra smartwatch. PoC available.

Code execution via HwRwDrv.sys in Nil Hardware Editor. PoC available.

Hardcoded/insecure credentials in IDC SFX Series SuperFlex Satellite Receiver. Multiple accounts with known credentials enable complete device takeover.

Hardcoded/insecure credentials in IDC SFX Series SuperFlex Satellite Receiver. Multiple accounts with known credentials enable complete device takeover.

Remote code execution in Concrete CMS prior to version 9.4.8 stems from unsafe deserialization of PHP objects in the Express Entry List block configuration. An authenticated administrator can inject malicious serialized data through the columns parameter that executes arbitrary code when unserialized without validation. This allows attackers with admin privileges to achieve complete system compromise through stored object injection attacks.

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

RCE in Qwik JavaScript framework <= 1.19.0 via unsafe deserialization in server$ Runtime. EPSS 13.4% with PoC available.

Command injection in Froxlor server admin before 2.3.4 due to typo (== instead of =) disabling input validation entirely. PoC and patch available.

Path traversal in OpenEMR 7.0.4 disposeDocument() allows file access. PoC available.

Zip slip to arbitrary file write in Zdir Pro 4.x ZIP extraction API. PoC available.

Command execution via reset_pj.cgi in Weintek cMT-3072XH2.

Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formGetIptv function and the list parameter, which can cause memory corruption and enable remote code execution. [CVSS 7.5 HIGH]

Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints (including Scheduler and Actions pages). [CVSS 7.2 HIGH]

Tranzman versions up to 4.0 is affected by insufficient verification of data authenticity (CVSS 7.2).

An issue was discovered in Nokia Impact before Mobile 23_FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. [CVSS 2.0 LOW]

WatchGuard Fireware OS contains an out-of-bounds write vulnerability in its management interface that permits authenticated administrators to achieve root-level code execution. The flaw affects versions 11.9 through 11.12.4_Update1, 12.0 through 12.11.7, and 2025.1 through 2026.1.1, with no patch currently available. While exploitation requires high-level administrative privileges, successful attacks grant complete system compromise.

RCE in Apache Ranger <= 2.7.0 via NashornScriptEngineCreator. EPSS 0.42%.

Server-Side Request Forgery in the Uncanny Automator WordPress plugin up to version 7.0.0.3 allows authenticated administrators to make arbitrary web requests from the affected server and store remote file contents locally, potentially enabling remote code execution. The vulnerability requires administrator-level privileges and has no available patch. Attackers can exploit this to interact with internal services and upload arbitrary files to the web server.

Remote code execution in AFFiNE prior to version 0.25.4 allows unauthenticated attackers to execute arbitrary code on victim machines through malicious affine: URL scheme handlers embedded on websites or in user-generated content. When a victim clicks a crafted link or visits a compromised site that auto-redirects to such a URL, the AFFiNE application processes the payload without additional user interaction, enabling complete system compromise. No patch is currently available for this high-severity vulnerability.

Android has a heap buffer overflow in multiple locations enabling privilege escalation through out-of-bounds read and write operations.

Master Addons for Elementor Premium (WordPress plugin) versions up to 2.1.3 is affected by code injection (CVSS 8.8).

Twenty CRM v1.15.0 has a code injection vulnerability enabling remote attackers to execute arbitrary code through the CRM platform.

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

Chamilo is a learning management system. Chamillo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. [CVSS 7.2 HIGH]

Mattermost Desktop is affected by inclusion of functionality from untrusted control sphere (CVSS 4.6).

DobryCMS has an unauthenticated file upload vulnerability allowing remote attackers to upload and execute arbitrary files on the web server.

IDExpert Windows Logon Agent has a second RCE vulnerability through another unsigned code download path.

IDExpert Windows Logon Agent by Changing has an RCE vulnerability through download of code without integrity check, allowing malicious update injection.

Remote code execution in Statmatic CMS versions prior to 5.73.11 and 6.4.0 allows authenticated users with control panel access and permission to modify Antlers-enabled fields to execute arbitrary code in the application context. An attacker exploiting this vulnerability can fully compromise the application, including stealing sensitive configuration data, modifying or exfiltrating user data, and disrupting availability. A patch is available and exploitation requires authenticated access with specific field configuration permissions.

Critical RCE via OS command injection in WeGIA before 3.6.5. Unauthenticated attackers can execute arbitrary commands on the server. CVSS 10.0 with PoC available.

Group Office versions before 26.0.9, 25.0.87, and 6.8.154 allow authenticated attackers to execute arbitrary commands through maliciously crafted TNEF attachments, where attacker-controlled filenames in winmail.dat are processed unsafely with zip wildcard expansion. An attacker with valid credentials can exploit this to achieve remote code execution with full system privileges. No patch is currently available for affected deployments.

Unauthenticated RCE and information disclosure via Local File Inclusion in Johnson Controls Frick Controls. Fifth critical vulnerability in the product line, enabling arbitrary file reads and code execution.

Unauthenticated remote code execution via code injection in Johnson Controls Frick Controls Quantum HD. Fourth critical vulnerability — this one explicitly noted as unauthenticated RCE.

Remote code execution in intra-mart Accel Platform's IM-LogicDesigner module through insecure deserialization of crafted files imported by administrative users. An attacker with admin privileges can execute arbitrary code by importing a malicious file, with no patch currently available. The vulnerability affects all deployments where IM-LogicDesigner is enabled.

Remote code execution in Red Hat Satellite's rubyipmi BMC component allows authenticated users with host creation or update permissions to execute arbitrary code by injecting malicious input into the BMC username field. An attacker with these privileges can compromise the underlying system through command injection. No patch is currently available for this vulnerability.

Soliton Systems installers for Securebrowser For Onegate, Secureworkspace, and Securebrowser II fail to set proper file permissions during installation, enabling local authenticated users to execute arbitrary code with SYSTEM privileges. An attacker with user-level access can exploit this misconfiguration to achieve full system compromise. No patch is currently available.

Code injection in OpenStack Vitrage query parser allows authenticated users to execute arbitrary Python code through crafted queries. Affects versions before 12.0.1, 13.0.0, 14.0.0, and 15.0.0. PoC available.

Remote code execution in OCaml versions before 4.14.3 and 5.x before 5.4.1 allows unauthenticated attackers to execute arbitrary code by supplying malicious serialized data that exploits insufficient bounds checking in the Marshal deserialization function. The vulnerability stems from unbounded memory copy operations in the readblock() function that processes attacker-controlled length values, enabling a multi-stage exploitation chain. No patch is currently available for affected systems.

Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the MBird SMS service URL parameters processed during system setup. The vulnerability affects Xweb 500d Pro, 500b Pro, and 300d Pro models, with no patch currently available. Exploitation requires high privilege access but carries high impact due to complete system compromise potential.