Remote Code Execution
Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access.
How It Works
Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access. Unlike a single vulnerability class, RCE is an outcome—the catastrophic result of exploiting underlying weaknesses in how applications process input, manage memory, or handle executable content.
Attackers typically achieve RCE by chaining vulnerabilities or exploiting a single critical flaw. Common pathways include injecting malicious payloads through deserialization flaws (where untrusted data becomes executable objects), command injection (where user input flows into system commands), buffer overflows (overwriting memory to hijack execution flow), or unsafe file uploads (placing executable code on the server). Server-Side Template Injection and SQL injection can also escalate to code execution when attackers leverage database or template engine features.
The attack flow usually begins with reconnaissance to identify vulnerable endpoints, followed by crafting a payload that exploits the specific weakness, then executing commands to establish persistence or pivot deeper into the network. Modern exploits often use multi-stage payloads—initial lightweight code that downloads and executes more sophisticated tooling.
Impact
- Complete system compromise — attacker gains shell access with application privileges, potentially escalating to root/SYSTEM
- Data exfiltration — unrestricted access to databases, configuration files, credentials, and sensitive business data
- Lateral movement — compromised server becomes a beachhead to attack internal networks and other systems
- Ransomware deployment — direct pathway to encrypt files and disable backups
- Persistence mechanisms — installation of backdoors, web shells, and rootkits for long-term access
- Supply chain attacks — modification of application code or dependencies to compromise downstream users
Real-World Examples
The n8n workflow automation platform (CVE-2024-21858) demonstrated how RCE can emerge in unexpected places-attackers exploited unsafe workflow execution to run arbitrary code on self-hosted instances. The Log4j vulnerability (Log4Shell) showed RCE at massive scale when attackers sent specially crafted JNDI lookup strings that triggered remote class loading in Java applications worldwide.
Atlassian Confluence instances have faced multiple RCE vulnerabilities through OGNL injection flaws, where attackers inject Object-Graph Navigation Language expressions that execute with server privileges. These required no authentication, enabling attackers to compromise thousands of internet-exposed instances within hours of disclosure.
Mitigation
- Input validation and sanitization — strict allowlists for all user-controlled data, especially in execution contexts
- Sandboxing and containerization — isolate application processes with minimal privileges using containers, VMs, or security contexts
- Disable dangerous functions — remove or restrict features like code evaluation, system command execution, and dynamic deserialization
- Network segmentation — limit blast radius by isolating sensitive systems and restricting outbound connections
- Web Application Firewalls — detect and block common RCE patterns in HTTP traffic
- Runtime application self-protection (RASP) — monitor application behavior for execution anomalies
- Regular patching — prioritize updates for components with known RCE vulnerabilities
Recent CVEs (31883)
Remote code execution in Autodesk Fusion Desktop's MCP (Model Context Protocol) extension allows attackers to execute arbitrary code with current user privileges when a victim visits a malicious webpage while Fusion is running with the MCP extension enabled. The flaw is rated CVSS 9.6 (Critical) due to its network-reachable nature and scope change, though successful exploitation requires user interaction (visiting a crafted page) and the non-default MCP extension being enabled. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote code execution and denial of service in IBM WebSphere Application Server and WebSphere Application Server Liberty (including IBM i 7.3-7.6) occurs when the WebServer Plug-in component is deployed with Intelligent Management enabled. An attacker who can impersonate a backend application server and return crafted responses can trigger code injection (CWE-94) against the plug-in, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis; EPSS 0.38% and SSVC exploitation 'none' indicate no observed weaponization despite the 9.8 CVSS rating.
Remote code execution and denial of service in the IBM WebSphere Web Server Plug-in shipped with IBM i 7.3, 7.4, 7.5, and 7.6 (through 1.8.4) allows an attacker positioned on the adjacent network to abuse the plug-in's handling of responses from an upstream WebSphere Application Server. By impersonating the application server and returning crafted responses, the attacker can trigger code injection (CWE-94) against the plug-in, leading to full compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and EPSS is low (0.25%), but SSVC rates the technical impact as total.
Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully compromise the host by bypassing authentication and abusing improper Python execution isolation. The maximum CVSS 10.0 score (AV:N/AC:L/PR:N/UI:N with scope change) reflects trivial network-based exploitation against any internet-exposed instance, though no public exploit identified at time of analysis. IBM has confirmed the issue and released a patch via support advisory node/7277242.
Authenticated arbitrary code execution in MISP allows a site administrator to abuse the Kafka_rdkafka_config setting to load an attacker-controlled INI file, which is parsed and passed to rdkafka with options such as plugin.library.paths to load an arbitrary shared library. The flaw (CWE-829, inclusion of functionality from untrusted control sphere) yields code execution as the MISP process user; no public exploit identified at time of analysis, but a vendor patch is available.
Local privilege escalation in ArubaSign prior to v4.6.6 stems from overly permissive ACLs applied at installation, granting the 'Everyone' group write access to the main executable and supporting files under C:\Program Files. An unprivileged local user can swap these binaries for malicious payloads that subsequently execute under the privileges of any user (potentially Administrator or SYSTEM) who later launches the application. No public exploit identified at time of analysis and the issue is not on CISA KEV.
Remote code execution in MISP allows authenticated site administrators to abuse the JsonLogTool NDJSON error log configuration to write attacker-controlled content to a PHP file under the webroot, yielding code execution as the web server user. No public exploit identified at time of analysis, but a vendor patch is available via the MISP GitHub repository.
Remote code execution in SiYuan note-taking application (before v3.6.1) allows any malicious Bazaar marketplace package author to compromise users via unsanitized HTML rendering of package displayName, description, and README content. Because the Electron renderer is configured with nodeIntegration:true and contextIsolation:false, injected JavaScript pivots directly to arbitrary OS command execution. No public exploit identified at time of analysis, but VulnCheck published a detailed technical advisory documenting both zero-click (metadata) and one-click (README) vectors.
Remote code execution in SiYuan note-taking application before v3.6.1 occurs when users browse the built-in Bazaar marketplace, because package metadata (displayName, description) and README content are rendered without HTML sanitization. Because the Electron shell ships with nodeIntegration:true and contextIsolation:false, an injected script in the renderer executes arbitrary OS commands as the user. Reported by VulnCheck with detailed vulnerable-code analysis published in the GHSA advisory; no public exploit identified at time of analysis and not listed in CISA KEV.
Authenticated remote code execution in Craft CMS versions 5.5.0 through 5.9.13 allows admin users to execute arbitrary PHP by injecting Yii2 event handlers via the fieldLayoutConfig POST parameter to FieldsController::actionRenderCardPreview(). The flaw stems from missing Component::cleanseConfig() sanitization, enabling disclosure of environment variables including database credentials and CRAFT_SECURITY_KEY. No public exploit identified at time of analysis, though VulnCheck has published a detailed advisory describing the attack technique.
Detection bypass in picklescan versions before 0.0.30 allows malicious pickle files to evade security scanning by using cProfile.runctx in __reduce__ methods, leading to arbitrary code execution when the file is loaded via pickle.load(). The flaw undermines the core purpose of picklescan as a defensive tool for ML model security and was reported by VulnCheck with a published proof-of-concept in the GitHub Security Advisory. No public exploit identified at time of analysis as a weaponized in-the-wild attack, but PoC code is published in the GHSA.
Detection bypass in picklescan versions before 0.0.25 allows attackers to embed remote code execution payloads in pickle files by abusing the built-in timeit.timeit() function inside a __reduce__ method, which is not on the unsafe-globals blacklist. Any organization using picklescan to vet PyTorch or other pickle-based model files is affected, and a working PoC is publicly documented in the GHSA advisory (no public exploit identified at time of analysis as a weaponized tool, but POC code is published).
Detection bypass in picklescan before 0.0.28 allows attackers to smuggle arbitrary code through pickle files by abusing torch.utils._config_module.load_config inside __reduce__ methods, defeating the library's malicious-pickle scanning and enabling remote code execution when the file is later loaded. Publicly available exploit code exists (GHSA-vv6j-3g6g-2pvj includes a working PoC), and the flaw is significant for any ML pipeline that trusts picklescan to vet third-party PyTorch model files. No CISA KEV listing at time of analysis, so exploitation status is limited to public POC rather than confirmed in-the-wild use.
Remote code execution in Prefect 3.6.23 allows any user holding deployment-creation permissions to run arbitrary commands on shared worker machines by abusing the GitRepository storage class. The commit_sha and directories parameters are concatenated into git invocations without a `--` separator or validation, letting attackers smuggle flags such as `--upload-pack` to execute external programs. No public exploit identified at time of analysis, but the bug was reported via huntr and is particularly dangerous for multi-tenant work pools where worker compromise crosses trust boundaries.
Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Unauthenticated remote code execution in JoomShaper's SP LMS (com_splms) Joomla extension versions 1.0.0 through 4.1.3 allows network attackers to run arbitrary code on the server by sending a crafted cookie that the component deserializes without validation. The flaw is a textbook PHP object injection (CWE-502) with a CVSS 4.0 base score of 9.5, but at time of analysis there is no public exploit identified and the issue is not on the CISA KEV list. Risk is elevated because the trigger is a cookie value parsed before any authentication check.
Unauthenticated arbitrary file deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows remote attackers to delete any file the web server can write to, including wp-config.php, which can escalate to remote code execution. The flaw lives in the eeSFL_DeleteFile function and is reachable via the simplefilelist_edit_job AJAX action registered through wp_ajax_nopriv_, with the is_admin() guard rendered ineffective because that function always returns true on admin-ajax.php. No public exploit identified at time of analysis, but the trivial reachability and high-value target (WordPress) make weaponization straightforward.
Arbitrary file deletion in the Database for Contact Form 7, WPforms, Elementor forms WordPress plugin (versions ≤1.5.1) allows remote unauthenticated attackers to poison form entries with traversal payloads that, when later viewed by an administrator, delete arbitrary server files and can be escalated to remote code execution by removing wp-config.php. Reported by Wordfence with publicly available exploit code exists via the Wordfence advisory; no public exploit identified at time of analysis as weaponized in-the-wild attacks, and the issue is not in CISA KEV.
Arbitrary file write and read in Symfony UX Toolkit's `ux:install` console command allows a crafted or compromised recipe kit to escape the intended installation directory and overwrite or read attacker-controlled files on a developer's machine or CI runner. Because overwriting controllers, git hooks, or `.env` files yields code execution, this path-traversal flaw escalates to local RCE, and no public exploit identified at time of analysis though the fix and root cause are documented in the upstream GHSA.
LDAP injection in OpenBao versions 0.1.0 through 2.5.4 allows an attacker with a valid low-privileged LDAP account to impersonate arbitrary directory users, including administrators, by supplying filter metacharacters in the username field at login. The root cause is a function selection error in `sdk/helper/ldaputil/client.go`: `EscapeLDAPValue()` (RFC 4514, DN escaping) is used in LDAP filter construction instead of `ldap.EscapeFilter()` (RFC 4515), leaving characters `*`, `(`, `)`, `\`, and NUL unescaped and injectable. Publicly available exploit code exists in the vendor advisory; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
Arbitrary file read leading to remote code execution affects Langflow versions prior to 1.9.2 in any flow that uses BaseFileComponent-derived nodes (Read File, Docling, Docling Serve, NVIDIA Retriever Extraction, Video File, Unstructured API). An attacker who can submit a TAR archive containing symlinks - for example through a RAG ingestion pipeline that accepts user documents - causes the server to follow those links and ingest arbitrary host files such as Langflow's JWT secret_key, which can then be used to forge admin tokens and execute Python via the Code Interpreter node. Publicly available exploit code exists (researcher-published PoC archive and demo video); not listed in CISA KEV.
Server-Side Request Forgery and arbitrary JavaScript injection in Craft CMS 4.x (before 4.18) and 5.x (before 5.10) allow remote unauthenticated attackers to poison the Host or X-Forwarded-Host header against the /actions/app/resource-js endpoint, forcing the backend Guzzle client to proxy attacker-controlled content as application/javascript. When the instance sits behind a caching layer, this chains into web cache poisoning, stored XSS in the Control Panel, and 1-click RCE via session-riding the plugin install action. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c55v-343g-5xff) provides detailed exploitation mechanics.
Code injection in @tinacms/cli versions prior to 2.4.3 allows an attacker who controls a Forestry-style project to achieve remote code execution on a developer's workstation when the `tinacms init` Forestry migration runs and the developer subsequently executes `tinacms dev` or `tinacms build`. The `addVariablesToCode` helper unquotes any value matching the marker `__TINA_INTERNAL__:::(.*?):::` placed in a stringified collection JSON, and user-supplied `label`/`name` fields from `.forestry/**/*.yml` are inserted into that JSON without sanitisation, yielding a top-level IIFE in the generated `tina/templates.ts`. A detailed end-to-end PoC is published in the GHSA-4936-9hrh-qqpw advisory; no public exploit identified at time of analysis beyond the disclosure PoC, and the CVE is not in CISA KEV.
Authenticated remote code execution in gin-vue-admin 2.9.1 lets attackers with access to the code-generation and MCP management features inject arbitrary Go source via POST /autoCode/addFunc and trigger a rebuild/restart through POST /autoCode/mcpStart, yielding OS command execution as the application service account. No public exploit identified at time of analysis, and as of publication a patched version is not confirmed; the upstream GHSA-22cv-9jv2-6m62 advisory only documents allowlist-based workarounds.
Heap use-after-free in the Oj Ruby gem's `Oj::Doc` iterators (`each_value`, `each_child`, `each_leaf`) allows a Ruby block executed during iteration to free the underlying document buffer via `doc.close`, after which the native C iterator in `ext/oj/fast.c` dereferences the freed region. The flaw is reachable from pure Ruby and confirmed by an AddressSanitizer report against version 3.17.1, with no public exploit identified at time of analysis but a clear reproducer published in the GHSA advisory. Applications that parse attacker-influenced JSON with Oj::Doc and pass user-supplied callbacks into these iterators are most at risk.
Stored cross-site scripting in the jupyterlab-git extension (versions 0.30.0b3 through 0.53.x) escalates to remote code execution when a victim views a rename diff in the Git History tab. The PlainTextDiff.ts createHeader() method injects unsanitized Git filenames into innerHTML, so a filename such as <img src=x onerror=eval(atob(...))>.py fires JavaScript that reads the _xsrf cookie, spawns a JupyterLab terminal via POST /api/terminals, and runs arbitrary shell commands. Reported by AWS Security; no public exploit identified at time of analysis, though the vendor advisory (GHSA-f962-v9hr-pfg5) documents a detailed reproduction path, and it is not listed in CISA KEV.
Arbitrary code execution in Stanford NLP's Stanza 1.12.0 (and ≤1.12.1) occurs when the library loads a malicious PyTorch checkpoint, because its pretrain loader silently falls back from torch.load(weights_only=True) to weights_only=False whenever an UnpicklingError is raised - a condition the attacker fully controls by embedding one unsupported pickle global. Publicly available exploit code exists (working PoC in the GHSA advisory), and any developer, CI pipeline, or production NLP service that downloads Stanza model files from HuggingFace, GitHub, or a shared cache can be compromised. Fixed in Stanza 1.12.2.
Denial of service in the Faraday Ruby HTTP client library (versions up to and including 2.14.2) allows remote attackers to crash worker threads by submitting query strings with deeply nested bracket-notation parameters. The Faraday::NestedParamsEncoder recursively walks attacker-controlled nested Hash structures without a depth ceiling, raising an uncaught SystemStackError at roughly 3,000+ levels of nesting (~9.4 KB payload). Publicly available exploit code exists in the GHSA-98m9-hrrm-r99r advisory itself; no public exploit identified at time of analysis in the active-exploitation sense, and impact is limited to availability - no RCE, auth bypass, or data disclosure, despite the input tags listing those categories.
Server-Side Request Forgery in Mercator's CVE configuration panel allows authenticated users holding the low-privilege 'configure' permission to coerce the application server into issuing arbitrary outbound network requests to any internal or external host. Affected versions prior to 2025.05.19 pass user-supplied URLs directly to curl_init() in ConfigurationController::testProvider() with no scheme, hostname, or private-IP validation; the intended /api/dbInfo suffix restriction is trivially defeated by appending a # fragment character, granting full URL control. Support for the telnet:// scheme enables internal TCP port scanning, while gopher:// permits raw protocol-level interaction with unauthenticated internal services such as Redis and Memcached, creating a realistic path to Remote Code Execution on those systems under common deployment conditions. No public exploit code or CISA KEV listing has been identified at time of analysis.
Arbitrary file write in py7zr versions 1.1.0 through 1.1.2 allows attackers to escape the destination directory during archive extraction by chaining malicious symbolic links that resolve outside the target path. A victim who calls extractall() on a crafted 7z archive can have files written to arbitrary host filesystem locations, potentially escalating to remote code execution, privilege escalation, or data corruption. Publicly available exploit code exists (PoC published in the GHSA advisory), but there is no public exploit identified for active campaigns at time of analysis.
Joomla!. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Arbitrary file write via path traversal in Slopsmith (a self-hosted Rocksmith 2014 CDLC web app) prior to 0.2.9-alpha.5 allows an attacker who can supply a malicious PSARC or sloppak archive to write files outside the extraction directory, escalating to remote code execution under the default Docker image which runs as root and exposes a writable plugin directory. The CVSS 4.0 vector reports high privileges required (PR:H), reflecting that the attacker must reach the archive-upload/open functionality of an authenticated user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in libaom (reference AV1 codec) is possible when services use the SVC encoder with attacker-supplied frames, allowing crafted pixel data to overlap encoder layer context structures and hijack the cyclic refresh map pointer. The flaw chains a heap out-of-bounds write (CWE-787) with a crash-oracle ASLR bypass to redirect control flow in fork-based video processing services. No public exploit identified at time of analysis, but the issue is tracked under Red Hat and Chromium security trackers and an upstream fix commit has landed in aomedia.
Arbitrary address write in libaom, the reference AV1 video codec implementation, allows remote attackers to corrupt memory by supplying crafted pixel values to an encoder that has Scalable Video Coding (SVC) enabled, leading to denial of service or potential code execution. The flaw stems from a missing bounds check in the SVC layer ID control function that lets pixel data inject an attacker-controlled pointer into the cyclic refresh map, after which ~1,200 bytes are written deterministically to the chosen address. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Heap buffer overflow in libaom's AV1 encoder allows attackers who influence encoder configuration to trigger a 232-byte out-of-bounds heap write on every frame after the second, when Look-Ahead Processing (LAP) mode is active with g_lag_in_frames >= 1. Affected deployments include transcoding pipelines and WebRTC servers that pass user-controlled encoder parameters to libaom. No public exploit identified at time of analysis, and the flaw primarily yields a reliable denial of service with a theoretical path to remote code execution via heap corruption.
Remote code execution in Tenda AC7 routers (firmware v15.03.06.44) is possible via a stack buffer overflow in the wanSpeed parameter of the /goform/AdvSetMacMtuWan endpoint. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network-based exploitation with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and the device is not listed in CISA KEV.
PHAR deserialization in PhpWeasyPrint versions prior to 2.6.0 allows remote code execution by bypassing the case-sensitive phar:// blacklist introduced for CVE-2023-28115 - because PHP stream wrappers are case-insensitive, schemes like PHAR:// or PhAr:// pass the check and reach file_exists() in prepareOutput(). When the library runs on PHP 7.4+ and an attacker can influence the output filename argument passed to generation methods, a crafted PHAR archive's metadata is unserialized via a gadget chain, yielding code execution. No CISA KEV listing and no public exploit identified at time of analysis for this specific CVE, although the equivalent upstream KnpLabs/snappy advisory (GHSA-92rv-4j2h-8mjj) ships a working phpggc-based PoC that is directly portable.
Arbitrary file deletion in PhpWeasyPrint prior to version 2.6.0 allows any code holding a reference to a generator instance to inject arbitrary filesystem paths into the public `AbstractGenerator::$temporaryFiles` array, which are then passed to `unlink()` without path-containment validation during script shutdown or object destruction. The vulnerability mirrors a previously disclosed pattern in the related KnpLabs/snappy library (GHSA-87qc-37cw-84h4), and is exploitable by malicious dependencies, plugin code, or any PHP code co-located in the same process with access to the generator object. No public exploit has been identified at time of analysis, and exploitation is substantially constrained by the requirement for high privileges and local code access.
Arbitrary local file disclosure in the Rust crate tract-onnx (by Sonos) allows an attacker who supplies a malicious ONNX model file to read arbitrary files from the victim's filesystem at model-load time, with file contents surfaced directly in inference tensor output. The root cause is that `get_external_resources()` in `onnx/src/tensor.rs` passes the attacker-controlled `location` field of ONNX external-data tensors directly to `PathBuf::join()` without sanitization, enabling both absolute-path overrides and relative `../` traversal. A secondary denial-of-service (panic) is possible via out-of-bounds `offset`/`length` values. Publicly available exploit code exists (full PoC confirmed on tract-onnx 0.21.16); no active exploitation has been confirmed by CISA KEV at time of analysis.
Cedar policy injection in CedarJava (com.cedarpolicy:cedar-java) versions below 2.3.6, 3.4.1, and 4.9.0 allows attackers to alter authorization outcomes by smuggling Cedar expressions through unescaped string values. The flaw is in toCedarExpr() on Cedar Value types, which fails to escape quote and backslash characters when serializing user-controlled values into policy text. No public exploit identified at time of analysis, but the integrity impact is severe because injected fragments like '|| true' can neutralize permit/forbid logic in fine-grained authorization decisions.
Chromacam 4.0.3.0 contains an unquoted service path vulnerability in the PsyFrameGrabberService that allows local attackers to execute arbitrary code by placing malicious executables in unquoted path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Realtek Audio Service 1.0.0.55 contains an unquoted service path vulnerability in RtkAudioService64.exe that allows local attackers to escalate privileges by injecting malicious code. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
RealTimes Desktop Service 18.1.4 contains an unquoted service path vulnerability in the rpdsvc.exe binary that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
TFTP Broadband 4.3.0.1465 contains an unquoted service path vulnerability in the tftpt.exe service binary that allows local attackers to execute arbitrary code with system privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Network Inventory Advisor 5.0.26.0 installs the niaservice service with an unquoted binary path that allows local attackers to escalate privileges by placing malicious executables in intermediate. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Matrix42 Remote Control Host 3.20.0031 contains an unquoted service path vulnerability in the FastViewerRemoteService and FastViewerRemoteProxy services that allows local users to execute arbitrary. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
AnyDesk 2.5.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYSTEM privileges by exploiting the service installation. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Wise Care 365 4.27 and Wise Disk Cleaner 9.29 contain unquoted service path vulnerabilities in the WiseBootAssistant and SpyHunter 4 Service respectively, allowing local users to execute arbitrary. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
NetDrive 2.6.12 contains an unquoted service path vulnerability in the Netdrive2_Service_Netdrive2 service that allows local users to execute arbitrary code with SYSTEM privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Comodo Dragon Browser versions up to 52.15.25.663 contain a privilege escalation vulnerability in the DragonUpdater service due to an unquoted service path running with SYSTEM privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Iperius Remote 1.7.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYSTEM privileges by exploiting the service installation path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Comodo Chromodo Browser 52.15.25.664 contains an unquoted service path vulnerability in the ChromodoUpdater service that runs with SYSTEM privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Fortitude HTTP 1.0.4.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated privileges by exploiting the service binary path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Command injection in the Network-AI npm package (network-ai < 5.9.1) lets any agent or caller granted a wildcard allowlist entry such as `git *`, `npm *`, or `node *` execute arbitrary shell commands as the orchestrator process. The flaw stems from `SandboxPolicy.isCommandAllowed` glob-matching the entire command string while `ShellExecutor` runs it through `/bin/sh -c`, so shell metacharacters like `;`, `|`, and `$(...)` smuggle additional commands past the sandbox. A working PoC is published in the GHSA advisory, though there is no public exploit identified at time of analysis in the wild and no CISA KEV listing.
Remote code execution in NI grpc-device 2.17.0 and earlier is possible when an attacker sends a specially crafted Moniker protobuf message to the sideband streaming API, triggering an untrusted pointer dereference (CWE-822). The flaw is reachable without authentication or user interaction over the network, yielding a CVSS 4.0 base score of 9.3. No public exploit identified at time of analysis, but vendor advisories from NI and the upstream GitHub Security Advisory GHSA-ww59-ghm9-mm63 are published.
Remote code execution in JetBrains GoLand before 2026.1.3 lets an attacker run arbitrary code on a developer's machine when the victim opens a maliciously crafted project whose configuration is untrusted. The flaw, reported by JetBrains itself and assigned CVSS 8.8 with high confidentiality, integrity, and availability impact, requires the user to open the booby-trapped project (UI:R) but no prior authentication on the IDE. There is no public exploit identified at time of analysis, and the EPSS probability is low at 0.21% (11th percentile).
Unauthenticated administrator account takeover in FileRise before 3.16.0 is possible via a path traversal flaw in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), where URL-encoded path separators bypass filename validation and allow arbitrary file write outside the upload directory. Any actor holding a valid, non-expired, upload-enabled shared-folder token - tokens explicitly designed to be shared publicly - can overwrite users/users.txt to plant an admin account and, depending on configuration, achieve remote code execution. No public exploit identified at time of analysis, but the upstream fix in v3.16.0 documents the exact bypass, lowering the bar for weaponization.
Unauthenticated remote code execution in BetterDocs Pro for WordPress (versions through 3.8.0) is achievable by abusing the `doc_style` parameter to include arbitrary local PHP files. Wordfence has assigned a critical 9.8 CVSS score, and while no public exploit identified at time of analysis, the unauthenticated network-reachable nature of the flaw on a widely deployed WordPress documentation plugin makes opportunistic mass-exploitation likely once details propagate.
Arbitrary file deletion in the Avada (Fusion) Builder WordPress plugin through version 3.15.3 allows remote unauthenticated attackers to delete any file on the server via path traversal in the maybe_delete_files function, which commonly escalates to remote code execution when wp-config.php is removed and WordPress enters setup mode. Wordfence reports the flaw is reachable through the wp_ajax_nopriv_fusion_form_submit_ajax handler on sites that have a published Avada form saving entries to the database. No public exploit identified at time of analysis, but the CVSS 9.1 score reflects trivial network exploitation with no authentication or user interaction.
Checkpoint image poisoning in containerd's CRI implementation allows an attacker with pod-creation permissions to corrupt the node-local image cache, causing victim pods to silently execute malicious images in place of legitimate ones. The root cause is missing validation of image references embedded in checkpoint image configurations: containerd trusts attacker-controlled strings in the checkpoint archive to drive image pulls and local tag assignment. Subsequent pods using an IfNotPresent or Never pull policy then inherit the poisoned tag and execute arbitrary code under the victim pod's Kubernetes identity. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis; vendor-released patches are available.
Remote code execution in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras allows unauthenticated attackers to run arbitrary code by sending a specially crafted web request to the device's HTTP interface. The flaw was reported through CISA's ICS-CERT coordination process and carries a CVSS 4.0 base score of 9.3, but there is no public exploit identified at time of analysis and the CVE is not on the CISA KEV list.
Remote unauthenticated access to two SQL Editor endpoints in pgAdmin 4 server-mode deployments (versions 6.9 through 9.15) exposes a pickle.loads sink that can be reached without a valid pgAdmin session. The defect is the missing @pga_login_required decorator on DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did>; turning this into code execution additionally requires an attacker to possess the Flask SECRET_KEY and write access to the sessions/ directory from a separate channel. No public exploit identified at time of analysis, and the issue does not appear on CISA KEV.
Remote SQL injection via prompt injection in pgAdmin 4 versions 9.13 through 9.15 allows attackers who can write content into database objects the AI Assistant inspects to bypass the read-only transaction wrapper and execute arbitrary SQL with the pgAdmin user's database role. When that role is a PostgreSQL superuser or holds pg_execute_server_program, the chain escalates to remote code execution on the database host via COPY ... TO PROGRAM. No public exploit identified at time of analysis; CVSS 4.0 base score is 9.4 (Critical) and an upstream fix is available.
Path traversal in PraisonAI's MultiAgentMonitor component (versions <= 1.5.114) lets remote attackers who can supply agent identifiers read, write, or overwrite arbitrary files on the host by embedding '../' sequences in agent IDs. The flaw, disclosed by VulnCheck and tracked as GHSA-766v-q9x3-g744, enables information disclosure, denial of service, and potential code execution in multi-agent AI deployments; no public exploit identified at time of analysis but a detailed PoC is included in the advisory.
Cross-origin agent execution in PraisonAI's AGUI endpoint allows any attacker-controlled website to silently invoke locally-running agents and exfiltrate their streaming responses, including tool execution results and sensitive environment data. The flaw stems from a triad of issues - no authentication on POST /agui, a hardcoded wildcard CORS header, and Starlette's Content-Type-agnostic JSON parsing - that together let a simple cross-origin request bypass the browser's preflight check. No public exploit identified at time of analysis, but the GHSA advisory publishes a complete attack flow making weaponization trivial.
Local privilege escalation and arbitrary code execution affects Yandex Punto Switcher through version 4.5.0.583 due to an unquoted search path passed to WinExec when launching RunDll32.exe to invoke shell32.dll's Control_RunDLL with input.dll. An authenticated local attacker who can drop an executable into an earlier directory in the Windows search order can hijack execution and run code in the context of the affected user. No public exploit identified at time of analysis, but the technique (CWE-428) is well-understood and trivially weaponized.
Code execution in AzeoTech DAQFactory versions 21.1 and prior is achievable when a user opens a maliciously crafted .ctl project file, triggering a CWE-843 type confusion that corrupts memory. The flaw was reported through CISA ICS-CERT, which is significant because DAQFactory is HMI/SCADA software where engineering project files are routinely shared between integrators and operators. There is no public exploit identified at time of analysis, but the file-borne delivery pattern is well-suited to phishing or supply-chain handoffs targeting OT engineers.
HTTP header injection (CRLF injection) in Kirby CMS's `Kirby\Http\Remote` class allows attackers who can influence outgoing request header values to inject or override arbitrary HTTP headers sent to upstream services. Affected are sites running Kirby versions up to 4.9.3 or 5.0.0-alpha.1 through 5.4.3 where custom code, plugins, or integrations pass user-controlled data into the `headers` option of `Remote` requests - the default Kirby installation is not affected. The attack targets the remote service receiving the manipulated request, enabling overrides of security-critical headers such as `Authorization`, `Host`, or `Cookie`, with downstream effects including unauthorized API access or upstream cache poisoning. No public exploit code and no CISA KEV listing have been identified at time of analysis; the 'RCE' tag in the source data appears to be a misclassification of this CWE-93 flaw.
Arbitrary command execution in Eclipse Theia versions prior to 1.69.0 allows a malicious repository to run host commands with the user's privileges when its workspace is opened, because custom task definitions in .theia/tasks.json or .vscode/tasks.json bypass the workspace trust gate. When the victim has also enabled AI chat with tool confirmation disabled via a workspace .theia/settings.json, the chain triggers automatically on the first chat message. No public exploit identified at time of analysis, but the attack pattern mirrors well-known VS Code workspace-trust bypass classes.
Grav CMS (getgrav/grav < 1.7.53) exposes admin bcrypt password hashes, SMTP credentials, and full site configuration to any actor who can obtain a session-static admin-nonce value - via XSS, Referrer header leakage, browser history, or proxy logs - because the backup download endpoint enforces only a single URL-embedded nonce with no form-level CSRF token and no session binding. The default backup profile archives the entire GRAV_ROOT directory including user/accounts/ and user/config/ without exclusions, and the download handler Base64-encodes the absolute filesystem path in the response URL, leaking server internals. A fully functional public PoC is available; no CISA KEV listing exists at time of analysis, but downstream risk includes offline hashcat cracking followed by unauthenticated admin login with no server-side rate limiting.
{signal} for abort support), the polluted prototype value flows into worker_threads.Worker and the attacker's exported function is invoked with every legitimate caller's task data. Publicly available exploit code exists (full PoC in the GHSA advisory), but no public exploit identified at time of analysis as in-the-wild abuse and the CVE is not in CISA KEV.
Arbitrary code execution as root on the host running Docker MCP Gateway via argument injection in the `docker run` command line. A malicious OCI image author can craft an `io.docker.server.metadata` label that YAML-unmarshals into runtime-shaping fields of the `catalog.Server` struct, causing the gateway to append attacker-chosen flags like `-v /:/host` and `-u root` when launching the MCP server container. No public exploit identified at time of analysis, but the upstream advisory describes a full exploitation path.
Remote code execution in UBB.threads forum software (version 7.7.5 confirmed) is achievable by authenticated users holding template-edit privileges, who can abuse a path traversal weakness to read and write arbitrary files within the web application's privilege scope. CERT-PL reported the issue after vendor contact attempts failed, and there is no public exploit identified at time of analysis. The flaw escalates a routine administrative capability into full server compromise without requiring user interaction.
Out-of-bounds write in FFmpeg's libavcodec MagicYUV decoder (libavcodec/magicyuv.c) affects all FFmpeg versions before 8.1.2, allowing remote attackers to cause denial-of-service and potentially achieve remote code execution when a victim processes a crafted MagicYUV-encoded media file. No public exploit identified at time of analysis, but the broad deployment of FFmpeg across media players, transcoding pipelines, browsers, and server-side processing makes this a high-priority patch. EPSS and CISA KEV data were not provided in the input.
Cross-site request forgery in Cotonti 1.0.0 (commit f43f1fc3) lets a remote attacker escalate privileges to administrator by tricking a logged-in admin into loading an attacker-controlled page that submits a forged rights-update request to system/admin/admin.rights.php. Because Cotonti administrators can edit templates and configuration, the resulting account can be pivoted to remote code execution on the host. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote code execution on any WordPress server running an affected installation whose form fields have an empty extension allowlist. The vulnerability is reachable via an unauthenticated AJAX endpoint, requires no privileges or user interaction, and a publicly available proof-of-concept exploit exists per WPScan. Despite the plugin's limited adoption, the combination of a public exploit, zero authentication requirement, and full server-side code execution makes this a materially higher-risk issue than the vendor-assigned CVSS score of 6.5 suggests.
Remote code execution in the Offload, AI & Optimize with Cloudflare Images WordPress plugin (versions ≤1.10.2) allows authenticated Author-level users to inject PHP into wp-config.php via the 'account-id' or 'api-key' parameters of the cf_images_do_setup AJAX handler. The handler enforces only the upload_files capability instead of manage_options, and a single-quote escape flaw lets attackers break out of a PHP string literal during the define() write. No public exploit is identified at time of analysis, but the vulnerability is reported by Wordfence with detailed root-cause analysis.
Remote code execution in PTC Windchill PDMlink and PTC FlexPLM allows unauthenticated network attackers to execute arbitrary code via deserialization of untrusted data. All releases prior to 11.0 M030 are affected, as are all CPS versions, and no public exploit identified at time of analysis. Reported by PTC themselves, the flaw carries a CVSS 4.0 base score of 9.3 (critical) reflecting high impact across confidentiality, integrity, and availability without requiring authentication or user interaction.
Sandbox escape via prototype pollution in ThingsBoard (versions prior to v4.3.1.2) allows a TENANT_ADMIN-authenticated user to achieve arbitrary code execution within the tb-js-executor sandboxed JavaScript context. The flaw lets a rule-chain script reach the host realm through the `args.constructor.constructor` chain (e.g., synthesizing a Function that returns `process`), defeating the intended VM isolation. No public exploit identified at time of analysis, though the upstream regression test in PR #15600 effectively documents the escape technique.
Command injection in the AWS Bedrock AgentCore Python SDK (versions >= 1.1.3, < 1.6.1) allows remote authenticated users to execute arbitrary commands within the Code Interpreter sandbox by supplying crafted package name arguments to the install_packages() method. The flaw stems from improper neutralization of argument delimiters (CWE-88), letting attacker-controlled strings break out of the intended pip-install argument context. No public exploit identified at time of analysis, but a vendor patch and advisory are available from AWS.
Twig sandbox bypass in Pimcore CMS/DXP 12.3.8 lets authenticated administrators escape the template sandbox by abusing empty checkMethodAllowed() and checkPropertyAllowed() implementations, enabling arbitrary method calls on internal PHP objects such as the DAO layer, Doctrine DBAL Connection, and PDO. Exploitation goes through a malicious Twig template injected via the DataObject ClassDefinition Layout\Text component and can lead to arbitrary file reads, arbitrary SQL execution, and potential remote code execution via PHP object gadget chains; the pimcore_* function wildcard broadens the bypass to every Pimcore Twig function. No public exploit identified at time of analysis, but VulnCheck has published an advisory describing the technique.
Remote code execution in libssh2 through version 1.11.1 stems from an unchecked packet_length field in ssh2_transport_read() that allows attackers to send oversized SSH packets and corrupt heap memory. The flaw was reported by VulnCheck and is fixed upstream in commit 97acf3df (PR #2052), which adds an upper-bound check against LIBSSH2_PACKET_MAXPAYLOAD. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 9.2 reflects pre-authentication network reach with high impact on confidentiality, integrity, and availability.
Authorization bypass in Gitea versions prior to 1.26.0 lets a read-only organization member create repositories in the organization namespace via the API fork endpoint, despite a team configuration that denies repository creation (can_create_org_repo=false). Because the fork creator receives admin rights on the resulting repo, the attacker can enable Actions and push a workflow that exfiltrates all organization-level CI/CD secrets (deploy keys, cloud credentials, API tokens). Publicly available exploit code exists in the GHSA advisory with a full step-by-step PoC; no public exploit identified at time of analysis beyond the reporter's reproduction.
Unauthenticated remote code execution in NVIDIA Spatial Intelligence Lab's GEN3C inference API server allows network attackers to execute arbitrary Python code by sending crafted pickle payloads to the /request-inference and /seed-model endpoints. The endpoints feed raw HTTP bodies directly into pickle.loads() with no authentication or validation, so a standard __reduce__ gadget yields code execution as the inference process. No public exploit identified at time of analysis, but the upstream patch and a VulnCheck advisory document the precise vulnerable code path.
Scanner evasion in picklescan versions prior to 1.0.3 lets an attacker smuggle malicious PyTorch pickle payloads past the scan_pytorch detection routine and gain arbitrary code execution when the model is later loaded with torch.load(). The bypass exploits a parser-differential between picklescan's pickletools.genops()-based magic-number extraction and PyTorch's pickle_module.load(), allowing a __reduce__(eval, ('MAGIC_NUMBER',)) trick to produce files that scan as clean but still deserialize correctly. A detailed proof-of-concept is published in the GHSA advisory and the VulnCheck writeup; no CISA KEV listing or EPSS score was supplied in the input.
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle detection by obfuscating eval calls nested under callable objects via getattr, causing the very tool intended to detect malicious pickles to miss them. Publicly available exploit code exists via the GHSA advisory PoC, though no public exploit identified at time of analysis as actively used in attacks; the CVSS 4.0 score of 9.3 reflects unauthenticated network-reachable impact on confidentiality, integrity, and availability.
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the scanner by invoking the module-level profile.run() function, which is missing from the blocklist that only covers Profile.run and Profile.runctx. The scanner reports zero issues while pickle.loads() triggers exec() of attacker-controlled Python. No public exploit identified at time of analysis beyond the proof-of-concept in the GHSA advisory, and the issue is not listed in CISA KEV.
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked function past its scanner using pkgutil.resolve_name as an indirection primitive. Because pkgutil.resolve_name is not on the blocklist, an attacker can chain two REDUCE opcodes to resolve and invoke os.system, builtins.exec, subprocess.call, or any other dangerous function while the scanner reports the pickle as CLEAN - a universal blocklist bypass that defeats picklescan's entire safety premise. No public exploit is identified in CISA KEV, but the GHSA advisory authored by VulnCheck publishes a complete working technique, so weaponization is trivial.
Quick Facts
- Typical Severity
- CRITICAL
- Category
- other
- Total CVEs
- 31883