Rce

Arelle before 2.39.10 is vulnerable to unauthenticated remote code execution via the /rest/configure REST endpoint, allowing attackers to execute arbitrary Python code by supplying a malicious URL through the plugins parameter.

OpenMRS versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, are vulnerable to a path traversal (Zip Slip) attack via the `POST /openmrs/ws/rest/v1/module` endpoint that allows authenticated attackers to achieve arbitrary file write and remote code execution.

NetBox versions 4.3.5 through 4.5.4 are vulnerable to remote code execution (RCE) via template injection, where authenticated users with specific permissions can inject malicious Python callables into template parameters, bypassing Jinja2 sandboxing to execute arbitrary code.

A remote, anonymous attacker can exploit multiple vulnerabilities in OPNsense to bypass security measures and execute arbitrary code, potentially leading to complete system compromise.

Multiple vulnerabilities in Mozilla Thunderbird prior to versions 150.0.1 and Thunderbird ESR prior to 140.10.1 could allow a remote attacker to achieve arbitrary code execution, data confidentiality breach, and security policy bypass.

The Widget Options plugin for WordPress is vulnerable to Remote Code Execution (CVE-2026-2052) due to insufficient input sanitization in the Display Logic feature, allowing authenticated attackers with Contributor-level access and above to execute arbitrary code on the server.

The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, allowing unauthenticated attackers to upload arbitrary files leading to potential remote code execution.

HKUDS OpenHarness contains a remote code execution vulnerability (CVE-2026-7551) in the /bridge slash command, allowing remote attackers to execute arbitrary operating system commands by injecting malicious commands via the /bridge spawn command, leading to unauthorized shell access and data exposure.

Synway SMG Gateway Management Management Software is vulnerable to unauthenticated OS command injection via crafted POST requests to the RADIUS configuration endpoint, leading to remote code execution.

A remote, anonymous attacker can exploit multiple unspecified vulnerabilities in GIMP to achieve arbitrary code execution on a vulnerable system.

Multiple vulnerabilities in Wireshark versions 4.4.x before 4.4.15 and 4.6.x before 4.6.5 could allow remote attackers to execute arbitrary code, cause a denial of service, or compromise data confidentiality.

A vulnerability in n8n allows authenticated users with workflow creation permissions to achieve remote code execution (RCE) through global prototype pollution via the XML Node in versions prior to 1.123.32, versions 2.17.0 to 2.17.4, and versions 2.18.0 to 2.18.1.

A prototype pollution vulnerability in n8n's XML webhook parser, exploitable by authenticated users, can lead to remote code execution on the n8n host.

The deprecated fabric-sdk-java client SDK is vulnerable to Java deserialization RCE due to the use of ObjectInputStream.readObject() without an ObjectInputFilter in Channel.java, allowing remote code execution if an attacker can supply crafted serialized Channel bytes to the client application.

Cockpit CMS is vulnerable to authenticated remote code execution via PHP code injection in the /cockpit/collections/save_collection endpoint, enabling attackers with collection management privileges to execute arbitrary commands on the server.

CVE-2018-25308 is a remote code execution vulnerability in BuddyPress Xprofile Custom Fields Type 2.6.3 that allows authenticated users to delete arbitrary files on the server by manipulating POST parameters.

AgentFlow is vulnerable to arbitrary code execution (CVE-2026-7466) by manipulating the `pipeline_path` parameter in POST requests to `/api/runs` and `/api/runs/validate`, allowing attackers to execute arbitrary Python code.

Multiple vulnerabilities in Spring Boot, including CVE-2026-40976, CVE-2026-40973, and CVE-2026-40972, can allow attackers to bypass authorization, hijack sessions, or achieve remote code execution, potentially leading to data breaches and system compromise.

A critical arbitrary code execution vulnerability (CVE-2026-41635) exists in Apache MINA versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5 due to missing class validation in the AbstractIoBuffer.resolveClass() method, potentially allowing attackers to execute arbitrary code on applications using Apache MINA.

CVE-2026-6992 is a command injection vulnerability in the Linksys MR9600 router that allows remote attackers to execute arbitrary OS commands by manipulating the 'pin' argument in the BTRequestGetSmartConnectStatus function.

Rclone versions prior to 1.73.5 are vulnerable to two critical unauthenticated remote code execution vulnerabilities (CVE-2026-41176 and CVE-2026-41179) when the remote control API is enabled without authentication, potentially allowing attackers to execute arbitrary commands and compromise the system.

A deserialization vulnerability exists in Ruby ERB versions before 4.0.3.1, version 4.0.4, ERB versions 5.0.0 before 6.0.1.1, and ERB versions 6.0.2 before 6.0.4. The `@_init` instance variable guard in `ERB#result` and `ERB#run` can be bypassed via `ERB#def_module`, `ERB#def_method`, and `ERB#def_class`, allowing arbitrary code execution when an ERB object is reconstructed via `Marshal.load` on untrusted data.

Gemini CLI is vulnerable to remote code execution via workspace trust and tool allowlisting bypasses, impacting headless mode and GitHub Actions workflows.

BridgeHead FileStore versions prior to 24A are vulnerable to unauthenticated remote code execution via exposed Apache Axis2 administration module with default credentials, enabling attackers to upload malicious web services and execute arbitrary OS commands.

OpenShell before 2026.3.28 is vulnerable to arbitrary code execution via mirror mode when converting untrusted sandbox files into workspace hooks, allowing attackers with mirror mode access to execute code during gateway startup.

OpenClaw before 2026.3.31 is vulnerable to remote code execution (CVE-2026-41352) because a device-paired node can bypass the node scope gate authentication mechanism, allowing attackers with device pairing credentials to execute arbitrary node commands.

CVE-2026-39987 is a pre-authentication remote code execution vulnerability in Marimo, enabling unauthenticated attackers to execute arbitrary system commands.

An authenticated remote attacker can exploit multiple vulnerabilities in Apache ActiveMQ to execute arbitrary program code or perform cross-site scripting attacks.

Multiple vulnerabilities in Cisco ASA, Secure Firewall Threat Defense, IOS, IOS XE, and IOS XR allow a remote attacker to bypass authentication and execute arbitrary code with administrator privileges.

Xerte Online Toolkits 3.15 and earlier contain an incomplete input validation vulnerability allowing unauthenticated attackers to upload malicious PHP code with a '.php4' extension, leading to arbitrary operating system command execution on the server.

A new Mirai-based malware campaign is exploiting CVE-2025-29635, a command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet.

Multiple vulnerabilities in n8n can be exploited by an attacker to execute arbitrary code, bypass security measures, disclose sensitive information, conduct SQL injection attacks, cause denial-of-service, perform cross-site scripting, redirect users, or hijack sessions.

An unauthenticated user can execute arbitrary commands with normal user privileges on vulnerable IBM Total Storage Service Console (TSSC) / TS4500 IMC versions due to improper validation of user-supplied input, as identified by CVE-2026-5935.

The CI4MS Backup restore function is vulnerable to Zip Slip, allowing remote code execution by uploading a malicious ZIP archive that writes PHP files to the public web root due to missing validation of entry names during extraction, affecting versions prior to 0.31.5.0.

Critical vulnerabilities CVE-2026-32613 and CVE-2026-32604 in Spinnaker allow authenticated attackers to execute arbitrary code due to insufficient input validation in expression parsing and gitrepo artifact handling, potentially leading to complete system compromise.

The HTTP Headers WordPress plugin is vulnerable to remote code execution (RCE) due to insufficient validation of the htpasswd file path and lack of sanitization of the username, allowing authenticated administrators to write arbitrary code to the server.

An insecure deserialization vulnerability exists in Progress Telerik UI for AJAX's RadFilter control (versions 2024.4.1114 through 2026.1.421) allowing remote code execution via tampering with the filter state exposed to the client.

WWBN AVideo versions up to 29.0 contain an OS Command Injection vulnerability (CVE-2026-41064) in the `test.php` file, allowing unauthenticated remote code execution due to insufficient input sanitization, especially affecting `file_get_contents` and `curl` code paths.

Vvveb CMS 1.0.8 is vulnerable to remote code execution, allowing authenticated attackers to upload a PHP webshell with a .phtml extension, bypass extension restrictions, and execute arbitrary operating system commands by requesting the uploaded file.

Dolibarr versions 22.0.4 and earlier are vulnerable to OS Command Injection via the MAIN_ODT_AS_PDF configuration, allowing an authenticated administrator to inject a malicious payload, leading to arbitrary operating system command execution.

Anviz CX2 Lite and CX7 devices are vulnerable to unverified update packages that allow for unauthenticated remote code execution by unpacking and executing a malicious script.

The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation, allowing authenticated attackers to read sensitive files or delete critical files leading to potential remote code execution.

A file upload validation bypass vulnerability exists in FlowiseAI, where the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type, enabling an attacker to upload .js files, store malicious Node.js web shells on the server, and potentially achieve Remote Code Execution (RCE).

A remote code execution vulnerability exists in Sagredo qmail versions prior to 2026.04.07 due to the use of `popen` in the `notlshosts_auto` function within `qmail-remote.c`, potentially leading to OS command injection.

Flowise versions 3.0.13 and earlier are vulnerable to authenticated arbitrary command execution due to unsafe serialization of stdio commands in the MCP adapter, allowing a malicious user to execute commands on the underlying operating system.

Multiple critical vulnerabilities in CISCO ISE (CVE-2026-20186, CVE-2026-20147, CVE-2026-20180) allow remote attackers with low privileges to execute arbitrary commands, potentially escalating privileges to root and causing denial-of-service.

A high privileged user can achieve remote code execution via sandbox bypass in JetBrains YouTrack before version 2025.3.131383, identified as CVE-2026-33392, potentially leading to complete system compromise.

A remote code execution vulnerability exists in FlowiseAI's AirtableAgent.ts due to insufficient input verification when using Pandas, allowing attackers to inject malicious code into the prompt and execute arbitrary code via Pyodide.

An authenticated remote attacker can exploit multiple vulnerabilities in Apache ActiveMQ to manipulate files or execute arbitrary code.

Weblate versions before 5.17 are susceptible to remote code execution due to unfiltered Git and Mercurial configuration files in project backups, potentially allowing attackers to execute arbitrary code under specific conditions.

CVE-2026-33120 is an untrusted pointer dereference vulnerability in Microsoft SQL Server that allows an authenticated attacker to achieve remote code execution over a network.

CVE-2026-6264, a critical deserialization vulnerability in Talend JobServer and Runtime, allows unauthenticated remote code execution via the JMX monitoring port, leading to complete system compromise.

Adobe ColdFusion versions 2023.18, 2025.6, and earlier are vulnerable to improper input validation, potentially leading to arbitrary code execution without user interaction.

A path traversal vulnerability in UniFi Play devices allows an attacker with network access to write arbitrary files, leading to remote code execution.

A remote code execution vulnerability exists in NocoBase plugin-workflow-javascript versions up to 2.0.23 due to a sandbox escape in the createSafeConsole function, allowing unauthenticated attackers to potentially execute arbitrary code on the server.

The Smart Post Show WordPress plugin versions 3.0.12 and earlier are vulnerable to PHP Object Injection via deserialization of untrusted input in the import_shortcodes() function, potentially leading to remote code execution if a suitable POP chain is present.

Adobe patched CVE-2026-34621, a zero-day vulnerability in Acrobat and Reader exploited since December, allowing malicious PDFs to bypass sandboxes and execute arbitrary code, potentially leading to local file theft.

A vulnerability in math.js versions before 15.2.0 allows for arbitrary JavaScript execution through the expression parser when evaluating user-supplied expressions.

LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI, potentially leading to complete system compromise.

Chamilo LMS versions prior to 2.0.0-RC.3 are vulnerable to remote code execution (RCE) via eval injection, where an authenticated administrator can inject arbitrary PHP code into platform settings that is then executed when any user (including unauthenticated) requests the /platform-config/list endpoint.

PraisonAI is vulnerable to remote code execution; loading untrusted YAML files with `type: job` can lead to arbitrary host command execution, potentially enabling full system compromise.

A vulnerability in PraisonAI allows authenticated users to execute arbitrary shell commands due to a hardcoded approval setting in the Chainlit UI modules, overriding administrator configurations and bypassing intended approval gates; insufficient command sanitization allows for destructive command execution, leading to confidentiality breach, integrity compromise, and availability impact on the server.

OpenClaw before 2026.3.22 is vulnerable to arbitrary code execution due to an unvalidated WebView JavascriptInterface, allowing attackers to inject malicious instructions by invoking the canvas bridge from untrusted pages.

A stack-based buffer overflow vulnerability in the Tenda F451 router (version 1.0.0.7) allows remote attackers to execute arbitrary code by manipulating the 'page' argument in the fromRouteStatic function of the /goform/RouteStatic file.

OpenClaw versions prior to 2026.4.8 are vulnerable to remote code execution (RCE) via build tool environment variable injection due to missing denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS, allowing hostile environment variables to influence host exec commands.

An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC to achieve arbitrary command execution on the device.

PraisonAI is vulnerable to OS command injection due to the use of `subprocess.run()` with `shell=True` on user-controlled inputs, allowing attackers to inject arbitrary shell commands and potentially leading to sensitive data exfiltration or system compromise in versions prior to 4.5.121.

CVE-2026-32590 describes a deserialization vulnerability in Red Hat Quay's handling of resumable container image layer uploads, potentially allowing an attacker to execute arbitrary code on the Quay server by tampering with intermediate data stored in the database.

XWiki is vulnerable to remote code execution due to an improperly protected scripting API, allowing users with script rights to bypass the Velocity scripting API sandbox and execute arbitrary code, leading to full instance compromise.

A remote code execution vulnerability (CVE-2026-34197) in Apache ActiveMQ Classic allows authenticated attackers to invoke management operations through the Jolokia API to retrieve a remote configuration file and execute OS commands, potentially exploitable without authentication via CVE-2024-32114.

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection (CVE-2026-3296) in versions up to 3.4.3, allowing unauthenticated attackers to execute arbitrary code by injecting serialized PHP objects via form fields.

IBM Langflow Desktop versions 1.6.0 through 1.8.2 is vulnerable to arbitrary code execution due to insecure deserialization of untrusted data, allowing an authenticated user to execute code on the system.

A memory corruption vulnerability (CVE-2026-32862) in NI LabVIEW versions 2026 Q1 (26.1.0) and prior, stemming from an out-of-bounds write in ResFileFactory::InitResourceMgr(), can lead to information disclosure or arbitrary code execution if a user opens a malicious VI file.

A critical pre-authentication remote code execution vulnerability in ChurchCRM versions prior to 7.1.0 allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise.

A path traversal vulnerability in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to upload arbitrary files, leading to remote code execution by overwriting Apache .htaccess files.

Windmill CE/EE versions 1.276.0 through 1.603.2 are vulnerable to SQL injection in the folder ownership management, allowing authenticated attackers to inject SQL through the owner parameter, leading to sensitive data access, token forgery, and arbitrary code execution.

A critical vulnerability, CVE-2026-35616, exists in Fortinet FortiClient EMS (Endpoint Management Server) allowing unauthenticated attackers to bypass API authentication and authorization checks to execute arbitrary code or commands, potentially leading to full compromise of the EMS infrastructure.

Weaver E-cology 10.0 before 20260312 is vulnerable to unauthenticated remote code execution, allowing attackers to execute arbitrary commands by crafting a POST request to the /papi/esearch/data/devops/dubboApi/debug/method endpoint.

CVE-2025-65115 is a remote code execution vulnerability affecting multiple versions of JP1/IT Desktop Management and related products on Windows, potentially allowing attackers to execute arbitrary code on vulnerable systems.

The Ninja Forms File Uploads plugin for WordPress is vulnerable to unauthenticated arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.

CVE-2026-5709 is a critical vulnerability in AWS Research and Engineering Studio (RES) versions 2024.10 through 2025.12.01, allowing remote authenticated attackers to execute arbitrary commands on the cluster-manager EC2 instance through the FileBrowser API.

Brave CMS versions prior to 2.0.6 contain an unrestricted file upload vulnerability within the CKEditor upload functionality in the ckupload method, allowing authenticated users to upload executable PHP scripts and achieve Remote Code Execution.

GLPI versions 11.0.0 to before 11.0.6 are vulnerable to remote code execution (RCE) via template injection by an authenticated administrator, allowing for arbitrary code execution on the server.

VA MAX 8.3.4 is vulnerable to remote code execution (CVE-2019-25671), allowing authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the mtu_eth0 parameter via a POST request to changeip.php.

A command injection vulnerability exists in Budibase's bash automation step due to insufficient sanitization, allowing attackers with automation modification access to inject arbitrary shell commands, leading to remote code execution.

pyLoad is vulnerable to arbitrary code execution via an unprotected `storage_folder` configuration option, allowing an attacker with `SETTINGS` and `ADD` permissions to write a malicious pickle payload to the Flask session store and execute arbitrary code upon subsequent HTTP requests.

Budibase versions before 3.33.4 are susceptible to unauthenticated remote code execution, where a threat actor can trigger a Bash step within an automation via the public webhook endpoint, leading to code execution as root within the container.

Endian Firewall version 3.3.25 and prior allows authenticated users to execute arbitrary OS commands due to an OS command injection vulnerability in the DATE parameter of the /cgi-bin/logs_proxy.cgi endpoint.

Authenticated users can upload malicious files to a ShareFile Storage Zones Controller server and execute them, leading to remote code execution, due to improper neutralization of special elements, code generation, and unrestricted file upload.

An unauthenticated attacker can access restricted configuration pages in Customer Managed ShareFile Storage Zones Controller (SZC), leading to system configuration changes and potential remote code execution.

CVE-2026-33613 describes a remote code execution (RCE) vulnerability due to improper neutralization of special elements used in an OS command in the generateSrpArray function, leading to full system compromise, but requires a separate method for writing arbitrary data to the user table.

The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation, allowing unauthenticated attackers to move arbitrary files on the server, potentially leading to remote code execution.

Unauthenticated command execution is possible in IBM Verify Identity Access Container and IBM Security Verify Access Container due to improper validation of user-supplied input, allowing arbitrary command execution with lower privileges.

CVE-2026-20160 is a critical vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) that allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges by sending a crafted request to an exposed API.

This rule detects a potential JAVA/JNDI exploitation attempt by identifying outbound network connections by JAVA to LDAP, RMI, or DNS standard ports followed by suspicious JAVA child processes such as shell interpreters and scripting languages, which may indicate a Java Naming and Directory Interface (JNDI) injection vulnerability exploitation attempt.

F5 has reclassified CVE-2025-53521, a vulnerability in BIG-IP APM, as a critical unauthenticated remote code execution vulnerability and reports it is being actively exploited in the wild.

Multiple vulnerabilities in CrewAI, an open-source multi-agent orchestration framework, can be exploited by attackers through prompt injection to execute arbitrary code and perform other malicious activities, potentially leading to system compromise.

XenForo before 2.3.9 and 2.2.18 allows remote code execution by authenticated, malicious admin users with admin panel access.

SiYuan versions prior to 3.6.2 are vulnerable to remote code execution (RCE) via a malicious website exploiting a permissive CORS policy to inject a JavaScript snippet, leading to arbitrary code execution within the application's Node.js context.

Vulnerabilities in Vim (<=9.2.0271) and GNU Emacs allow remote code execution by opening a specially crafted file, leveraging flaws in modeline handling and Git integration, respectively.

CVE-2026-4800 allows attackers to inject arbitrary code at template compilation time via untrusted input passed as key names in the options.imports object of the _.template function in lodash versions prior to 4.18.0, potentially leading to remote code execution.

A vulnerability in versions prior to 0.2.86 of the act project allows remote attackers to create arbitrary caches, potentially leading to remote code execution within Docker containers by poisoning predicted cache keys.

baserCMS versions prior to 5.2.3 are vulnerable to arbitrary code execution via a crafted zip file upload through the restore function, leading to unauthenticated remote command execution on the webserver.

The Contact Form by Supsystic WordPress plugin is vulnerable to Server-Side Template Injection (SSTI) via the `cfsPreFill` parameter, leading to unauthenticated Remote Code Execution (RCE).

Giskard-agents versions 0.3.3 and earlier, and versions 1.0.1a1 through 1.0.2a1 are vulnerable to remote code execution via server-side template injection where the ChatWorkflow.chat() method passes user-supplied strings directly to a non-sandboxed Jinja2 Environment, allowing attackers to execute arbitrary code on the server.

A chained attack leveraging SQL Expressions and a Grafana Enterprise plugin, tracked as CVE-2026-27876, can lead to remote arbitrary code execution on vulnerable Grafana instances with the sqlExpressions feature enabled.

OpenClaw is vulnerable to symlink traversal via IDENTITY.md appendFile in agents.create/update. An attacker who can place a symlink in the agent workspace can hijack the IDENTITY.md path to append attacker-controlled content to arbitrary files on the system leading to remote code execution, persistent code execution, unauthorized SSH access, or service disruption.

Multiple critical vulnerabilities in n8n, including prototype pollution, code injection, and SQL injection, allow authenticated users to achieve remote code execution, read sensitive files, and perform unauthorized database operations.

vLLM versions before 0.18.0 are vulnerable to remote code execution due to hardcoded trust of remote code, even when explicitly disabled by the user, allowing attackers to execute arbitrary code via malicious model repositories.

CVE-2023-7338 is a remote code execution vulnerability affecting Ruckus Unleashed when gateway mode is enabled, allowing authenticated remote attackers to execute arbitrary code by sending specially crafted requests through the web-based management interface.

A prototype pollution vulnerability in the n8n GSuiteAdmin node allows authenticated users with workflow creation/modification permissions to achieve remote code execution (RCE) by injecting attacker-controlled values into `Object.prototype`.

EVerest versions before 2026.02.0 are vulnerable to a stack-based buffer overflow (CVE-2026-22790) in the `HomeplugMessage::setup_payload` function, enabling remote code execution via network frames with oversized SLAC payloads.

A command injection vulnerability exists in Foreman's WebSocket proxy, enabling remote code execution on the Foreman server via a malicious compute resource server when a user accesses VM VNC console functionality.

An authenticated user with workflow creation/modification permissions can exploit insufficient restrictions in the n8n Merge node's AlaSQL sandbox to achieve remote code execution by reading local files or executing commands on the n8n host.

CVE-2026-4840 is a critical command injection vulnerability in the Netcore Power 15AX router that allows remote attackers to execute arbitrary OS commands by manipulating the IpAddr argument in the setTools function of the /bin/netis.cgi file.

The code16/sharp Laravel admin panel package contains a vulnerability in its file upload endpoint that allows authenticated users to bypass all file type restrictions by manipulating the validation_rule parameter, potentially leading to Remote Code Execution (RCE) if the storage disk is configured to be publicly accessible.

Firefox 148 and Thunderbird 148 contain memory safety bugs that could potentially be exploited to execute arbitrary code, impacting versions prior to 149.

A remote code execution vulnerability in Microsoft SharePoint (CVE not specified) is being actively exploited by unauthenticated attackers, prompting urgent patching recommendations for internet-facing servers.

A remote code execution vulnerability exists in Craft CMS versions 5.6.0 through 5.9.12, where any authenticated user with control panel access can exploit the vulnerability by injecting malicious behavior via the `fieldLayouts` parameter in `ElementIndexesController::actionFilterHud()` due to the unsanitized parameter being passed to `FieldLayout::createFromConfig()`.

A critical JIT miscompilation vulnerability (CVE-2026-4698) in the JavaScript engine affects Firefox and Thunderbird, potentially leading to remote code execution.

PhreeBooks ERP 5.2.3 is vulnerable to remote code execution, allowing authenticated attackers to upload and execute arbitrary PHP files via the image manager, leading to reverse shell connections and system command execution.

PhreeBooks ERP 5.2.3 is vulnerable to arbitrary file upload in the Image Manager component, allowing authenticated attackers to upload malicious PHP files leading to remote code execution.

A remote command injection vulnerability exists in TOTOLINK X6000R routers, specifically versions 9.4.0cu.1360_B20241207 and 9.4.0cu.1498_B20250826, allowing attackers to execute arbitrary commands via manipulation of the Hostname argument in the setLanCfg function.

The ReviewX WordPress plugin is vulnerable to arbitrary method calls, allowing unauthenticated attackers to potentially achieve remote code execution.

CVE-2026-21992 allows an unauthenticated attacker to gain network access via HTTP and execute code remotely on Oracle Identity Manager and Oracle Web Services Manager.

A critical remote code execution vulnerability, CVE-2026-33017, exists in Langflow AI pipelines prior to version 1.9.0 that allows an unauthenticated remote attacker to execute code with full server process privileges, impacting availability, integrity, and confidentiality.

An unauthenticated remote attacker can exploit an OS command injection vulnerability (CVE-2026-32968) in the com_mb24sysapi module of Joomla, leading to remote code execution and full system compromise.

A stack-based buffer overflow vulnerability exists in Belkin F9K1122 version 1.00.33, allowing remote attackers to execute arbitrary code by manipulating the 'webpage' argument in the 'formWISP5G' function.

A remote code execution vulnerability exists in the GNU Inetutils Telnet server, potentially allowing unauthenticated attackers to execute arbitrary code on vulnerable systems.

Multiple critical vulnerabilities in Veeam Backup & Replication, including CVE-2026-21666, CVE-2026-21668, CVE-2026-21669, CVE-2026-21670, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708, allow for remote code execution, privilege escalation, and arbitrary file manipulation by authenticated users, potentially leading to a complete compromise of the backup infrastructure.

A critical unauthenticated remote code execution vulnerability, CVE-2026-21902, exists in Juniper Networks Junos OS Evolved PTX Series, allowing a network-based attacker to execute code as root, requiring immediate patching and increased monitoring.

A critical remote code execution vulnerability exists in Cisco Catalyst SD-WAN Controllers (CVE-2026-20127) due to improper authentication, allowing unauthenticated remote attackers to bypass authentication and gain administrative privileges, potentially leading to network configuration manipulation.

Multiple critical vulnerabilities in SolarWinds Serv-U MFT and FTP Server allow remote code execution, potentially leading to system compromise.

Multiple vulnerabilities in VMware Aria Operations, Cloud Foundation, and Telco Cloud Platform/Infrastructure could allow unauthenticated remote code execution (CVE-2026-22719) and privilege escalation (CVE-2026-22720, CVE-2026-22721).

Critical vulnerabilities, CVE-2026-27636 and CVE-2026-27637, exist in FreeScout Help Desk that could be exploited to achieve remote code execution, potentially leading to data exfiltration and system compromise.

CVE-2023-46604 is a remote code execution vulnerability affecting Apache ActiveMQ that is actively exploited in the wild by ransomware operators, allowing remote attackers to execute arbitrary shell commands.

Multiple vulnerabilities in GStreamer could be exploited by a remote, anonymous attacker to execute arbitrary code or cause a denial of service condition.

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.

PhpSpreadsheet is vulnerable to Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) due to improper validation of filenames in the IOFactory::load function, exploitable via PHP wrappers like `phar://` and `ftp://`.

Xerte Online Toolkits versions 3.15 and earlier are vulnerable to unauthenticated remote code execution due to a missing authentication check in the elFinder connector, allowing arbitrary file operations that can be chained with other vulnerabilities.

CVE-2026-31609 is a critical double-free vulnerability in the SMB client, specifically within the smbd_free_send_io() function after smbd_send_batch_flush(), potentially leading to arbitrary code execution.

A command injection vulnerability in the `_extractLLM()` function of the evolver application allows remote attackers to execute arbitrary shell commands by injecting shell metacharacters into the `corpus` parameter, leading to potential system compromise.

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to 1.1.3, allowing unauthenticated attackers to upload arbitrary PHP files by manipulating the file type parameter and exploiting extension sanitization vulnerabilities.

An unauthenticated PHP Object Injection vulnerability exists in the Profile Builder Pro WordPress plugin (versions up to 3.14.5) due to the insecure use of `maybe_unserialize()` on the 'args' POST parameter in the `wppb_request_users_pins_action_callback()` AJAX handler, potentially leading to arbitrary code execution.

Weaver E-office versions prior to 10.0_20221201 are vulnerable to unauthenticated arbitrary file upload in the OfficeServer.php endpoint, allowing attackers to upload PHP webshells and achieve remote code execution.

VM2 is vulnerable to a sandbox breakout via the `__lookupGetter__` method, enabling attackers to execute arbitrary commands on the host system by exploiting context switching and property descriptor manipulation, leading to remote code execution.

A remote OS command injection vulnerability exists in Totolink A8000RU version 7.1cu.643_b20200521 via manipulation of the 'proto' argument in the /cgi-bin/cstecgi.cgi CGI handler, potentially leading to complete system compromise.

OpenMRS is vulnerable to a Stored Velocity SSTI to RCE via ConceptReferenceRange, where the `ConceptReferenceRangeUtility.evaluateCriteria()` method evaluates database-stored criteria strings as Apache Velocity templates without a sandbox, allowing unrestricted Java reflection through template expressions, leading to persistent remote code execution and privilege escalation when a user with the `Manage Concepts` privilege stores a malicious Velocity template expression in a concept's reference range criteria field.

Authenticated users with low-privilege API keys could execute arbitrary commands on the host running LiteLLM via the `/mcp-rest/test/connection` and `/mcp-rest/test/tools/list` endpoints, by submitting a server configuration including command execution parameters.

A critical RCE vulnerability in OpenLearnX allows for sandbox escape and arbitrary command execution in versions prior to 2.0.3.

The ExactMetrics plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation via a REST API endpoint, potentially leading to remote code execution by authenticated attackers.

ELBA5 version 5.8.0 contains a remote code execution vulnerability (CVE-2018-25272) that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions, potentially leading to complete system compromise.

A critical vulnerability exists in ci4ms Theme::upload, where improper validation of ZIP archive entry names allows authenticated users with theme creation permissions to write files to arbitrary locations, leading to remote code execution.