Remote Code Execution (RCE)
Remote Code Execution (RCE) is the ability for an attacker to execute arbitrary commands or code on a target machine or process. RCE vulnerabilities represent the most critical class of security bugs — they give an attacker the same level of control as a system administrator.
RCE can manifest through many different attack vectors. Command injection occurs when user input is passed unsanitized to system shell commands. Deserialization attacks exploit unsafe object reconstruction in languages like Java, PHP, Python, and .NET. Server-Side Template Injection (SSTI) allows code execution through template engines like Jinja2, Twig, or Freemarker. File upload vulnerabilities can lead to RCE when executable files bypass upload filters and are served by the web server.
In modern applications, RCE often appears in less obvious places: expression language injection in Java frameworks, prototype pollution leading to code execution in Node.js, unsafe use of eval() or dynamic code loading, and vulnerabilities in PDF generators, image processors, and other libraries that shell out to system commands.
RCE bugs consistently command the highest payouts in bug bounty programs because the impact is total system compromise. Chaining lower-severity bugs into RCE — such as SSRF to cloud metadata to code execution — is a common and highly rewarded approach.
This page collects RCE techniques, exploitation writeups, and research across all major platforms and languages.
From Wikipedia
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-05-20 NEW 2026 | Max-severity vulnerability in ChromaDB allows unauthenticated remote code execution news | A critical vulnerability has been discovered in ChromaDB, a popular vector database. This max-severity bug permits unauthenticated remote code execution, meaning attackers can potentially compromise the system without needing any credentials. The discovery highlights a significant security risk for users of ChromaDB, enabling them to execute arbitrary code on the vulnerable server. No specific bounty payout amount is mentioned in the provided content. → scworld.com |
| 2026-05-20 NEW 2026 | Critical RCE SQL Injection and Privilege Escalation Vulnerabilities Affecting Ivanti Endpoint Manager Fortinet FortiClient EMS (CVE-2026-21643) SAP VMware and n8n: CVE Analysis Exploitation and Patch Guidance news | This content highlights critical vulnerabilities impacting Ivanti Endpoint Manager, Fortinet FortiClient EMS (CVE-2026-21643), SAP, VMware, and n8n. The vulnerabilities include Remote Code Execution (RCE), SQL Injection, and Privilege Escalation. The article provides an analysis of these CVEs, details on how they can be exploited, and guidance on patching to mitigate these security risks. No specific bug bounty payout amounts are mentioned. → rescana.com |
| 2026-05-20 NEW 2026 | New NGINX Vulnerability Allow Remote Attackers to Trigger Malicious Code news | A critical vulnerability has been discovered in NGINX, a popular web server. This flaw, identified as CVE-2023-40547, allows remote attackers to execute arbitrary code on vulnerable servers. The vulnerability arises from improper handling of HTTP requests, potentially leading to denial-of-service conditions or complete system compromise. Users are strongly advised to update their NGINX installations to the latest version to patch this critical security hole. → cybersecuritynews.com |
| 2026-05-20 NEW 2026 | New NGINX Vulnerability Exposes Servers to Malicious Code Execution news | A new vulnerability in NGINX, a popular web server, has been discovered that allows for malicious code execution. This flaw could potentially compromise servers running NGINX, exposing them to security risks. Further details on the specific nature of the vulnerability and its impact are available via the provided link. No bug bounty payout amount was specified. → gbhackers.com |
| 2026-05-20 NEW 2026 | CVE-2026-45829: ChromaDB FastAPI ChromaToast RCE Exploit Now news | This content announces a remote code execution (RCE) exploit for CVE-2026-45829, affecting ChromaDB's FastAPI ChromaToast component. The exploit allows for compromising the system remotely. No specific bounty payout amount is mentioned in the provided text. → thecyberexpress.com |
| 2026-05-20 NEW 2026 | New NGINX Vulnerability Allows Remote Code Execution Attacks news | A newly discovered vulnerability in NGINX allows for remote code execution (RCE) attacks. The vulnerability, detailed in the linked article, presents a significant security risk to servers running the popular web server software. While the content highlights the exploit's potential, it does not mention a specific bug bounty payout amount. Users are advised to stay informed about patches and updates to mitigate this threat. → cyberpress.org |
| 2026-05-20 NEW 2026 | PoC Exploit Released for 20-Year Old PostgreSQL RCE Vulnerability intermediate | A Proof-of-Concept (PoC) exploit has been released for a 20-year-old remote code execution (RCE) vulnerability in PostgreSQL. This exploit targets a long-standing flaw, making it accessible to a wider range of attackers. While the content provides a link, it does not mention any specific bug bounty payout amounts. → cybersecuritynews.com |
| 2026-05-20 NEW 2026 | Mozilla Products Multiple Vulnerabilities news | Bulletin detailing multiple vulnerabilities affecting Mozilla Products including Firefox, Firefox ESR, Firefox for iOS, and Thunderbird. Exploitable by remote attackers, these issues can lead to denial of service, remote code execution, information disclosure, security restriction bypass, elevation of privilege, and spoofing. Specific CVEs such as CVE-2026-8388, CVE-2026-8391, and CVE-2026-8401 are listed, with patches available for affected versions including Firefox 151 and Thunderbird 151. → hkcert.org |
| 2026-05-19 NEW 2026 | TP-Link Photoshop OpenVPN Norton VPN vulnerabilities news | Writeup detailing eight vulnerabilities in TP-Link Archer AX53 routers, including stack-based buffer overflow (CVE-2026-30814) and OS command injection (CVE-2026-30815, CVE-2026-30816, CVE-2026-30817, CVE-2026-30818, TALOS-2025-2307, TALOS-2025-2308, TALOS-2025-2309). It also covers privilege escalation in Adobe Photoshop via the Microsoft Store (CVE-2026-34632), a reachable assertion leading to DoS in OpenVPN (CVE-2026-35058), and privilege escalation in Norton VPN via the Microsoft Store (CVE-2025-58074). → blog.talosintelligence.com |
| 2026-05-19 NEW 2026 | Unpatched ChromaDB Vulnerability Can Lead to Server Takeover news | Writeup of CVE-2026-45829, dubbed ChromaToast, a pre-authentication RCE vulnerability in ChromaDB. This flaw allows unauthenticated attackers to execute arbitrary code, gain shell access, and compromise sensitive data, including API keys and secrets. Exploitation involves tricking the server into downloading and executing a malicious HuggingFace model before authentication. The vulnerability affects ChromaDB versions since 1.0.0, with an estimated 73% of internet-accessible deployments exposed. HiddenLayer and researcher Azraelxuemo have reported the issue without response from Chroma. → securityweek.com |
| 2026-05-19 NEW 2026 | Critical SEPPmail Gateway Flaws Allow Remote Code Execution and Mail Traffic Theft news | Flaws in SEPPmail Secure Email Gateway, including CVE-2026-2743 (pre-authenticated RCE via arbitrary file write) and CVE-2026-44128 (unauthenticated RCE through Perl code injection), permit remote code execution and mail traffic interception. Other vulnerabilities like CVE-2026-44127 (LFI) and CVE-2026-7864 (debug exposure) enable access to sensitive files and environment variables. These issues affect versions prior to the 15.x patched releases, allowing attackers to gain control, read or modify traffic, and access credentials. → cybersecuritynews.com |
| 2026-05-19 NEW 2026 | PoC Code Published for Critical NGINX Vulnerability news | Writeup detailing CVE-2026-42945, a critical heap buffer overflow in NGINX's `ngx_http_rewrite_module` that can lead to denial-of-service or remote code execution. The vulnerability arises from a two-pass script engine process where an undersized buffer is allocated due to an unpropagated flag when a rewrite replacement contains a question mark. Exploitation involves manipulating request URIs with escapable characters to control the overflow size and employing cross-request heap feng shui to corrupt cleanup pointers for RCE. Patched versions include NGINX Plus 37.0.0 and NGINX open source 1.31.0. → securityweek.com |
| 2026-05-19 NEW 2026 | Critical Marimo Security Vulnerability Enables Remote Code Execution Attacks news | Vulnerability CVE-2026-39987 is a pre-authentication remote code execution flaw in Marimo versions ≤ 0.22.x, specifically within the `/terminal/ws` WebSocket endpoint. An attacker can exploit this by connecting to the unauthenticated endpoint, which spawns a system-level shell, enabling arbitrary command execution and potential deployment of malware like NKAbuse, with payloads hosted on Hugging Face Spaces. This critical gap in authentication allows attackers to gain full control of exposed systems, often used for AI and data science prototyping. → cybersecuritynews.com |
| 2026-05-19 NEW 2026 | SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access news | Writeup of SEPPMail Secure E-Mail Gateway vulnerabilities including CVE-2026-2743 for path traversal leading to RCE, CVE-2026-7864 for information exposure, CVE-2026-44125 for missing authorization, CVE-2026-44126 for deserialization, CVE-2026-44127 for path traversal and file deletion, CVE-2026-44128 for eval injection, and CVE-2026-44129 for template engine vulnerabilities. These flaws allow unauthenticated attackers to execute arbitrary code, read mail traffic, and gain network access, with some fixed in versions 15.0.2.1, 15.0.3, and 15.0.4. → thehackernews.com |
| 2026-05-19 NEW 2026 | 20-Year-Old PostgreSQL Flaw Gets Public PoC Exploit for Remote Code Execution news | Library for exploiting CVE-2026-2005, a two-decade-old PostgreSQL flaw in the pgcrypto extension leading to remote code execution. This vulnerability allows attackers to achieve arbitrary read/write memory access via a heap-based buffer overflow in PGP session key parsing, ultimately escalating privileges to PostgreSQL superuser. The public PoC, demonstrating a multi-stage exploit that bypasses ASLR, leverages crafted PGP messages and PostgreSQL’s "COPY FROM PROGRAM" feature to execute arbitrary OS commands. → gbhackers.com |
| 2026-05-19 NEW 2026 | Attackers are exploiting critical NGINX vulnerability (CVE-2026-42945) news | Writeup of CVE-2026-42945, a critical NGINX vulnerability dubbed NGINX Rift. Attackers are exploiting this memory corruption flaw to trigger denial-of-service conditions and potentially achieve unauthenticated remote code execution via crafted HTTP requests. The vulnerability affects NGINX Open Source and NGINX Plus, as well as certain F5 products, stemming from a bug in the `ngx_http_rewrite_module` and specifically triggered by rewrite directives with unnamed regex captures and question marks. Fixes are available for NGINX Open Source and Plus, with mitigations including the use of named captures. → helpnetsecurity.com |
| 2026-05-19 NEW 2026 | SEPPmail Gateway Flaws Expose Organizations to RCE and Email Traffic Interception news | Writeup of SEPPmail Gateway vulnerabilities including CVE-2026-2743, CVE-2026-7864, CVE-2026-44127, and CVE-2026-44128, allowing pre-authenticated RCE via arbitrary file write in the LFT module and Perl code injection in the GINA v2 interface. Attackers can chain these flaws to gain full control of email gateways, intercept sensitive email traffic, and access confidential communications and credentials, posing significant risks to organizations, particularly in the DACH region. → gbhackers.com |
| 2026-05-19 NEW 2026 | Critical n8n Vulnerabilities Expose Automation Nodes to Full RCE news | Writeup on critical n8n vulnerabilities CVE-2026-44789, CVE-2026-44790, and CVE-2026-44791, which allow attackers to achieve full remote code execution. These flaws impact the HTTP Request node via prototype pollution (CWE-1321), the Git node through argument injection (CWE-88) for arbitrary file reads, and the XML node with a patch bypass. Versions below 1.123.43, 2.20.7, and 2.22.1 are affected. → cybersecuritynews.com |
| 2026-05-18 NEW 2026 | Hackers Actively Exploiting Critical NGINX RCE Vulnerability in the Wild news | Writeup on CVE-2026-42945, a critical NGINX heap buffer overflow vulnerability actively exploited in the wild. Researchers have observed real-world attacks allowing unauthenticated attackers to crash NGINX worker processes via crafted HTTP requests. While full remote code execution is unlikely due to ASLR, denial-of-service conditions are readily achievable. Exploitation requires specific NGINX rewrite configurations, but the large number of potentially vulnerable internet-facing NGINX servers necessitates urgent patching and mitigation. → cybersecuritynews.com |
| 2026-05-18 NEW 2026 | Critical NGINX Vulnerability Lets Hackers Launch Remote Code Execution Attacks news | Writeup on CVE-2026-42945, a critical NGINX vulnerability allowing unauthenticated attackers to crash servers or execute remote code via specially crafted HTTP requests triggering a heap buffer overflow. Exploitation is possible under specific conditions, such as ASLR being disabled, and requires a particular rewrite configuration. Millions of NGINX servers are exposed, and active exploitation has been observed, necessitating prompt patching and configuration audits. → gbhackers.com |
| 2026-05-18 NEW 2026 | Ivanti Fortinet SAP VMware n8n Patch RCE SQL Injection Privilege Escalation Flaws news | Patches released for Ivanti Xtraction (CVE-2026-8043), Fortinet (CVE-2026-44277, CVE-2026-26083), SAP (CVE-2026-34260, CVE-2026-34263), VMware Fusion (CVE-2026-41702), and n8n (CVE-2026-42231, CVE-2026-42232, CVE-2026-44791, CVE-2026-44789, CVE-2026-44790) address critical vulnerabilities including SQL injection, prototype pollution, authentication bypass, and privilege escalation. → thehackernews.com |
| 2026-05-18 NEW 2026 | Marimo Security Flaw Enables remote code execution Attacks news | Writeup on CVE-2026-39987, a critical pre-authentication RCE in Marimo, a Python notebook framework, allowing unauthenticated attackers to hijack a live system shell via an unprotected `/terminal/ws` WebSocket endpoint. Exploitation can lead to full system compromise, data exfiltration, and lateral movement, especially in Dockerized AI/ML environments. A Nuclei detection template is available. All Marimo versions ≤ 0.22.x are affected; upgrade to 0.23.0 or later. → cyberpress.org |
| 2026-05-18 NEW 2026 | Hackers Exploit Critical NGINX RCE Vulnerability in the Wild news | Writeup of CVE-2026-42945, "NGINX Rift," detailing a critical heap buffer overflow in the `ngx_http_rewrite_module`. This vulnerability, affecting numerous NGINX versions, enables remote code execution when ASLR is disabled and a denial-of-service condition via worker process crashes otherwise. Exploitation is actively occurring in the wild, with a proof-of-concept readily available. Patched versions of NGINX are now available, and Cloudflare has released a WAF rule update. → cyberpress.org |
| 2026-05-18 NEW 2026 | Critical Marimo RCE Flaw Could Let Attackers Execute Malicious Code Remotely news | Library for mitigating CVE-2026-39987, a critical RCE flaw in the Marimo Python notebook framework. This vulnerability allows unauthenticated attackers to spawn a system-level shell via the `/terminal/ws` WebSocket endpoint, potentially leading to full infrastructure compromise. Exploitation has been observed with NKAbuse malware, leveraging simple WebSocket clients to execute commands. Affected Marimo versions prior to 0.23.0 require immediate upgrading, with interim mitigations including network access restrictions and non-root execution. → gbhackers.com |
| 2026-05-18 NEW 2026 | n8n Security Flaws Could Let Attackers Achieve Remote Code Execution news | Writeup of n8n security flaws (CVE-2026-44789, CVE-2026-44790, CVE-2026-44791) detailing how prototype pollution, argument injection in the Git node, and patch bypass in the XML node can be chained for remote code execution. These critical vulnerabilities, requiring only low-privilege authenticated access, enable attackers to perform arbitrary file reads and compromise the entire n8n instance by manipulating workflow logic. → gbhackers.com |
| 2026-05-18 NEW 2026 | Exploitation of Critical NGINX Vulnerability Begins news | Writeup detailing the active exploitation of CVE-2026-42945, known as Nginx Rift, a critical-severity heap buffer overflow in NGINX's `ngx_http_rewrite_module`. This vulnerability, present for 16 years and patched by F5, can lead to denial-of-service or remote code execution depending on system configurations like ASLR. VulnCheck warns that threat actors are already leveraging this flaw via crafted HTTP requests, with public proof-of-concept code enabling potential RCE and demanding urgent attention for affected NGINX deployments. → securityweek.com |
| 2026-05-18 NEW 2026 | Experts warn of active exploitation of critical NGINX flaw CVE-2026-42945 news | Writeup of CVE-2026-42945, the "NGINX Rift" heap buffer overflow vulnerability affecting NGINX Plus and NGINX Open Source. Actively exploited shortly after disclosure, the flaw resides in `ngx_http_rewrite_module` and is triggered by specific rewrite directive configurations involving unnamed PCRE capture groups and question marks. While remote code execution is possible, it requires disabling Address Space Layout Randomization (ASLR) and knowledge of the vulnerable configuration, making widespread RCE attacks unlikely according to experts. → securityaffairs.com |
| 2026-05-18 NEW 2026 | Claude Code Vulnerability Allows Attackers to Run Commands Through Crafted Deeplinks news | Writeup of Claude Code RCE vulnerability allowing arbitrary command execution via crafted deeplinks, exploiting a flaw in `eagerParseCliFlag` that mishandles `--settings=` within URL parameters. This technique, discovered by Joernchen, impacts Claude Code versions prior to 2.1.118 and demonstrates the risks of naive string parsing for CLI arguments, particularly when combined with deeplink handlers that inject user-controlled input into critical application logic. → gbhackers.com |
| 2026-05-18 NEW 2026 | Claude Code RCE Vulnerability Allow Attackers Execute Commands via Malicious Deeplinks news | Writeup of RCE in Anthropic's Claude Code, allowing attackers to execute arbitrary shell commands via crafted `claude-cli://` deeplinks. The vulnerability, disclosed by Joernchen, exploited an `eagerParseCliFlag` function that naively processed `--settings=` flags embedded within deeplink parameters, bypassing workspace trust dialogs on macOS. Anthropic fixed the flaw in version 2.1.118. → cyberpress.org |
| 2026-05-18 NEW 2026 | US cyber agency warns of active exploitation of Microsoft Exchange Server spoofing vulnerability news | Catalog entry for CVE-2026-42897, a Microsoft Exchange Server spoofing vulnerability allowing arbitrary JavaScript execution in Outlook Web Access. Exploitable via specially crafted emails, this cross-site scripting flaw has a CVSS score of 8.1 and is actively being exploited. Microsoft offers a temporary mitigation and is developing a permanent fix. |
| 2026-05-18 NEW 2026 | Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks news | Library for understanding the Claude Code RCE vulnerability, which allows arbitrary command execution through malicious deeplinks by exploiting a naive command-line argument parser. The flaw, identified by Joernchen of 0day.click and now patched in version 2.1.118, weaponizes the `claude-cli://` handler and bypasses workspace trust dialogs by injecting malicious `SessionStart` hooks into the `--prefill` parameter. The vulnerability highlights risks associated with context-blind argument parsing, particularly within deeplink handlers. → cybersecuritynews.com |
| 2026-05-17 NEW 2026 | NGINX CVE-2026-42945 Exploited in the Wild Causing Worker Crashes and Possible RCE news | Library updates address critical NGINX CVE-2026-42945, a heap buffer overflow in ngx_http_rewrite_module causing worker crashes and potential RCE when ASLR is disabled. Also, two openDCIM vulnerabilities, CVE-2026-28515 (missing authorization) and CVE-2026-28517 (OS command injection), are actively exploited and can be chained with CVE-2026-28516 (SQL injection) for RCE, reportedly by attackers using AI tools like Vulnhuntr. → thehackernews.com |
| 2026-05-17 NEW 2026 | CVE-2026-42945: NGINX Rewrite Heap Overflow Enables Remote DoS & Potential RCE news | Writeup of CVE-2026-42945, an NGINX rewrite heap overflow vulnerability, details its exploitation via crafted HTTP requests, particularly when using unnamed PCRE captures with a question mark in the replacement string. This flaw, present in versions from 0.6.27 through 1.30.0, can lead to Denial of Service through worker crashes or potential Remote Code Execution, especially with ASLR disabled. A proof-of-concept demonstrating RCE has been published. → socradar.io |
| 2026-05-16 NEW 2026 | Microsofts Patch Tuesday Update Targets 120 Security Flaws news | Microsoft's latest Patch Tuesday update addresses 120 security vulnerabilities, a significant release aimed at bolstering system security. This update is critical for users to install to protect their systems from potential exploits. The specific details of each vulnerability and the affected products are available in Microsoft's official release notes. The content does not mention any specific bug bounty payout amounts. |
| 2026-05-15 NEW 2026 | A remote code execution vulnerability has been discovered in NGINX; the affected versions are listed below. news | Writeup of CVE-2026-42945, an 18-year-old heap buffer overflow in NGINX, enabling unauthenticated remote code execution when specific rewrite, if, or set directives are used with unnamed PCRE capture groups. DepthFirst's analysis highlights memory corruption issues, with potential exploitation on systems lacking ASLR. The vulnerability's severity is rated differently by NGINX (medium) and NIST (critical/high), depending on exploitability conditions. Affected users should update NGINX and review configurations for vulnerable directive combinations. |
| 2026-05-15 NEW 2026 | Amazon Redshift JDBC Driver Flaws Enable Remote Code Execution news | Amazon Redshift JDBC Driver Flaws Enable Remote Code Execution https://ift.tt/dWiYtcb → cyberpress.org |
| 2026-05-15 NEW 2026 | Nginx Remote Code Execution Vulnerability (CVE-2026-42945) Notice news | Nginx has a critical remote code execution (RCE) vulnerability, tracked as CVE-2026-42945. This flaw allows attackers to execute arbitrary code on affected Nginx servers. The exact impact and exploitability details are still emerging, but it represents a significant security risk for websites and applications relying on Nginx. Users are advised to monitor official Nginx advisories for patches and mitigation strategies. No bug bounty payout amount is mentioned in this notice. → securityboulevard.com |
| 2026-05-15 NEW 2026 | Google Chrome Multiple Vulnerabilities news | Writeup detailing multiple vulnerabilities in Google Chrome, affecting versions prior to 148.0.7778.167 (Linux) and 148.0.7778.167/168 (Mac/Windows). Exploitation of these CVEs, including CVE-2026-8509 through CVE-2026-8587, could lead to remote code execution, denial of service, security restriction bypass, spoofing, cross-site scripting, and information disclosure. Users are advised to update to the patched versions. → hkcert.org |
| 2026-05-14 NEW 2026 | Critical NGINX Rift vulnerability discovered present for 18 years news | Writeup of CVE-2026-42945, NGINX Rift, a critical heap buffer overflow vulnerability in NGINX Plus and Open Source affecting versions 0.6.27 through 1.30.0 and R32 through R36. Triggered by specific rewrite directives with unnamed PCRE capture groups and a question mark in the replacement string, exploitation can lead to remote code execution or denial-of-service. Patches were released April 21, 2026. → scworld.com |
| 2026-05-14 NEW 2026 | AI agent finds 18-year-old remote code execution flaw in Nginx news | Tool for finding vulnerabilities, this LLM-powered system discovered four bugs in Nginx, including CVE-2026-42945, a critical heap buffer overflow in the `ngx_http_rewrite_module` that allows for remote code execution by exploiting specific rewrite directive configurations. This flaw, impacting Nginx versions 0.6.27 to 1.30.0 and Nginx Plus, was patched in later releases. Additional vulnerabilities CVE-2026-42946, CVE-2026-42934, and CVE-2026-40701 were also identified, leading to denial of service, memory leaks, or data modification. → csoonline.com |
| 2026-05-14 NEW 2026 | CVE-2026-42945: Critical NGINX Rewrite Flaw news | Writeup detailing CVE-2026-42945, an 18-year-old heap buffer overflow in NGINX's ngx_http_rewrite_module. This critical vulnerability, also known as NGINX Rift, affects NGINX Open Source (0.6.27-1.30.0) and NGINX Plus (R32-R36), enabling denial of service or potential remote code execution via crafted HTTP requests. Exploitation occurs when rewrite directives use unnamed PCRE captures with a replacement string containing a question mark, followed by specific other directives. Mitigation involves upgrading to patched versions or temporarily replacing unnamed captures with named ones. |
| 2026-05-14 NEW 2026 | Critical Canon MailSuite Vulnerability Enables Remote Code Execution Attacks news | A critical vulnerability has been discovered in Canon MailSuite software that allows attackers to execute arbitrary code remotely. This means malicious actors could potentially take control of affected systems by exploiting this flaw. Further details on the vulnerability and its impact are available at the provided link. No bug bounty payout amount is mentioned in the content. → cybersecuritynews.com |
| 2026-05-14 NEW 2026 | Critical Windows DNS Client Flaw Enables Remote Code Execution news | A critical vulnerability in the Windows DNS client allows for remote code execution, meaning attackers can potentially gain control of a user's computer without any interaction. This is achieved by sending specially crafted DNS responses. The flaw is present in various Windows versions, and Microsoft has released security updates to address it. Users are strongly advised to install these updates promptly to protect their systems from this severe threat. → cyberpress.org |
| 2026-05-14 NEW 2026 | Critical MongoDB Vulnerability Allow Attackers to Execute Arbitrary Code news | A critical vulnerability has been discovered in MongoDB that allows attackers to execute arbitrary code on affected systems. This significant security flaw poses a serious risk to data confidentiality and system integrity. Users are strongly advised to update their MongoDB installations to the latest patched version immediately to mitigate this threat. Further details on the exploit are available through the provided link. → cybersecuritynews.com |
| 2026-05-14 NEW 2026 | ThreatsDay Bulletin: PAN-OS RCE Mythos cURL Bug AI Tokenizer Attacks and 10 Stories news | Library for threat intelligence, detailing exploited PAN-OS RCE (CVE-2026-0300) with EarthWorm and ReverseSocks5 payloads, private AI chats leveraging Trusted Execution Environments for Meta AI, a zero-auth data leak impacting Schemata's AI training platform, the FCC's router update deadline extension, Operation GriefLure's APT phishing targeting Vietnam and Philippines with RATs, a multi-stage intrusion using weaponized PowerShell disguised as JPEGs for ConnectWise ScreenConnect, an aid-themed infostealer using LNK files and Python implants, GhostLock's PoC demonstrating denial of file access via SMB share locking, AI scan results for cURL identifying a low-severity bug, and an MoU between Indian agencies for fraud-risk intelligence sharing. → thehackernews.com |
| 2026-05-14 NEW 2026 | 18-year-old NGINX vulnerability allows DoS potential RCE news | Library for detecting CVE-2026-42945, an 18-year-old heap buffer overflow in NGINX's ngx_http_rewrite_module, which can lead to denial of service and, under specific conditions like disabled ASLR, remote code execution. This flaw, affecting versions 0.6.27 through 1.30.0, arises from inconsistent state handling during URI processing when 'rewrite' and 'set' directives are used together. The library would likely target this vulnerability and potentially the three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) discovered alongside it. → bleepingcomputer.com |
| 2026-05-14 NEW 2026 | Critical Exim vulnerability allows remote code execution news | Writeup of CVE-2026-45185, a critical user-after-free vulnerability in Exim mail transfer agent impacting versions prior to 4.99.3 that use GnuTLS with STARTTLS and CHUNKING enabled. This flaw allows unauthenticated remote attackers to execute arbitrary code by exploiting a condition during the TLS shutdown process with chunked SMTP traffic. OpenSSL builds are unaffected. The vulnerability, discovered by Federico Kirschbaum, has a fix available in Exim 4.99.3. → scworld.com |
| 2026-05-14 NEW 2026 | Windows DNS Client Security Flaw Exposes Systems to Remote Code Execution news | A critical security vulnerability has been discovered in the Windows DNS client that could allow remote attackers to execute arbitrary code on affected systems. The flaw, known as CVE-2023-38038, is a remote code execution vulnerability. While the article mentions a critical severity, no specific bug bounty payout amount is stated. This vulnerability requires attackers to trick users into visiting a malicious website or opening a malicious file to exploit. Microsoft has released security updates to address this issue. → gbhackers.com |
| 2026-05-14 NEW 2026 | New Exim Vulnerability Enables Arbitrary Code Execution Attacks news | A critical vulnerability in Exim, a widely used Mail Transfer Agent, has been discovered. This flaw allows attackers to achieve arbitrary code execution on affected systems. The vulnerability, detailed in a recent report, could enable malicious actors to compromise servers running Exim. No specific payout amount for reporting this bug was mentioned in the provided content. → cyberpress.org |
| 2026-05-14 NEW 2026 | Critical Exim Mailer Flaw Enables Remote Code Execution Attacks news | A critical vulnerability has been discovered in Exim Mailer, a widely used mail transfer agent. This flaw allows for remote code execution, meaning attackers can potentially run unauthorized code on affected servers without any user interaction. This is a serious security risk, as it could enable a variety of malicious activities, including data theft, server takeovers, and the spread of malware. Organizations using Exim are strongly advised to update their software to the latest version to patch this vulnerability and protect their systems. No bounty payout amount is mentioned in the provided content. → gbhackers.com |
| 2026-05-14 NEW 2026 | PoC Released for 18-Year-Old NGINX Flaw Allowing Remote Code Execution news | A proof-of-concept (PoC) exploit has been released for an 18-year-old vulnerability in NGINX that allows for remote code execution. This discovery highlights the persistent risk of older, unpatched software. The PoC's public availability increases the urgency for users to update their NGINX instances to mitigate potential exploitation. No bounty payout amount is mentioned in the provided content. → gbhackers.com |
| 2026-05-14 NEW 2026 | 18-Year-Old NGINX Flaw Enables Remote Code Execution Attacks news | An 18-year-old vulnerability in NGINX has been discovered that could allow remote code execution (RCE). This flaw, present for nearly two decades, impacts how NGINX handles certain HTTP requests. Attackers could exploit this weakness to gain unauthorized control over affected servers. While the article mentions the discovery of the flaw, it does not specify any bug bounty payout amounts. → cyberpress.org |
| 2026-05-14 NEW 2026 | Windows DNS Client Vulnerability Enables Remote Code Execution Attacks news | A critical vulnerability in the Windows DNS Client allows for remote code execution (RCE). Attackers can exploit this flaw by sending specially crafted DNS responses to trigger the vulnerability. This could enable attackers to gain control of a victim's system without any user interaction. The vulnerability affects multiple Windows versions. Further details and mitigation strategies are available via the provided link. → cybersecuritynews.com |
| 2026-05-14 NEW 2026 | New MongoDB Vulnerability Risks Remote Code Execution news | A critical vulnerability has been discovered in MongoDB that could allow attackers to achieve remote code execution. This flaw specifically affects MongoDB versions 6.0.4 and earlier, and 5.0.15 and earlier. The vulnerability stems from insufficient validation of database names, enabling attackers to exploit this weakness. MongoDB has released patches to address this security risk, urging users to update their systems immediately. → cyberpress.org |
| 2026-05-14 NEW 2026 | Critical 18-Year-Old NGINX Vulnerability Enables Remote Code Execution Attacks news | Writeup detailing CVE-2026-42945, an 18-year-old NGINX vulnerability in the `ngx_http_rewrite_module` that enables unauthenticated remote code execution. Triggered by a state mismatch in the two-pass script engine when `rewrite` and `set` directives are used together, particularly with a question mark in the `rewrite` directive, it leads to a heap buffer overflow. Researchers developed an RCE exploit chaining heap manipulation and structure spraying, affecting various F5/NGINX products. Immediate upgrades to NGINX 1.30.1 or 1.31.0 are recommended. |
| 2026-05-14 NEW 2026 | Critical 18-Year-Old NGINX Vulnerability Enables Remote Code Execution Attacks news | An 18-year-old NGINX vulnerability has been discovered, posing a critical risk of remote code execution (RCE) attacks. This allows attackers to potentially gain full control of affected servers. The vulnerability's long-standing presence highlights a significant security oversight. Further details on the specific exploit and its impact are available via the provided link. → cybersecuritynews.com |
| 2026-05-14 NEW 2026 | Critical NGINX exploit: hackers can crash servers run remote code without authentication news | A critical vulnerability has been discovered in NGINX, a popular web server. Attackers can exploit this flaw to crash servers and execute remote code without needing any authentication. This means unauthenticated users could potentially gain control of compromised servers. The severity of this exploit poses a significant risk to systems running NGINX. → cybernews.com |
| 2026-05-14 NEW 2026 | 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE news | Writeup detailing CVE-2026-42945, a critical heap buffer overflow vulnerability in NGINX's `ngx_http_rewrite_module`, codenamed NGINX Rift. This 18-year-old flaw, discovered by depthfirst, allows unauthenticated remote code execution or denial-of-service through crafted HTTP requests, particularly when using unnamed PCRE captures with a question mark in rewrite directives. The writeup also covers related vulnerabilities: CVE-2026-42946 (excessive memory allocation), CVE-2026-40701 (use-after-free), and CVE-2026-42934 (out-of-bounds read). → thehackernews.com |
| 2026-05-14 NEW 2026 | Critical SandboxJS Escape Vulnerability Enables Host Takeover news | A critical vulnerability has been discovered in SandboxJS, a JavaScript sandbox environment. This exploit allows attackers to escape the sandbox, potentially leading to a complete takeover of the host system. The vulnerability's nature suggests it could compromise the security of applications relying on SandboxJS for isolation. Further details on the exploit's specifics and impact are available via the provided link. No bounty payout amount is mentioned. → cybersecuritynews.com |
| 2026-05-14 NEW 2026 | SAP Rushes Emergency Security Updates For Critical Commerce Cloud & S/4HANA Vulnerabilities news | SAP has released emergency security updates to address critical vulnerabilities in its Commerce Cloud and S/4HANA software. These vulnerabilities pose a significant risk, and the urgent patching indicates a high level of severity. Organizations using these SAP products are strongly advised to apply the updates immediately to protect their systems from potential exploitation. The specific details of the vulnerabilities and the affected components have not been disclosed beyond the product names. |
| 2026-05-14 NEW 2026 | Palo Alto Products Multiple Vulnerabilities news | Writeup of multiple vulnerabilities affecting Palo Alto products, including GlobalProtect App and PAN-OS. Attackers can exploit these flaws to achieve elevation of privilege, denial of service, remote code execution, cross-site scripting, and security restriction bypass. Specific CVEs identified include CVE-2026-0249, CVE-2026-0250, and CVE-2026-0251, among others. Affected versions span across PAN-OS 10.2, 11.1, 11.2, 12.1, and various GlobalProtect App releases. → hkcert.org |
| 2026-05-14 NEW 2026 | Microsoft's agentic security system MDASH uncovers four critical Windows RCE flaws news | Tool: Microsoft's MDASH, an agentic security system orchestrating over 100 AI agents, has discovered 16 previously unknown Windows vulnerabilities, including four critical remote code execution flaws. These include CVE-2026-33827, a use-after-free in tcpip.sys, and CVE-2026-33824, a double-free in the IKEv2 service. MDASH utilizes frontier and distilled AI models, domain plugins, and a pipeline of prepare, scan, validate, dedup, and prove stages to identify complex bugs missed by traditional scanners. |
| 2026-05-13 2026 | Mays Patch Tuesday hauls out 132 CVEs news | Analysis of Microsoft's May Patch Tuesday release details 132 CVEs across 20 product families, with 29 Critical severity vulnerabilities. Notable issues include elevation of privilege via an SSO plugin for Jira & Confluence (CVE-2026-41103), remote code execution in Windows Netlogon (CVE-2026-41089) and DNS Client (CVE-2026-41096), and six Microsoft Office/Word remote code execution vulnerabilities exploitable via Preview Pane. The release also addresses vulnerabilities in Adobe Commerce and includes an AMD CPU issue. |
| 2026-05-13 2026 | Fortinet fixes two critical RCE flaws in FortiAuthenticator and FortiSandbox news | Patches addressing two critical RCE vulnerabilities, CVE-2026-44277 in FortiAuthenticator (improper access control) and CVE-2026-26083 in FortiSandbox (missing authorization), have been released by Fortinet. These flaws allow unauthenticated attackers to execute arbitrary code via specifically crafted requests. Fortinet also provided updates for other flaws, including CVE-2025-53844, CVE-2025-53870, and CVE-2025-53680 in FortiOS and FortiAP products. → csoonline.com |
| 2026-05-13 2026 | New critical Exim mailer flaw allows remote code execution news | Writeup of CVE-2026-45185, a critical user-after-free vulnerability in Exim mail transfer agent versions 4.97 through 4.99.2 compiled with GnuTLS. This flaw allows unauthenticated remote code execution by exploiting a TLS shutdown issue during BDAT chunked SMTP traffic. XBOW's AI-assisted research aided in developing a proof-of-concept exploit, highlighting the evolving landscape of vulnerability discovery and exploitation. → bleepingcomputer.com |
| 2026-05-13 2026 | Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises news | Vulnerability writeup of CVE-2026-40361, a critical zero-click use-after-free bug in Microsoft Outlook and Word, allowing remote code execution via email previews. Discovered by Haifei Li, developer of Expmon, this flaw, similar to the decade-old BadWinmail (CVE-2015-6172), bypasses enterprise firewalls and targets users by exploiting Outlook's email rendering engine, making plain-text rendering a potential mitigation. Microsoft rates exploitation as "more likely." → securityweek.com |
| 2026-05-13 2026 | Fortinet Ivanti Patch Critical Vulnerabilities news | Advisories detail critical vulnerabilities patched by Fortinet and Ivanti. Fortinet addressed CVE-2026-44277 and CVE-2026-26083, both CVSS 9.1 critical code execution flaws in FortiAuthenticator and FortiSandbox respectively, alongside CVE-2025-53844, a high-severity out-of-bounds write in FortiOS. Ivanti's patches include CVE-2026-8043, a critical CVSS 9.6 file write vulnerability in Xtraction, plus high-severity SQL injection and OS command injection flaws in Endpoint Manager and Virtual Traffic Manager. → securityweek.com |
| 2026-05-13 2026 | Microsofts agentic AI system found four critical Windows RCE flaws news | Library utilizing over 100 specialized AI agents, codenamed MDASH, discovered four critical Windows RCE flaws, including CVE-2026-40361 and CVE-2026-40364. This system, developed by Microsoft’s Autonomous Code Security team, demonstrated strong performance on internal and public benchmarks like CyberGym, identifying all 21 injected vulnerabilities in a private Windows driver without false positives, and achieving high recall rates against historical Microsoft Security Response Center vulnerabilities. → helpnetsecurity.com |
| 2026-05-13 2026 | Microsoft Patches 138 Vulnerabilities Including DNS and Netlogon RCE Flaws news | Patches from Microsoft address 138 vulnerabilities, including critical RCE flaws in Windows DNS (CVE-2026-41096) and Netlogon (CVE-2026-41089), along with Azure DevOps information exposure (CVE-2026-42826) and Azure Managed Instance for Apache Cassandra code execution (CVE-2026-33109). Additional fixes target Microsoft Dynamics 365, Azure Logic Apps, Microsoft Teams, Azure Cloud Shell, Azure Entra ID, Windows Hyper-V, and a Microsoft SSO Plugin for Jira & Confluence (CVE-2026-41103), with several identified by Microsoft's AI-driven discovery system MDASH. An AMD vulnerability (CVE-2025-54518) related to CPU cache isolation is also patched. → thehackernews.com |
| 2026-05-13 2026 | Critical Fortinet FortiSandbox Flaw Enables Remote Code Execution news | Critical Fortinet FortiSandbox Flaw Enables Remote Code Execution https://ift.tt/5cRj19N → cyberpress.org |
| 2026-05-13 2026 | Critical Exim GnuTLS Flaw Enables Remote Code Execution news | A critical vulnerability in Exim's GnuTLS implementation allows for remote code execution. This flaw enables attackers to bypass authentication and execute arbitrary code on affected Exim servers. The exploit targets how Exim handles certain TLS configurations, leading to a potential denial-of-service or full system compromise. Users are strongly advised to update Exim to the latest version to patch this severe security risk. No bounty payout amount is mentioned in the provided content. → cyberpress.org |
| 2026-05-13 2026 | Critical Fortinet FortiSandbox Vulnerability Enables Code Execution Attacks news | A critical vulnerability in Fortinet's FortiSandbox allows for unauthenticated remote code execution. Successful exploitation of this flaw could enable attackers to compromise systems without needing any prior authentication. This is a severe security risk as it could lead to widespread damage. Further details on the vulnerability and potential mitigations are available at the provided link. No payout amount was specified. → cybersecuritynews.com |
| 2026-05-13 2026 | Microsoft May 2026 Patch Tuesday Fixes 120 Flaws news | Updates for Microsoft May 2026 Patch Tuesday address 120 vulnerabilities, including critical remote code execution flaws in Microsoft Office, SharePoint (CVE-2026-40365), Windows DNS Client (CVE-2026-41096), and Dynamics 365 (CVE-2026-42898). Also fixed is a Windows GDI RCE vulnerability via Microsoft Paint (CVE-2026-35421). The release also enhances File Explorer with expanded archive support, adds an Xbox-inspired desktop experience, and introduces secure batch file processing. → thecyberexpress.com |
| 2026-05-13 2026 | Defense at AI speed: Microsofts new multi-model agentic security system tops leading industry benchmark beginner | Library for agentic AI-driven vulnerability discovery, codename MDASH, utilizes over 100 specialized agents and an ensemble of models to find and prove exploitable bugs. This system orchestrated across frontier and distilled models achieved top scores on industry benchmarks, including identifying 16 new vulnerabilities in Windows networking and authentication, four of which were Critical remote code execution flaws in components like the TCP/IP stack and IKEv2 service. MDASH's end-to-end pipeline includes stages for preparation, scanning, validation, deduplication, and proof, demonstrating a move towards production-grade, enterprise-scale AI vulnerability defense. → microsoft.com |
| 2026-05-13 2026 | May Patch Tuesday roundup: Critical holes in Windows Netlogon DNS and SAP S/4HANA news | Report detailing Microsoft's May Patch Tuesday, highlighting critical vulnerabilities in Windows Netlogon (CVE-2026-41089) and Windows Server DNS Client (CVE-2026-41096), both with CVSS 9.8 scores. It also addresses a severe remote code execution flaw in Microsoft Dynamics 365 On Premises (CVE-2026-42898), a privilege escalation in the Microsoft SSO plugin for Jira/Confluence (CVE-2026-41103), and an SQL injection in SAP S/4HANA Enterprise Search (CVE-2026-34260). → csoonline.com |
| 2026-05-13 2026 | PHP SOAP Extension Flaw Could Let Attackers Execute Code Remotely intermediate | A critical vulnerability in PHP's SOAP extension allows remote code execution. Attackers can exploit this flaw by sending specially crafted SOAP requests, potentially leading to a complete compromise of affected systems. This could enable attackers to gain unauthorized access, steal sensitive data, or disrupt services. Users are strongly advised to update their PHP installations to the latest version to patch this security risk. → gbhackers.com |
| 2026-05-12 2026 | Microsoft Patch Tuesday May 2026 - 120 Vulnerabilities Fixed Including 29 Critical RCE Flaws news | Microsoft's May 2026 Patch Tuesday addressed 120 vulnerabilities, a significant update focusing on security. Among these, 29 critical flaws were patched, specifically impacting Remote Code Execution (RCE). This regular release is crucial for users to maintain system security and protect against potential exploits that could compromise their devices. The update aims to close security gaps and reinforce the overall integrity of Microsoft's software ecosystem. → cybersecuritynews.com |
| 2026-05-12 2026 | Microsoft Patch Tuesday for May 2026 Snort rules and prominent vulnerabilities news | Library of Snort rules addresses Microsoft's May 2026 Patch Tuesday vulnerabilities, including 31 critical issues like RCE flaws in Azure, Windows services, Microsoft Office, and SharePoint. Specific CVEs highlighted include CVE-2026-32161 (Windows Native WiFi Miniport Driver), CVE-2026-33109 and CVE-2026-33844 (Azure Managed Instance for Apache Cassandra), CVE-2026-35421 (Windows GDI), CVE-2026-40358, CVE-2026-40361, CVE-2026-40363, CVE-2026-40364, CVE-2026-40366, and CVE-2026-4067 (Microsoft Office/Word), CVE-2026-40365 (Microsoft SharePoint), CVE-2026-40403 (Windows Win32K – GRFX), CVE-2026-41089 (Windows Netlogon), CVE-2026-41096 (Windows DNS Client), CVE-2026-42831 (Office for Android), and CVE-2026-42898 (Microsoft Dynamics 365). → blog.talosintelligence.com |
| 2026-05-12 2026 | Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator news | Writeup detailing critical RCE vulnerabilities in Fortinet products. CVE-2026-44277, an Improper Access Control flaw in FortiAuthenticator, and CVE-2026-26083, a missing authorization weakness in FortiSandbox, allow unauthenticated attackers to execute unauthorized code via crafted requests. These flaws, while not reported as exploited in the wild, follow a pattern of actively exploited Fortinet vulnerabilities, including previous issues in FortiClient EMS. → bleepingcomputer.com |
| 2026-05-12 2026 | New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution news | Library addressing CVE-2026-45185, a critical use-after-free vulnerability in Exim's BDAT message body parsing when using GnuTLS. This flaw allows attackers to trigger heap corruption and potential code execution by sending specific TLS close_notify alerts followed by cleartext data during BDAT transfers. The issue impacts Exim versions 4.97 through 4.99.2, with a fix available in version 4.99.3. → thehackernews.com |
| 2026-05-12 2026 | Critical PHP SOAP Extension Vulnerabilities Enables Remote Code Execution Attacks news | The PHP SOAP extension contains critical vulnerabilities that allow for remote code execution (RCE). These flaws can be exploited by attackers to gain control of affected systems. The extent of the impact and specific attack vectors are detailed in the linked advisory. No bug bounty payout amount is mentioned. → cybersecuritynews.com |
| 2026-05-12 2026 | Open WebUI File Upload Vulnerability Enables 1-Click RCE Attack news | A critical file upload vulnerability has been discovered in Open WebUI, allowing for a 1-click Remote Code Execution (RCE) attack. This severe flaw means attackers can potentially gain control of systems running Open WebUI by exploiting this single vulnerability. Further details and the exploit mechanism are available at the provided link. No bounty payout amount was specified in the content. → gbhackers.com |
| 2026-05-12 2026 | Cline AI Agent Flaw Allows Attackers to Launch RCE Attacks news | A critical vulnerability has been discovered in the Cline AI Agent, allowing attackers to execute arbitrary code remotely (RCE). This flaw potentially exposes users to significant security risks. Further details and mitigation strategies are expected as the situation develops. No specific payout amount for reporting this bug was mentioned. → gbhackers.com |
| 2026-05-12 2026 | Open WebUI File Upload Vulnerability Enables One-Click RCE Attacks news | A critical vulnerability in Open WebUI's file upload functionality allows for one-click Remote Code Execution (RCE) attacks. This severe security flaw enables attackers to compromise systems without user interaction. The exploit is easily repeatable, posing a significant risk to users of the Open WebUI application. The extent of potential damage and the specific conditions for exploitation are detailed in the linked advisory. → cyberpress.org |
| 2026-05-12 2026 | Critical Cline AI Agent Vulnerability Enables Remote Code Execution Attacks news | A critical vulnerability has been discovered in the CriticalCline AI Agent that allows for remote code execution (RCE) attacks. This means attackers could potentially gain control of systems running the agent without needing physical access. The exploit could have significant security implications, allowing unauthorized access and manipulation of sensitive data or system functions. Further details on the specific nature of the vulnerability and potential mitigation strategies are available via the provided link. → cyberpress.org |
| 2026-05-11 2026 | Critical PHP SOAP Extension Flaw Enables Remote Code Execution Attacks news | Writeup detailing critical vulnerabilities in the PHP SOAP extension, including CVE-2026-6722, a Use-After-Free flaw enabling Remote Code Execution by manipulating XML payloads and memory allocation. Additional findings include CVE-2026-7261 (UAF in SoapServer persistence) and CVE-2026-7262 (NULL pointer dereference for DoS). The article also notes out-of-bounds read flaws (CVE-2026-7258, CVE-2026-6104) in PHP core functions, affecting versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6. → cyberpress.org |
| 2026-05-11 2026 | New cPanel and WHM Flaws Enable Remote Code Execution and DoS Attacks news | Writeup of CVE-2026-29202, CVE-2026-29201, and CVE-2026-29203 impacting cPanel and WHM. The Perl code-injection vulnerability (CVE-2026-29202) allows arbitrary code execution via the create_user API. CVE-2026-29201 enables arbitrary file reads through feature::LOADFEATUREFILE, exposing sensitive data. CVE-2026-29203, a symlink vulnerability, permits local users to execute chmod on arbitrary files, leading to denial-of-service and potential privilege escalation. Emergency patches are available. → cyberpress.org |
| 2026-05-11 2026 | Mozilla Products Multiple Vulnerabilities news | Analysis of multiple vulnerabilities in Mozilla Products, including Firefox and Thunderbird, leading to potential denial of service and remote code execution. Affects versions prior to Firefox 150.0.2, Firefox ESR 115.35.2, Firefox ESR 140.10.2, Thunderbird 140.10.2, and Thunderbird 150.0.2. Patches are available from the vendor. → hkcert.org |
| 2026-05-11 2026 | Exploits and vulnerabilities in Q1 2026 news | The provided content is a link to a resource detailing exploits and vulnerabilities expected in Q1 2026. No specific details about vulnerabilities, their impact, or any associated bug bounty payout amounts are present in the given information. Therefore, a summary of the content's key points and main ideas cannot be generated beyond stating its topic. |
| 2026-05-10 2026 | Ivanti Warns of New EPMM Flaw Exploited in Zero-Day Attacks news | Ivanti has issued a warning about a new critical vulnerability in its Endpoint Manager Mobile (EPMM) software that is already being exploited in zero-day attacks. The flaw, identified as CVE-2024-22053, allows unauthenticated attackers to gain administrative access to affected systems. Ivanti is urging customers to immediately apply a patch to mitigate the risk. No specific bounty payout amount was mentioned in the provided content. → securityboulevard.com |
| 2026-05-10 2026 | New cPanel vulnerabilities could allow file access and remote code execution news | Writeup of cPanel vulnerabilities CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, which permit arbitrary file reads, Perl code execution via the create_user API, and potential denial-of-service or privilege escalation through chmod. These flaws affect multiple cPanel & WHM releases and have been patched. This disclosure follows the weaponization of a separate cPanel authentication bypass vulnerability, CVE-2026-41940, as a zero-day for botnet deployment. Tools are available from watchTowr and cPanel to detect vulnerable hosts. → securityaffairs.com |
| 2026-05-10 2026 | New cPanel and WHM Flaws Enable Code Execution DoS Attacks news | Writeup of CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203 in cPanel and WHM. These critical flaws allow arbitrary file reads via path traversal, Perl code injection for remote code execution, and unsafe symlink handling leading to denial-of-service or privilege escalation. A previous vulnerability, CVE-2026-41940, enabled login bypasses. Immediate patching is essential for all affected versions. → cybersecuritynews.com |
| 2026-05-09 2026 | CVE-2025-68670: discovering an RCE vulnerability in xrdp news | This content details the discovery of CVE-2025-68670, a remote code execution (RCE) vulnerability in xrdp. The provided link likely contains further technical information about this security flaw. No bug bounty payout amount is mentioned. |
| 2026-05-09 2026 | Palo Alto Networks Firewall Zero-Day RCE Vulnerability Exploited in the Wild Since April news | Advisory on CVE-2026-0300, a critical zero-day buffer overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal. This flaw allows unauthenticated RCE with root privileges on PA-Series and VM-Series firewalls by specially crafted packets. Exploitation involves nginx shellcode injection, log destruction, Active Directory enumeration, and the use of public tools like EarthWorm and ReverseSocks5 for tunneling and post-exploitation. Mitigation includes restricting portal access and disabling Response Pages. → cybersecuritynews.com |
| 2026-05-08 2026 | Federal agencies ordered to patch Ivanti zero-day in 3 days news | Writeup of CVE-2026-6973, an improper input validation vulnerability in Ivanti EPMM. Federal agencies are ordered to patch this flaw within three days due to its potential for arbitrary code execution by authenticated users. This zero-day, with a CVSS score of 7.2, follows previously disclosed critical Ivanti EPMM vulnerabilities, CVE-2026-1281 and CVE-2026-1340, which were exploited in attacks against government bodies and critical infrastructure. Upgrading to specific versions resolves all three identified CVEs. → scworld.com |
| 2026-05-08 2026 | Apache fixes critical HTTP/2 vulnerability allowing remote code execution news | Library update addressing CVE-2026-23918, a critical double-free vulnerability in Apache HTTP Server's HTTP/2 protocol handler. This flaw, discovered by Bartlomiej Dmitruk and Stanislaw Strzalkowski, allows remote code execution in specific configurations and is resolved in version 2.4.67. Exploitation involves crafting an HTTP/2 sequence to trigger memory corruption, impacting systems running version 2.4.66. → scworld.com |
| 2026-05-08 2026 | Ivanti patches five vulnerabilities in EPMM one actively being exploited news | Writeup detailing Ivanti's patching of five vulnerabilities in Endpoint Manager Mobile (EPMM), including the actively exploited CVE-2026-6973. The advisory highlights CVE-2026-5788 for unauthenticated RCE, CVE-2026-5787 for Sentry impersonation, and CVE-2026-7821 for data access. The NCSC warns of imminent public PoC code, urging immediate patching to mitigate risks like those previously impacting Dutch organizations. → techzine.eu |
| 2026-05-08 2026 | CVE-2026-23918: Apache HTTP/2 Double-Free Vulnerability with Possible RCE news | Apache HTTP/2 has a critical double-free vulnerability (CVE-2026-23918) that could lead to remote code execution (RCE). The vulnerability stems from improper handling of connection state during graceful shutdown when certain HTTP/2 frames are processed. This could allow an attacker to trigger the double-free condition, potentially gaining control of the server. This issue affects all Apache HTTP Server versions from 2.4.51 to 2.4.53. Users are strongly advised to update to version 2.4.54 or later to mitigate this risk. → securityboulevard.com |
| 2026-05-07 2026 | When prompts become shells: RCE vulnerabilities in AI agent frameworks news | Library providing security analysis of AI agent frameworks, detailing RCE vulnerabilities like CVE-2026-25592 and CVE-2026-26030 discovered in Semantic Kernel. The research highlights how prompt injection can lead to host-level code execution through unsafe string interpolation and blocklist bypasses in plugins like the In-Memory Vector Store, enabling attackers to leverage Semantic Kernel's tool execution capabilities for malicious purposes. → microsoft.com |
| 2026-05-07 2026 | Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access news | Writeup on CVE-2026-6973, an active RCE vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allowing administrative users to execute arbitrary code. This flaw, along with CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821, impacts on-premise EPMM and is under active exploitation. CISA has added CVE-2026-6973 to its KEV catalog, mandating fixes for federal agencies. → thehackernews.com |
| 2026-05-07 2026 | Ivanti warns of new EPMM flaw exploited in zero-day attacks news | Writeup of CVE-2026-6973, a critical Improper Input Validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM) exploited in zero-day attacks. This flaw allows remote attackers with administrative privileges to execute arbitrary code on EPMM versions 12.8.0.0 and earlier. Ivanti recommends patching to EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and rotating admin credentials. Four other high-severity EPMM vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821) were also patched. → bleepingcomputer.com |
| 2026-05-07 2026 | Cisco patches high-severity flaws enabling SSRF code execution attacks news | Advisory detailing high-severity vulnerabilities in Cisco Unity Connection, including CVE‑2026‑20034 allowing authenticated remote root code execution via crafted API requests, and CVE‑2026‑20035 enabling unauthenticated SSRF attacks by sending crafted HTTP requests. These flaws stem from insufficient input validation, potentially leading to complete system compromise or arbitrary network traffic originating from the affected device. → securityaffairs.com |
| 2026-05-07 2026 | Critical Redis Vulnerabilities Enables Remote Code Execution Attacks news | This content describes critical vulnerabilities in Redis that allow for remote code execution. These flaws enable attackers to compromise systems by exploiting specific configurations or weaknesses in the popular in-memory data structure store. The exploitation of these vulnerabilities can lead to severe security breaches, granting attackers unauthorized control over affected servers. Further details are available via the provided link. → cybersecuritynews.com |
| 2026-05-07 2026 | Critical vm2 Vulnerabilities Enable Arbitrary Code Execution Attacks news | The vm2 JavaScript sandbox library has critical vulnerabilities allowing arbitrary code execution. These flaws enable attackers to bypass sandbox restrictions and gain control of the host system. The specific nature of the vulnerabilities and their exploitability underscores the significant risk to systems relying on vm2 for sandboxing untrusted code. Users are strongly advised to update to the latest version to mitigate these severe security risks. → cyberpress.org |
| 2026-05-07 2026 | PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage news | Writeup of CVE-2026-0300, a critical buffer overflow in PAN-OS enabling root access, exploited by threat actors potentially as early as April 9, 2026. The vulnerability allows unauthenticated RCE via crafted packets, with successful exploitation observed by Unit 42, attributed to state-sponsored cluster CL-STA-1132. Post-exploitation involved AD enumeration and deployment of tools like EarthWorm and ReverseSocks5. Mitigation includes restricting portal access, disabling Response Pages, and enabling Threat ID 510019. → thehackernews.com |
| 2026-05-07 2026 | 'TrustFall' Exposes Claude Code Execution Risk news | 'TrustFall' Exposes Claude Code Execution Risk https://ift.tt/uApnWBD → darkreading.com |
| 2026-05-07 2026 | Hackers run code on PAN-OS firewalls as root without authentication: critical zero-day unveiled news | A critical zero-day vulnerability has been discovered in Palo Alto Networks' PAN-OS firewalls. This flaw allows attackers to execute code as root without any authentication. The vulnerability, identified as CVE-2024-3400, impacts PAN-OS versions 10.1, 11.0, 11.1, and 11.2. While the content mentions a critical zero-day, it does not specify any bug bounty payout amount. → cybernews.com |
| 2026-05-07 2026 | Critical Redis Vulnerabilities Enable Remote Code Execution Attacks news | This content discusses critical vulnerabilities in Redis that allow for remote code execution attacks. These flaws could be exploited to gain unauthorized control over systems running Redis. The article highlights the severity of these security weaknesses, emphasizing the potential for attackers to compromise sensitive data and infrastructure. Further details on the specific vulnerabilities and their impact can be found at the provided link. → cyberpress.org |
| 2026-05-07 2026 | Critical vm2 Node.js Library Vulnerabilities Enables Arbitrary Code Execution Attacks news | Critical vulnerabilities in the vm2 Node.js library have been disclosed, allowing attackers to execute arbitrary code. These flaws enable sandbox escapes, meaning malicious actors can bypass security restrictions and gain control of systems running vulnerable versions of vm2. Users are strongly advised to update to the latest version to mitigate these risks. The article provides a link for further details on the specific vulnerabilities and their implications. → cybersecuritynews.com |
| 2026-05-07 2026 | Redis Security Flaws Expose Servers to Remote Code Execution Risks news | Redis security flaws have been discovered that allow for remote code execution (RCE). These vulnerabilities enable attackers to bypass authentication and execute arbitrary commands on affected Redis servers. This could lead to significant data breaches and system compromises. Users are strongly advised to update their Redis installations to the latest patched versions to mitigate these risks. The severity of these flaws necessitates prompt action to protect sensitive data and infrastructure. → gbhackers.com |
| 2026-05-07 2026 | Critical vm2 Node.js Library Flaws Enable Arbitrary Code Execution Attacks news | Critical vulnerabilities have been discovered in the vm2 Node.js library, enabling attackers to execute arbitrary code. This means that malicious actors could potentially run their own code on systems using the vulnerable library. Further details and the implications of these security flaws can be found in the linked article. → gbhackers.com |
| 2026-05-07 2026 | vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution news | Writeup detailing critical vulnerabilities within the vm2 Node.js library, enabling sandbox escape and arbitrary code execution. These flaws, including CVE-2026-43997 and CVE-2026-44005, exploit mechanisms like `__lookupGetter__`, the `species` property of promises, the `inspect` function, `SuppressedError`, Symbol-to-string coercion, prototype pollution, and bypasses of the allowlist. The report highlights the ongoing challenge of secure code isolation in JavaScript environments and strongly advises updating to version 3.11.2. → thehackernews.com |
| 2026-05-07 2026 | Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution news | Writeup detailing CVE-2026-0300, a buffer overflow vulnerability in Palo Alto Networks PAN-OS's Captive Portal service, enabling unauthenticated remote code execution. Exploitation by state-sponsored actors involved injecting shellcode, deploying tools like EarthWorm and ReverseSocks5 for tunneling, and enumerating Active Directory using compromised credentials. The analysis highlights the attackers' operational restraint and reliance on open-source tools for stealthy compromise of edge network devices. → unit42.paloaltonetworks.com |
| 2026-05-06 2026 | Palo Alto Networks warns of critical PAN-OS vulnerability exploited in the wild news | Writeup on CVE-2026-0300, a critical PAN-OS buffer overflow vulnerability allowing unauthenticated remote code execution with root privileges. Exploited against exposed User-ID Authentication Portals on PA-Series and VM-Series firewalls, this flaw affects PAN-OS versions 12.1, 11.2, 11.1, and 10.2. Mitigation involves restricting access to the User-ID Authentication Portal or disabling it until patches are released. → scworld.com |
| 2026-05-06 2026 | Google patches critical Android remote code execution flaw news | Patch addresses CVE-2026-0073, a critical Android remote code execution vulnerability affecting the Android Debug Bridge daemon (adbd). Exploiting this flaw allows attackers to execute code as the shell user without requiring permissions or user interaction, potentially leading to device compromise. This update follows the patching of CVE-2026-21385, a Qualcomm component vulnerability in the Graphics component that was actively exploited for sensitive memory data exposure, emphasizing the ongoing need for Android security updates. → scworld.com |
| 2026-05-06 2026 | Critical Palo Alto PAN-OS Vulnerability Actively Exploited For Remote Code Execution (RCE) news | A critical vulnerability in Palo Alto Networks' PAN-OS is being actively exploited, allowing for remote code execution (RCE). This means attackers can potentially take control of affected devices. Details of the vulnerability and potential mitigation strategies are available via the provided link. No specific bounty payout amount is mentioned in the content. |
| 2026-05-06 2026 | CVE-2026-0300 Buffer Overflow Vulnerability in PAN-OS news | Writeup of CVE-2026-0300, a critical buffer overflow vulnerability affecting PAN-OS's User-ID Authentication Portal. This CWE-787 Out-of-bounds Write allows unauthenticated attackers to achieve arbitrary code execution with root privileges over the network via specially crafted packets. Exploitation is feasible with low complexity, requiring no user interaction, and has been observed in the wild, posing a significant risk to PA-Series and VM-Series firewalls with the User-ID portal enabled. → thecyberexpress.com |
| 2026-05-06 2026 | New MajorDoMo RCE Vulnerability Exposes Servers to Code Execution Attacks news | A critical Remote Code Execution (RCE) vulnerability has been discovered in MajorDoMo, a popular home automation system. This flaw allows attackers to execute arbitrary code on vulnerable servers, potentially leading to complete system compromise. The vulnerability's exploitability and the wide adoption of MajorDoMo present a significant risk to users. While the specific impact and technical details are still emerging, the discovery highlights the need for immediate attention and patching by MajorDoMo users to protect their systems from malicious actors. → cybersecuritynews.com |
| 2026-05-06 2026 | WARNING: Critical Flaw In Apache HTTP Server Enables DoS & Remote Code Execution (RCE) Attacks news | A critical vulnerability has been discovered in the Apache HTTP Server, potentially allowing attackers to launch Denial of Service (DoS) and Remote Code Execution (RCE) attacks. This flaw poses a significant security risk, enabling unauthorized control and disruption of services hosted on affected servers. Users are strongly advised to update their Apache HTTP Server installations to the latest patched version to mitigate these risks. No specific payout amount for reporting this bug was mentioned. |
| 2026-05-06 2026 | Critical Buffer Overflow Vulnerability in PAN-OS Exploited in-the-Wild news | Writeup of CVE-2026-0300, a critical buffer overflow in Palo Alto Networks PAN-OS, allowing unauthenticated attackers remote code execution with root privileges. The vulnerability targets the User-ID Authentication Portal service, particularly when exposed to untrusted networks or the public internet. Exploitation risk is high for instances accessible externally via ports 6081 or 6082. Immediate patching, access restriction, or disabling the portal are recommended mitigation steps. → wiz.io |
| 2026-05-06 2026 | WhatsApp Multiple Vulnerabilities news | Bulletin detailing multiple vulnerabilities in WhatsApp clients (iOS, Android, Windows) allowing remote attackers to bypass security restrictions and perform spoofing. Affected versions include specific ranges prior to recent updates on each platform. Users are advised to update to the latest available versions for iOS v2.26.15.72+, Android v2.26.7.10+, and Windows v2.3000.1032164386.258709 or later. → hkcert.org |
| 2026-05-06 2026 | Apache fixes critical HTTP/2 double-free flaw CVE-2026-23918 enabling RCE news | Library fixing CVE-2026-23918, a critical HTTP/2 double-free vulnerability in Apache HTTP Server 2.4.66. This flaw, discovered by Bartlomiej Dmitruk and Stanislaw Strzalkowski, can cause memory corruption leading to denial of service and, under specific configurations like mmap usage, potential remote code execution. The issue resides within mod_http2 and is resolved in version 2.4.67. → securityaffairs.com |
| 2026-05-06 2026 | Palo Alto Networks warns of firewall RCE zero-day exploited in attacks news | Writeup of CVE-2026-0300, a critical PAN-OS zero-day exploited in attacks. This buffer overflow vulnerability affects the User-ID Authentication Portal on Internet-exposed PA-Series and VM-Series firewalls, allowing unauthenticated attackers to achieve root-level remote code execution. Palo Alto Networks recommends restricting access to trusted zones or disabling the portal until a patch is released, with initial fixes expected May 13, 2026. → bleepingcomputer.com |
| 2026-05-06 2026 | Palo Alto Networks PAN-OS flaw exploited for remote code execution news API Sec | Writeup of CVE-2026-0300, a critical PAN-OS buffer overflow allowing unauthenticated remote code execution with root privileges. This vulnerability affects PA-Series and VM-Series firewalls using the User-ID Authentication Portal when exposed to the internet. Palo Alto Networks advises restricting access to trusted internal IP addresses to mitigate risk, noting limited exploitation observed primarily on internet-facing portals. Fixes are expected by May 13, 2026. → securityaffairs.com |
| 2026-05-06 2026 | Critical Android vulnerability CVE-2026-0073 fixed by Google news Mobile | Analysis of CVE-2026-0073, a critical remote code execution vulnerability in Android's System component affecting the adbd daemon. Exploitation, which requires no user interaction or special permissions, could lead to shell user code execution and full device compromise. Google has released a patch, and no public exploits or active attacks exploiting this specific flaw are currently known. This follows a previously exploited Qualcomm component vulnerability (CVE-2026-21385) involving a buffer over-read in the Graphics component. → securityaffairs.com |
| 2026-05-06 2026 | SUSE Linux Kernel Multiple Vulnerabilities news | Vulnerabilities impacting SUSE Linux Kernel allow remote attackers to achieve denial of service, remote code execution, security bypass, privilege escalation, data manipulation, and information disclosure. Affected systems include SUSE Linux Enterprise High Performance Computing 12 SP5, SUSE Linux Enterprise Live Patching 12-SP5, and various SUSE Linux Enterprise Server 12 SP5 variants. Specific CVEs include CVE-2024-26584, CVE-2025-38234, CVE-2025-39759, CVE-2025-71268, CVE-2025-71269, CVE-2026-22990, CVE-2026-23103, CVE-2026-23120, CVE-2026-23243, CVE-2026-23262, CVE-2026-23272, CVE-2026-23277, CVE-2026-23318, CVE-2026-23362, CVE-2026-23382, CVE-2026-23386, and CVE-2026-23398. → hkcert.org |
| 2026-05-06 2026 | Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution news API Sec | Analysis of CVE-2026-0300, a critical buffer overflow vulnerability in Palo Alto Networks' PAN-OS software, allows unauthenticated remote code execution with root privileges. This flaw impacts PA-Series and VM-Series firewalls, particularly those with the User-ID Authentication Portal accessible from untrusted networks. While patches are forthcoming, interim mitigations include restricting portal access or disabling it entirely. → thehackernews.com |
| 2026-05-06 2026 | n8n: From Parsing Bug to Remote Code Execution aka CVE-2026-42231 news API Sec | Library analyzing n8n's CVE-2026-42231, detailing how a prototype pollution vulnerability within the xml2js XML parsing library, exacerbated by CoffeeScript semantic quirks, can be chained to achieve unauthenticated Remote Code Execution. The exploit path leverages a specific gadget in `@n8n/node-cli` that mimics older, exploitable `spawn` behavior, allowing controlled properties to propagate into the execution context for RCE. |
| 2026-05-06 2026 | Critical Remote Code Execution Vulnerability Patched in Android news Mobile | Library for analyzing Android security, detailing CVE-2026-0073, a critical remote code execution vulnerability in the System component affecting the Android Debug Bridge daemon. This flaw allows code execution as the shell user without interaction. Google confirmed no exploitation has been observed. |
| 2026-05-05 2026 | Hackers exploit critical Weaver E-cology vulnerability news | Writeup of CVE-2026-22679 in Weaver E-cology, a critical unauthenticated remote code execution vulnerability. Hackers have been exploiting this flaw since mid-March, five days after a patch was released, by leveraging an exposed debug API endpoint. This allowed attackers to reach backend RPC functionality, enabling system command execution through obfuscated PowerShell scripts for reconnaissance, though persistent sessions were not established. Weaver E-cology 10.0 users must apply vendor security updates. → scworld.com |
| 2026-05-05 2026 | Critical 9.8 Weaver E-cology vulnerability actively exploited news | Library for securing business process management applications, focusing on the critical 9.8 Weaver E-cology vulnerability (CVE-2026-22679). This bug, actively exploited in the wild, allows for unauthenticated remote code execution (RCE) by invoking an exposed debug functionality within the Dubbo-based debug API. The exploitation highlights a shift from perimeter attacks to targeting the "soft center" of enterprise systems, such as OA and BPM platforms, which serve as the "nervous system" of an organization. A patch for Weaver E-cology 10.0 was released in March. → scworld.com |
| 2026-05-05 2026 | Google Update: Android Flaw Could Put Billions of Devices at Risk news Mobile | Google has addressed a critical vulnerability in Android that could have affected billions of devices. The flaw, detailed in a recent update, potentially exposed users to significant security risks. While the specific nature of the exploit and its full impact remain underspecified in the provided content, Google's swift patching mitigates the threat. The article highlights Google's ongoing efforts to secure the Android ecosystem. No bounty payout amount is mentioned. |
| 2026-05-05 2026 | Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE news | Writeup of CVE-2026-23918, a critical double-free vulnerability in Apache HTTP Server's HTTP/2 protocol handling that enables denial-of-service and potential remote code execution. Discovered by Bartlomiej Dmitruk and Stanislaw Strzalkowski, the flaw in `mod_http2`'s `h2_mplx.c` allows an attacker to trigger an RCE by exploiting memory reuse with the APR mmap allocator and Apache's scoreboard. Exploitation, while requiring an info leak for system() and scoreboard offsets, is practical on Debian-derived systems and the official httpd Docker image. → thehackernews.com |
| 2026-05-05 2026 | Critical Weaver E-cology RCE Vulnerability Actively Exploited in Attacks news | Critical Weaver E-cology RCE Vulnerability Actively Exploited in Attacks https://ift.tt/HivswZq → cybersecuritynews.com |
| 2026-05-05 2026 | Critical Qualcomm Chipset Vulnerabilities Enables Remote Code Execution news Mobile | Researchers have discovered critical vulnerabilities in Qualcomm chipsets that could allow remote code execution. These flaws, detailed in a linked article, pose a significant security risk, potentially enabling attackers to compromise devices without user interaction. The implications are broad, affecting a wide range of Android devices utilizing these chipsets. The specific impact and exploitability of these vulnerabilities are still being assessed, but the potential for widespread compromise is high. No bug bounty payout amount is mentioned. → cybersecuritynews.com |
| 2026-05-05 2026 | Android Zero-Click RCE Vulnerability Enables Remote Shell Access news Mobile | Reference for CVE-2026-0073, a proximal zero-click RCE vulnerability in Android's Debug Bridge daemon (adbd). This flaw, affecting multiple Android versions, allows attackers on the same local network or within physical proximity to gain remote shell access without user interaction, bypassing application sandboxing. Exploitation requires timely patching, disabling USB debugging, network segmentation, and implementing zero-trust policies. → esecurityplanet.com |
| 2026-05-05 2026 | Unpatched flaws turn Ollama's auto-updater into a persistent RCE vector researchers say news | Writeup of CVE-2026-42248 and CVE-2026-42249, which allow persistent RCE on Ollama for Windows by chaining a path traversal flaw with a non-functional signature verification. Attackers can plant arbitrary executables in the Windows Startup folder by controlling update responses, leading to silent execution on every login. Exploitation requires controlling update infrastructure, redirecting clients, or network interception, with the auto-update feature and Ollama in the Startup folder being default prerequisites. → helpnetsecurity.com |
| 2026-05-05 2026 | Security Audit Finds RCE Risks in 6.2% of MCP Servers news | A recent security audit revealed that 6.2% of Managed Cloud Platform (MCP) servers are vulnerable to Remote Code Execution (RCE) risks. The audit, which focused on identifying exploitable weaknesses, discovered these critical flaws present in a significant portion of the analyzed servers. The specific details of the vulnerabilities and the affected MCP server versions were not disclosed in this brief announcement. No bug bounty payout amounts were mentioned in the provided content. |
| 2026-05-05 2026 | Google Confirms Critical Android 0-Click VulnerabilityUpdate Now news Mobile | Google has confirmed a critical 0-click vulnerability affecting Android devices, urging users to update immediately. This exploit allows attackers to compromise devices without any user interaction. While the article highlights the severity and the need for an update, it **does not mention any specific bug bounty payout amount**. Users should prioritize applying the latest security patches to protect their devices. |
| 2026-05-05 2026 | Critical Apache Bug Enables Remote Code Execution Risk news | Vulnerability writeup detailing CVE-2026-23918, a critical double free memory corruption flaw in Apache HTTP Server version 2.4.66, enabling Remote Code Execution via HTTP/2 handling issues. The article also covers moderate severity vulnerabilities CVE-2026-24072, CVE-2026-28780, CVE-2026-29168, and CVE-2026-29169, patched in version 2.4.67. → sqmagazine.co.uk |
| 2026-05-05 2026 | Linux vulnerability "Copy Fail" is already being attacked news | Library for Linux security exploits CVE-2026-31431, nicknamed "Copy Fail." This vulnerability allows local users to gain root privileges by performing a controlled 4-byte write to the page cache of any readable file system. Proof-of-concept exploit code is available, and attackers are actively misusing it. The vulnerability was discovered with AI assistance and affects most major Linux distributions since 2017. Updates are available. |
| 2026-05-05 2026 | Critical Android Zero-Click Vulnerability Grants Attackers Remote Shell Access news Mobile | A critical Android zero-click vulnerability has been discovered, allowing attackers to gain remote shell access to devices without any user interaction. This means compromised devices can be controlled remotely, potentially leading to data theft, surveillance, or further malware deployment. The severity of this exploit highlights significant security risks for Android users. Further details on the specific vulnerability and its impact are available via the provided link. → cyberpress.org |
| 2026-05-05 2026 | Critical Weaver E-cology RCE Flaw Actively Exploited by Attackers news | A critical Remote Code Execution (RCE) vulnerability in Weaver E-cology is being actively exploited by attackers. The flaw allows unauthorized code execution, posing a significant security risk. While the content highlights the active exploitation and critical nature of the vulnerability, it does not mention any specific bug bounty payout amounts. Organizations using Weaver E-cology should prioritize patching this vulnerability to prevent further compromise. → cyberpress.org |
| 2026-05-05 2026 | Critical Weaver E-cology RCE Exploit Raises Alarm for Enterprise Systems news | A critical Remote Code Execution (RCE) vulnerability has been discovered in Weaver E-cology, a widely used enterprise collaboration platform. This flaw allows attackers to potentially gain unauthorized access and control over sensitive systems. The exploit poses a significant security risk for organizations relying on Weaver E-cology, necessitating urgent patching and security updates to prevent potential breaches and data compromise. Further details on the technical aspects and impact can be found at the provided link. → gbhackers.com |
| 2026-05-05 2026 | MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks news | MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks https://ift.tt/wGPfx1F → thehackernews.com |
| 2026-05-05 2026 | Critical Remote Code Execution Vulnerability Patched in Android news Mobile | Library addressing CVE-2026-0073, a critical Android System vulnerability enabling unauthenticated remote code execution via the Android Debug Bridge daemon. Exploitation does not require user interaction. This critical flaw, impacting the 'adbd' process, allows attackers to execute code as the shell user without further privileges. While no exploits in the wild have been reported for this specific CVE, other Android vulnerabilities like CVE-2024-43093 and CVE-2025-38352 were exploited previously. → securityweek.com |
| 2026-05-05 2026 | Critical High-Severity Vulnerabilities Patched in Apache MINA HTTP Server news | Library updates for Apache MINA and HTTP Server address critical and high-severity vulnerabilities. Apache MINA 2.2.7 and 2.1.12 fix CVE-2026-42778, an incomplete fix for insecure deserialization and RCE, and CVE-2026-42779, an incomplete fix for allowlist bypass and code execution. Apache HTTP Server 2.4.67 resolves CVE-2026-23918 (double-free, RCE), CVE-2026-28780 (heap buffer overflow, RCE), and other issues including CRLF sequence manipulation (CVE-2026-33523) and digest authentication bypass (CVE-2026-33006). → securityweek.com |
| 2026-05-05 2026 | Critical Qualcomm Chip Flaws Could Allow Remote Code Execution Attacks news Mobile | Critical vulnerabilities in Qualcomm chipsets could enable remote code execution (RCE) attacks, allowing attackers to take control of affected devices without user interaction. These flaws, discovered by researchers at Positive Technologies, impact a wide range of devices including smartphones, smartwatches, and IoT devices. The vulnerabilities exist in the modem firmware and could be exploited by sending specially crafted data to the device. While a bounty payout amount is not explicitly stated, Qualcomm has acknowledged the issues and is working on patches. Users are advised to update their device firmware as soon as updates become available. → cyberpress.org |
| 2026-05-05 2026 | MetInfo Weaver E-cology Vulnerabilities in Attackers Crosshairs news | Writeup detailing exploitation of CVE-2026-29014 in MetInfo CMS and CVE-2026-22679 in Weaver E-cology. Both vulnerabilities allow unauthenticated remote code execution (RCE). MetInfo's flaw is a PHP code injection, while Weaver E-cology's stems from exposed debug functionality, enabling attackers to execute arbitrary commands via crafted POST requests and use the debug endpoint as a direct shell for discovery and payload delivery. → securityweek.com |
| 2026-05-05 2026 | Qualcomm Chipset Vulnerabilities Raise Alarm Over Remote Code Execution Risk news Mobile | Qualcomm Chipset Vulnerabilities Raise Alarm Over Remote Code Execution Risk https://ift.tt/SDm65Vh → gbhackers.com |
| 2026-05-05 2026 | Critical Android Zero-Click Vulnerability Enables Remote Shell Access news Mobile | A critical zero-click vulnerability in Android allows attackers to gain remote shell access without user interaction. This flaw, disclosed via a brief article, enables unauthorized control over affected devices. The vulnerability's nature suggests a severe security risk, potentially compromising sensitive data and device functionality. Further details on the exploit's technical aspects and the affected Android versions are not provided in this summary. → gbhackers.com |
| 2026-05-05 2026 | Critical Android Zero-Click Vulnerability Grants Remote Shell Access news Mobile | Critical Android Zero-Click Vulnerability Grants Remote Shell Access https://ift.tt/WMdoOBe → cybersecuritynews.com |
| 2026-05-05 2026 | Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API news API Sec | Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API https://ift.tt/AUFwnIP → thehackernews.com |
| 2026-05-05 2026 | Apache HTTP Server Vulnerability Exposes Millions to Remote Code Execution Threats news | A critical vulnerability has been discovered in the Apache HTTP Server, potentially exposing millions of users to remote code execution (RCE) threats. The vulnerability, identified in specific versions of the widely used web server software, allows attackers to execute arbitrary code on affected systems. This could lead to data breaches, service disruptions, and further compromise of networks. Users are strongly advised to update their Apache HTTP Server installations to the patched versions as soon as possible to mitigate this significant security risk. Further details and mitigation steps are available at the provided link. → gbhackers.com |
| 2026-05-05 2026 | Apache HTTP Server Exposes Millions of Servers to Remote Code Execution Attacks news | Apache HTTP Server, a widely used web server, has a critical vulnerability that could allow attackers to execute remote code. This bug, detailed in a security advisory, affects a significant number of servers globally, potentially exposing millions to attacks. The exact impact and potential for exploitation are still being assessed, but the severity of remote code execution (RCE) vulnerabilities is high. No bug bounty payout amount was mentioned. → cybersecuritynews.com |
| 2026-05-04 2026 | Weaver E-cology critical bug exploited in attacks since March news | Library for Weaver E-cology office automation addressing CVE-2026-22679, a critical unauthenticated remote code execution flaw in versions prior to March 12. Exploited since March, the vulnerability stems from an exposed debug API endpoint allowing attackers to execute system commands via improperly validated user parameters. Attackers leveraged this for discovery commands like `whoami`, `ipconfig`, and `tasklist`, and attempted PowerShell-based payload downloads. The vendor's fix removes the debug endpoint entirely, making upgrades essential. → bleepingcomputer.com |
| 2026-05-04 2026 | Weekly Recap: AI-Powered Phishing Android Spying Tool Linux Exploit GitHub RCE & More news AI Mobile | Library of tools and techniques for application security professionals, detailing active exploitation of a cPanel flaw (CVE-2026-41940) enabling authentication bypass and website wipes, alongside a Linux kernel vulnerability (CVE-2026-31431) for trivial privilege escalation. The recap also covers cybercrime groups using vishing for SaaS environment infiltration, TeamPCP's supply chain attacks across npm, PyPI, and Packagist, a Python backdoor (DEEP#DOOR) for comprehensive data theft, a critical GitHub vulnerability (CVE-2026-3854) allowing remote code execution, and VECT 2.0 ransomware's destructive file wiping. → thehackernews.com |
| 2026-05-04 2026 | Critical Apache MINA Flaws Enable Remote Code Execution Attacks news | Critical Apache MINA Flaws Enable Remote Code Execution Attacks https://ift.tt/8NmERQ7 → cyberpress.org |
| 2026-05-04 2026 | Apache MINA Vulnerabilities Enables Remote Code Execution Attacks news | Apache MINA, a network application framework, has vulnerabilities that can allow for remote code execution. The specific details of these vulnerabilities are not provided in the content, but the title indicates a significant security risk. Attackers could potentially exploit these flaws to gain control of systems running Apache MINA. No bug bounty payout amount is mentioned. → cybersecuritynews.com |
| 2026-05-04 2026 | New Apache MINA Vulnerabilities Open Door to Remote Code Execution Attacks news | New Apache MINA Vulnerabilities Open Door to Remote Code Execution Attacks https://ift.tt/lJo3mVY → gbhackers.com |
| 2026-05-04 2026 | FreeBSD DHCP Client Flaw Allows Remote Code Execution as Root news | FreeBSD DHCP Client Flaw Allows Remote Code Execution as Root https://ift.tt/L7adyUH → cyberpress.org |
| 2026-05-04 2026 | FreeBSD DHCP Client Vulnerability Enables Remote Code Execution as Root news | A critical vulnerability in FreeBSD's DHCP client allows for remote code execution with root privileges. This flaw, discovered by researchers, enables attackers to exploit the client's handling of DHCP packets to gain complete control of a vulnerable system. The specific details of the exploit are available via the provided link. No bounty payout amount is mentioned in the provided content. → cybersecuritynews.com |
| 2026-05-04 2026 | FreeBSD Systems at Risk From DHCP Client RCE Vulnerability news | FreeBSD systems are vulnerable to a critical Remote Code Execution (RCE) bug in their DHCP client. This vulnerability, identified as CVE-2023-27473, allows an attacker on a local network to gain root privileges. The issue arises from improper handling of crafted DHCP responses. FreeBSD has released patched versions of its operating system (FreeBSD 13.2-RELEASE-p2, FreeBSD 13.1-RELEASE-p7, and FreeBSD 12.3-RELEASE-p8) to address this serious security flaw. Users are strongly advised to update their systems immediately to mitigate the risk. → gbhackers.com |
| 2026-05-02 2026 | Cursor AI Flaw Lets Hackers Steal API Keys and Run Code Silently news API Sec Secrets | Library exposing critical security flaws in Cursor AI, including credential theft via unencrypted SQLite databases by malicious extensions and silent code execution through Git hooks exploited by the AI agent. These vulnerabilities, tracked as CVSS 8.2 and CVE-2026-26268, stem from poor extension isolation, insecure credential storage, and AI agent interaction with untrusted repositories, leaving developers at risk of financial loss and unauthorized access. → sqmagazine.co.uk |
| 2026-05-02 2026 | 88% of self-hosted GitHub servers exposed to RCE researchers warn (CVE-2026-3854) news | Writeup detailing CVE-2026-3854, a critical remote code execution vulnerability found in self-hosted GitHub Enterprise Server instances by Wiz researchers. Exploitable via a single git push command by authenticated users, this flaw allows arbitrary command execution on backend servers, potentially granting access to all hosted repositories and internal secrets. GitHub has released patches for supported GitHub Enterprise Server versions and advises reviewing audit logs for signs of exploitation. → helpnetsecurity.com |
| 2026-05-02 2026 | Script Injection and Data Theft: Python Data Analysis Tool Compromised news Python | Writeup of MAL-2026-3083, detailing the compromise of the Python data monitoring tool elementary-data. An attacker exploited script injection in a GitHub Actions workflow to upload a malicious version to PyPI, stealing SSH keys, AWS credentials, API tokens, and cryptocurrency wallet files. The compromised package was active for nearly half a day before being removed. |
| 2026-05-01 2026 | Remote building compromise likely with EnOcean SmartServer bugs news | Analysis of CVE-2026-22885 and CVE-2026-20761 in EnOcean SmartServer identifies critical vulnerabilities allowing remote code execution and security bypasses. Claroty researchers discovered these flaws, which enable attackers to circumvent memory defenses, gain root privileges, and achieve full control over building management and automation systems. Proof-of-concept exploits are available, and affected systems include internet-exposed SmartServer IoT platforms and outdated i.LON devices. → scworld.com |
| 2026-05-01 2026 | Hackers exploit Qinglong vulnerabilities to deploy cryptominers news | Writeup detailing the exploitation of Qinglong task scheduling tool via CVE-2026-3965 and CVE-2026-4047. Attackers are chaining these authentication bypass vulnerabilities in Qinglong versions 2.20.1 and older to achieve remote code execution, leading to the deployment of cryptominers. Exploitation began pre-disclosure, targeting exposed panels and modifying `config.sh` to download multi-architecture miners disguised as hidden processes. While patches were released, initial fixes were insufficient. → scworld.com |
| 2026-05-01 2026 | Critical Wireshark Vulnerabilities Let Attackers Execute Arbitrary Code Via Malformed Packets news | Critical vulnerabilities have been discovered in Wireshark, a popular network protocol analyzer, that could allow attackers to execute arbitrary code on a victim's system. These vulnerabilities stem from the program's handling of malformed packets, meaning specially crafted network data can be used to exploit the flaw. Successful exploitation could lead to complete compromise of the affected system. Users are advised to update Wireshark to the latest version to patch these serious security risks. → cybersecuritynews.com |
| 2026-05-01 2026 | Multiple Wireshark Flaws Allow Remote Code Execution via Malformed Packets news | Multiple vulnerabilities in Wireshark, a popular network protocol analyzer, have been discovered. These flaws allow remote code execution when the software processes specially crafted packets. Attackers could exploit these vulnerabilities by sending malformed data to a Wireshark user, potentially compromising their system without any user interaction. The severity of these issues highlights the importance of keeping Wireshark updated to the latest version to mitigate these security risks. → cyberpress.org |
| 2026-05-01 2026 | "Copy Fail": Linux root in all major distributions with 732 bytes of Python news Python | Writeup of CVE-2026-31431, the "Copy Fail" vulnerability, details a logic error in the Linux kernel allowing local users 4-byte writes to the page cache. A 732-byte Python exploit leverages this to gain root privileges on major distributions like Ubuntu, Amazon Linux, RHEL, and SUSE. The vulnerability, discovered with AI assistance and affecting systems since 2017, involves manipulating setuid binaries and can break container boundaries. Fixes are available, with temporary workarounds including blocking AF_ALG socket creation or blacklisting the algif_aead module. |
| 2026-05-01 2026 | PoC Released for Critical ASUSTOR ADM Root RCE Vulnerability news | A Proof-of-Concept (PoC) has been released for a critical vulnerability in ASUSTOR's ADM (Asustor Data Master) software. This vulnerability allows for Remote Code Execution (RCE) with root privileges, meaning an attacker could gain complete control over an affected ASUSTOR NAS device. The PoC's release indicates that the vulnerability is actively exploitable, posing a significant security risk to users of ASUSTOR products running vulnerable ADM versions. Users are advised to check for and apply any available security updates immediately to mitigate this risk. No bounty payout amount is mentioned. → cyberpress.org |
| 2026-04-30 2026 | Copy Fail: root on virtually any Linux news Python | Copy Fail: root on virtually any Linux https://ift.tt/UQg4Bb8 |
| 2026-04-30 2026 | Google Gemini CLI Flaw Enables Command Execution on Hosts systems news | A critical vulnerability has been discovered in the Google Gemini CLI, allowing attackers to execute arbitrary commands on host systems. This flaw stems from improper sanitization of commands processed by the CLI. Successful exploitation could lead to unauthorized access and control over the affected machines. Further details on the vulnerability and its impact are available via the provided link. → cyberpress.org |
| 2026-04-30 2026 | Google's fix for critical Gemini CLI bug might break your CI/CD pipelines news Supply Chain | Library for securing AI development layers, addressing vulnerabilities in agentic AI and supply chain risks. It discusses techniques for building secure development environments, managing trust in AI agent skills, and mitigating risks associated with AI models like Claude and Gemini. The library also touches upon hardware supply chain turbulence and identity resilience strategies in the context of AI. → theregister.com |
| 2026-04-30 2026 | New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions news Python | A newly discovered Linux vulnerability, dubbed 'Copy Fail', allows attackers to gain root access on major Linux distributions. The flaw resides in the `kernel` copy operations. By exploiting this vulnerability, an unprivileged local user could escalate their privileges to root. This discovery highlights potential security risks within core Linux functionalities and could impact systems using affected kernel versions. No specific payout amount was mentioned in the provided content. → thehackernews.com |
| 2026-04-30 2026 | OpenWrt 23.05 Authenticated Remote Code Execution (RCE) Vulnerability: Risk Analysis Impact and Mitigation (CVE-2025-62526) news | Analysis of CVE-2025-62526, an authenticated RCE vulnerability in OpenWrt 23.05, details how attackers can compromise devices by exploiting flaws in inter-process communication and sandboxing mechanisms, particularly on Lantiq, Intel, and MaxLinear SoCs. Mitigation involves upgrading to OpenWrt 24.10.4, securing credentials, restricting management interface access, and monitoring for unauthorized changes, with historical exploitation of similar flaws by groups like APT41 and Lazarus serving as a precedent. → rescana.com |
| 2026-04-30 2026 | Critical Authenticated Remote Code Execution Vulnerability in JuzaWeb CMS 3.4.2 (CVE-2025-5425) Exploit in the Wild and Mitigation Guidance news | Writeup detailing CVE-2025-5425, a critical authenticated RCE vulnerability in JuzaWeb CMS 3.4.2. This flaw, stemming from broken access control (CWE-266), allows low-privilege users to access the Theme Editor, inject PHP code, and achieve full server compromise. Exploits are publicly available, and exploitation in the wild has been observed. Mitigation involves restricting access to the Theme Editor endpoint and auditing user roles. The vulnerability maps to MITRE ATT&CK techniques T1190 and T1059. → rescana.com |
| 2026-04-30 2026 | Google Gemini CLI Vulnerabilities Allow Attackers to Execute Commands on Host Systems news API Sec | Vulnerabilities discovered in Google's Gemini CLI allow attackers to execute arbitrary commands on host systems. These flaws, detailed in a recent report, pose a significant security risk. The specific bounty payout amount for this discovery is not mentioned in the provided content. → cybersecuritynews.com |
| 2026-04-30 2026 | GitHub rushed to fix a critical vulnerability in less than six hours news | Writeup of a critical remote code execution vulnerability in GitHub's internal git infrastructure, discovered using AI models by Wiz Research. GitHub's security team validated the bug bounty report, reproduced the vulnerability, and deployed a fix to GitHub.com and GitHub Enterprise Server in under six hours. The vulnerability, described as "remarkably easy to exploit" despite its complexity, highlights the emerging role of AI in identifying flaws in closed-source binaries. |
| 2026-04-30 2026 | Qinglong Task Scheduler RCE Vulnerabilities Exploited in the Wild news API Sec | Qinglong Task Scheduler is facing widespread exploitation of Remote Code Execution (RCE) vulnerabilities in the wild. These security flaws allow attackers to gain unauthorized control over systems running the scheduler. Organizations using Qinglong are urged to update to the latest versions and implement immediate security patches to mitigate the risk of compromise. The exploitation of these vulnerabilities highlights the critical need for prompt security updates and diligent monitoring of task scheduling systems. → cybersecuritynews.com |
| 2026-04-30 2026 | Critical Gemini CLI Flaw Enabled Host Code Execution Supply Chain Attacks news Supply Chain | Writeup of the critical Gemini CLI vulnerability (CVE-2024-XXXX, unassigned) discovered by Novee Security, which allowed for host code execution through untrusted agent configurations loaded from workspaces. Attackers could exploit this to steal secrets, gain lateral movement, and conduct supply chain attacks within CI/CD pipelines, bypassing prompt injection. This is distinct from prior research demonstrating hijacking of AI agents like Claude Code Security Review and GitHub Copilot Agent via malicious GitHub comments. → securityweek.com |
| 2026-04-30 2026 | Max-severity RCE flaw found in Google Gemini CLI news | Library update fixes a critical remote code execution (RCE) vulnerability in Google Gemini CLI. Disclosed by Novee Security, this flaw (related to CWE-77 and CWE-78) allowed attackers to inject malicious configurations and execute arbitrary commands on the host system, particularly in CI/CD environments processing untrusted input. Patched versions 0.39.1 and 0.40.0-preview.3, along with the run-gemini-cli GitHub Action fix (v0.1.22), address the vulnerability by removing implicit workspace trust and enforcing stricter tool allowlisting, aligning non-interactive execution with interactive safeguards. → csoonline.com |
| 2026-04-30 2026 | CISA adds ConnectWise Microsoft flaws to KEV catalog news | Catalog of CVE-2024-1708, a ConnectWise ScreenConnect path traversal vulnerability, and CVE-2026-32202, a Microsoft Windows protection mechanism failure. CVE-2024-1708, patched in ScreenConnect version 23.9.8, could be chained with CVE-2024-1709 for remote code execution. CVE-2026-32202, an incomplete patch for CVE-2026-21510 exploited by APT28, allows NTLM relay attacks via SMB connections when rendering malicious LNK files. Both vulnerabilities are now on CISA's Known Exploited Vulnerabilities catalog, requiring patching by May 12, 2026, for federal agencies. → scworld.com |
| 2026-04-30 2026 | ProFTPDs SQL Injection Vulnerability Enables Remote Code Execution Attacks news SQLi | A critical SQL injection vulnerability in ProFTPD, an open-source FTP server, allows attackers to execute arbitrary code remotely. This flaw, identified in version 1.3.5 and potentially affecting older versions, stems from insecure handling of SQL queries. Successful exploitation grants attackers full control over the affected server. Users are strongly advised to update to ProFTPD version 1.3.6 or later, which addresses this severe security risk. → cybersecuritynews.com |
| 2026-04-30 2026 | ProFTPD SQL Injection Flaw Opens Door To Remote Code Execution Attacks news SQLi | A critical SQL injection vulnerability has been discovered in ProFTPD, a popular FTP server. This flaw allows attackers to exploit the server by injecting malicious SQL code through the `mod_sql` module. Successful exploitation can lead to remote code execution, giving attackers full control over affected systems. This poses a significant security risk for servers running ProFTPD with vulnerable configurations. Users are strongly advised to update their ProFTPD installations to the latest version to patch this critical vulnerability. → gbhackers.com |
| 2026-04-30 2026 | Qinglong Vulnerabilities Enable RCE Exploited in Attacks news | Security researchers have identified critical vulnerabilities in the Qinglong system that allow for Remote Code Execution (RCE). These flaws have already been actively exploited in real-world attacks. The nature of the vulnerabilities suggests a significant security risk for users of the Qinglong system. No specific bounty payout amount is mentioned in the provided content. → cyberpress.org |
| 2026-04-30 2026 | Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution news | Google has patched two critical vulnerabilities. One, a CVSS 10 rated Remote Code Execution (RCE) flaw in Gemini CLI CI, allowed attackers to execute arbitrary code. The other, a flaw in Cursor, also enabled code execution. Details were not provided regarding specific bounty payouts for these fixes. → thehackernews.com |
| 2026-04-30 2026 | ProFTPD SQL Injection Flaw Enables Remote Code Execution news SQLi | ProFTPD SQL Injection Flaw Enables Remote Code Execution https://ift.tt/CoblFZy → cyberpress.org |
| 2026-04-30 2026 | GitHub Flaw Enables Remote Code Execution With a Single Git Push news | Writeup detailing CVE-2026-3854, a vulnerability in GitHub's internal git protocol allowing authenticated users to achieve remote code execution. Exploitation leveraged an injection flaw in the X-Stat header, where semicolon-delimited options, unsanitized by GitHub, could override security controls via a "last-write-wins" parsing model. This flaw affected both GitHub.com and GitHub Enterprise Server, potentially leading to repository compromise and server takeover. Mitigation involves upgrading GHES, enforcing least privilege, monitoring git activity, and hardening configurations. → esecurityplanet.com |
| 2026-04-30 2026 | Critical GitHub RCE bug exposed millions of repositories news | Writeup of CVE-2026-3854, a critical RCE vulnerability in GitHub affecting millions of repositories. Exploiting the handling of server-side "git push" operations, specifically the X-STAT component, an authenticated user could execute arbitrary commands via crafted input. This command injection flaw, rated CVSS 8.8, was discoverable using AI-augmented tooling like IDA MCP, and impacted GitHub.com and Enterprise Server, granting full server compromise in self-hosted environments. |
| 2026-04-29 2026 | GitHub vulnerability CVE-2026-3854 allows code execution with a single git push news | Analysis of CVE-2026-3854, a critical GitHub vulnerability allowing remote code execution. This command injection flaw, discovered by Wiz researchers, affects GitHub Enterprise Cloud and Server, enabling attackers with push access to execute arbitrary commands by exploiting unsanitized push option values. The vulnerability, patched by GitHub within two hours, could lead to system compromise and exposure of repositories on GitHub.com, with many instances remaining vulnerable. → scworld.com |
| 2026-04-29 2026 | Hackers exploit RCE flaws in Qinglong task scheduler for cryptomining news | Library for securing the Qinglong open-source task scheduler, addressing CVE-2026-3965 and CVE-2026-4047. These vulnerabilities, stemming from authentication bypass and path traversal flaws in versions 2.20.1 and older, allow for remote code execution. Attackers have been exploiting these issues to deploy cryptominers, disguised by the process name '.fullgc,' on developer servers by injecting shell commands into `config.sh` and downloading binaries from `file.551911.xyz`. → bleepingcomputer.com |
| 2026-04-29 2026 | AI Finds 38 Security Flaws in OpenEMR news AI | An AI security tool, DeepScribe, has identified 38 vulnerabilities in OpenEMR, a popular open-source electronic health record system. These flaws range in severity, with DeepScribe flagging 10 as critical. The company plans to disclose these findings responsibly to OpenEMR's development team. This discovery highlights the potential of AI in uncovering security weaknesses in complex software. The specific bounty payout amount for this discovery is not mentioned. → darkreading.com |
| 2026-04-29 2026 | Hugging Face LeRobot Vulnerability Enables Unauthenticated RCE Attacks news | A critical vulnerability in Hugging Face's LeRobot library allows unauthenticated remote code execution (RCE) attacks. Attackers can exploit this flaw to compromise systems without needing any prior authentication. This could lead to significant security breaches. The report does not mention a specific bug bounty payout amount. → cybersecuritynews.com |
| 2026-04-29 2026 | Critical Cursor Vulnerability Exposes Developer Workstations To Remote Code Execution news | A critical vulnerability has been discovered that allows remote code execution on developer workstations. The flaw, related to cursor handling, poses a significant security risk, enabling attackers to compromise sensitive developer environments. This could lead to widespread data breaches and the theft of proprietary code. Further details are available via the provided link. → cyberpress.org |
| 2026-04-29 2026 | Critical Chrome Vulnerabilities Enables Remote Code Execution Attacks news | Critical vulnerabilities in Google Chrome have been discovered, posing a significant security risk. These flaws allow for remote code execution (RCE) attacks, meaning malicious actors could potentially run unauthorized code on a user's system without their direct interaction. This could lead to data theft, system compromise, or other harmful actions. Users are strongly advised to ensure their Chrome browsers are updated to the latest version to patch these critical security holes and protect themselves from potential exploitation. No specific bounty payout amount was mentioned in the provided content. → cybersecuritynews.com |
| 2026-04-29 2026 | LeRobot Vulnerability Enables Unauthenticated Remote Code Execution news Python | A critical vulnerability in LeRobot has been discovered, allowing unauthenticated remote code execution (RCE). This means an attacker can compromise systems without needing any login credentials. The exploit leverages flaws in the robot's software to gain unauthorized control, posing a significant security risk. Further details on the specific exploit can be found via the provided link. The potential impact includes data breaches, system manipulation, and denial-of-service attacks. → letsdatascience.com |
| 2026-04-29 2026 | GitHub fixes RCE flaw that gave access to millions of private repos news Supply Chain | Writeup of CVE-2026-3854, a critical RCE vulnerability affecting GitHub.com and GitHub Enterprise Server, allowing attackers with push access to gain read/write access to millions of private repositories. The flaw stems from unsanitized user-supplied options during 'git push' operations, enabling arbitrary code execution and potential server compromise. Administrators of GitHub Enterprise Server instances are urged to upgrade immediately, as a significant percentage remain vulnerable. → bleepingcomputer.com |
| 2026-04-29 2026 | Cursor AI Vulnerability Enables Remote Code Execution news AI | A security researcher discovered a critical vulnerability in Cursor AI that allows for remote code execution. This exploit could enable attackers to gain unauthorized access and control over affected systems. The vulnerability's nature suggests a significant security risk, potentially impacting users of the AI platform. Further details regarding the specific exploit mechanism and potential mitigations were not provided in the initial announcement. → letsdatascience.com |
| 2026-04-29 2026 | Critical GitHub RCE bug exposed millions of repositories news Supply Chain | Writeup of CVE-2026-3854, a critical command injection vulnerability in GitHub's Git push processing, specifically within the X-STAT component. This flaw, found by Wiz researchers using AI-augmented tooling, allowed authenticated users to execute arbitrary commands server-side, leading to potential remote code execution and full compromise of GitHub Enterprise Server instances, exposing millions of repositories. Patches were released for GitHub.com and Enterprise Server. → csoonline.com |
| 2026-04-29 2026 | Cursor AI IDE vulnerability allows code execution via hidden Git hooks news Supply Chain | Tool for arbitrary code execution in Cursor AI IDE. CVE-2026-26268, a high-severity vulnerability (CVSS 8.1), leverages hidden Git hooks within nested bare repositories. The Cursor AI agent, when performing tasks like `git checkout`, inadvertently triggers these malicious pre-commit hooks, allowing attackers to execute arbitrary code without user interaction. This exploit targets the autonomous nature of AI agents operating on untrusted code, posing a significant risk to developer machines holding sensitive data. → hackread.com |
| 2026-04-29 2026 | Critical GitHub Vulnerability Exposed Millions of Repositories news Supply Chain | Writeup of CVE-2026-3854, a critical remote code execution flaw in GitHub's internal Git infrastructure. This injection vulnerability allowed authenticated users to execute arbitrary commands on backend servers via a simple `git push` command, potentially compromising millions of repositories on GitHub Enterprise Server and GitHub.com. Wiz researchers discovered the issue, which affected various GitHub Enterprise offerings, and a patch was subsequently released. → securityweek.com |
| 2026-04-29 2026 | GitHub.com and Enterprise Server Vulnerability Allows Remote Code Execution news Supply Chain | A critical vulnerability affecting GitHub.com and GitHub Enterprise Server allows for remote code execution (RCE). This means attackers could potentially run arbitrary code on vulnerable systems without needing prior authentication. The severity of this flaw necessitates prompt patching by affected users. Specific details about exploitation or the impact of the vulnerability are limited, but RCE flaws are generally considered high-risk due to their potential for complete system compromise. → gbhackers.com |
| 2026-04-29 2026 | Critical Google Chrome Flaws Allow Remote Code Execution Exploits news | Google Chrome is facing critical vulnerabilities that could allow for remote code execution. These security flaws, if exploited, could enable attackers to compromise user systems without any interaction required from the user. The severity of these issues highlights the ongoing need for prompt patching and vigilant security practices for web browsers. No specific bounty payout amounts were mentioned in the provided content. → cyberpress.org |
| 2026-04-29 2026 | Mozilla Firefox Multiple Vulnerabilities news | Library of advisories detailing multiple vulnerabilities in Mozilla Firefox. These issues, impacting versions prior to Firefox 150.0.1, Firefox ESR 115.35.1, and Firefox ESR 140.10.1, can lead to remote code execution, security restriction bypass, and information disclosure. Patches are available from the vendor. → hkcert.org |
| 2026-04-29 2026 | GitHub patches critical 'git push' remote code execution bug news | Writeup on a critical vulnerability in GitHub's `git push` command, allowing authenticated users to achieve remote code execution on backend infrastructure. Discovered by Wiz researchers using IDA's MCP server, the flaw exploited GitHub's internal protocol by adding malicious options to the `git push` command. GitHub patched the issue on GitHub.com and released a fix for GitHub Enterprise Server. |
| 2026-04-28 2026 | Major Security Flaw In GitHub Enables Remote Code Execution Across Millions of Repositories news | A significant security vulnerability has been discovered in GitHub that could allow for remote code execution across millions of repositories. This flaw, if exploited, could have widespread implications for developers and organizations relying on GitHub for code hosting and collaboration. The exact impact and potential severity are still being assessed, but the discovery highlights the ongoing challenges in securing large-scale software development platforms. Further details on the vulnerability are expected to be released as the situation unfolds and mitigation efforts are implemented. |
| 2026-04-28 2026 | CVE-2026-3854 GitHub flaw enables remote code execution news | Writeup of CVE-2026-3854, a critical command injection vulnerability in GitHub Enterprise allowing remote code execution. Exploitable via a crafted git push, attackers can inject malicious metadata, bypass sandbox protections, and run arbitrary commands. Wiz researchers reported the flaw, which GitHub fixed with patches for Enterprise Server versions. The vulnerability underscores risks in inter-service communication and sanitization of user-controlled data in complex systems. → securityaffairs.com |
| 2026-04-28 2026 | GitHub RCE Vulnerability: CVE-2026-3854 Breakdown news | Tool for analyzing CVE-2026-3854, a critical RCE vulnerability in GitHub's internal git infrastructure. This flaw, exploitable via a single git push from an authenticated user, allowed arbitrary command execution on GitHub.com's backend servers, potentially exposing millions of repositories. On GitHub Enterprise Server, it granted full server compromise. The analysis details the X-Stat header injection flaw and the exploitation chain involving `rails_env`, `custom_hooks_dir`, and `repo_pre_receive_hooks` fields to bypass sandboxing and achieve remote code execution. → wiz.io |
| 2026-04-28 2026 | Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push news Supply Chain | Writeup of CVE-2026-3854, a critical command injection vulnerability in GitHub.com and GitHub Enterprise Server. Exploitable via a single "git push" command, this flaw allows authenticated users with push access to achieve remote code execution by injecting malicious metadata into internal service headers. Researchers from Wiz demonstrated a technique chaining three injections to bypass sandboxing, redirect hooks, and execute arbitrary commands as the git user, potentially leading to cross-tenant repository exposure on GitHub.com. → thehackernews.com |
| 2026-04-28 2026 | Critical GitHub.com and Enterprise Server RCE Vulnerability Enables Full Server Compromise news Supply Chain | A critical Remote Code Execution (RCE) vulnerability has been discovered in GitHub.com and GitHub Enterprise Server. This flaw allows attackers to achieve full server compromise. The vulnerability's details have been shared via a link, but no specific payout amount for reporting it has been mentioned. This discovery highlights a significant security risk for users and organizations relying on GitHub's platforms. → cybersecuritynews.com |
| 2026-04-28 2026 | Securing the git push pipeline: Responding to a critical remote code execution vulnerability intermediate Supply Chain | Writeup of CVE-2026-3854, a critical remote code execution vulnerability in GitHub's `git push` pipeline. The vulnerability allowed arbitrary command execution on the server by crafting a `git push` command with unsanitized push options that manipulated internal metadata, bypassing sandboxing. GitHub deployed a fix within hours to github.com and released patches for GitHub Enterprise Server, recommending immediate upgrades. The investigation found no evidence of exploitation. → github.blog |
| 2026-04-28 2026 | Hugging Face LeRobot Vulnerability Enables Unauthenticated Remote Code Execution Attacks news Supply Chain | A critical vulnerability, CVE-2024-31586, has been discovered in Hugging Face's LeRobot library. This flaw allows unauthenticated attackers to execute arbitrary code remotely on vulnerable systems. The vulnerability stems from LeRobot's insecure handling of certain files, specifically when unpacking archives. Exploitation is possible without prior authentication. → cyberpress.org |
| 2026-04-28 2026 | Hugging Face LeRobot Flaw Opens Door to Remote Code Execution Attacks news Supply Chain | A critical vulnerability has been discovered in Hugging Face's LeRobot library, potentially allowing remote code execution. The flaw, detailed in a security advisory, enables attackers to exploit the library to gain unauthorized control over systems. This discovery highlights significant security risks for users and developers relying on LeRobot. No specific bounty payout amount was mentioned in the provided content. → gbhackers.com |
| 2026-04-28 2026 | Critical Cursor bug could turn routine Git into RCE news Supply Chain | Library for securing AI-augmented IDEs against RCE vulnerabilities, exemplified by CVE-2026-26268 in Cursor IDE. This flaw, which allowed arbitrary code execution via malicious Git repositories and AI agent interaction with Git hooks and bare repositories, is patched in Cursor version 2.5. The exploit leverages Git's documented features, making detection challenging due to its integration into normal development workflows. → csoonline.com |
| 2026-04-28 2026 | Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE news | Writeup on CVE-2026-25874, a critical unauthenticated RCE vulnerability in Hugging Face's LeRobot platform. The flaw, found in version 0.4.3, stems from unsafe data deserialization using Python's pickle format within the async inference pipeline, allowing attackers to execute arbitrary code via gRPC calls. This impacts the PolicyServer and robot client components, potentially leading to network compromise, data theft, and safety risks. A fix is planned for version 0.6.0. → thehackernews.com |
| 2026-04-28 2026 | Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 news | Writeup on CVE-2026-32202, a Windows Shell spoofing vulnerability actively exploited in the wild. This zero-click flaw, with a CVSS score of 4.3, stems from an incomplete patch for CVE-2026-21510 and allows attackers to steal Net-NTLMv2 hashes via SMB connections. Russian nation-state group APT28 reportedly used it in conjunction with CVE-2026-21513, leveraging malicious LNK files to bypass Microsoft Defender SmartScreen and achieve credential theft. → thehackernews.com |
| 2026-04-27 2026 | Critical Gemini CLI Vulnerability Enables Remote Code Execution Attacks news | A critical vulnerability in the Gemini Command Line Interface (CLI) has been discovered, posing a significant security risk. This flaw allows for Remote Code Execution (RCE) attacks, meaning attackers could potentially run arbitrary code on a user's system without their knowledge or consent. This could lead to data breaches, system compromise, and other malicious activities. Users are strongly advised to update their Gemini CLI to the latest version to patch this vulnerability. → cybersecuritynews.com |
| 2026-04-27 2026 | Nessus Agent Vulnerability on Windows Allows Arbitrary Code Execution as SYSTEM news | A critical vulnerability has been discovered in the Nessus Agent on Windows, allowing for arbitrary code execution with SYSTEM privileges. This means an attacker could potentially gain full control of a vulnerable system. The vulnerability, detailed in the provided link, is significant due to the high level of access it grants. Details regarding specific affected versions or mitigation steps are not provided in this summary. → cyberpress.org |
| 2026-04-27 2026 | Critical Gemini CLI Vulnerability Enables Remote Code Execution Attacks news | A critical vulnerability has been discovered in the Gemini Command Line Interface (CLI) that allows for remote code execution (RCE) attacks. This means attackers could potentially run malicious code on a user's system without their knowledge or consent by exploiting this flaw in the Gemini CLI. Further details about the exploit and its potential impact are available at the provided link. → cyberpress.org |
| 2026-04-27 2026 | PoC Exploit Released for Critical Metabase Enterprise RCE Vulnerability news | A Proof-of-Concept (PoC) exploit has been released for a critical Remote Code Execution (RCE) vulnerability affecting Metabase Enterprise. This vulnerability allows unauthenticated attackers to gain control of affected servers. The release of the PoC significantly increases the risk of exploitation, as it provides a direct method for malicious actors to test and execute attacks. Users of Metabase Enterprise are strongly advised to update their systems immediately to patch this severe security flaw and mitigate potential damage. → cyberpress.org |
| 2026-04-27 2026 | Critical Gemini CLI Flaw Raises Supply Chain Security Concerns news Supply Chain | A critical flaw in the Gemini Command Line Interface (CLI) has been discovered, posing significant supply chain security risks. This vulnerability could allow attackers to compromise systems that use the Gemini CLI. The exact payout amount for the bug bounty is not stated in the provided content. This discovery highlights the ongoing importance of robust security practices within software development pipelines. → gbhackers.com |
| 2026-04-27 2026 | Metabase Enterprise RCE Flaw Now Has Public Proof-of-Concept Exploit news | A critical Remote Code Execution (RCE) vulnerability has been discovered in Metabase Enterprise. A public proof-of-concept (PoC) exploit is now available, meaning attackers can leverage this flaw to compromise Metabase instances. This poses a significant security risk for organizations using the affected enterprise version. Users are strongly advised to update to the latest version to patch this vulnerability. No specific bounty payout amount was mentioned. → gbhackers.com |
| 2026-04-27 2026 | Nessus Agent Vulnerability on Windows Enables Arbitrary Code Execution with SYSTEM Privileges news | A critical vulnerability has been discovered in Nessus Agents on Windows, allowing for arbitrary code execution with SYSTEM privileges. This means an attacker could potentially gain complete control over a vulnerable system. The vulnerability, detailed in a linked report, highlights a significant security risk for organizations using Nessus Agents. No specific bounty payout amount is mentioned in the provided content. → cybersecuritynews.com |
| 2026-04-26 2026 | Anthropic's model context protocol includes a critical remote code execution vulnerability news AI | A critical remote code execution (RCE) vulnerability has been discovered in Anthropic's model context protocol. This flaw allows attackers to execute arbitrary code on a system through the protocol. The specifics of the vulnerability and its potential impact are detailed in the linked article, but no bug bounty payout amount is mentioned. → msn.com |
| 2026-04-24 2026 | Microsofts April Security Update of High-Risk Vulnerability Notice for Multiple Products news | Microsoft's April Security Update addresses high-risk vulnerabilities across multiple products. The notice, detailed in a linked article, highlights critical security flaws requiring immediate attention for users of affected Microsoft software. While the article itself does not specify a bug bounty payout, the update aims to patch these significant security risks to protect users from potential exploitation. → securityboulevard.com |
| 2026-04-24 2026 | Hackers exploit file upload bug in Breeze Cache WordPress plugin news | Library for detecting and preventing arbitrary file uploads, specifically addressing CVE-2026-3844 in the Breeze Cache WordPress plugin. This critical vulnerability, with a severity score of 9.8, allows unauthenticated attackers to achieve remote code execution (RCE) by exploiting a missing file-type validation in the ‘fetch_gravatar_from_remote’ function when the “Host Files Locally - Gravatars” add-on is enabled. Versions up to 2.4.4 are affected. → bleepingcomputer.com |
| 2026-04-24 2026 | Tenable Research Uncovers Remote Code Execution Vulnerability in Microsoft GitHub Repository Exposing CI/CD Pipeline to Unauthorized Code Execution news Supply Chain | Analysis of a critical Remote Code Execution vulnerability (CVSSv4 9.3) in a Microsoft GitHub repository, specifically within its CI/CD workflow using GitHub Actions. Attackers could inject malicious Python code into issue descriptions, triggering automatic execution on the GitHub runner and exfiltrating sensitive secrets like GITHUB_TOKEN, thereby compromising the software supply chain and potentially allowing unauthorized code execution. → cxodigitalpulse.com |
| 2026-04-24 2026 | 20th April Threat Intelligence Report news | Library of threat intelligence covering the week of April 20th, detailing data breaches at Booking.com and McGraw-Hill, supply chain compromise of EssentialPlugin, and Basic-Fit. AI threats include weaponized Claude Code and GPT-4 for government breaches, phishing campaigns impersonating Claude AI, and prompt injection on GitHub agents. Vulnerabilities addressed include Apache ActiveMQ CVE-2026-34197, Splunk CVE-2026-20204, Microsoft Defender CVE-2026-33825, and Windows Task Host CVE-2025-60710. Other intelligence covers brand impersonation phishing, ZionSiphon malware targeting industrial control, Russian C2 infrastructure, and a fake Ledger Live app. |
| 2026-04-23 2026 | Anthropic's model context protocol includes a critical remote code execution vulnerability news | Anthropic's model context protocol includes a critical remote code execution vulnerability https://ift.tt/uJoCxjU → msn.com |
| 2026-04-22 2026 | Mozilla Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities news | Mozilla Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities https://ift.tt/6dEs8aC → gbhackers.com |
| 2026-04-22 2026 | Terrarium Sandbox: Critical Vulnerability Allows Root Code news | Terrarium Sandbox: Critical Vulnerability Allows Root Code https://ift.tt/xt7SA8a → secnews.gr |
| 2026-04-22 2026 | Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities news | Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities https://ift.tt/oKqHTf5 → cyberpress.org |
| 2026-04-22 2026 | Critical SGLang Flaw (CVE-2026-5760) Enables RCE via Malicious AI Models news | Writeup of CVE-2026-5760 in SGLang, a critical flaw enabling remote code execution via malicious AI models. Attackers can craft a GGUF model with a malicious tokenizer.chat_template to exploit an unsandboxed Jinja2 environment, triggering server-side template injection and executing arbitrary Python code. This high-severity vulnerability, requiring no authentication, impacts SGLang deployments serving LLMs. → cxodigitalpulse.com |
| 2026-04-22 2026 | CVE-2025-68454: Craft CMS Twig SSTI RCE Vulnerability news | Writeup detailing CVE-2025-68454, an authenticated Remote Code Execution vulnerability in Craft CMS versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16. Exploitation occurs via Server-Side Template Injection (SSTI) using the Twig map filter in text fields within Settings or the System Messages utility. Attackers with administrative privileges or access to System Messages can achieve arbitrary code execution by crafting malicious Twig payloads. Mitigation involves updating to patched versions 5.8.21 or 4.16.17, disabling allowAdminChanges, and restricting access to sensitive utilities. → sentinelone.com |
| 2026-04-22 2026 | 15,000 Jenkins Servers at Risk from RCE Vulnerability (CVE-2025-53652) news | Analysis of CVE-2025-53652, a critical command injection flaw in the Jenkins Git Parameter plugin, reveals its potential for remote code execution (RCE) on unauthenticated servers. VulnCheck's report details how this vulnerability, present in approximately 15,000 internet-facing Jenkins instances, allows attackers to inject malicious commands. While a patch exists, it can be manually disabled, necessitating detection rules to identify exploitation attempts. → hackread.com |
| 2026-04-22 2026 | React2Shell (CVE-2025-55182): RSC Flight Decoder Remote Code Execution news | Writeup of CVE-2025-55182, a critical RCE in React Server Components (RSC) that affects frameworks like Next.js. Attackers exploit a flaw in the flight protocol decoding, where improperly handled prototype chain lookups allow arbitrary code execution on the server. The vulnerability stems from not checking for own properties during object deserialization. Mitigation involves upgrading React packages, restricting exposure of RSC routes, and deploying IPS/WAF rules to detect malicious multipart payloads. |
| 2026-04-22 2026 | Ivanti EPMM: Another Pre-Auth RCE (CVE-2026-1281 and CVE-2026-1340) news | Writeup on CVE-2026-1281 and CVE-2026-1340 in Ivanti EPMM details pre-authentication remote code execution vulnerabilities. Attackers can exploit these by sending crafted requests to run arbitrary code on unpatched instances, as researchers at WatchTowr discovered. Ivanti has released an RPM patch, but it is removed upon version upgrades, requiring reapplication. These vulnerabilities were actively exploited in the wild before disclosure, and public PoC code increases immediate risk. |
| 2026-04-22 2026 | CVE-2025-57738: Apache Syncope Groovy Injection RCE news | Writeup of CVE-2025-57738, an Apache Syncope Groovy injection vulnerability allowing RCE. Vulnerable versions compile administrator-uploaded Groovy implementations using a bare `GroovyClassLoader`, enabling static initializer blocks to execute arbitrary JVM API commands like `Runtime.exec()` or `ProcessBuilder` with full process privileges. The PoC script `CVE-2025-57738.py` demonstrates this by uploading a malicious class that executes a command and writes output to `/tmp/pwned`. Patched versions implement sandboxing using Jenkins’ Script Security infrastructure to block dangerous API calls. |
| 2026-04-22 2026 | Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain news | Analysis of the Model Context Protocol (MCP) reveals a fundamental design flaw enabling Arbitrary Command Execution (RCE) across its SDK implementations in Python, TypeScript, Java, and Rust. This systemic vulnerability, affecting over 7,000 projects including LiteLLM, LangChain, and Flowise, stems from unsafe defaults in STDIO transport, leading to identified CVEs like CVE-2026-30623 and CVE-2025-49596. The flaw allows attackers to inject commands through various means, including prompt injection and network requests, potentially compromising sensitive data and impacting the AI supply chain, despite Anthropic classifying the behavior as "expected." → thehackernews.com |
| 2026-04-22 2026 | Critical RCE Vulnerability in Anthropic MCP Inspector (CVE-2025-49596) news | Writeup of CVE-2025-49596, a critical RCE in Anthropic's MCP Inspector, details how attackers can exploit default insecure configurations and the 0.0.0.0-day browser vulnerability to execute arbitrary code on a developer's machine. This allows for data theft and network lateral movement, posing a significant risk to AI teams and enterprise adopters. The vulnerability stems from the MCP Inspector's lack of default authorization and its interaction with browser handling of the 0.0.0.0 IP address. |
| 2026-04-22 2026 | CVE-2025-24893: XWiki SSTI Unauthenticated RCE Exploit news | Tool for exploiting CVE-2025-24893 in XWiki, enabling unauthenticated RCE via Server-Side Template Injection. The vulnerability lies in the SolrSearch endpoint, which processes user input through the Groovy template engine without proper sanitization. Attackers can inject malicious Groovy expressions via the `text` query parameter to execute arbitrary commands on the server, with output reflected in the RSS response. The provided Python script facilitates single command execution or interactive shell access. |
| 2026-04-22 2026 | CVE-2026-34197: ActiveMQ RCE via Jolokia API news | Writeup detailing CVE-2026-34197, a remote code execution vulnerability in Apache ActiveMQ Classic. Exploitation leverages the Jolokia API to invoke `addNetworkConnector` with a crafted `vm://` URI, forcing the broker to fetch and execute a remote Spring XML configuration file. This technique, similar to CVE-2023-46604, allows arbitrary OS command execution. The vulnerability is unauthenticated on ActiveMQ versions 6.0.0–6.1.1 due to CVE-2024-32114. |
| 2026-04-22 2026 | Google Antigravity in Crosshairs of Security Researchers Cybercriminals news | Writeup on Google Antigravity vulnerabilities, detailing a sandbox escape flaw allowing arbitrary code execution through insufficient input sanitization during file search operations, which bypasses Secure Mode and can be triggered via indirect prompt injection. Additionally, researchers discovered a fake website distributing a trojanized installer that deploys stealer malware, targeting browser data, cryptocurrency wallets, and employing techniques like clipboard hijacking, keystroke logging, and hidden desktop tradecraft. → securityweek.com |
| 2026-04-22 2026 | Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution Container Escape news | Writeup of CVE-2026-5752, a critical sandbox escape vulnerability in Cohere AI's Terrarium, allowing root code execution via JavaScript prototype chain traversal within the Pyodide WebAssembly environment. This flaw enables attackers with local access to execute arbitrary system commands, access sensitive files like "/etc/passwd," reach other network services, and potentially escape containers. Since the open-source project is unmaintained, mitigations focus on disabling code submission, network segmentation, Web Application Firewall deployment, and rigorous container monitoring. → thehackernews.com |
| 2026-04-22 2026 | Fake SVG puts 750000 websites at risk: hackers can seize the web server news | Fake SVG puts 750,000 websites at risk: hackers can seize the web server https://ift.tt/BwtOzhU → cybernews.com |
| 2026-04-22 2026 | Adobe Acrobat Reader: Prototype pollution vulnerability enables remote code execution news | Writeup of CVE‑2026‑34621, a prototype pollution vulnerability in Adobe Acrobat Reader's JavaScript engine, enabling remote code execution through malicious PDFs. Exploitation involves manipulating object prototypes to inject arbitrary properties, overriding security-critical internal functions. This flaw, affecting Acrobat DC and Reader DC, has been observed in spear-phishing campaigns by financially motivated actors. Adobe has released patches, and interim mitigations include disabling JavaScript and strengthening email security controls. |
| 2026-04-21 2026 | 22 BRIDGE:BREAK Flaws Expose 20000 Lantronix and Silex Serial-to-IP Converters news | Writeup of BRIDGE:BREAK vulnerabilities affecting Lantronix and Silex serial-to-IP converters. Forescout Research Vedere Labs identified 22 flaws, including remote code execution (CVE-2026-32955, CVE-2025-67041), DoS (CVE-2015-5621), authentication bypass (CVE-2026-32960), and device takeover (FSCT-2025-0021), in devices like Lantronix EDS3000PS Series and Silex SD330-AC, potentially allowing attackers to hijack devices and tamper with data. → thehackernews.com |
| 2026-04-21 2026 | Google Fixes Critical RCE Flaw in AI-Based Antigravity Tool news | Google Fixes Critical RCE Flaw in AI-Based Antigravity Tool https://ift.tt/1QOIZsB → darkreading.com |
| 2026-04-21 2026 | Apache Syncope RCE Vulnerability Detailed After Public Exploit Code Release news | Apache Syncope RCE Vulnerability Detailed After Public Exploit Code Release https://ift.tt/hT4dgwi → gbhackers.com |
| 2026-04-21 2026 | Actively exploited Apache ActiveMQ flaw impacts 6400 servers news | Writeup on CVE-2026-34197, a code injection vulnerability in Apache ActiveMQ Classic, impacting over 6,400 exposed servers. Discovered by Horizon3 researcher Naveen Sunkavally, the flaw allows authenticated actors to execute arbitrary code due to improper input validation. Patched in versions 6.2.3 and 5.19.4, this actively exploited vulnerability has been a repeated target, with CISA urging federal agencies to secure their systems. Exploitation indicators include suspicious broker connections with VM transport and the brokerConfig=xbean:http:// parameter. Previous exploited ActiveMQ flaws include CVE-2016-3088 and CVE-2023-46604. → bleepingcomputer.com |
| 2026-04-21 2026 | Tenable Research Uncovers Remote Code Execution Vulnerability in Microsoft GitHub Repository news | Writeup of a critical RCE vulnerability in a Microsoft GitHub repository, discovered by Tenable Research. The flaw, exploitable via Python string injection in issue creation, allows attackers to exfiltrate GITHUB_TOKEN secrets, potentially enabling unauthorized modification of repository content and compromising the software supply chain. This highlights the attack surface presented by CI/CD infrastructure and emphasizes the need for strict security controls, permission reviews, and pipeline monitoring. |
| 2026-04-21 2026 | Hackers Could Weaponize GGUF Models to Achieve RCE on SGLang Inference Servers news | Hackers Could Weaponize GGUF Models to Achieve RCE on SGLang Inference Servers https://ift.tt/UTpIVmw → cyberpress.org |
| 2026-04-21 2026 | Tenable Research Uncovers Remote Code Execution Vulnerability in Microsoft GitHub Repository Exposing CI/CD Pipeline to Unauthorized Code Execution news | Writeup detailing a Remote Code Execution (RCE) vulnerability in a Microsoft GitHub repository affecting CI/CD pipelines. The flaw, a Python string injection within GitHub Actions workflows, allowed attackers to exfiltrate GITHUB_TOKEN secrets by creating a malicious GitHub issue, leading to potential unauthorized code execution and supply chain compromises. Recommendations include implementing strict security controls, reviewing token permissions, and monitoring automated workflows. |
| 2026-04-21 2026 | Critical Anthropics MCP Vulnerability Enables Remote Code Execution Attacks news | Critical Anthropic’s MCP Vulnerability Enables Remote Code Execution Attacks https://ift.tt/NgPh5a6 → cybersecuritynews.com |
| 2026-04-21 2026 | Malicious GGUF Models Could Trigger Remote Code Execution on SGLang Servers news | Malicious GGUF Models Could Trigger Remote Code Execution on SGLang Servers https://ift.tt/tE3rbwk → gbhackers.com |
| 2026-04-21 2026 | SGLang Enables Remote Code Execution via Malicious GGUF Models news | SGLang Enables Remote Code Execution via Malicious GGUF Models https://ift.tt/IRetcHV → letsdatascience.com |
| 2026-04-20 2026 | Critical RCE vulnerability in protobuf.js; Exploit code published news | Library for securing JavaScript applications, detailing GHSA-xq3m-2v4x-88gg, a critical RCE in protobuf.js versions 8.0.0 and 7.5.4. Exploitation involves malicious schemas enabling arbitrary code injection via unsafe dynamic code generation. Endor Labs recommends upgrading protobuf.js to patched versions (8.0.1, 7.5.5), auditing dependencies, treating schema loading as untrusted input, and considering precompiled schemas to mitigate risks. → scworld.com |
| 2026-04-20 2026 | Google Chrome Multiple Vulnerabilities news | Writeup detailing multiple vulnerabilities in Google Chrome, including CVE-2026-6296 through CVE-2026-6364. Exploitation of these weaknesses can lead to remote code execution, denial of service, information disclosure, and security restriction bypass. Affected versions are prior to 147.0.7727.101 on Linux, and prior to 147.0.7727.101/102 on Mac and Windows. Mitigation involves updating to the latest vendor-released versions. → hkcert.org |
| 2026-04-20 2026 | iTerm2 Flaw Abuses SSH Integration Escape Sequences to Turn Text Into Code Execution news | iTerm2 Flaw Abuses SSH Integration Escape Sequences to Turn Text Into Code Execution https://ift.tt/l13PHeM → cyberpress.org |
| 2026-04-20 2026 | SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files news Python | Vulnerability CVE-2026-5760, a critical RCE flaw in SGLang with a CVSS score of 9.8, stems from Jinja2 server-side template injection in GGUF model files loaded via the "/v1/rerank" endpoint. Attackers craft malicious GGUF files with SSTI payloads in the tokenizer.chat_template parameter, leading to arbitrary Python code execution on the SGLang server when the endpoint is accessed. This vulnerability is similar to CVE-2024-34359 and CVE-2025-61620, and mitigation involves using ImmutableSandboxedEnvironment for template rendering. → thehackernews.com |
| 2026-04-20 2026 | Vulnerability exploitation surges often precede disclosure offering possible early warnings news | Vulnerability exploitation surges often precede disclosure, offering possible early warnings https://ift.tt/UAnQyhJ → cybersecuritydive.com |
| 2026-04-20 2026 | 52M-Download protobuf.js Library Hit by RCE in Schema Handling news | Library RCE in protobuf.js, a widely used JavaScript package for Google Cloud and Firebase, allows attackers to execute arbitrary code by manipulating schema file names. The vulnerability, GHSA-xq3m-2v4x-88gg, exploits the `Type.generateConstructor` function's dynamic JavaScript generation, treating type names as executable commands. Versions 8.0.0 and earlier, and 7.5.4 and earlier, are affected. A simple regex replacement in type names mitigates the issue, and users should update to protobuf.js 8.0.1 or 7.5.5 immediately. → hackread.com |
| 2026-04-20 2026 | Critical Vulnerability In Flowise Allows Remote Command Execution Via MCP Adapters news | Critical Vulnerability In Flowise Allows Remote Command Execution Via MCP Adapters https://ift.tt/NBwdZU2 → cybersecuritynews.com |
| 2026-04-20 2026 | Cisco ISE Vulnerabilities Enable Remote Code Execution news | Vulnerabilities in Cisco Identity Services Engine (ISE) and Webex Services enable remote code execution and user impersonation. CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186 affect Cisco ISE, allowing authenticated attackers to execute arbitrary commands and escalate privileges. CVE-2026-20184 impacts Webex Services SSO integration, enabling user impersonation. Patching is essential as no workarounds exist for these critical flaws impacting authentication, collaboration, and network access control systems. → thecyberexpress.com |
| 2026-04-19 2026 | CISA tells feds to patch 13-year-old Apache ActiveMQ bug under active attack news | Reference for CVE-2026-34197, a critical remote code execution vulnerability in Apache ActiveMQ Classic. This 13-year-old flaw, now on CISA's Known Exploited Vulnerabilities catalog, allows authenticated attackers to run arbitrary OS commands via the Jolokia management API. The vulnerability is exacerbated by common default credentials and can be chained with CVE-2024-32114 on certain versions to enable unauthenticated exploitation. Patches are available in ActiveMQ versions 5.19.5 and 6.2.3. → theregister.com |
| 2026-04-19 2026 | CVE-2025-22457: Ivanti Connect Secure VPN Zero-Day RCE news | Writeup of CVE-2025-22457, a zero-day stack-based buffer overflow in Ivanti Connect Secure VPN exploited by UNC5221. This vulnerability allows unauthenticated remote code execution and has been used for data exfiltration and backdoor installation. Urgent patching to the latest fixed version is recommended to mitigate exploitation. → arcticwolf.com |
| 2026-04-19 2026 | Advisory: Actively Exploited Unauthenticated RCE in Ivanti Connect Secure (CVE-2025-0282) news | Advisory for CVE-2025-0282, an unauthenticated RCE vulnerability in Ivanti Connect Secure and other Ivanti products, disclosed January 8, 2025, and actively exploited since mid-December 2024. This stack overflow allows arbitrary code execution. Exploitation tactics include lateral movement and SPAWN malware deployment, with links to previous Ivanti vulnerability campaigns. Ivanti's Integrity Checker Tool and Mandiant IoCs can identify compromise. |
| 2026-04-19 2026 | Command Injection in Jenkins via Git Parameter (CVE-2025-53652) intermediate | Writeup of CVE-2025-53652 in Jenkins, detailing command injection via the Git Parameter plugin. Attackers can exploit unvalidated Git parameters to achieve remote code execution, leveraging Git's GTFObin capabilities to execute arbitrary commands like `sleep` or establish reverse shells. The vulnerability requires a valid session cookie, build name, and Jenkins crumb for exploitation, even in unauthenticated instances. Detection is possible through Suricata rules and analysis of Jenkins job logs. |
| 2026-04-19 2026 | 0xMarcio/cve: Latest CVEs with PoC Exploits intermediate | 0xMarcio/cve: Latest CVEs with PoC Exploits |
| 2026-04-19 2026 | Microsoft WSUS RCE (CVE-2025-59287) Actively Exploited news | Analysis of CVE-2025-59287, a critical unauthenticated RCE in Microsoft WSUS, details its exploitation via unsafe deserialization through the GetCookie() or ReportingWebService endpoints. Observed attack chains involve PowerShell execution, network reconnaissance, and exfiltration to attacker-controlled webhooks. Affected systems include various Windows Server versions with the WSUS role enabled. Temporary mitigations include disabling the WSUS role or blocking ports 8530 and 8531. → unit42.paloaltonetworks.com |
| 2026-04-18 2026 | ShowDoc Vulnerability Patched in 2020 Now Used in Active Server Takeovers news | Writeup detailing CVE-2025-0520, an unrestricted file upload vulnerability in ShowDoc, allowing remote code execution. Exploitable via uploading PHP web shells to servers lacking patches from October 2020 (version 2.8.7), this N-day vulnerability poses a significant risk for systems that remain unupdated, with over 2,000 exposed instances observed globally, primarily in China. → hackread.com |
| 2026-04-18 2026 | Critical flaw in Protobuf library enables JavaScript code execution news | Library vulnerability GHSA-xq3m-2v4x-88gg, a critical RCE flaw in protobuf.js, arises from unsafe dynamic code generation. Attackers can inject arbitrary JavaScript code by supplying malicious schemas, leading to code execution on servers or developer machines. Endor Labs identified the issue, impacting versions 8.0.0/7.5.4 and lower, with patches available in 8.0.1 and 7.5.5. Mitigation involves upgrading, auditing dependencies, and treating schema loading as untrusted input. → bleepingcomputer.com |
| 2026-04-18 2026 | ShowDoc Vulnerability Patched in 2020 Now Used in Active Server Takeovers news | Library detailing CVE-2025-0520, an unrestricted file upload vulnerability in ShowDoc, allowing remote code execution. Patched in ShowDoc 2.8.7 in October 2020, this N-day vulnerability is actively exploited by threat actors targeting global servers, especially those running outdated versions. Defense requires updating to ShowDoc 3.8.1 to prevent compromised infrastructure and further attacks. → hackread.com |
| 2026-04-18 2026 | Critical Cisco ISE Vulnerabilities Let Remote Attackers Execute Malicious Code news | Critical Cisco ISE Vulnerabilities Let Remote Attackers Execute Malicious Code https://ift.tt/w79ePIr → cybersecuritynews.com |
| 2026-04-17 2026 | Multiple attacks weaponizing critical Marimo RCE identified news | Library of techniques weaponizing Marimo RCE (CVE-2026-39987) against deployed applications. Threat actors exploit this critical vulnerability to deploy NKAbuse malware via Hugging Face, execute reverse shells, steal database and .env credentials, and achieve PostgreSQL and Redis server compromise for data enumeration and exfiltration. → scworld.com |
| 2026-04-17 2026 | Apache ActiveMQ RCE bug to CISA list of exploited vulnerabilities news | Writeup detailing CVE-2026-34197, a 13-year-old Apache ActiveMQ RCE vulnerability added to CISA's KEV catalog. Discovered using the Claude AI assistant, this high-severity bug highlights how AI accelerates vulnerability research and weaponization of legacy code. The ActiveMQ flaw, exploitable with default or no credentials in some versions, requires disabling the Jolokia interface or immediate patching to mitigate risks posed by adversaries leveraging AI for rapid code auditing. → scworld.com |
| 2026-04-17 2026 | Marimo Exploits Enable Blockchain Backdoor Spread news | Marimo Exploits Enable Blockchain Backdoor Spread https://ift.tt/vhVgxEe → letsdatascience.com |
| 2026-04-17 2026 | CVE-2026-34197: Apache ActiveMQ Jolokia RCE Vulnerability news | CVE-2026-34197 is an authenticated RCE vulnerability in Apache ActiveMQ Classic stemming from how the Jolokia JMX-HTTP bridge handles management operations. Exploitation involves an attacker invoking operations like `addNetworkConnector` with a crafted `brokerConfig` parameter, forcing the broker to load and execute a remote Spring XML configuration file, leading to code execution within the broker JVM. This long-standing behavior, present for nearly 13 years, can be exacerbated by CVE-2024-32114, making it unauthenticated RCE. → securityboulevard.com |
| 2026-04-17 2026 | PoC Exploit Released for FortiSandbox Vulnerability that Allows attacker to execute commands news | PoC Exploit Released for FortiSandbox Vulnerability that Allows attacker to execute commands https://ift.tt/Cld3i9q → cyberpress.org |
| 2026-04-17 2026 | Hugging Face Abused To Spread Blockchain-Based Backdoor In CVE-2026-39987 Attacks news | Hugging Face Abused To Spread Blockchain-Based Backdoor In CVE-2026-39987 Attacks https://ift.tt/QZjdzEJ → cyberpress.org |
| 2026-04-17 2026 | U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog news | Writeup of CVE-2026-34197, a critical flaw in Apache ActiveMQ Classic impacting versions prior to 5.19.4 and 6.2.3. This vulnerability, caused by improper input validation and unsafe code execution, allows authenticated attackers to achieve remote code execution by exploiting the Jolokia JMX-HTTP bridge. The flaw leverages a crafted discovery URI to force the broker to load a malicious remote Spring XML configuration, enabling arbitrary code execution through bean factory methods like `Runtime.exec()`. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating remediation for federal agencies. → securityaffairs.com |
| 2026-04-17 2026 | Microsoft and Adobe Patch Tuesday April 2026 Security Update Review news | Analysis of April 2026 Patch Tuesday updates from Microsoft and Adobe reveals 163 vulnerabilities addressed by Microsoft, including eight critical-severity issues and two zero-days: an access-control flaw in Windows Defender and an input validation flaw in Microsoft Office SharePoint, both actively exploited. Adobe patched 56 vulnerabilities across various products, with 38 critical. Notable Microsoft issues include use-after-free flaws in Remote Desktop Client and Microsoft Office, and race conditions in Windows Active Directory and TCP/IP, enabling remote code execution or privilege escalation. |
| 2026-04-17 2026 | Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation news | Writeup detailing CVE-2026-34197, a critical Apache ActiveMQ Classic vulnerability allowing code injection via the Jolokia API. This flaw, actively exploited and added to CISA's KEV catalog, has been present for 13 years and is exacerbated by CVE-2024-32114 on certain versions, enabling unauthenticated RCE. Horizon3.ai and SAFE Security highlight its exploitation targeting exposed management endpoints, with Fortinet noting dozens of attempts. Upgrading to versions 5.19.4 or 6.2.3 is recommended. → thehackernews.com |
| 2026-04-16 2026 | Empirical Study on RCE in ML Model Hosting Ecosystems advanced | Survey of Remote Code Execution risks in ML model hosting ecosystems, analyzing custom code execution on platforms like Hugging Face and ModelScope. The study employs static analysis tools Bandit, CodeQL, and Semgrep, alongside YARA for pattern detection, to identify vulnerabilities. It also examines platform security mechanisms and developer discussions to understand perceptions, revealing widespread unsafe defaults and developer confusion about executing remote code. → arxiv.org |
| 2026-04-16 2026 | Method Confusion in Go SSTIs Lead to File Read and RCE advanced | Library for researching Go Server-Side Template Injection (SSTI) vulnerabilities, focusing on method confusion within the `html/template` module. This library demonstrates how to achieve arbitrary file reads and Remote Code Execution (RCE) by leveraging exported methods of rendered objects, such as the `Secret` method for command execution or the `File` method from the `echo` framework for local file disclosure. → onsecurity.io |
| 2026-04-16 2026 | SmarterTools SmarterMail Pre-Auth RCE (CVE-2025-52691) news | Writeup of CVE-2025-52691, a pre-authentication remote code execution vulnerability in SmarterTools SmarterMail. This analysis details how an unauthenticated file upload endpoint, which accepts a JSON-deserializable `contextData` parameter, allows an attacker to control a `guid` property. The patched build 9413 introduces GUID validation, suggesting its exploitation was previously possible by manipulating this field during upload processing, as detailed by Mr Chua Meng Han from CSIT. |
| 2026-04-16 2026 | Dissecting and Exploiting CVE-2025-62507: RCE in Redis intermediate | Writeup of CVE-2025-62507, a stack buffer overflow in Redis's XACKDEL command, details how an attacker can trigger this vulnerability by providing an excessive number of stream IDs. This overflow allows for overwriting the return address on the stack, potentially leading to remote code execution, especially in unauthenticated Redis instances. The analysis demonstrates exploiting this flaw by crashing the server with carefully crafted commands, revealing the path to weaponized exploits. |
| 2026-04-16 2026 | Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120) intermediate | Writeup detailing CVE-2025-23120, a domain-level RCE in Veeam Backup & Replication. This vulnerability arises from a flawed blacklist-based deserialization mechanism, allowing domain users to achieve SYSTEM privileges on the Veeam server. The attack leverages the .NET Remoting Channel and a specific class, `Veeam.Backup.Model.CDbCryptoKeyInfo`, which ultimately leads to inner deserialization with a blacklist. This writeup follows previous research on CVE-2024-40711, also in Veeam, highlighting the persistent issues with blacklist-based security. |
| 2026-04-16 2026 | Exploitation Walkthrough - Ivanti Connect Secure RCE (CVE-2025-0282) intermediate | Walkthrough of CVE-2025-0282 in Ivanti Connect Secure, detailing a stack-based buffer overflow in the `ift_handle_1` function. Exploitation involves crafting a malicious `clientCapabilities` block exceeding 256 bytes to trigger an out-of-bounds write. While direct return address overwriting is complicated by a preceding `free()` call on `object_to_be_freed`, an alternative exploitation path leverages a virtual function call at offset 0x48 within `a1`. |
| 2026-04-16 2026 | React2Shell Deep Dive: CVE-2025-55182 Exploit Mechanics advanced | Library detailing CVE-2025-55182, dubbed "React2Shell," a critical RCE vulnerability in React Server Components. This library breaks down the exploit mechanics, including improper input deserialization and gadget chains, and analyzes in-the-wild attacks observed by Wiz. These attacks range from opportunistic cryptomining and credential harvesting to sophisticated cloud backdoors leveraging Node.js for fileless persistence and Sliver implants for long-term access. The vulnerability has broader implications beyond Next.js, affecting frameworks like Waku and Vite with RSC plugins. → wiz.io |
| 2026-04-16 2026 | Remote Code Execution in Ghost CMS (CVE-2026-29053) intermediate | Writeup on CVE-2026-29053, a remote code execution vulnerability in Ghost CMS versions 0.7.2 through 6.19.0. The flaw arises from unsafe expression evaluation within the theming system, where specially crafted themes can exploit a dependency chain involving the `jsonpath` and `static-eval` libraries. Exploitation requires an administrator to upload and activate a malicious theme, leading to arbitrary JavaScript execution on the server during page rendering, potentially impacting supply-chain trust and admin-targeted deception. |
| 2026-04-16 2026 | Ni8mare: Unauthenticated Remote Code Execution in n8n (CVE-2026-21858) intermediate | Writeup of CVE-2026-21858, an unauthenticated remote code execution vulnerability in n8n discovered due to a Content-Type confusion bug. Attackers can exploit this flaw by crafting a malicious request that manipulates the `req.body.files` object, allowing them to read arbitrary local files and achieve full takeover of n8n instances. This issue impacts over 100,000 servers globally and has a CVSS score of 10.0. Users should upgrade to n8n version 1.121.0 or later for remediation. |
| 2026-04-16 2026 | Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face news | Writeup detailing the exploitation of Marimo CVE-2026-39987, which allows remote code execution and deployment of NKAbuse malware. Attackers leverage Hugging Face Spaces, posing as legitimate AI tools, to host dropper scripts and malware binaries. The payload, a variant of NKAbuse, functions as a remote access trojan with capabilities for shell command execution and data exfiltration, including credential theft from environment variables and Redis servers. Exploitation has increased in volume and tactics, with affected users urged to upgrade Marimo to version 0.23.0 or later, or block external access to the `/terminal/ws` endpoint. → bleepingcomputer.com |
| 2026-04-16 2026 | Windows Active Directory Vulnerability Allow Attackers to Execute Malicious Code news | Windows Active Directory Vulnerability Allow Attackers to Execute Malicious Code https://ift.tt/MaeJ2jN → cybersecuritynews.com |
| 2026-04-16 2026 | Windows IKE Service Extensions Vulnerability Enables Remote Code Execution (CVE-2026-33824) news | Writeup of CVE-2026-33824, a critical remote code execution vulnerability in Windows IKE Service Extensions. This memory management error, a double free condition, allows unauthenticated network-based exploitation via UDP ports 500 and 4500. Affecting multiple Windows versions, it enables attackers to gain system control, particularly impacting VPN infrastructure and exposing internal networks. Microsoft released updates in April 2026 to address this issue. → securityboulevard.com |
| 2026-04-16 2026 | ThreatsDay Bulletin: 17-Year-Old Excel RCEDefender 0-DaySonicWall Brute-Force and 15 More Stories news | Library of recent application security vulnerabilities, including a 17-year-old Microsoft Office Excel RCE (CVE-2009-0238), a new Microsoft Defender privilege escalation zero-day (RedSun) and DoS exploit (UnDefend), a targeted cryptocurrency wallet breach via AI social engineering against Zerion, and a fake Ledger app on the Apple App Store that stole $9.5 million. It also covers a new ransomware strain (JanaWare) targeting Turkey, the uncovering of stealthy C2 frameworks (ObsidianStrike, ArchangelC2), and updates to Raspberry Pi OS disabling passwordless sudo by default. → thehackernews.com |
| 2026-04-16 2026 | Splunk Enterprise Update Patches Code Execution Vulnerability news | Update for Splunk Enterprise addresses CVE-2026-20204, a high-severity flaw allowing low-privileged users to achieve remote code execution via temporary file handling issues. It also patches medium-severity vulnerabilities in Splunk Enterprise and Cloud Platform related to username formatting and Data Model Acceleration control. Additionally, CVE-2026-20205 in MCP Server, a high-severity vulnerability allowing authenticated attackers to view clear-text user sessions and tokens, is fixed in MCP Server app version 1.0.3. Patches for third-party packages across various Splunk products are also included. → securityweek.com |
| 2026-04-16 2026 | Splunk Enterprise and Cloud Platform Vulnerability Enables Remote Code Execution Attacks news | Splunk Enterprise and Cloud Platform Vulnerability Enables Remote Code Execution Attacks https://ift.tt/CABqpw7 → cybersecuritynews.com |
| 2026-04-16 2026 | Weekly Vulnerability Report: Azure AI Spring AI Fortinet Bugs news | Report detailing 1,431 vulnerabilities this week, including 270+ with public PoCs and 3 on underground forums. Highlights include CVE-2026-32213 in Azure AI Foundry, CVE-2026-35022 in Claude Code CLI, CVE-2026-22738 in Spring AI, CVE-2026-4631 in Cockpit, and CVE-2026-35616 in Fortinet FortiClient EMS. Also covers ICS vulnerabilities from Siemens, Hitachi Energy, and Yokogawa. |
| 2026-04-16 2026 | Cisco Patches Four Critical Identity Services Webex Flaws Enabling Code Execution news | Writeup detailing Cisco's patching of four critical vulnerabilities in Identity Services and Webex Services. CVE-2026-20184, a critical improper certificate validation flaw in Webex SSO, allows unauthenticated user impersonation. CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186 are insufficient input validation flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), enabling authenticated remote code execution and arbitrary command execution with administrative or read-only credentials respectively. → thehackernews.com |
| 2026-04-16 2026 | Splunk Enterprise and Cloud Platform Exposed to Dangerous RCE Vulnerability news | Splunk Enterprise and Cloud Platform Exposed to Dangerous RCE Vulnerability https://ift.tt/0zW71Ld → gbhackers.com |
| 2026-04-16 2026 | Critical Cisco ISE Vulnerabilities Let Remote Attackers Execute Malicious Code news | Critical Cisco ISE Vulnerabilities Let Remote Attackers Execute Malicious Code https://ift.tt/m7TKb1e → cyberpress.org |
| 2026-04-16 2026 | Critical Chrome Vulnerabilities Let Attackers Execute Arbitrary Code news | Critical Chrome Vulnerabilities Let Attackers Execute Arbitrary Code https://ift.tt/BcJYMZS → cyberpress.org |
| 2026-04-15 2026 | Windows Active Directory Flaw Opens Door to Malicious Code Execution news | Windows Active Directory Flaw Opens Door to Malicious Code Execution https://ift.tt/6sieTME → gbhackers.com |
| 2026-04-15 2026 | Adobe Acrobat Reader vulnerability trapped PDFs and prepress workflow security news | Writeup of CVE-2026-34621, a vulnerability in Adobe Acrobat Reader exploiting internal APIs like `util.readFileIntoStream` and `RSS.addFeed` to achieve remote code execution and sandbox bypass. This flaw allowed attackers to exfiltrate local files and gain elevated privileges on prepress workstations, posing a significant risk to production data and connected systems. The vulnerability remained unpatched for months, highlighting workflow security challenges in the graphic arts industry. |
| 2026-04-15 2026 | Microsoft fixes 167 security flaws in April second biggest Patch Tuesday ever news | Analysis of Microsoft's April Patch Tuesday, the second-largest security update ever, reveals fixes for 167 vulnerabilities across Windows, Office, and cloud services. Eight critical flaws include actively exploited zero-days in SharePoint Server (CVE-2026-32201) and Office, with some Office RCE vulnerabilities (e.g., CVE-2026-33114) exploitable via preview panes. Other critical issues affect the TCP/IP stack (CVE-2026-33827), Internet Key Exchange (CVE-2026-33824), Remote Desktop Client (CVE-2026-32157), Active Directory (CVE-2026-33826), and .NET Framework DoS (CVE-2026-23666). Additionally, an Elevation of Privilege vulnerability in Defender (CVE-2026-33825) was known pre-patch. |
| 2026-04-15 2026 | Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day news | Writeup of Microsoft's April 2026 Patch Tuesday, which fixed 165 vulnerabilities, including an actively exploited SharePoint zero-day, CVE-2026-32201. This critical spoofing vulnerability, likely an XSS flaw, allowed attackers to view or modify sensitive information. Security experts urge rapid patching, noting the release's large size and potential impact on organizations with internet-facing SharePoint servers. → securityaffairs.com |
| 2026-04-15 2026 | April Patch Tuesday Fixes Critical Flaws Across SAP Adobe Microsoft Fortinet and More news | Reference detailing critical vulnerabilities patched in April's Patch Tuesday, including an SQL injection in SAP Business Planning and Consolidation (CVE-2026-27681), a remotely exploitable code execution in Adobe Acrobat Reader (CVE-2026-34621), and path traversal flaws in FortiSandbox (CVE-2026-39813, CVE-2026-39808). It also mentions a spoofing vulnerability in Microsoft SharePoint Server (CVE-2026-32201) and numerous other patches from vendors like ABB, AWS, Apple, Cisco, and Linux distributions. → thehackernews.com |
| 2026-04-15 2026 | Critical nginx-ui Vulnerability CVE-2026-33032 Allows Unauthenticated Nginx Takeover news | Writeup of CVE-2026-33032, an authentication bypass vulnerability in nginx-ui. This flaw, codenamed MCPwn, allows unauthenticated attackers to seize control of Nginx services by exploiting the /mcp_message endpoint, which bypasses authentication while only enforcing IP whitelisting. Attackers can gain session IDs by leveraging a separate vulnerability (CVE-2026-27944) to decrypt backups and extract sensitive data, including "node_secret" credentials. Exploitation can lead to restarting Nginx, modifying configuration files, and intercepting traffic. The vulnerability is patched in nginx-ui version 2.3.4. → thehackernews.com |
| 2026-04-15 2026 | Microsoft Patch Tuesday: April 2026 news | Microsoft Patch Tuesday: April 2026 https://ift.tt/qU7sl6p → arcticwolf.com |
| 2026-04-15 2026 | Zero Day Initiative The April 2026 Security Update Review news | Reference detailing April 2026 security updates from Adobe and Microsoft, covering 61 CVEs in Adobe products like Acrobat Reader and ColdFusion, and 163 CVEs in Microsoft products including Windows, Office, and Azure. Highlights actively exploited vulnerabilities such as CVE-2026-32201 (SharePoint Server Spoofing), CVE-2026-33825 (Microsoft Defender Elevation of Privilege), CVE-2026-33827 (Windows TCP/IP RCE), and CVE-2026-33824 (Windows IKE Service RCE). Also notes critical vulnerabilities in Office, .NET, SQL Server, and Hyper-V, alongside numerous Elevation of Privilege and sandbox escape bugs. |
| 2026-04-15 2026 | Windows Active Directory Vulnerability Allows Attackers to Execute Malicious Code news | Windows Active Directory Vulnerability Allows Attackers to Execute Malicious Code https://ift.tt/wBTSFR1 → cyberpress.org |
| 2026-04-15 2026 | Microsoft April 2026 Patch Tuesday Fixes 167 Flaws 2 Zero-Days news | Library of Microsoft's April 2026 Patch Tuesday fixes details 167 vulnerabilities, including an actively exploited SharePoint zero-day (CVE-2026-32201) and a Defender privilege escalation zero-day (CVE-2026-33825) found using the Diffract fuzzing tool. This release also addresses remote code execution bugs in Office, particularly those exploitable via document preview, and high-severity flaws in products like Remote Desktop Client. |
| 2026-04-15 2026 | Fortinet Patches Critical FortiSandbox Vulnerabilities news | Library advisories detail critical vulnerabilities patched by Fortinet, including CVE-2026-39813 for FortiSandbox JRPC API authentication bypass and CVE-2026-39808 for FortiSandbox OS command injection, both exploitable via HTTP requests without authentication. Additionally, CVE-2026-22828, a high-severity buffer overflow in FortiAnalyzer Cloud, was patched, alongside SQL injection bugs in FortiDDoS-F and FortiClientEMS, and various medium- and low-severity issues across other Fortinet products. → securityweek.com |
| 2026-04-15 2026 | Microsoft Issues Patches for SharePoint Zero-Day and 168 Other Vulnerabilities news | Library of Microsoft patches addressing 169 vulnerabilities, including zero-day CVE-2026-32201 impacting SharePoint Server, a privilege escalation flaw in Microsoft Defender (CVE-2026-33825) known as BlueHammer, and a critical remote code execution vulnerability in Windows Internet Key Exchange (CVE-2026-33824). The release also included CVEs impacting AMD, Node.js, Windows Secure Boot, and Git for Windows. → thehackernews.com |
| 2026-04-15 2026 | Microsoft Patch Tuesday April 2026 Fixes 167 Bugs news | Updates detail Microsoft's April 2026 Patch Tuesday, addressing 167 vulnerabilities. This includes two zero-days: an actively exploited SharePoint Server spoofing flaw and CVE-2026-33825 in Microsoft Defender, allowing SYSTEM-level privilege escalation. Critical fixes address RCE and DoS issues in .NET Framework (CVE-2026-23666), Remote Desktop Client (CVE-2026-32157), Microsoft Office (e.g., CVE-2026-32190), Windows IKE extension (CVE-2026-33824), Active Directory (CVE-2026-33826), and Windows TCP/IP (CVE-2026-33827). → thecyberexpress.com |
| 2026-04-15 2026 | Adobe Acrobat flaw enables remote execution via malicious PDFs news | Writeup of CVE-2026-34621, a zero-day vulnerability in Adobe Acrobat and Acrobat Reader that enabled remote code execution through malicious PDFs. Actively exploited for months, the flaw allowed attackers to compromise systems, steal data, and prepare further attacks. Discovered by Haifei Li, the vulnerability affected the handling of internal program objects. Adobe released an emergency update, and users are urged to patch immediately and exercise caution with untrusted PDFs. |
| 2026-04-15 2026 | Adobe Acrobat Remote Code Execution Vulnerability news | Writeup detailing CVE-2026-34621, a high-risk Adobe Acrobat remote code execution vulnerability. Exploitation requires user interaction, typically by opening a malicious file, and leads to arbitrary code execution via Prototype Pollution. Affected versions include Acrobat DC, Acrobat Reader DC, and Acrobat 2024, with patches available for update. → hkcert.org |
| 2026-04-15 2026 | Critical ShowDoc RCE Vulnerability Active Exploited in the Wild news | Critical ShowDoc RCE Vulnerability Active Exploited in the Wild https://ift.tt/16vB7tb → cybersecuritynews.com |
| 2026-04-14 2026 | ShowDoc vulnerability actively exploited news | Library for detecting CVE-2025-0520, an unrestricted file upload vulnerability in ShowDoc versions prior to 2.8.7. This critical flaw, with a CVSS score of 9.4, allows attackers to achieve remote code execution by uploading web shells due to improper file extension validation. Active exploitation in the wild, targeting a U.S.-based honeypot, highlights the ongoing risk posed by this N-day vulnerability. → scworld.com |
| 2026-04-14 2026 | Microsoft Patch Tuesday April 2026 168 Vulnerabilities Fixed Including Actively Exploited 0-day news | Microsoft Patch Tuesday April 2026 – 168 Vulnerabilities Fixed, Including Actively Exploited 0-day https://ift.tt/TbdJPtY → cybersecuritynews.com |
| 2026-04-14 2026 | Microsoft Patch Tuesday for April 2026 - Snort Rule and Prominent Vulnerabilities news | Snort rules detect exploitation attempts for Microsoft's April 2026 Patch Tuesday, which includes 165 vulnerabilities. Critical issues addressed by the rules include CVE-2026-23666 (.NET DoS), CVE-2026-33824 (Windows IKE RCE), CVE-2026-33826 (Active Directory RCE), and CVE-2026-33827 (Windows TCP/IP RCE). The update also covers several "more likely" to be exploited important vulnerabilities, such as CVE-2026-0390 (UEFI Secure Boot bypass) and CVE-2026-32201 (SharePoint spoofing). → blog.talosintelligence.com |
| 2026-04-14 2026 | Microsofts April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201) news | Reference of Microsoft's April 2026 Patch Tuesday, addressing 163 CVEs including critical vulnerabilities like CVE-2026-33824 in Windows IKE Service Extensions and CVE-2026-33826 in Windows Active Directory. This release also features patches for zero-day exploits, such as CVE-2026-32201 affecting Microsoft SharePoint Server and the publicly disclosed BlueHammer exploit targeting Microsoft Defender (CVE-2026-33825). Elevation of privilege vulnerabilities constitute the largest portion of this update, followed by information disclosure and remote code execution flaws. → securityboulevard.com |
| 2026-04-14 2026 | Microsoft April 2026 Patch Tuesday Fixes 160 Vulnerabilities Including 2 Zero-Day Flaws news | Microsoft April 2026 Patch Tuesday Fixes 160+ Vulnerabilities, Including 2 Zero-Day Flaws https://ift.tt/YKfCdMi |
| 2026-04-14 2026 | Microsoft April 2026 Patch Tuesday fixes 167 flaws 2 zero-days news | Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days https://ift.tt/nLAl5mZ → bleepingcomputer.com |
| 2026-04-14 2026 | Critical FortiSandbox Vulnerabilities Allow Attackers to Execute Unauthorized Commands news | Critical FortiSandbox Vulnerabilities Allow Attackers to Execute Unauthorized Commands https://ift.tt/36oOGsb → cybersecuritynews.com |
| 2026-04-14 2026 | Adobe patched zero day in Acrobat that allowed remote code execution news | Writeup detailing CVE-2026-34621, an Adobe Acrobat zero-day vulnerability patched by Adobe. This flaw allowed for remote code execution, enabling malware installation on Windows and macOS through maliciously crafted PDF files. The vulnerability, exploited in the wild for at least four months, could grant attackers full control over a victim's system and facilitate data theft across Acrobat DC, Reader DC, and Acrobat 2024. |
| 2026-04-14 2026 | Critical ShowDoc RCE Vulnerability Actively Exploited in the Wild news | Critical ShowDoc RCE Vulnerability Actively Exploited in the Wild https://ift.tt/ug84a6E → cyberpress.org |
| 2026-04-14 2026 | Hackers Exploit Critical ShowDoc RCE Flaw in Ongoing Attacks news | Hackers Exploit Critical ShowDoc RCE Flaw in Ongoing Attacks https://ift.tt/ZcO3Y8e → gbhackers.com |
| 2026-04-14 2026 | Kali Forms Vulnerability Enables Remote Code Execution RCE news | Writeup of Kali Forms RCE vulnerability in a popular WordPress plugin, allowing unauthenticated attackers to execute arbitrary PHP code via manipulated form submission data. Exploiting a flaw in the `prepare_post_data()` and `_save_data()` functions, attackers can overwrite internal placeholders used in `call_user_func()` to achieve remote code execution, with observed attacks including authentication bypass using `wp_set_auth_cookie`. The vulnerability, fixed in version 2.4.10, saw immediate exploitation following public disclosure. → thecyberexpress.com |
| 2026-04-14 2026 | ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers news | Writeup of CVE-2025-0520, a critical ShowDoc RCE flaw with CVSS 9.4, actively exploited due to unrestricted file upload via improper extension validation. Attackers can upload PHP web shells to execute arbitrary code on unpatched servers running versions before 2.8.7, demonstrating the exploitation of N-day vulnerabilities. → thehackernews.com |
| 2026-04-14 2026 | CISA Adds 6 Known Exploited Flaws in Fortinet Microsoft and Adobe Software news | Survey of CISA's Known Exploited Vulnerabilities (KEV) catalog, detailing six critical flaws actively exploited in the wild. This includes an SQL injection in Fortinet FortiClient EMS (CVE-2026-21643), use-after-free in Adobe Acrobat Reader (CVE-2020-9715), privilege escalation via Windows CLFS driver (CVE-2023-36424), deserialization vulnerability in Microsoft Exchange Server (CVE-2023-21529), local privilege elevation in Host Process for Windows Tasks (CVE-2025-60710), and insecure library loading in Microsoft VBA (CVE-2012-1854). → thehackernews.com |
| 2026-04-14 2026 | Cisco warns of critical IMC vulnerabilities ironically the server manager itself has become a point of entry news | Advisories detail critical Cisco IMC vulnerabilities including CVE-2026-20093, an authentication bypass allowing remote admin access, and CVE-2026-20094 through CVE-2026-20097, enabling command injection and RCE with root privileges, even for read-only users. These issues highlight the risk of neglecting "internal" management interfaces like IMC, BMC, iLO, and iDRAC, which can serve as prime entry points into data center environments. |
| 2026-04-13 2026 | Seven IBM WebSphere Liberty flaws can be chained into full takeover news | Writeup on seven IBM WebSphere Liberty flaws, including CVE-2026-1561 for pre-authentication RCE via SAML Web SSO, CVE-2025-14915 for privilege escalation via AdminCenter, and others related to hardcoded keys and insecure archive extraction, that can be chained for full server compromise and remote code execution. → csoonline.com |
| 2026-04-13 2026 | Marimo vulnerability exploited within hours of disclosure news | Library CVE-2026-39987, a critical RCE in Marimo versions prior to 0.23.0, was exploited within hours of its disclosure. Attackers gained a PTY shell and executed arbitrary commands by exploiting missing authentication on the terminal WebSocket endpoint, demonstrating rapid weaponization of internet-facing vulnerabilities. → scworld.com |
| 2026-04-13 2026 | Marimo RCE Vulnerability Exploited in the Within 10 Hours of Disclosure news | Marimo RCE Vulnerability Exploited in the Within 10 Hours of Disclosure https://ift.tt/LEjUohx → cybersecuritynews.com |
| 2026-04-13 2026 | Critical Axios Vulnerability Allows Remote Code Execution news | Critical Axios Vulnerability Allows Remote Code Execution https://ift.tt/W2I8efr → cybersecuritynews.com |
| 2026-04-13 2026 | Critical Axios Vulnerability Enables Remote Code Execution PoC Released news | Critical Axios Vulnerability Enables Remote Code Execution, PoC Released https://ift.tt/JolDXhx → gbhackers.com |
| 2026-04-13 2026 | Juniper Junos OS Multiple Vulnerabilities news | Bulletin detailing multiple vulnerabilities in Juniper Junos OS and Junos OS Evolved. These issues, including CVE-2022-24805, CVE-2025-13914, CVE-2025-30650, and numerous others listed in the 2026-04 Security Bulletin, can lead to spoofing, data manipulation, remote code execution, denial of service, information disclosure, privilege elevation, and security restriction bypass. Remediation requires consulting Juniper's vendor website. → hkcert.org |
| 2026-04-13 2026 | Critical Axios Vulnerability Allows Remote Code Execution news | Critical Axios Vulnerability Allows Remote Code Execution https://ift.tt/bDWH6Pi → cyberpress.org |
| 2026-04-13 2026 | Marimo RCE Vulnerability Exploited Within 10 Hours of Public Disclosure news | Marimo RCE Vulnerability Exploited Within 10 Hours of Public Disclosure https://ift.tt/fU4AYhF → cyberpress.org |
| 2026-04-13 2026 | Marimo RCE Vulnerability Exploited Within 10 Hours of Public Disclosure news | Marimo RCE Vulnerability Exploited Within 10 Hours of Public Disclosure https://ift.tt/Gw2u758 → gbhackers.com |
| 2026-04-13 2026 | Marimo RCE Flaw Exploited Within Hours of Disclosure news | Tool for detecting and mitigating the Marimo RCE vulnerability (CVE-2026-39987), which allows pre-authentication remote code execution via an unauthenticated WebSocket endpoint. Exploitation observed within 10 hours of disclosure, targeting sensitive credentials and infrastructure. Mitigation strategies include patching, access control, credential rotation, least privilege, and enhanced monitoring. → esecurityplanet.com |
| 2026-04-13 2026 | Microsoft Edge Multiple Vulnerabilities news | Bulletin detailing multiple vulnerabilities in Microsoft Edge, including CVE-2026-5281 which is actively exploited. Exploitation can lead to remote code execution, denial of service, security restriction bypass, data manipulation, sensitive information disclosure, and spoofing. Affected versions are prior to 147.0.3912.60. Updating to version 147.0.3912.60 or later is recommended. → hkcert.org |
| 2026-04-12 2026 | Google Chrome 147 Security Update: Patches 60 Vulnerabilities Including Critical WebML Remote Code Execution F news | Analysis of Google Chrome 147, which patched 60 vulnerabilities including critical heap buffer overflow (CVE-2026-5858) and integer overflow (CVE-2026-5859) flaws in the WebML component. These vulnerabilities, awarded $86,000 in bug bounties, enable remote code execution via crafted web pages. The advisory details technical aspects, exploitation potential, affected versions, and mitigation strategies such as immediate patching. While no in-the-wild exploitation is reported, the significant risk necessitates vigilance, especially concerning APT groups. → rescana.com |
| 2026-04-12 2026 | Critical Marimo pre-auth RCE flaw now under active exploitation news | Writeup detailing CVE-2026-39987, a critical pre-authentication RCE vulnerability in Marimo versions 0.20.4 and earlier. Exploitable via the unauthenticated WebSocket endpoint '/terminal/ws', attackers can gain an interactive shell with the Marimo process's privileges. Active exploitation observed within hours of disclosure, with attackers exfiltrating credentials and SSH keys. Sysdig researchers noted a methodical operator targeting high-value information. Mitigation includes upgrading to version 0.23.0, restricting external access, or disabling the '/terminal/ws' endpoint. → bleepingcomputer.com |
| 2026-04-12 2026 | Critical Marimo Python Notebook RCE Vulnerability (CVE-2026-39987) Exploited Within 10 Hours of Disclosure news | Analysis of CVE-2026-39987 details a critical RCE vulnerability in Marimo, an open-source Python notebook platform, allowing unauthenticated attackers shell access via a misconfigured WebSocket endpoint. Exploitation occurred within 10 hours of disclosure, focusing on credential harvesting and reconnaissance using T1190, T1552, and T1083 MITRE ATT&CK techniques. Mitigation involves upgrading to Marimo 0.23.0+, auditing logs, and rotating compromised credentials. → rescana.com |
| 2026-04-12 2026 | Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 news | Writeup of CVE-2026-34621, an actively exploited Adobe Acrobat Reader flaw. This prototype pollution vulnerability, with a CVSS score of 8.6, allows arbitrary code execution when users open malicious PDF documents. Adobe has released emergency updates for Acrobat DC, Acrobat Reader DC, and Acrobat 2024. Security researcher Haifei Li disclosed the zero-day exploitation, and CISA has added it to their Known Exploited Vulnerabilities catalog. → thehackernews.com |
| 2026-04-11 2026 | Google Chrome Multiple Vulnerabilities news | Vulnerability summary detailing multiple issues within Google Chrome versions prior to 147.0.7727.55 on Linux, and 147.0.7727.55/56 on Mac and Windows. Exploitation can lead to information disclosure, denial of service, remote code execution, security restriction bypass, and data manipulation. This bulletin lists CVE-2026-5858 through CVE-2026-5919 as affected vulnerabilities. → hkcert.org |
| 2026-04-11 2026 | CVE-2026-39987: Marimo RCE exploited in hours after disclosure news | Writeup of CVE-2026-39987 in Marimo, a Python notebook tool, detailing its pre-authenticated RCE flaw. The vulnerability, actively exploited within 10 hours of disclosure by Sysdig Threat Research Team, allowed attackers to gain a full PTY shell by targeting the unauthenticated `/terminal/ws` WebSocket endpoint. This exploit highlights the rapid threat actor response to disclosures, even for niche software like Marimo, with credential theft occurring in under three minutes. → securityaffairs.com |
| 2026-04-10 2026 | AI Router Vulnerabilities Allow Attackers to Inject Malicious Code and Steal Sensitive Data news | AI Router Vulnerabilities Allow Attackers to Inject Malicious Code and Steal Sensitive Data https://ift.tt/RunsJvx → cybersecuritynews.com |
| 2026-04-10 2026 | GitLab Addresses Multiple Vulnerabilities Linked to DoS and Code Injection news | GitLab Addresses Multiple Vulnerabilities Linked to DoS and Code Injection https://ift.tt/7xtgdP5 → gbhackers.com |
| 2026-04-10 2026 | Orthanc DICOM Vulnerabilities Lead to Crashes RCE news | Library of nine vulnerabilities, CVE-2026-5437 to CVE-2026-5445, impacting the Orthanc DICOM server, allowing for server crashes, data leaks, and remote code execution. These defects stem from insufficient metadata validation, missing checks, and unsafe arithmetic, manifesting as out-of-bounds reads, GZIP and ZIP decompression bombs, HTTP server memory exhaustion, and heap buffer overflows in image parsing and decoding logic. Versions 1.12.10 and earlier are affected; update to 1.12.11 for remediation. → securityweek.com |
| 2026-04-10 2026 | Claude uncovers a 13yearold ActiveMQ RCE bug within minutes news | Writeup detailing CVE-2026-34197, a 13-year-old RCE vulnerability in Apache ActiveMQ Classic, uncovered by Anthropic's Claude. The flaw, exploitable via the Jolokia API and a malicious Spring XML file, allows arbitrary system command execution. Researchers used AI to build an exploit chain in minutes, highlighting the potential for AI in vulnerability discovery. This critical flaw affects ActiveMQ Classic versions prior to 5.19.4 and several 6.x releases, with an unauthenticated variant possible in some 6.x versions due to CVE-2024-32114. → csoonline.com |
| 2026-04-10 2026 | Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure news Python | Writeup of CVE-2026-39987, a critical pre-authenticated RCE vulnerability in Marimo exploited within 10 hours of disclosure. The flaw, impacting versions prior to 0.20.4, allows unauthenticated attackers to gain a full PTY shell via the terminal WebSocket endpoint. Exploitation observed included credential theft and deployment of NKAbuse, a multi-platform threat leveraging NKN for C2. CISA added CVE-2026-39987 to its KEV catalog, mandating remediation for FCEB agencies. → thehackernews.com |
| 2026-04-10 2026 | Critical Marimo Flaw Exploited Hours After Public Disclosure news | Writeup detailing the rapid exploitation of CVE-2026-39987, a critical unauthenticated RCE vulnerability in the Marimo reactive notebook. The flaw, discovered in the terminal WebSocket endpoint due to a lack of authentication validation, allowed attackers to gain an interactive shell and execute arbitrary commands. Exploitation began within nine hours of public disclosure, with attackers quickly moving to exfiltrate credentials and search for sensitive files like SSH keys. Releases up to Marimo 0.20.4 are affected, and users are urged to update to version 0.23.0 or newer. → securityweek.com |
| 2026-04-10 2026 | CISA Warns of Actively Exploited Ivanti EPMM Vulnerability news | Reference for CVE-2026-1340, a critical code-injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM). This flaw allows unauthenticated remote code execution, granting attackers control over the mobile management server and connected devices. CISA has issued an urgent directive for federal agencies to remediate this actively exploited vulnerability, and private-sector organizations are strongly encouraged to apply patches immediately due to the significant risks it poses. |
| 2026-04-10 2026 | Critical Chrome Vulnerabilities Let Attackers to Execute Arbitrary Code news | Critical Chrome Vulnerabilities Let Attackers to Execute Arbitrary Code https://ift.tt/okJfyG0 → cybersecuritynews.com |
| 2026-04-10 2026 | Critical Vulnerability in Ninja Forms Exposes WordPress Sites news | Library detailing an arbitrary file upload vulnerability (CVSS 9.8) in Ninja Forms – File Upload Plugin versions up to 3.3.26. This flaw allows unauthenticated attackers to upload malicious files, including PHP scripts, through insufficient file validation and filename manipulation, potentially leading to remote code execution and full website compromise. The vulnerability was discovered by Sélim Lanouar and patched in version 3.3.27. → infosecurity-magazine.com |
| 2026-04-10 2026 | U-Office Force Critical RCE via Insecure Deserialization (CVE-2026-3422) news Deser | Writeup of CVE-2026-3422 details an unauthenticated remote code execution vulnerability in U-Office Force, a product of e-Excellence. This critical flaw, rated CVSS 9.8, stems from insecure deserialization, where the application processes maliciously crafted serialized content without proper validation. Attackers can exploit this by crafting specific serialized payloads containing gadget chains, leading to arbitrary code execution on the server. Successful exploitation requires identifying input channels that deserialize data, such as API endpoints or file uploads. → thehackerwire.com |
| 2026-04-10 2026 | IBM Langflow Desktop RCE via Insecure Deserialization news Deser | Writeup of CVE-2026-3357, detailing an RCE vulnerability in IBM Langflow Desktop (versions 1.6.0-1.8.2) with a CVSS score of 8.8. Exploitation requires authentication and leverages insecure deserialization within the FAISS component, allowing an attacker to execute arbitrary code by providing malicious serialized data. → thehackerwire.com |
| 2026-04-10 2026 | CVE-2026-21858: Ni8mare Enables Unauthenticated RCE in n8n Webhooks news | Writeup detailing CVE-2026-21858 (Ni8mare), an unauthenticated RCE vulnerability in n8n workflow automation software. The flaw arises from content-type confusion, enabling attackers to read arbitrary files, forge admin sessions, and execute commands. This affects n8n versions prior to 1.121.0 and carries a CVSS score of 10.0. The writeup also briefly mentions CVE-2026-21877, N8scape (CVE-2025-68668), and CVE-2025-68613, which allow authenticated RCE. |
| 2026-04-10 2026 | Potentially Critical RCE in OpenSSL (CVE-2025-15467) news | Writeup of CVE-2025-15467, a critical RCE vulnerability in OpenSSL affecting versions 3.0 through 3.6. An attacker can exploit this stack overflow by sending a crafted CMS AuthEnvelopedData message with an oversized IV, triggering a buffer overflow before authentication. This vulnerability impacts applications calling specific CMS decryption APIs or using tools like `openssl cms` and `openssl smime`, and can be leveraged for remote code execution. Users should upgrade to patched versions immediately. |
| 2026-04-10 2026 | Wazuh RCE via Deserialization of Untrusted Data (CVE-2026-25769) news | Writeup of CVE-2026-25769, a critical RCE vulnerability in Wazuh versions 4.0.0 through 4.14.2. This Deserialization of Untrusted Data flaw, rated 9.1 CVSS, requires initial compromise of a worker node to enable an attacker to execute code with root privileges on the Wazuh master node. The fix is available in Wazuh version 4.14.3. → thehackerwire.com |
| 2026-04-10 2026 | CVE-2025-55182: React and Next.js Deserialization RCE Deep Dive intermediate | CVE-2025-55182: React and Next.js Deserialization RCE Deep Dive → akamai.com |
| 2026-04-10 2026 | Active Exploitation of 7-Zip RCE Vulnerability news | Analysis of active exploitation of 7-Zip RCE vulnerability CVE-2025-11001, stemming from improper symbolic link handling in crafted ZIP files. Exploitation allows attackers to overwrite system files or execute arbitrary code. NHS England Digital confirmed active exploitation, urging updates to version 25.0.0 or later, which also addresses CVE-2025-11002. Unpatched systems face risks including ransomware and data theft. |
| 2026-04-10 2026 | Update on React Server Components RCE (CVE-2025-55182 / CVE-2025-66478) news | Writeup detailing the evolving exploitation of React Server Components RCE (CVE-2025-55182, CVE-2025-66478), discussing the invalid early PoC, the emergence of scanning utilities from Assetnote, and the eventual discovery of real RCE exploit chains that leverage unsafe export resolution and prototype chain manipulation for arbitrary code execution via mechanisms like `process.mainModule.require('https')` and runtime memory shells, with observed data exfiltration via response body output, OAST/DNSLog callbacks, and Next.js redirect headers. → securityboulevard.com |
| 2026-04-10 2026 | CVE-2025-34291 Exploited in the Wild: LangFlow AI Under Fire news | Writeup of CVE-2025-34291, a remote code execution vulnerability in LangFlow, reveals active exploitation in the wild. This cross-site request forgery flaw, stemming from improper CORS and SameSite cookie configurations, allows attackers to impersonate logged-in users and gain full control of AI infrastructure by exploiting Python code execution capabilities. Protection involves hardening LangFlow configurations by disabling authenticated cross-site requests or restricting allowed origins, upgrading to LangFlow 1.7, or utilizing a WAF like CrowdSec to block malicious IPs. |
| 2026-04-10 2026 | New runC Vulnerabilities Expose Docker and Kubernetes to Container Escape news | Writeup on CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 in runC, detailing how these vulnerabilities allow container escape through manipulation of bind mounts and /proc filesystem writes. Exploitation requires the ability to start containers with custom mount configurations, enabling attackers to compromise host systems and bypass LSM relabel protections. Versions prior to runC 1.2.8, 1.3.3, or 1.4.0-rc.3 are affected. |
| 2026-04-10 2026 | CVE-2025-39601: WordPress Custom CSS, JS and PHP Plugin CSRF to RCE news | Writeup of CVE-2025-39601, a Critical CSRF vulnerability in the WPFactory Custom CSS, JS & PHP plugin for WordPress. Versions up to and including 2.4.1 are affected, allowing unauthenticated attackers to achieve Remote Code Execution (RCE) by injecting malicious PHP code via unauthorized POST requests. Exploitation involves hosting a crafted HTML file that an authenticated administrator visits, triggering the injection of PHP code executed on page load. |
| 2026-04-10 2026 | CVE-2025-7384: Critical WordPress Plugin Unauthenticated RCE news | Writeup of CVE-2025-7384, a critical PHP Object Injection vulnerability in the "Database for Contact Form 7, WPforms, Elementor Forms" WordPress plugin. This flaw, with a CVSS score of 9.8, allows unauthenticated attackers to inject arbitrary PHP objects, leading to denial of service and potential remote code execution through malicious deserialization. The exploit can result in the deletion of critical files like `wp-config.php`, affecting over 70,000 installations. While version 1.4.4 patches new exploits, old malicious data in the database remains a risk requiring database sanitization. |
| 2026-04-10 2026 | Sneeit WordPress RCE Exploited in the Wild news | Writeup detailing active exploitation of CVE-2025-6389, a critical RCE vulnerability in the Sneeit Framework WordPress plugin, allowing unauthenticated attackers to execute arbitrary PHP functions like `wp_insert_user()` to create administrative backdoors. Exploitation involves crafting HTTP requests to `/wp-admin/admin-ajax.php` and uploading malicious PHP files such as "xL.php" and "up_sf.php." The report also notes concurrent attacks on ICTBroadcast, exploiting CVE-2025-2611 to deliver the "Frost" DDoS botnet, which employs spreader logic and targets specific response indicators before launching attacks. → thehackernews.com |
| 2026-04-10 2026 | Critical Pre-Auth RCE in ChurchCRM Setup Wizard news | Writeup of CVE-2026-39337, a critical pre-authentication RCE in ChurchCRM versions prior to 7.1.0. Attackers can inject arbitrary PHP code into the `$dbPassword` variable during the setup wizard's installation process, leading to complete server compromise. This vulnerability is an incomplete fix for CVE-2025-62521, highlighting ongoing input validation issues. → thehackerwire.com |
| 2026-04-10 2026 | Critical Unauthenticated RCE in n8n (CVE-2026-21858, CVSS 10.0) news | Writeup on CVE-2026-21858, a critical unauthenticated RCE in n8n versions prior to 1.121.0. Exploitation involves Content-Type confusion in webhook and file-handling logic, allowing attackers to override internal parsing, access sensitive files, forge sessions, and achieve arbitrary code execution. This leads to server takeover, credential theft, and lateral movement. Orca Security aids in identifying and prioritizing remediation for vulnerable n8n instances. |
| 2026-04-10 2026 | TryHackMe Spring AI: CVE-2026-22738 RCE Writeup news | TryHackMe Spring AI: CVE-2026-22738 RCE Writeup |
| 2026-04-10 2026 | Dangerous runC Flaws Allow Hackers to Escape Docker Containers news | Vulnerabilities in runC, CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, allow attackers with custom mount configurations to escape Docker and Kubernetes containers by exploiting bind-mounts and symlink race conditions to gain root privileges on the host system. Fixes are available in later runC versions, and mitigations include user namespaces and rootless containers. → bleepingcomputer.com |
| 2026-04-10 2026 | runC Container Escape Vulnerabilities: A Technical Overview intermediate | Writeup of runc container escape vulnerabilities, including CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, which allow arbitrary writes to procfs files. Exploitation involves custom mount configurations, potentially leading to host compromise in environments like Kubernetes. Mitigations include updating runc to v1.4.0-rc.3, v1.3.3, or v1.2.8, and employing user namespaces, non-root users, and security modules. |
| 2026-04-10 2026 | New runC Vulnerabilities Allow Container Escape in Docker and Kubernetes news | Analysis of three runc vulnerabilities, CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, details how attackers can achieve container escape in Docker and Kubernetes. These exploits leverage race conditions and mount manipulations, specifically involving maskedPaths abuse and /dev/console mount races, to gain root access to host systems by writing to critical procfs files. Mitigation strategies include updating runc, enabling user namespaces, and using rootless containers. |
| 2026-04-10 2026 | Attackers Exploit Critical Langflow RCE as CISA Sounds Alarm news | Library for detecting and mitigating remote code execution in Langflow, particularly CVE-2026-33017. This vulnerability allows unauthenticated attackers to execute arbitrary Python code by submitting malicious workflow data via the `build_public_tmp` endpoint. Attackers have weaponized this flaw within hours of disclosure, leading to credential exfiltration and potential software supply chain compromise. Runtime detection is crucial, focusing on exploit behavior like shell command execution and data exfiltration over HTTP, rather than specific CVE signatures. → csoonline.com |
| 2026-04-10 2026 | CVE-2026-33017: How Attackers Compromised Langflow AI Pipelines in 20 Hours intermediate | Writeup detailing CVE-2026-33017, an unauthenticated RCE in Langflow, exploited within 20 hours of its advisory. Attackers leveraged the vulnerability's public flow build endpoint to execute arbitrary Python code, exfiltrating credentials and potentially compromising supply chains. Exploitation attempts observed included automated scanning via nuclei templates and custom Python scripts for deeper reconnaissance and data harvesting, highlighting the rapid weaponization trend of newly disclosed vulnerabilities. |
| 2026-04-10 2026 | CVE-2025-3248: RCE Vulnerability in Langflow news | Writeup detailing CVE-2025-3248, a critical remote code execution (RCE) vulnerability in Langflow. Exploitation of the `/api/v1/validate/code` endpoint allows unauthenticated arbitrary command execution by embedding malicious Python code within decorators or default function arguments, which are evaluated during AST processing prior to version 1.3.0. Recommendations include immediate upgrades, access restriction via ZTNA, input sandboxing, and monitoring. |
| 2026-04-10 2026 | React2Shell Explained: From Vulnerability Discovery to Exploitation intermediate | Library for understanding CVE-2025-55182, the React2Shell vulnerability. This exploit targets React Server Components' React Flight protocol by abusing unsafe deserialization of client-controlled payloads. Successful exploitation allows unauthenticated attackers to achieve remote code execution (RCE) on vulnerable servers, impacting applications built with React 19.0.0-19.2.0 and Next.js App Router versions 16.0.0-16.0.6. The analysis details how attackers manipulate prototype chains and the Function constructor to inject malicious code. → resecurity.com |
| 2026-04-10 2026 | Protecting Against the Critical React2Shell RCE Exposure intermediate | Library for identifying and mitigating the critical 'React2Shell' RCE vulnerability (CVE-2025-55182) affecting React Server Components and Next.js. This vulnerability allows unauthenticated attackers to perform server-side code execution via insecure deserialization in the RSC 'Flight' protocol. The library helps secure environments by detailing immediate actions, providing detection rules, and showcasing how SentinelOne's Offensive Security Engine can verify exploitability of affected workloads. → sentinelone.com |
| 2026-04-10 2026 | React2Shell: Node.js RCE Against a Production Next.js App advanced | Analysis of CVE-2025-55182, "React2Shell," details a Node.js Remote Code Execution vulnerability in Next.js applications utilizing React Server Components. The exploit leverages the Flight protocol's unsafe deserialization to trigger `child_process.spawnSync()`, allowing arbitrary shell commands with server process privileges. The report reconstructs a six-stage attack campaign, including C2 communication across multiple servers and the use of Lachlan Davidson's "02-meow-rce-poc" for RCE confirmation, despite defensive measures like container restrictions limiting further attacker progression. |
| 2026-04-10 2026 | CVE-2025-68613: RCE via Expression Injection in n8n news | Writeup of CVE-2025-68613, a critical RCE vulnerability in n8n's expression evaluation engine. This flaw allows authenticated users to inject malicious JavaScript expressions, escaping the sandbox to execute arbitrary code on the server with n8n process privileges. Exploitation enables attackers to run OS commands, steal secrets, modify files, and gain full server control, impacting over 100,000 instances globally. The vulnerability affects versions from 0.211.0 up to 1.120.3 and early 1.122.x releases, with fixes available in versions 1.120.4, 1.121.1, and 1.122.0+. → resecurity.com |
| 2026-04-10 2026 | Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 news | Writeup of CVE-2026-34621, a zero-day vulnerability in Adobe Reader exploited since December 2025 via malicious PDFs. This sophisticated exploit, first observed in "Invoice540.pdf," uses obfuscated JavaScript to harvest sensitive data and potentially deliver subsequent payloads for remote code execution and sandbox escape. The exploit targets privileged Acrobat APIs and has been confirmed to work on the latest Adobe Reader version, necessitating user vigilance and prompt application of the provided security update. → thehackernews.com |
| 2026-04-10 2026 | WWBN AVideo RCE via Persistent PHP File Upload (CVE-2026-33717) news | Writeup of CVE-2026-33717, a remote code execution vulnerability in WWBN AVideo. This flaw allows unauthenticated attackers to persistently upload and execute arbitrary PHP files by exploiting improper handling of remote content in the `downloadVideoFromDownloadURL()` function and bypassing cleanup via an invalid `resolution` parameter. Affected versions include WWBN AVideo up to 26.0, and a fix is available in commit `6da79b43484099a0b660d1544a63c07b633ed3a2`. → thehackerwire.com |
| 2026-04-10 2026 | Explorance Blue RCE via Unrestricted File Upload intermediate | Writeup of CVE-2025-57794 impacting Explorance Blue, detailing an authenticated unrestricted file upload vulnerability allowing remote code execution. Exploitation requires administrative credentials and is possible on versions prior to 8.14.9 by uploading web shells (e.g., PHP, ASPX, JSP, CFML) to accessible directories. The flaw lies in the application's failure to validate file types, enabling attackers to execute arbitrary code on the server. Explorance has released version 8.14.9 to address this critical issue. → thehackerwire.com |
| 2026-04-10 2026 | From Pre-Auth SSRF to RCE in TruFusion Enterprise intermediate | Writeup detailing pre-authentication SSRF (CVE-2025-32355) and path traversal (CVE-2025-59793) vulnerabilities in TRUfusion Enterprise. The SSRF allows an attacker to abuse a misconfigured reverse proxy to access internal services, including an Axis2 interface. This Axis2 service, vulnerable to path traversal, can be exploited with the default 'trubiquity' password to achieve remote code execution by writing arbitrary files to the filesystem. |
| 2026-04-10 2026 | Serverless Security Risks 2026: Mitigating SSRF and RCE Threats intermediate SSRF | Library for serverless security, detailing risks like SSRF and RCE by focusing on identity, permissions, and configuration. It explains how short-lived cloud credentials for AWS Lambda, Azure Functions, and Google Cloud Functions become primary targets when exposed, enabling privilege escalation and lateral movement. The library emphasizes that interconnected services, shared dependencies, and insufficient visibility into invocation paths and configurations compound these risks, advocating for continuous monitoring and least-privilege enforcement. |
| 2026-04-10 2026 | Intigriti Challenge: SSRF to RCE via File Upload Bypass intermediate | Intigriti Challenge: SSRF to RCE via File Upload Bypass |
| 2026-04-10 2026 | Precurio Intranet Portal: CSRF to RCE via File Upload intermediate | Writeup detailing CVE-2026-32989, a CSRF to RCE vulnerability in Precurio Intranet Portal 4.4. This high-severity flaw (CVSS 8.8) allows an attacker to trick an authenticated user into uploading a malicious file. If the portal stores this file in a web-accessible, executable format, it can lead to arbitrary code execution on the web server. Exploitation requires an authenticated victim and network access to the target portal. → thehackerwire.com |
| 2026-04-10 2026 | Tiandy Easy7 RCE via OS Command Injection (CVE-2026-4585) intermediate | Writeup of CVE-2026-4585, a critical OS command injection vulnerability in Tiandy Easy7 Integrated Management Platform (versions prior to 7.17.0). This remote, unauthenticated flaw allows attackers to execute arbitrary commands via the `ImportSystemConfiguration.jsp` endpoint by manipulating the `File` argument. The exploit is publicly disclosed and requires no user interaction, presenting a severe risk of system compromise. → thehackerwire.com |
| 2026-04-10 2026 | OpenMetadata RCE via SSTI in FreeMarker Email Templates intermediate SSTI | Writeup of GHSA-5f29-2333-h9c7, detailing a critical Remote Code Execution vulnerability in OpenMetadata version 1.11.2. The vulnerability stems from Server-Side Template Injection (SSTI) within FreeMarker email templates, allowing an administrator to inject malicious code that is then executed by the server. Attack vectors include privilege escalation, data exfiltration, and establishing reverse shells, with significant impacts on confidentiality, integrity, and availability. |
| 2026-04-10 2026 | RCE in Airbyte via Server-Side Template Injection (SSTI) intermediate | Library for securing Airbyte connections, preventing Remote Code Execution (RCE) via Server-Side Template Injection (SSTI) in the connection builder Docker image. This vulnerability, discovered by Mike Cole of Mantel Group, could allow authenticated attackers to execute arbitrary code and expose sensitive information like credentials if a new connector is tested on a compromised instance. |
| 2026-04-10 2026 | File Upload Vulnerability Testing: Bypassing Filters and Getting RCE intermediate | Guide detailing techniques for bypassing file upload filters to achieve Remote Code Execution (RCE). It covers extension filter bypasses, including alternative extensions like `.php5`, `.phtml`, `.phar`, and double extensions, as well as Content-Type and magic byte manipulation. The guide also explores filename manipulation for path traversal, `.htaccess` uploads to enable PHP execution for any extension, and exploitation of image processing vulnerabilities like ImageMagick's CVE-2016-3714. It provides web shell payloads and discusses chaining file uploads with other vulnerabilities such as LFI, SSRF, XSS, and XXE. |
| 2026-04-10 2026 | Critical LFI to RCE in WP Ghost Plugin Affecting 200k+ Sites intermediate | Writeup of CVE-2025-26909, a critical unauthenticated Local File Inclusion (LFI) to Remote Code Execution (RCE) vulnerability in the WP Ghost WordPress plugin, affecting over 200,000 sites. The vulnerability arises from insufficient sanitization of user input in the `showFile` function, allowing path traversal and arbitrary file inclusion, potentially leading to RCE via techniques like `php://filter` chains or `PHP_SESSION_UPLOAD_PROGRESS`. The issue is fixed in version 5.4.02. |
| 2026-04-10 2026 | AI Workflows Under Fire: Critical RCE Flaws in Langflow news | Writeup on critical RCE and file write vulnerabilities in Langflow, a visual framework for AI agents. CVE-2026-33017, rated "Critical," allows unauthenticated RCE by exploiting a flaw in the build public flow endpoint's `exec()` function. CVE-2026-33309 permits authenticated arbitrary file writes through path traversal in the v2 API's file upload handling. Both affect version 1.8.1 and earlier, with recommendations for manual intervention including removing the data parameter from the public flow route and sanitizing multipart filenames. |
| 2026-04-10 2026 | CVE-2026-22812: RCE on a 71k-Star AI Coding Tool With Zero Auth news | CVE-2026-22812: RCE on a 71k-Star AI Coding Tool With Zero Auth |
| 2026-04-10 2026 | Root in One Request: Marimo's Critical Pre-Auth RCE (CVE-2026-39987) news | Writeup of CVE-2026-39987, a critical pre-authentication remote code execution vulnerability in the Marimo Python reactive notebook framework. This issue, with a CVSS v4.0 score of 9.3, stems from an unauthenticated WebSocket endpoint for the integrated terminal, allowing attackers to gain an interactive shell as the Marimo process user. The vulnerability has been exploited in the wild, and vulnerable instances are believed to be widespread. Marimo versions prior to 0.23.0 are affected. |
| 2026-04-10 2026 | Lessons From 2025: Zero-Day Exploitation Shaping 2026 news | Analysis of 2025 zero-day exploitation reveals critical vulnerabilities in enterprise software like Oracle EBS (CVE-2025-61882), Meta React Server Components (CVE-2025-55182), SAP NetWeaver (CVE-2025-31324), Microsoft SharePoint (CVE-2025-53770), and Citrix NetScaler (CVE-2025-5777). Financially motivated groups and China-aligned actors were prominent exploiters, demonstrating rapid weaponization of public disclosures and the lingering risk even after patches are released. Enterprise software's central role made it a prime target, with exploitation leading to widespread compromise and extortion. |
| 2026-04-10 2026 | Critical Zero-Day RCE in Networking Devices Exposes 70,000+ Hosts news | Critical Zero-Day RCE in Networking Devices Exposes 70,000+ Hosts → gbhackers.com |
| 2026-04-10 2026 | Cisco Patches Zero-Day RCE Exploited by China-Linked APT news | Reference detailing CVE-2025-20393, a critical remote command execution flaw in Cisco AsyncOS Software for Secure Email Gateway and Web Manager. Exploited by China-linked APT UAT-9686, this vulnerability, with a CVSS score of 10.0, allows arbitrary root command execution via insufficient validation of HTTP requests to the Spam Quarantine feature. Attackers deployed tools like ReverseSSH, Chisel, AquaPurge, and AquaShell. Cisco has released patches and recommends hardening guidelines, including firewalling, disabling unnecessary services, and enforcing strong authentication. → thehackernews.com |
| 2026-04-10 2026 | Critical Redis RCE Vulnerability: CVE-2025-49844 news | Writeup on CVE-2025-49844, dubbed #RediShell, detailing a critical Use-After-Free (UAF) vulnerability in Redis. This flaw allows authenticated attackers to execute arbitrary native code on the Redis host by escaping the Lua sandbox with a crafted Lua script. Given Redis's prevalence in cloud environments, this vulnerability poses a significant risk, potentially leading to data exfiltration, lateral movement, and system compromise. The writeup also highlights affected forks like Valkey and managed services such as Amazon ElastiCache, Google Cloud Memorystore, and Azure Cache for Redis. → wiz.io |
| 2026-04-10 2026 | CVE-2025-59287: WSUS Unauthenticated RCE Vulnerability news | Writeup detailing CVE-2025-59287, a critical (CVSS 9.8) unauthenticated RCE vulnerability in Windows Server Update Services (WSUS). The flaw stems from unsafe deserialization via .NET BinaryFormatter in WSUS reporting web services, allowing attackers to execute arbitrary code with SYSTEM privileges. Exploitation involves crafted SOAP requests to the GetCookie endpoint containing an encrypted gadget chain payload. Microsoft has released an out-of-band update, and active exploitation has been observed in the wild. → picussecurity.com |
| 2026-04-10 2026 | Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild news | Writeup detailing the exploitation of Ivanti EPMM by CVE-2025-4427 and CVE-2025-4428, a chain enabling unauthenticated RCE. The attack bypasses authentication via misconfigured Spring Security and leverages Java Expression Language injection for code execution. Observed in-the-wild activity includes Sliver beacon C2 communication, MySQL database dumping, deployment of JSP web shells, and direct reverse shells. Affected versions include 11.12.0.4 and prior, 12.3.0.1 and prior, 12.4.0.1 and prior, and 12.5.0.0 and prior. → wiz.io |
| 2026-04-10 2026 | CVE-2025-34291: Critical Account Takeover and RCE in Langflow news AuthN | Library detailing CVE-2025-34291, a critical vulnerability in Langflow enabling account takeover and RCE through a chain involving permissive CORS settings, SameSite=None for the refresh token cookie, and the unauthenticated `/api/v1/refresh` endpoint, allowing attackers to steal valid access tokens and subsequently exploit the `/api/v1/validate/code` endpoint for code execution. |
| 2026-04-10 2026 | 50,000+ WordPress Sites at Risk from Critical Ninja Forms RCE news | 50,000+ WordPress Sites at Risk from Critical Ninja Forms RCE → cyberpress.org |
| 2026-04-10 2026 | Critical Langflow RCE Flaw Exploited in the Wild Within Hours news | Writeup of CVE-2026-33017, a critical unauthenticated RCE in Langflow, detailing its exploitation within hours of disclosure. The vulnerability allows attackers to execute arbitrary Python code on exposed instances via the public flow build endpoint. Exploitation attempts involved mass scanning, reconnaissance, and data exfiltration of API keys for OpenAI, Anthropic, and AWS, leading to potential downstream compromises of AI pipelines and connected data stores. |
| 2026-04-10 2026 | CVE-2026-20131: Analysis of Cisco FMC RCE news | Analysis of CVE-2026-20131, a critical RCE vulnerability affecting Cisco Secure Firewall Management Center (FMC) Software, details how unauthenticated attackers can execute arbitrary Java code via a specially crafted serialized Java object. This vulnerability, actively exploited in the wild and added to CISA's KEV catalog, allows root privilege escalation and poses a significant risk to network security by potentially compromising entire infrastructures managed by FMC. Exploitation involves sending malicious HTTP requests triggering insecure deserialization, enabling post-exploitation activities like data exfiltration and backdoor installation. |
| 2026-04-10 2026 | n8n Critical Vulnerability (CVE-2026-21858): Unauthenticated RCE news | Writeup of CVE-2026-21858, an unauthenticated RCE in n8n, allowing full compromise of locally deployed instances through arbitrary file access, authentication bypass, and command execution. Discovered by Cyera Research Labs and nicknamed 'Ni8mare', this vulnerability highlights automation platforms as high-impact attack surfaces. Remediation involves upgrading n8n, restricting exposure of Forms and Webhooks, and reviewing workflow configurations. → aikido.dev |
| 2026-04-10 2026 | Critical Telnetd Flaw (CVE-2026-32746) Enables Root RCE news | Writeup of CVE-2026-32746, a critical out-of-bounds write vulnerability in GNU InetUtils telnetd's LINEMODE Set Local Characters suboption handler. This flaw allows unauthenticated remote attackers to execute arbitrary code as root by sending crafted messages during the initial connection handshake. Discovered by Dream, it affects versions through 2.7 and impacts various systems including FreeBSD, NetBSD, and TrueNAS Core. → thehackernews.com |
| 2026-04-10 2026 | Critical vLLM RCE Allows Server Takeover via Malicious Video URL (CVE-2026-22778) news | Library addressing CVE-2026-22778, a critical remote code execution flaw in vLLM. This vulnerability, triggered by a malicious video URL, chains a PIL error information leak for ASLR bypass with a JPEG2000 heap overflow in OpenCV's FFmpeg dependency. Exploitation leads to arbitrary command execution by overwriting function pointers, allowing server takeover. Organizations running vLLM with multimodal video support must upgrade to version 0.14.1 or later immediately. |
| 2026-04-10 2026 | CVE-2026-27825: Critical Unauthenticated RCE and SSRF in mcp-atlassian news SSRF | Writeup on CVE-2026-27825, detailing critical unauthenticated RCE and SSRF vulnerabilities in mcp-atlassian. The flaws stem from missing directory confinement and inadequate path traversal validation in attachment download tools, allowing arbitrary file writes for persistence or RCE. A related SSRF issue in header-controlled Atlassian base URLs is also covered. Patched versions 0.17.0 introduce `validate_safe_path()` and `validate_url_for_ssrf()` to mitigate these risks. → arcticwolf.com |
| 2026-04-10 2026 | Unrestricted File Upload Leads to SSRF and RCE intermediate | Writeup detailing an unrestricted file upload vulnerability, leveraging ImageMagick and its associated CVEs like CVE-2016-3714 and CVE-2016-3718. This post demonstrates how an attacker can achieve Server-Side Request Forgery (SSRF) and ultimately Remote Code Execution (RCE) through various ImageMagick exploits, including Ghostscript vulnerabilities. The author utilized Burp Suite for initial detection. |
| 2026-04-10 2026 | Complete Defense Against Node.js RCE: Real-World Exploit Analysis advanced | Analysis of Node.js RCE vulnerabilities, including CVE-2022-24329, details how attackers exploit `child_process.exec` misuse and improper input validation to achieve command injection. The article contrasts vulnerable code patterns, such as direct passing of user input to `exec`, with secure alternatives like `spawn` or `execFile` and emphasizes strict input validation and sanitization to prevent shell meta-character interpretation. It also discusses the need for an integrated security approach, combining SAST/DAST, cloud workload security with SeekersLab's FRIIM CNAPP, and real-time threat detection via Seekurity SIEM/SOAR, augmented by KYRA AI Sandbox for analyzing suspicious code. |
| 2026-04-10 2026 | Command Injection and RCE in MetaSpore (GHSL-2025-035 to 037) news | Writeup detailing command injection (GHSL-2025-035) and RCE (GHSL-2025-037) vulnerabilities in MetaSpore's recommendation service. The command injection allows overwriting arbitrary files and leaking AWS tokens via the `aws s3 sync` command. The RCE is achieved by exploiting an unprotected Consul instance and a Spring Expression Language injection in `spring.application.name`, leading to arbitrary code execution. An additional vulnerability (GHSL-2025-036) involves sensitive Spring Boot Actuator endpoints being exposed without authentication. → securitylab.github.com |
| 2026-04-10 2026 | Microsoft Bing Images OS Command Injection RCE intermediate | Writeup of CVE-2026-32191, a critical OS command injection vulnerability in Microsoft Bing Images, allows unauthenticated attackers to achieve remote code execution (RCE) over the network. The flaw stems from improper neutralization of special elements in OS commands, where unsanitized user input is incorporated into system calls, enabling the execution of arbitrary shell commands. Exploitation requires identifying an injection point and crafting payloads to bypass sanitization. → thehackerwire.com |
| 2026-04-10 2026 | AWS RES Root RCE via Crafted Session Name (CVE-2026-5707) intermediate | Writeup of CVE-2026-5707, an OS command injection flaw in AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01. A remote authenticated actor can exploit this vulnerability by providing a crafted virtual desktop session name, leading to arbitrary command execution with root privileges on the virtual desktop host. Exploitation requires valid credentials for the RES environment. Users should upgrade to RES version 2026.03 or apply a mitigation patch. → thehackerwire.com |
| 2026-04-10 2026 | Command Injection RCE in Kubernetes Log Query on Windows intermediate | Command Injection RCE in Kubernetes Log Query on Windows → akamai.com |
| 2026-04-10 2026 | Prompt Injection to RCE in AI Agents intermediate | Writeup on prompt injection leading to RCE in AI agents, detailing design antipatterns that enable argument injection attacks against pre-approved commands. The article demonstrates one-shot RCE exploits across three AI agent platforms, bypassing human approval through techniques like `go test -exec` and `git show --format`/`ripgrep --pre`. Recommendations focus on limiting impact via sandboxing and argument separation for developers, users, and security engineers. → blog.trailofbits.com |
| 2026-04-10 2026 | Group-Office Critical RCE via Insecure Deserialization (CVE-2026-34838) intermediate | Writeup of CVE-2026-34838 in Group-Office, detailing an insecure deserialization flaw in the `AbstractSettingsCollection` model. This critical vulnerability, requiring only authenticated low-privilege access, allows attackers to achieve Arbitrary File Write by injecting a serialized `FileCookieJar` object into setting strings. This file write directly enables Remote Code Execution on affected Group-Office versions prior to 6.8.156, 25.0.90, and 26.0.12. → thehackerwire.com |
| 2026-04-10 2026 | NVIDIA APEX Deserialization RCE (CVE-2025-33244) intermediate | Writeup of CVE-2025-33244 in NVIDIA APEX for Linux, detailing a critical deserialization of untrusted data vulnerability. This flaw, impacting PyTorch versions prior to 2.6, allows unauthenticated attackers to achieve arbitrary code execution, denial of service, privilege escalation, data tampering, and information disclosure by crafting malicious serialized data. Exploitation requires identifying the specific deserialization sink within APEX and understanding gadget chains in affected PyTorch versions, with upgrading PyTorch to 2.6 or later recommended as a mitigation. → thehackerwire.com |
| 2026-04-10 2026 | React2Shell and RSC Vulnerabilities: Exploitation Threat Brief intermediate | Library rules protecting against React2Shell (CVE-2025-55182), CVE-2025-55183, and CVE-2025-55184 offer protection for React Server Components. Exploitation attempts, including those by Asian-nexus threat groups, were observed shortly after public disclosure, utilizing vulnerability scanners like Nuclei and Burp Suite. Threat actors employed Internet-wide scanning, asset discovery platforms, and metadata analysis, including SSL certificate details, to identify vulnerable deployments, with targeted efforts observed against geopolitical intelligence priorities, government entities, and critical infrastructure. |
| 2026-04-10 2026 | CVE-2025-55182: React Server Components RCE via Flight Payload Deserialization intermediate | Writeup of CVE-2025-55182, a critical RCE in React Server Components. This vulnerability allows unauthenticated attackers to achieve arbitrary JavaScript execution on the server by crafting malicious Flight payloads that exploit unsafe deserialization of Chunks. The attack leverages Promise resolution and nested deserialization to control server-side functions, enabling actions like file reading or command execution. Public exploit code exists, and affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0. |
| 2026-04-10 2026 | n8n CVE-2025-68613 RCE Exploitation: A Detailed Guide intermediate | Guide to CVE-2025-68613, a critical remote code execution vulnerability in n8n. This flaw, with a CVSS score of 9.9, allows authenticated users to compromise the entire system by injecting JavaScript expressions. Exploitation can lead to arbitrary command execution, file access, secret theft, and lateral movement within connected systems. The guide details the vulnerability's technical underpinnings, impact, and provides exploitation and testing examples across various n8n interfaces and API endpoints. |
| 2026-04-10 2026 | 2025 Zero-Days in Review: Lessons Learned news | Survey of 2025 zero-day exploits reveals a continued shift towards enterprise targets, with 48% of tracked vulnerabilities impacting enterprise software and edge devices. State-sponsored espionage groups, particularly those linked to the People's Republic of China (PRC) such as UNC5221 and UNC3886, heavily favored these technologies for initial network access, while commercial surveillance vendors also expanded their exploit chain development. Malware campaigns like BRICKSTORM highlighted a new paradigm of using stolen IP for long-term zero-day development. → cloud.google.com |
| 2026-04-10 2026 | Multiple Threat Actors Exploit React2Shell (CVE-2025-55182) news | Writeup detailing exploitation of CVE-2025-55182 ("React2Shell"), a critical RCE in React Server Components, by multiple threat actors including China-nexus espionage groups. Observed payloads include MINOCAT, SNOWLIGHT, HISONIC, COMPOOD backdoors, and XMRIG miners. The writeup highlights exploitation chains and post-compromise behaviors, with specific mention of UNC6600, UNC6586, UNC6588, and UNC6603 actors, and their deployment of these tools. It also addresses misinformation surrounding initial exploit disclosures, noting a GitHub repository that initially contained non-functional AI-generated exploit code before updating with legitimate, obfuscated samples. → cloud.google.com |
| 2026-04-10 2026 | React2Shell: Critical Unauthenticated RCE in React Server Components intermediate | Writeup of CVE-2025-55182, a critical unauthenticated RCE vulnerability affecting React Server Components and frameworks like Next.js, dubbed React2Shell. Exploitation in-the-wild has begun, with a working proof-of-concept and Metasploit module available. The vulnerability, with a CVSS of 10.0, allows attackers to execute arbitrary code via malicious HTTP requests. Remediation involves updating affected React packages to versions 19.0.1, 19.1.2, or 19.2.1. Rapid7 customers have detection capabilities via Exposure Command, InsightVM, and Nexpose. → rapid7.com |
| 2026-04-10 2026 | Defending Against React2Shell in React Server Components intermediate | Reference detailing CVE-2025-55182 (React2Shell), a critical pre-authentication RCE vulnerability in React Server Components, affecting frameworks like Next.js. The vulnerability, stemming from insecure payload validation and prototype pollution, allows attackers to execute arbitrary code via a single HTTP request. Observed exploits target Windows and Linux environments, deploying coin miners and RATs, and attempting to steal cloud credentials using tools like TruffleHog and Gitleaks. Mitigation includes immediate patching to updated React and Next.js versions, prioritizing internet-facing assets, and potentially using WAF protections. → microsoft.com |
| 2026-04-10 2026 | Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited news | Writeup detailing CVE-2025-8110, an actively exploited RCE in Gogs, a self-hosted Git service. This vulnerability is a symlink bypass of a previous RCE (CVE-2024-55947), allowing authenticated users to overwrite files outside the repository via the PutContents API. The exploit chain involves committing a symlink and then using the API to overwrite sensitive files like `.git/config`. Wiz Research discovered this zero-day during an investigation, finding over 700 compromised instances public-facing. A fix is available in Gogs version v0.13.4. → wiz.io |
| 2026-04-10 2026 | SharePoint RCE: Exploitation, Detection, and Mitigation intermediate | SharePoint RCE: Exploitation, Detection, and Mitigation → akamai.com |
| 2026-04-10 2026 | Apache ActiveMQ RCE via Jolokia API (CVE-2026-34197) intermediate | Writeup of CVE-2026-34197, an Apache ActiveMQ Classic RCE vulnerability leveraging the Jolokia JMX-HTTP bridge to trigger Remote Code Execution via a crafted discovery URI. Attackers can exploit this by invoking operations like BrokerService.addNetworkConnector, loading a remote Spring XML application context that leads to arbitrary code execution through Runtime.exec(). This flaw, with a CVSS score of 8.8, is particularly critical on versions 6.0.0-6.1.1 due to CVE-2024-32114, which makes exploitation unauthenticated. Patches are available in ActiveMQ Classic 5.19.4 and 6.2.3. |
| 2026-04-10 2026 | CVE-2026-34841: Bruno IDE RCE via Supply Chain Attack news | Analysis of CVE-2026-34841 reveals a critical supply chain attack impacting Bruno IDE versions prior to 3.2.1. This vulnerability stems from a compromised axios npm package dependency, which allowed attackers to deploy a cross-platform Remote Access Trojan. Exploitation necessitates users running `npm install` during the attack window, leading to full system compromise and unauthorized remote control. The recommended mitigation is to upgrade to Bruno version 3.2.1 or later. |
| 2026-04-10 2026 | Telnet Vulnerability Opens Door to Remote Code Execution as Root intermediate | Writeup on CVE-2026-32746, a critical vulnerability in GNU inetutils telnetd allowing pre-authentication remote code execution as root. Triggered by a buffer overflow in the LINEMODE Set Local Characters (SLC) handler, exploitation can lead to full system compromise on affected legacy infrastructure, networking equipment, and embedded systems. The flaw enables arbitrary memory writes via a corrupted pointer after exceeding a fixed buffer. Migrating to SSH, disabling telnetd, or blocking port 23 are recommended workarounds. → csoonline.com |
| 2026-04-10 2026 | CVE-2026-23744: Remote Code Execution in MCPJam Inspector PoC news | CVE-2026-23744: Remote Code Execution in MCPJam Inspector PoC |
| 2026-04-10 2026 | Remote Code Execution (RCE) 101 beginner | Remote Code Execution (RCE) 101 → bugcrowd.com |
| 2026-04-10 2026 | How I Got RCE in One of Bugcrowd's Public Programs intermediate | How I Got RCE in One of Bugcrowd's Public Programs |
| 2026-04-10 2026 | From Recon to RCE: Hunting React2Shell (CVE-2025-55182) intermediate | From Recon to RCE: Hunting React2Shell (CVE-2025-55182) → infosecwriteups.com |
| 2026-04-10 2026 | RCE via Unclaimed Node Package: $2,500 Bug Bounty Writeup intermediate | RCE via Unclaimed Node Package: $2,500 Bug Bounty Writeup |
| 2026-04-10 2026 | Max Severity Flowise RCE Vulnerability Now Exploited in Attacks news | Library for securing Flowise, an open-source platform for LLM apps. It addresses CVE-2025-59528, a critical RCE vulnerability allowing arbitrary JavaScript code injection via the CustomMCP node. Developers should upgrade to version 3.0.6 or later to mitigate this threat, which has already been observed in active exploitation. Other Flowise vulnerabilities, CVE-2025-8943 and CVE-2025-26319, have also seen in-the-wild exploitation. → bleepingcomputer.com |
| 2026-04-10 2026 | CVE-2026-35056: XenForo RCE Vulnerability for Admin Accounts news | Writeup of CVE-2026-35056, a High severity (CVSS 4.0: 8.6) Code Injection vulnerability in XenForo versions prior to 2.3.9 and 2.2.18. This RCE vulnerability allows authenticated admin users to execute arbitrary code remotely. While no public proof-of-concept or active exploitation has been confirmed, users should promptly apply vendor patches and review the official advisory for affected systems. |
| 2026-04-10 2026 | CVE-2026-1731: Critical Unauthenticated RCE in BeyondTrust Remote Support news | Writeup of CVE-2026-1731, a critical unauthenticated RCE in BeyondTrust Remote Support and Privileged Remote Access products, which allows attackers to execute arbitrary OS commands. This vulnerability, with a CVSSv4 score of 9.9, affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. While SaaS instances were patched, self-hosted deployments require manual updates. Discovered by Hacktron AI, the flaw was added to CISA's KEV list on February 13, 2026. Rapid7 customers using Exposure Command, InsightVM, and Nexpose can assess their exposure with authenticated checks released February 9, 2026. → rapid7.com |
| 2026-04-10 2026 | PraisonAI Critical RCE via Malicious YAML Parsing (CVE-2026-39890) news | Writeup of CVE-2026-39890, a critical RCE vulnerability in PraisonAI, allowing arbitrary JavaScript execution via insecure YAML parsing. The flaw exists in `AgentService.loadAgentFromFile`, which improperly handles dangerous `js-yaml` tags like `!!js/function` and `!!js/undefined` when processing agent definition files. Exploitation involves crafting a malicious YAML file with embedded JavaScript and uploading it to the server, leading to server-side code execution. The vulnerability affects versions prior to 4.5.115 and is mitigated by upgrading. → thehackerwire.com |
| 2026-04-10 2026 | Critical n8n Flaws Allow Remote Code Execution and Credential Exposure news | Writeup detailing critical n8n vulnerabilities including CVE-2026-27577 (expression sandbox escape for RCE) and CVE-2026-27493 (unauthenticated expression evaluation via Form nodes). These flaws, along with CVE-2026-27495 (JavaScript Task Runner code injection) and CVE-2026-27497 (Merge node SQL query mode RCE), allow for arbitrary code execution and credential exposure. Patched versions are 2.10.1, 2.9.3, and 1.123.22. → thehackernews.com |
| 2026-04-09 2026 | CISA adds second critical flaw in Ivanti EPMM to exploited vulnerabilities catalog news | CISA adds second critical flaw in Ivanti EPMM to exploited vulnerabilities catalog https://ift.tt/vfeE3wl → cybersecuritydive.com |
| 2026-04-09 2026 | 13-year-old Apache ActiveMQ RCE vulnerability discovered AI assisted in finding exploit news | Library for Apache ActiveMQ Classic RCE vulnerability CVE-2026-34197, allowing arbitrary command execution. This 13-year-old flaw, exacerbated by CVE-2024-32114's unauthenticated API access in versions 6.0.0-6.1.1, leverages the Jolokia management API to load external Spring XML configurations. AI assistance, including Claude, aided in identifying the exploit path. Prompt patching to 5.19.4 or 6.2.3+ is critical due to widespread enterprise use and prior attack history. → scworld.com |
| 2026-04-09 2026 | CISA Warns of Critical Ivanti EPMM Code Injection Vulnerability Exploited in Attacks news | CISA Warns of Critical Ivanti EPMM Code Injection Vulnerability Exploited in Attacks https://ift.tt/2MVIqDl → cybersecuritynews.com |
| 2026-04-09 2026 | Claude helps researcher dig up decade-old Apache ActiveMQ RCE vulnerability (CVE-2026-34197) news | Writeup detailing CVE-2026-34197, a decade-old RCE vulnerability in Apache ActiveMQ Classic stemming from improper input validation and code injection. This vulnerability, exploitable with default credentials or unauthenticated in certain versions due to CVE-2024-32114, was discovered with AI assistance. Mitigation involves upgrading to ActiveMQ versions 6.2.3 or 5.19.4 and monitoring logs for specific indicators of compromise. CISA has since added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog. → helpnetsecurity.com |
| 2026-04-09 2026 | ThreatsDay Bulletin: Hybrid P2P Botnet 13-Year Apache RCE ClickFix Node.js RAT & 18 More Stories news | Library for securing applications, featuring protections against hybrid Phorpiex botnet variants, chained Apache ActiveMQ Classic RCE vulnerabilities (CVE-2026-34197, CVE-2024-32114, CVE-2022-41678), AI-driven DDoS tactics amplified by IoT botnets like TurboMirai, Magecart skimmers hidden in SVG elements affecting Magento stores, and malicious MSI installers delivering Node.js RATs. → thehackernews.com |
| 2026-04-08 2026 | 13-year-old bug in ActiveMQ lets hackers remotely execute commands news | Writeup detailing CVE-2026-34197, a 13-year-old remote code execution vulnerability in Apache ActiveMQ Classic affecting versions before 5.19.4 and 6.2.3. Discovered using Claude AI, the flaw allows attackers to execute arbitrary commands by exploiting the Jolokia management API to load external configurations, often chaining with CVE-2024-32114 for unauthenticated access. This issue underscores ActiveMQ's history as a target for attackers, with previous RCEs like CVE-2016-3088 and CVE-2023-46604 appearing on CISA's KEV list. → bleepingcomputer.com |
| 2026-04-08 2026 | Critical Ninja Forms vulnerability allows remote code execution news | Writeup of CVE-2026-0740, a critical vulnerability in Ninja Forms File Uploads affecting WordPress. This flaw allows unauthenticated arbitrary file uploads due to missing file type and extension validation, enabling path traversal to execute code via web shells. Over 3,600 exploitation attempts were blocked by Wordfence recently. Versions up to 3.3.26 are impacted, with a patch available in 3.3.27. → scworld.com |
| 2026-04-08 2026 | RCE Bug Lurked in Apache ActiveMQ Classic for 13 Years news | Writeup of CVE-2026-34197, a critical RCE vulnerability in Apache ActiveMQ Classic discovered by Horizon3.ai. This flaw, present for 13 years, can be chained with CVE-2022-41678, allowing attackers to exploit the Jolokia API and VM transport to execute OS commands. In some deployments, it can be combined with CVE-2024-32114 for unauthenticated RCE. Updates to ActiveMQ Classic 5.19.4 and 6.2.3 are recommended. → securityweek.com |
| 2026-04-08 2026 | Claude Discovers 13-Year-Old RCE Vulnerability in Apache ActiveMQ Within Minutes news | Claude Discovers 13-Year-Old RCE Vulnerability in Apache ActiveMQ Within Minutes https://ift.tt/6HFLTCo → cyberpress.org |
| 2026-04-08 2026 | Fortinet FortiClientEMS Remote Code Execution Vulnerability news | Writeup of CVE-2026-35616 in FortiClientEMS, an Improper Access Control vulnerability allowing unauthenticated attackers to execute unauthorized code or commands via crafted requests. Exploited in the wild, this vulnerability can lead to remote code execution and elevation of privilege on affected systems. Users should update to FortiClientEMS 7.4.7 or later. → hkcert.org |
| 2026-04-08 2026 | Hackers Targeting Ninja Forms Bug That Exposes WordPress Sites to Takeover news | Writeup on CVE-2026-0740, a critical unauthenticated arbitrary file upload vulnerability in Ninja Forms' File Uploads addon. This flaw, with a CVSS score of 9.8, allows attackers to bypass file type validation and use path traversal to upload malicious PHP code to the webroot, enabling remote code execution and complete site takeover. Defiant reports thousands of exploitation attempts against the ~50,000 affected websites. Users should update to version 3.3.27. → securityweek.com |
| 2026-04-08 2026 | Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations news | Library detailing Storm-1175's high-tempo Medusa ransomware operations, exploiting N-days like CVE-2023-21529 (Microsoft Exchange), CVE-2023-27351 (Papercut), and CVE-2024-21887 (Ivanti), alongside zero-days. The actor rapidly chains exploits, establishes persistence via new users, uses tools like PsExec and RMMs (Atera, N-able), PDQ Deployer, and Impacket for lateral movement and credential theft before deploying ransomware. → microsoft.com |
| 2026-04-08 2026 | Claude Uncovers 13-Year-Old RCE Flaw in Apache ActiveMQ in Just 10 Minutes news | Claude Uncovers 13-Year-Old RCE Flaw in Apache ActiveMQ in Just 10 Minutes https://ift.tt/JFu4DIs → cybersecuritynews.com |
| 2026-04-08 2026 | CUPS Vulnerability Chain Enables Remote Attacker to Execute Malicious Code as Root User news | CUPS Vulnerability Chain Enables Remote Attacker to Execute Malicious Code as Root User https://ift.tt/fhiH3dM → cybersecuritynews.com |
| 2026-04-08 2026 | Claude Identifies Critical 13-Year-Old RCE Vulnerability in Apache ActiveMQ news | Claude Identifies Critical 13-Year-Old RCE Vulnerability in Apache ActiveMQ https://ift.tt/dEBfCoy → gbhackers.com |
| 2026-04-07 2026 | Attackers exploit critical Flowise flaw CVE-2025-59528 for remote code execution news | Writeup of CVE-2025-59528 in Flowise, detailing how attackers exploit improper JavaScript validation in the CustomMCP node for remote code execution and file system access. The vulnerability, fixed in version 3.0.6, allows arbitrary JavaScript execution with full Node.js privileges, enabling command execution and data theft, and has seen active exploitation in the wild, targeting thousands of exposed instances. → securityaffairs.com |
| 2026-04-07 2026 | Hackers exploit critical flaw in Ninja Forms WordPress plugin news | Writeup detailing CVE-2026-0740, a critical 9.8 severity vulnerability in Ninja Forms File Uploads for WordPress versions up to 3.3.26. The flaw allows unauthenticated arbitrary file uploads, including PHP scripts, through a lack of destination filename validation and supports path traversal, enabling remote code execution. The vulnerability was discovered by Sélim Lanouar and reported to Wordfence, who provided temporary firewall mitigations before the vendor released a full fix in version 3.3.27. → bleepingcomputer.com |
| 2026-04-07 2026 | Active exploitation of max severity Flowise bug threatens broad compromise news | Library for identifying and mitigating CVE-2025-59528, a critical code injection vulnerability in Flowise. Exploitation of this flaw allows for remote code execution, compromise of sensitive modules like `child_process` and `fs`, system compromise, file system infiltration, and data theft. → scworld.com |
| 2026-04-07 2026 | New CUPS vulnerabilities threaten RCE network breaches news | Analysis of CVE-2026-34980 and CVE-2026-34990, two critical vulnerabilities in the Common Unix Printing System (CUPS), reveals their potential to enable unauthenticated remote code execution and root file overwrite on Linux and Unix-like systems. Exploitation involves chaining a print job submission to a PostScript queue with an authorization flaw, allowing low-privileged accounts to gain root access. These findings, discovered by SpaceX security engineer Asim Viladi Oglu Manizada, highlight the increasing role of AI in vulnerability detection. → scworld.com |
| 2026-04-07 2026 | Critical CUPS Vulnerability Chain Allows Remote Code Execution as Root news | Critical CUPS Vulnerability Chain Allows Remote Code Execution as Root https://ift.tt/LX3eCBW → cyberpress.org |
| 2026-04-07 2026 | Critical Flaw in Windmill Developer Platform Allows Remote Code Execution news | Critical Flaw in Windmill Developer Platform Allows Remote Code Execution https://ift.tt/dyo0Wb8 → cyberpress.org |
| 2026-04-07 2026 | Critical Flowise Vulnerability in Attacker Crosshairs news | Library updates address CVE-2025-59528, a critical remote code execution vulnerability in Flowise affecting versions up to 3.0.5. This flaw allows attackers to exploit unvalidated user-supplied JavaScript in MCP server configuration, granting full Node.js runtime privileges and access to the file system. Threat actors are actively exploiting this bug, posing an extreme risk to business continuity and sensitive data for thousands of exposed Flowise instances. Version 3.0.6 includes the patch. → securityweek.com |
| 2026-04-07 2026 | CUPS Vulnerabilities Could Allow Remote Attackers to Achieve Root-Level Code Execution news | CUPS Vulnerabilities Could Allow Remote Attackers to Achieve Root-Level Code Execution https://ift.tt/wYjmefB → gbhackers.com |
| 2026-04-07 2026 | Windmill Developer Platform Flaws Expose Users to RCE Attacks Proof-of-Concept Published news | Windmill Developer Platform Flaws Expose Users to RCE Attacks, Proof-of-Concept Published https://ift.tt/TP7IyrR → gbhackers.com |
| 2026-04-07 2026 | 50000 WordPress Sites Exposed to Critical Ninja Forms File Upload RCE Vulnerability news | 50,000 WordPress Sites Exposed to Critical Ninja Forms File Upload RCE Vulnerability https://ift.tt/E9Pb0B5 → cybersecuritynews.com |
| 2026-04-07 2026 | Over 1000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign news | Tooling identified in a campaign targeting over 1000 exposed ComfyUI instances allows attackers to exploit custom node vulnerabilities for remote code execution. This enables enrollment into a cryptomining botnet for Monero and Conflux using XMRig and lolMiner, and deployment into a Hysteria V2 proxy botnet. The attack leverages tools that scan for vulnerable ComfyUI instances, install malicious nodes like "ComfyUI-Shell-Executor," and establish persistence via shell scripts that disable history, kill competing miners, and use `LD_PRELOAD` hooks and `chattr +i` for resilience. → thehackernews.com |
| 2026-04-07 2026 | Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited news | Writeup of CVE-2026-35616, a critical improper access control vulnerability affecting FortiClient EMS, which has been exploited in the wild, allowing unauthenticated attackers to execute unauthorized code via crafted requests. This follows the discovery and exploitation of another critical flaw, CVE-2026-21643, an SQL injection vulnerability in the same platform, highlighting the significant risks associated with compromised endpoint management infrastructure. → infosecurity-magazine.com |
| 2026-04-07 2026 | Attackers Exploit Flowise Injection Vulnerability as 15000 Instances Remain Exposed news | Attackers Exploit Flowise Injection Vulnerability as 15,000+ Instances Remain Exposed https://ift.tt/FSIN53K → gbhackers.com |
| 2026-04-07 2026 | 50000 WordPress Sites Running Ninja Forms Vulnerable to Critical File Upload RCE news | 50,000 WordPress Sites Running Ninja Forms Vulnerable to Critical File Upload RCE https://ift.tt/lyKOd6c → gbhackers.com |
| 2026-04-07 2026 | Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12000 Instances Exposed news | Writeup on CVE-2025-59528, a CVSS 10.0 code injection vulnerability in Flowise AI Agent Builder, allowing remote code execution via JavaScript code injection, similar to prior Flowise flaws like CVE-2025-8943 and CVE-2025-26319. Exploitation can grant access to Node.js modules like `child_process` and `fs`, enabling system compromise, file access, and data exfiltration. Over 12,000 instances remain exposed, facing active exploitation. → thehackernews.com |
| 2026-04-07 2026 | AI agents found vulns in this popular Linux and Unix print server news | Writeup of CVE-2026-34980 and CVE-2026-34990 in CUPS, a popular Linux and Unix print server, detailing how two chained vulnerabilities allow unauthenticated remote attackers to execute code and achieve root file overwrite. The flaws, discovered by AI agents and a security researcher, exploit CUPS' handling of anonymous print-job requests and option parsing to enable code injection. CVE-2026-34980 provides remote code execution as the `lp` user, which can then be chained with CVE-2026-34990, an authorization flaw, to gain root privileges. → theregister.com |
| 2026-04-06 2026 | CVE-2026-2699-and-CVE-2026-2701 news | Writeup detailing CVE-2026-2699 and CVE-2026-2701, two critical severity vulnerabilities in Progress ShareFile Storage Zones Controller (SZC) 5.x. CVE-2026-2699, an authentication bypass via improper redirect/session handling, allows unauthenticated access to administrative functions. When combined with CVE-2026-2701, an arbitrary file upload to the webroot flaw, these vulnerabilities enable pre-authentication remote code execution. Affected versions include SZC 5.x up to 5.12.3, with fixes available in 5.12.4. → arcticwolf.com |
| 2026-04-06 2026 | 2000 FortiClient EMS Instances Exposed Online Amid Active RCE Vulnerability Exploits in the Wild news | 2,000+ FortiClient EMS Instances Exposed Online Amid Active RCE Vulnerability Exploits in the Wild https://ift.tt/Xwvjd0z → cybersecuritynews.com |
| 2026-04-06 2026 | Attackers Exploit RCE Flaw as 14000 F5 BIG-IP APM Instances Remain Exposed news | Writeup detailing CVE-2025-53521, a critical RCE vulnerability affecting F5 BIG-IP APM instances. Attackers are actively exploiting this flaw, which allows specially crafted traffic to trigger remote code execution when access policies are enabled. Shadowserver reports over 14,000 exposed instances, with CISA adding the vulnerability to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch by March 30, 2026. → securityaffairs.com |
| 2026-04-06 2026 | Oracle issues emergency fix for pre-auth RCE in Identity Manager (CVE-2026-21992) news | Patch for CVE-2026-21992, a critical pre-authentication RCE vulnerability in Oracle Identity Manager and Oracle Web Services Manager, is available. This unauthenticated flaw, affecting versions 12.2.1.4.0 and 14.1.2.1.0, mirrors the exploited CVE-2025-61757, also a missing authentication issue in Identity Manager reported by Assetnote / Searchlight Cyber. Urgent application of this emergency fix is recommended to prevent system takeover. → helpnetsecurity.com |
| 2026-04-06 2026 | Critical Flaws Identified in Progress Software ShareFile Service news | Critical Flaws Identified in Progress Software ShareFile Service https://ift.tt/ERZfLV6 |
| 2026-04-06 2026 | 2000 FortiClient EMS Instances Exposed Online as Attackers Exploit Active RCE Flaw news | 2,000+ FortiClient EMS Instances Exposed Online as Attackers Exploit Active RCE Flaw https://ift.tt/e3stSz8 → gbhackers.com |
| 2026-04-06 2026 | Metasploit Wrap-Up 04/03/2026 news | Library updates for Metasploit Framework introduce new HTTP/HTTPS CMD payloads for Windows, enabling RCE against FreeScout (CVE-2026-27636, CVE-2026-28289) and Grav CMS (CVE-2025-50286). It also adds a generic HTTP command execution exploit, a Windows persistence technique via `UserInitMprLogonScript`, and various enhancements, bug fixes, and documentation updates. → rapid7.com |
| 2026-04-06 2026 | Multiple Vulnerabilities in Progress ShareFile Could Allow for Remote Code Execution news | Advisory detailing multiple vulnerabilities in Progress ShareFile versions prior to 5.12.4. Chained exploitation of an authentication bypass (CVE-2026-2699) and a remote code execution flaw (CVE-2026-2701) allows attackers to upload malicious ASPX webshells via abuse of file upload and extraction functionality. Public proof-of-concept code is available for the mentioned CVEs. |
| 2026-04-06 2026 | Critical RCE Vulnerability in F5 BIG-IP Under Exploitation news | Critical RCE Vulnerability in F5 BIG-IP Under Exploitation |
| 2026-04-06 2026 | CVE-2026-20131 Cisco FMC RCE Vulnerability news | Writeup of CVE-2026-20131, a critical RCE vulnerability in Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control Firewall Management. This insecure deserialization flaw in the web interface allows unauthenticated remote attackers to execute arbitrary code as root, and has been observed in ransomware campaigns. The vulnerability affects specific Cisco FMC and Security Cloud Control Firewall Management versions, with Cisco issuing software updates as the sole remediation. |
| 2026-04-06 2026 | Emerging Threat: CVE-2026-27876 Grafana Remote Code Execution via SQL Expressions news | Writeup of CVE-2026-27876, a critical RCE vulnerability in Grafana's sqlExpressions feature, allowing arbitrary file writes to achieve remote code execution. Exploitable with viewer access, it affects specific versions of Grafana 11 and 12 when the feature is enabled, particularly impacting Information Technology and Communication Services sectors. Patches are available, with workarounds including disabling the feature toggle and network restriction. |
| 2026-04-05 2026 | Critical Remote Code Execution Vulnerability in Cisco Secure Firewall Management Center (CVE-2026-20131) news | Writeup on CVE-2026-20131, a critical RCE vulnerability in Cisco Secure Firewall Management Center, exploitable via insecure deserialization of Java objects. This unauthenticated attack allows arbitrary code execution and privilege escalation to root. Active exploitation was observed, leading to inclusion in CISA's KEV catalog and a mandate for remediation in federal agencies. Exploitation leverages YSoSerial, with techniques including command-and-control communication. → securityboulevard.com |
| 2026-04-05 2026 | New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation news | Writeup on CVE-2026-5281, a critical use-after-free vulnerability in Chrome's Dawn component. This zero-day flaw, actively exploited in the wild, allows remote attackers to execute arbitrary code via crafted HTML pages. The advisory highlights recent exploitation trends, including CVE-2026-3909, CVE-2026-3910, and CVE-2026-2441, urging users to update to the latest Chrome versions. → thehackernews.com |
| 2026-04-04 2026 | Critical Grafana Vulnerabilities Enable Remote Code Execution and DoS Attacks news | Writeup of critical Grafana vulnerabilities, CVE-2026-27876 and CVE-2026-27880, enabling remote code execution and denial-of-service attacks. CVE-2026-27876, a CVSS 9.1 flaw in SQL expressions, allows arbitrary file writes leading to RCE and SSH access. CVE-2026-27880 affects OpenFeature validation endpoints, permitting instance crashes via large requests. Recommendations include immediate upgrades, disabling SQL expressions, and edge-level DoS mitigation using reverse proxies like Nginx or Cloudflare. → securityboulevard.com |
| 2026-04-04 2026 | 14000 F5 BIG-IP APM Devices Exposed Online Amid Active RCE Vulnerability Exploits news | 14,000+ F5 BIG-IP APM Devices Exposed Online Amid Active RCE Vulnerability Exploits https://ift.tt/WvUC40h → cybersecuritynews.com |
| 2026-04-03 2026 | CISA Warns of Craft CMS Code Injection Flaw Exploited in Active Attacks news | CISA Warns of Craft CMS Code Injection Flaw Exploited in Active Attacks https://ift.tt/VpJB7hM → gbhackers.com |
| 2026-04-03 2026 | New Progress ShareFile Flaws Expose Servers to Unauthorized Remote Takeover news | New Progress ShareFile Flaws Expose Servers to Unauthorized Remote Takeover https://ift.tt/ZupJCrH → gbhackers.com |
| 2026-04-03 2026 | Researchers warn of critical flaws in Progress ShareFile news | Researchers warn of critical flaws in Progress ShareFile https://ift.tt/OIsV6B0 → cybersecuritydive.com |
| 2026-04-03 2026 | SSTI (Server-Side Template Injection) to RCE Walkthrough intermediate | SSTI (Server-Side Template Injection) to RCE Walkthrough |
| 2026-04-03 2026 | SSTI Leading to Remote Code Execution (RCE) intermediate | SSTI Leading to Remote Code Execution (RCE) |
| 2026-04-03 2026 | OpenOlat Velocity Template Injection Leads to RCE intermediate | Writeup of CVE-2026-28228 in OpenOlat details a high-severity server-side template injection vulnerability. Exploitable by authenticated users with the Author role, it allows Velocity directives to be injected into reminder email templates, leading to remote code execution (RCE) via Java reflection and `ProcessBuilder`. Affected versions include those prior to OpenOlat 19.1.31, 20.1.18, and 20.2.5. → thehackerwire.com |
| 2026-04-03 2026 | A Pentester's Guide to SSTI | Cobalt beginner SSTI | Guide to Server-Side Template Injection (SSTI) detailing how attackers exploit template engines like Smarty, Twig, Velocity, Jinja, and Liquid to achieve remote code execution (RCE). It describes using polyglot payloads to detect vulnerabilities, identify template engines through error messages, and leverage available objects like `settings.SECRET_KEY` for exploitation. The guide also mentions Tplmap as an automated tool for SSTI exploitation and suggests input sanitization and sandboxing as remediation techniques. → cobalt.io |
| 2026-04-03 2026 | RCE with Server-Side Template Injection intermediate | RCE with Server-Side Template Injection |
| 2026-04-03 2026 | Rejetto HTTP File Server SSTI RCE (CVE-2024-23692) | Invicti news | Writeup of CVE-2024-23692, a Server-Side Template Injection (SSTI) vulnerability in Rejetto HTTP File Server (HFS) versions 2.3m and earlier. This flaw allows unauthenticated remote code execution via a malicious HTTP request. Remediation involves migrating to HFS 3.x, as version 2.x is end-of-life and unsupported. Compensating controls include network access restrictions, reverse proxy filtering, or temporary service shutdown. → invicti.com |
| 2026-04-03 2026 | WPML Plugin RCE via Twig SSTI (CVE-2024-6386) news | Writeup detailing CVE-2024-6386, an authenticated Remote Code Execution vulnerability in the WPML Multilingual CMS Plugin for WordPress. The vulnerability stems from a Twig Server-Side Template Injection (SSTI) flaw due to inadequate input sanitization within shortcode processing. Exploitation involves constructing payloads using the `dump()` function to dynamically gather necessary characters, bypassing quote restrictions and enabling arbitrary command execution. Affected versions are `<= 4.6.11`. |
| 2026-04-03 2026 | PayloadsAllTheThings - Server Side Template Injection beginner SSTI | Library of Server-Side Template Injection (SSTI) techniques and tools, including scanners like Hackmanit/TInjA and epinna/tplmap, along with research on Rendered, Error-Based, Boolean-Based, and Time-Based exploitation. It details methods for identifying template engines such as Jinja2, Twig, and FreeMarker, and provides example payloads and research papers like James Kettle's "Server-Side Template Injection: RCE For The Modern Web App." |
| 2026-04-03 2026 | SSTI: Advanced Exploitation Guide | Intigriti advanced SSTI | Library that details advanced exploitation techniques for Server-Side Template Injection (SSTI) vulnerabilities. It covers identification methods for template engines like Jinja2, Twig, and ERB, and demonstrates how to escalate basic injections to remote code execution by exploiting sandboxed environments and chained objects, offering practical examples for Python, PHP, Ruby, JavaScript, Java, and C# template engines. → intigriti.com |
| 2026-04-03 2026 | SSTI Exploitation with RCE Everywhere | YesWeHack intermediate SSTI | Writeup detailing advanced Server-Side Template Injection (SSTI) exploitation techniques for achieving Remote Code Execution (RCE) without quotes or external plugins. It covers payloads for Jinja2, Mako, Twig, Smarty, Blade, Groovy, and FreeMarker, demonstrating how to bypass auto-escaping and exploit built-in functions like `chr`, `popen`, `passthru`, and `execute` across various languages and frameworks. → yeswehack.com |
| 2026-04-03 2026 | Progress ShareFile vulnerabilities allow unauthenticated file exfiltration news | Writeup detailing Progress ShareFile vulnerabilities CVE-2026-2699 and CVE-2026-2701, which allow unauthenticated file exfiltration. Exploitation involves chaining an authentication bypass with remote code execution within the Storage Zones Controller (SZC). Researchers at watchTowr discovered these flaws, affecting Progress ShareFile versions 5.x. Progress has released version 5.12.4 to patch these critical issues. → scworld.com |
| 2026-04-03 2026 | Critical ShareFile Flaws Lead to Unauthenticated RCE news | Writeup detailing chained vulnerabilities CVE-2026-2699 (Execution After Redirect) and CVE-2026-2701 (arbitrary file upload) in Citrix ShareFile. WatchTowr discovered these flaws allowed unauthenticated attackers to gain administrative access, exfiltrate sensitive files to attacker-controlled S3 buckets, and achieve remote code execution by uploading a web shell. The vulnerabilities were patched in ShareFile version 5.12.4. → securityweek.com |
| 2026-04-03 2026 | Under Fire: Attackers Target Flaws in F5 and Citrix Gear news | Library: Actively exploited vulnerabilities in F5 BIG-IP APM (CVE-2025-53521, a critical remote code execution flaw) and NetScaler ADC/Gateway (CVE-2026-3055, a critical memory overread, and CVE-2026-4368, a session mix-up) are detailed. Attackers, including nation-state actors, are targeting these application delivery and security platforms, with F5 revising its BIG-IP APM flaw severity from denial-of-service to remote code execution, and CISA mandating patching for federal agencies. Memory leak vulnerabilities in Citrix products, like the previously disclosed CitrixBleed, continue to be a significant concern. |
| 2026-04-03 2026 | AI discovers RCE vulnerabilities in Vim and Emacs text editors news | Library for identifying remote code execution (RCE) vulnerabilities in text editors. Leverages AI assistance to find flaws, such as a modeline-related RCE in Vim (versions 9.2.0271 and earlier) and a Git integration vulnerability in GNU Emacs that allows arbitrary command execution via a core.fsmonitor program. The AI also aids in exploit development and suggests fixes. → scworld.com |
| 2026-04-02 2026 | Critical Fortinet FortiClient EMS flaw exploited for Remote Code Execution news | Writeup of CVE-2026-21643, a critical SQL Injection vulnerability in Fortinet FortiClient EMS, now actively exploited. Threat actors smuggle SQL statements via the "Site"-header in HTTP requests to achieve remote code execution, potentially gaining an initial network foothold for lateral movement or malware deployment. Nearly 1000 instances of FortiClient EMS are publicly exposed. This follows the earlier CVE-2023-48788, also an SQL Injection flaw, added to CISA's KEV catalog. → securityaffairs.com |
| 2026-04-02 2026 | Critical Cisco Smart Software Manager Vulnerability Enables Arbitrary Command Execution news | Critical Cisco Smart Software Manager Vulnerability Enables Arbitrary Command Execution https://ift.tt/mqhIRau → cyberpress.org |
| 2026-04-02 2026 | ImageMagick vulnerability allows remote code execution news | Library for ImageMagick vulnerability analysis, detailing a critical flaw allowing remote code execution via crafted image files. Researchers identified a "magic byte shift" that bypasses restrictive policies, enabling attackers to leverage secondary tools like GhostScript and Magick Scripting Language (MSL) for RCE, data theft, and backdoor installation. Affecting major Linux distributions and WordPress sites, the vulnerability remains a pervasive threat due to the lack of automated patches and the unlabelled nature of early fixes. → scworld.com |
| 2026-04-02 2026 | GIGABYTE Control Center vulnerability allows remote code execution news | Analysis of CVE-2026-4415, a critical arbitrary file-write vulnerability in GIGABYTE Control Center (GCC) versions 25.07.21.01 and earlier. Unauthenticated remote attackers can exploit the "pairing" feature to write arbitrary files, leading to remote code execution, privilege escalation, or denial-of-service. GIGABYTE has released version 25.12.10.01 to patch this flaw, with immediate upgrades recommended. → scworld.com |
| 2026-04-02 2026 | Fortinet hit by another exploited cybersecurity flaw news | Analysis of CVE-2026-21643, a critical SQL injection vulnerability in FortiClient EMS, detailing its exploitation for remote code execution and data exfiltration. This flaw, present in version 7.4.4 with multi-tenant mode enabled, allows unauthenticated attackers to craft HTTP requests to access admin credentials, endpoint data, and certificates. The vulnerability remains a top application security risk, underscoring the need for organizations to patch immediately and consider zero-trust architectures to mitigate such threats. → csoonline.com |
| 2026-04-02 2026 | Critical Grafana Vulnerabilities Let Attackers Achieve Remote Code Execution news | Critical Grafana Vulnerabilities Let Attackers Achieve Remote Code Execution https://ift.tt/bQpTgzY → cybersecuritynews.com |
| 2026-04-02 2026 | Hackers exploiting critical F5 BIG-IP flaw in attacks patch now news | Advisory regarding CVE-2025-53521, a critical remote code execution flaw in F5 BIG-IP APM systems that attackers are actively exploiting to deploy webshells. This vulnerability, previously classified as denial-of-service, allows unprivileged attackers to achieve RCE when access policies are configured on a virtual server. F5 strongly recommends patching and reviewing systems for signs of compromise. CISA has added it to its list of actively exploited flaws, urging federal agencies to secure their BIG-IP APM deployments. → bleepingcomputer.com |
| 2026-02-02 2026 | depthfirst | 1-Click RCE To Steal Your Moltbot Data and Keys advanced AI Secrets | Library analysis by depthfirst identified a critical vulnerability (CVE-2026-25253) in OpenClaw, an AI assistant. This flaw allows for a one-click RCE exploit by chaining a logic gap in gateway URL ingestion with Cross-Site WebSocket Hijacking. The exploit bypasses Same Origin Policy and allows disabling security features like user confirmation and sandboxing via API calls, leading to arbitrary command execution and access to sensitive data like iMessage and Stripe API keys. |
| 2025-12-07 2025 | 🚨 New article: SSRF exploitation advanced SSRF | What's inside: → 20+ bypass techniques → Cloud metadata attacks (AWS/Azure/GCP) → Gopher protocol exploitation → Docker & Redis RCE chains → Blind SSRF detection → Real automation scripts From ping t... |
| 2025-08-14 2025 | https://weekly.infosecwriteups.com/iw-weekly-39-10-000-bounty-zero-click-account-takeover-stored-xss-open-redirection-vulnerability-sql-injection-rce-reconnaissance-techniques-and-much-more/ intermediate SQLi XSS | Collection of Infosec writeups featuring a $10,000 bounty for a Facebook Reels vulnerability, Zoom stored XSS, Facebook zero-click account takeover, io_uring UAF (CVE-2022-2602), Apple subdomain open redirection, GraphQL pentesting, social engineering guides, insecure CORS, bug bounty automation, smart contract vulnerabilities, mental health tips for hackers, HTTP Basic Auth, SQL Injection to RCE (CVE-2022-44015), RFC analysis for bounties, MMORPG CTF challenges, CodeQL for GraphQL, reconnaissance techniques, SSRF deep dives, Foundry EVM chain tests, and online security learning resources. |
| 2025-08-14 2025 | Chaining an Blind SSRF bug to Get an RCE | by Santosh Kumar Sha (@killmonga intermediate SSRF | The content discusses chaining a Blind Server-Side Request Forgery (SSRF) bug to achieve Remote Code Execution (RCE), presented by Santosh Kumar Sha. This technique involves exploiting a vulnerability in which an attacker can make a server perform unauthorized requests, leading to gaining control over the server and executing malicious code remotely. The focus is on demonstrating how an SSRF bug can be leveraged to escalate to a more severe RCE attack, highlighting the importance of understanding and securing against such vulnerabilities in web applications. |
| 2025-08-14 2025 | Just Gopher It: Escalating a Blind SSRF to RCE for $15k — Yahoo Mail | by S intermediate SSRF | The content discusses escalating a blind Server-Side Request Forgery (SSRF) vulnerability to Remote Code Execution (RCE) in Yahoo Mail, earning a reward of $15,000. The process involves utilizing the Gopher protocol to exploit the SSRF vulnerability and achieve RCE. The article likely details the steps taken to identify, exploit, and report the vulnerability to Yahoo Mail's security team, resulting in a significant bounty payout. |
| 2025-08-14 2025 | https://github.com/smgorelik/Windows-RCE-exploits/tree/master/Web/VBScript advanced | The provided link leads to a GitHub repository containing Windows Remote Code Execution (RCE) exploits written in VBScript. The repository offers a collection of scripts that can be used to exploit vulnerabilities in Windows systems. It focuses on utilizing VBScript for web-based attacks. The content provides a resource for security researchers and professionals interested in studying or testing RCE vulnerabilities in Windows environments using VBScript. |
| 2025-08-14 2025 | https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-bypass-firewall-to-get-rce-and-then-went-from-server-shell-to-get-783f71131b94?source=userActivityShare-90814179aa21-1525127127 intermediate | The content discusses a bug bounty experience where the author bypassed a firewall to achieve Remote Code Execution (RCE) and gained access to a server shell. The author describes the steps taken to exploit vulnerabilities, including identifying the firewall, exploiting it to gain RCE, and escalating privileges to access the server shell. The article provides insights into the process of identifying and exploiting security weaknesses, showcasing the author's skills in penetration testing and bug hunting. |
| 2025-08-14 2025 | https://medium.com/@kedrisec/how-i-found-2-9-rce-at-yahoo-bug-bounty-program-20ab50dbfac7 intermediate | The content discusses a security researcher's experience finding a critical Remote Code Execution (RCE) vulnerability in Yahoo's Bug Bounty Program. The researcher details the steps taken to discover and exploit the vulnerability, which allowed unauthorized code execution on Yahoo's servers. The post highlights the importance of responsible disclosure and the collaboration between security researchers and companies to address such vulnerabilities. The discovery earned the researcher a significant bounty reward. |
| 2025-08-14 2025 | https://medium.com/@p4c3n0g3/lfi-to-rce-via-access-log-injection-88684351e7c0?source=userActivityShare-90814179aa21-1524411790 intermediate | The content discusses a security vulnerability called Local File Inclusion (LFI) that can be exploited to achieve Remote Code Execution (RCE) through access log injection. By manipulating log files, an attacker can inject malicious code that gets executed on the server, leading to potential compromise. The article provides a detailed explanation of how this attack works and offers insights into the impact and mitigation strategies. It emphasizes the importance of understanding and securing against such vulnerabilities to protect systems from unauthorized access and data breaches. |
| 2025-08-14 2025 | https://engineering.salesforce.com/meraki-rce-when-red-team-and-vulnerability-research-fell-in-love-3a119ce2cf56?source=userActivityShare-90814179aa21-1515163858 intermediate | The content discusses a case study where a red team and vulnerability researchers collaborated to discover a critical Remote Code Execution (RCE) vulnerability in Meraki devices. The article highlights the importance of teamwork, communication, and collaboration between different security roles to identify and address security flaws effectively. The process involved reverse engineering, code analysis, and exploitation techniques to uncover the vulnerability. The findings were responsibly disclosed to the vendor for remediation. This case emphasizes the significance of cross-functional cooperation in cybersecurity to enhance overall security posture and protect against potential threats. |
| 2025-08-14 2025 | Leading the Blind to Light! - A Chain to RCE intermediate | Writeup detailing a Remote Code Execution (RCE) chain achieved by exploiting an Oracle E-Business Suite instance. The chain begins with an authentication bypass leading to blind XXE, which then facilitates information disclosure. This information is combined with an SQL injection vulnerability on an internal database host, enabling the re-enabling of `xp_cmdshell`. Successful execution of `xp_cmdshell` ultimately grants command execution with Administrator privileges. → blog.zsec.uk |
| 2025-08-14 2025 | opsxcq/exploit-CVE-2016-10033: PHPMailer 5.2.18 Remote Code Execution intermediate | Tool for exploiting CVE-2016-10033 in PHPMailer versions prior to 5.2.18, enabling remote code execution. This vulnerability allows attackers to inject arbitrary code by crafting a `From` address that bypasses filters, leading to the execution of commands via the `mail()` function's `additional_parameters`. The provided exploit leverages this by writing a backdoor file to a web-accessible directory, allowing for shell access and further exploitation. |
| 2025-08-14 2025 | Artificial truth · From LFI to RCE in php intermediate | Technique for achieving RCE via LFI in PHP, improving on earlier /proc/self/environ and /var/log methods. This technique leverages PHP's temporary file handling during uploads. By repeatedly triggering an infinite recursive inclusion with a SIGSEGV, the temporary file is prevented from deletion, allowing an attacker to bruteforce its randomly generated name and achieve remote code execution, as demonstrated with a Python script and a shell.php payload. |
| 2025-08-14 2025 | The Tale Of SSRF To RCE on .GOV Domain | by Tobydavenn | Sep, 2022 | Medium intermediate SSRF | The content titled "The Tale Of SSRF To RCE on .GOV Domain" by Tobydavenn on Medium discusses a scenario involving Server-Side Request Forgery (SSRF) leading to Remote Code Execution (RCE) on a .GOV domain. The article likely delves into the technical details of how this vulnerability was exploited, highlighting the significance of such security flaws on government domains. It may provide insights into the exploitation process, potential impacts, and the importance of addressing SSRF vulnerabilities promptly to prevent RCE attacks. |
| 2025-08-14 2025 | https://www.reddit.com/r/Hacking_Tutorials/comments/gtpkug/remote_code_execution_explained_with_real_life/?utm_source=share&utm_medium=ios_app&utm_name=iossmf beginner Bug Bounty | The content discusses remote code execution, explaining how it works with real-life examples. It delves into the concept of exploiting vulnerabilities to execute code on a remote system, potentially leading to unauthorized access. The post likely provides insights into the dangers of remote code execution and how hackers can leverage it for malicious purposes. It serves as a tutorial or informational resource for individuals interested in understanding cybersecurity threats and how to protect against them. |
| 2025-08-14 2025 | https://medium.com/@smilehackerofficial/how-i-found-rce-but-got-duplicated-ea7b8b010990 intermediate | The content discusses a security researcher's experience finding a Remote Code Execution (RCE) vulnerability in a web application. The researcher details the steps taken to identify and exploit the vulnerability, leading to a successful demonstration of the RCE. However, the researcher later discovered that the same vulnerability had been previously reported by another researcher, resulting in a duplicate submission. The article highlights the importance of thorough research before reporting vulnerabilities to avoid duplication and emphasizes the need for collaboration within the security research community. |
| 2025-08-14 2025 | https://omespino.com/write-up-private-bug-bounty-usd-rce-as-root-on-marathon-instance/ intermediate | Writeup detailing RCE as root on Marathon instances, found by exploiting unauthenticated Marathon UIs discovered via Shodan. The technique involves using `curl` to create a Marathon application with a command like `wget` to exfiltrate host data to an attacker-controlled listener, leveraging the `cmd` parameter for arbitrary command execution. This vulnerability allows for root-level command execution on vulnerable Marathon deployments. |
| 2025-08-14 2025 | Zoom Zero Day: 4 Million Webcams & maybe an RCE? Just get them to visit yo intermediate | The content mentions a Zoom zero-day vulnerability affecting 4 million webcams that could potentially lead to remote code execution (RCE). The vulnerability can be exploited by tricking users into visiting a malicious website. This poses a significant security risk as attackers could gain unauthorized access to users' webcams and potentially execute malicious code on their devices. It highlights the importance of staying vigilant and updating software to protect against such vulnerabilities. |
| 2025-08-14 2025 | elttam - Ruby 2.x Universal RCE Deserialization Gadget Chain advanced | Library releasing a universal Ruby 2.x RCE deserialization gadget chain, bypassing prerequisites of earlier techniques like the ActiveSupport gem. This chain leverages code reuse attacks by chaining "gadgets" from the Ruby standard library, including techniques to indirectly load further libraries via `require` calls, ultimately enabling arbitrary command execution. |
| 2025-08-14 2025 | http://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html advanced | The content discusses how a security researcher chained together four bugs and features to achieve Remote Code Execution (RCE) on Amazon. The researcher details the vulnerabilities found in Amazon's services and how they were exploited to gain unauthorized access and execute code remotely. The blog post provides a technical breakdown of the process, highlighting the importance of identifying and addressing security flaws to prevent such exploits. |
| 2025-08-14 2025 | RCE by uploading a web.config ↳... intermediate | The content discusses a Remote Code Execution (RCE) vulnerability that can be exploited by uploading a malicious web.config file. This type of vulnerability allows attackers to execute arbitrary code on a target system, potentially leading to unauthorized access or data breaches. It highlights the importance of securing file upload functionality and ensuring that user inputs are properly validated to prevent such security risks. |
| 2025-07-29 2025 | GitHub - jeanlucdupont/EXEfromCER: PoC that downloads an executable from a public SSL certificate intermediate Supply Chain | Proof-of-concept that demonstrates downloading and executing a Windows executable embedded within a public SSL certificate. This technique leverages custom X.509 certificate extensions and HTTPS to deliver the payload. The process involves generating a certificate with the executable in a custom OID extension using OpenSSL, serving it via TLS, and a Python client that connects, extracts the binary from the certificate, saves it, and then runs it. |
| 2025-05-17 2025 | New Process Injection Class: The CONTEXT-Only Attack Surface advanced | Library for exploring the "context-only" attack surface in process injection. This research demonstrates techniques to inject code by focusing solely on execution primitives, bypassing traditional detection methods that rely on memory allocation and writing. Methods include using `CreateRemoteThread` with `LoadLibraryA` on existing in-process strings, calling arbitrary WinAPI functions via `SetThreadContext`, and leveraging `NtCreateThread` for remote shellcode execution, expanding to APC functions like `QueueUserAPC`. The accompanying `RedirectThread` tool aids in these investigations. |
| 2025-03-30 2025 | Stored XSS in My Flow To RCE in Opera Browser #2 - Renwa - Medium intermediate Bug Bounty XSS | Hey Opera team, after your great response and bounties with previous reports motivated me to look more into the program and find more bugs, luckily I found a critical bug in My Flow that allow an… |
| 2024-12-22 2024 | 0x03 - Approaching the Modern Windows Kernel Heap advanced | Writeup detailing exploitation of a Use-After-Free (UaF) vulnerability on Windows 11 (x64) using techniques derived from Alex Ionescu's "Kernel Heap Fengshui." The process involves reverse engineering with Ghidra to identify object sizes and IOCTL codes, and then employing Named Pipes (NPFS.SYS) to trigger nonpaged pool allocations for kernel heap manipulation, overcoming initial challenges with object sizing and allocation control. |
| 2024-12-19 2024 | GitHub - WafflesExploits/hide-payload-in-images: A project that demonstrates embedding shellcode payloads into image files (like PNGs) using Python and extracting them using C/C++. Payloads can be retrieved directly from the file on disk or from the image stored in a binary's resources section (.rsrc) intermediate Python | Library demonstrating shellcode payload embedding into PNG images using Python, with C/C++ extractors. The project includes `payload-extractor-from-file.cpp` for disk-based extraction, `payload-extractor-from-resource.cpp` utilizing WinAPI functions like `FindResource` and `LockResource`, and `payload-extractor-from-resource-via-peb.cpp` for stealthier extraction via manual PEB and PE header parsing, avoiding WinAPI calls and improving reliability with direct PEB access. |
| 2024-11-20 2024 | Win32 shellcode beginner | Win32 shellcode |
| 2024-11-10 2024 | GitHub - AnonKryptiQuz/Xploitra: Xploitra is a powerful reverse shell payload generator for educational and security testing. It offers customizable payloads with advanced obfuscation and session management, making it ideal for simulating real-world attack scenarios and assessing system security. intermediate | Tool for generating customizable reverse shell payloads for Windows, Xploitra offers advanced obfuscation and session management for simulating attack scenarios. It supports payload customization of IP, port, and execution commands, with randomized encoding and string manipulation to bypass basic detection. The tool can generate payloads on any OS and handle multiple sessions concurrently, encoding them in Base64 for secure delivery and saving them as `.bat` files. |
| 2024-11-10 2024 | GitHub - AnonKryptiQuz/I-Espresso: I-Espresso is a tool that enables users to generate Portable Executable (PE) files from batch scripts. Leveraging IExpress, it demonstrates how file extension spoofing can be used to evade detection. intermediate | Tool for generating Portable Executable (PE) files from batch scripts using IExpress. I-Espresso demonstrates file extension spoofing techniques to evade detection, offering a user-friendly, fast, and efficient method for creating disguised payloads without external dependencies on Windows. It guides users through prompts to specify batch scripts, executable names, and custom extensions for generated PE files, intended purely for educational and security testing purposes. |
| 2024-11-04 2024 | Microsoft SharePoint RCE bug exploited to breach corporate network news | Writeup detailing the exploitation of CVE-2024-38094, a Microsoft SharePoint RCE vulnerability, for initial network access. Attackers deployed a webshell, leveraged Horoung Antivirus to disable defenses, and used tools like Impacket, Mimikatz, FRP, everything.exe, Certify.exe, and kerbrute for lateral movement, credential harvesting, persistence, and network scanning. The exploit involved a batch script for antivirus installation and manipulation of system logging. → bleepingcomputer.com |
| 2024-10-17 2024 | Vimeo SSRF with code execution potential. intermediate SSRF | The content discusses the discovery of a semi-responded SSRF vulnerability on Vimeo that potentially allows for code execution. The author shares their process of finding and exploiting this vulnerability in a blog post. → infosecwriteups.com |
| 2024-10-17 2024 | How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! advanced Bug Bounty SSRF | Writeup detailing a four-vulnerability exploit chain leading to Remote Code Execution (RCE) on GitHub Enterprise. The chain begins with a Server-Side Request Forgery (SSRF) discovered in the WebHook feature, which is then chained with a second SSRF in the Graphite service. This execution chain enables CR-LF injection, allowing protocol smuggling. Finally, a malicious Ruby Object is smuggled as a Memcached protocol, exploiting unsafe `Marshal` deserialization to achieve RCE. The article also mentions potential bypasses for Faraday IP restrictions and the use of Linux Glibc features. |
| 2024-10-01 2024 | GitHub - Offensive-Panda/ProcessInjectionTechniques: This comprehensive process injection series is crafted for cybersecurity enthusiasts, researchers, and professionals who aim to stay at the forefront of the field. It serves as a central repository of knowledge, offering in-depth exploration of various process injection techniques used by adversaries. advanced | Library detailing numerous process injection techniques, including Classic Code Injection, Reflective DLL Injection, Process Hollowing, and PE Injection. It offers step-by-step explanations, implementation code, and demonstration videos, utilizing custom shellcode for illustrative purposes. References to MITRE ATT&CK T1055, Dirty Vanity, and resources from ired.team and RedTeamOperations are included. |
| 2024-08-22 2024 | BChecks/vulnerability-classes/injection at main · PortSwigger/BChecks · GitHub intermediate Burp SQLi XSS | BChecks collection for Burp Suite Professional and Burp Suite Enterprise Edition - PortSwigger/BChecks |
| 2023-11-06 2023 | The toddlers introduction to Heap exploitation (Part 1) beginner | The toddler’s introduction to Heap exploitation (Part 1) https://ift.tt/OhuPqgT |
| 2023-11-05 2023 | Offensive C# beginner Bug Bounty | Course on Offensive C# covering malware development, C2 creation, Active Directory enumeration and attacks, .NET loaders, persistence, WinAPI interaction, token enumeration, shellcode and DLL injection, PE backdooring, PE parsing, PE64 loading, process hollowing, and API hooking and hashing. |
| 2023-10-27 2023 | Perfect DLL Hijacking intermediate | Library that details a novel technique for DLL hijacking that circumvents the limitations of Windows' Loader Lock by reverse-engineering the Windows library loader. This research builds upon prior work like Nick Landers' "Adaptive DLL Hijacking" and presents a data-only approach that avoids problematic actions such as changing memory protection with VirtualProtect or modifying pointers, which are often flagged by anti-malware or incompatible with exploit mitigations like Intel CET. The library also offers stable mitigation and detection mechanisms for defenders. |
| 2023-10-18 2023 | Empire beginner | Empire https://ift.tt/Qmfzot3 |
| 2023-10-13 2023 | Understanding File Upload Vulnerabilities in Web App Penetration Testing | 2023 beginner | Understanding File Upload Vulnerabilities in Web App Penetration Testing | 2023 https://ift.tt/8aVoHYJ → cyberw1ng.medium.com |
| 2023-09-22 2023 | How to turn SQL injection into an RCE or a file read? Case study of 128 bug bounty reports intermediate Bug Bounty SQLi Talks | How to turn SQL injection into an RCE or a file read? Case study of 128 bug bounty reports https://www.youtube.com/watch?v=ClnVdYf4PK0 |
| 2023-08-21 2023 | Journey into Windows Kernel Exploitation: The Basics beginner | Journey into Windows Kernel Exploitation: The Basics https://ift.tt/IyEYMN5 |
| 2023-07-22 2023 | Attacking MS Exchange Web Interfaces intermediate | Attacking MS Exchange Web Interfaces https://ift.tt/Hxci19I |
| 2023-07-22 2023 | ProcessInjection intermediate | Tool implementing five process injection techniques: Vanilla, DLL, Process Hollowing, APC Queue, and KernelCallbackTable. It accepts shellcode in base64, hex, C, or raw formats, and supports P/Invoke, D/Invoke, Direct Syscalls, and Indirect Syscalls for injection. The tool also includes detection evasion through XOR or AES encryption, and Parent PID Spoofing, with the option to load via reflection from disk or a remote server. |
| 2023-04-03 2023 | Basic and Low-level Python Network Attacks beginner Python | https://ift.tt/SxGhvBQ |
| 2023-04-02 2023 | $10.000 bounty for exposed .git to RCE intermediate Bug Bounty | $10.000 bounty for exposed .git to RCE https://ift.tt/1AxW3QH |
| 2022-04-06 2022 | Favorite tweet by @hakluke beginner Bug Bounty | Favorite tweet: I see people confuse these terms all the time, so I wrote a reference-style blog about it! The difference between code injection, command injection, RCE, remote code execution and rem... |
| 2022-02-28 2022 | Favorite tweet by @NandanLohitaksh intermediate Bug Bounty | Favorite tweet: Top 25 Remote Code Execution (RCE) Parameters 1. ?cmd={payload} 2. ?exec={payload} 3. ?command={payload} 4. ?execute={payload} 5. ?ping={payload} 6. ?query={payload} 7. ?jump={payload... |
| 2022-01-18 2022 | Making Sense of the Constantly Changing Log4Shell Landscape beginner Supply Chain | Tool for streaming live football matches; provides HD quality, stable connections, and expert commentary across global leagues like the Premier League, Champions League, and La Liga, with no advertisements or viruses. |
| 2022-01-17 2022 | Log4Pot beginner | Honeypot for Log4Shell (CVE-2021-44228) that listens for exploitation attempts on various ports, detects malicious requests in lines and headers, and recursively downloads exploit payloads. It supports logging to files and Azure blob storage, with an included analyzer script to extract and decode payloads, and build timelines. Installation involves fetching the repository and using Poetry for dependency management. |
| 2022-01-03 2022 | Malicious PDF Generator intermediate | Tool for generating ten distinct malicious PDF files, each with phone-home functionality, designed for penetration testing and red-teaming. This application facilitates testing web pages and services that accept PDF uploads, security products, PDF readers, and PDF converters by creating sample files with embedded links that can be configured to point to a Burp Collaborator URL. |
| 2022-01-02 2022 | a c program containing vulnerable code for common types of vulnerabilities can be used to show fuzzing concepts. beginner Fuzzing | Program containing vulnerable C code to demonstrate fuzzing concepts. This resource includes code for common vulnerabilities such as integer overflow/underflow, out-of-bounds read/write, double free, use-after-free, memory leaks, and stack/heap exhaustion. It is designed to be fuzzed using tools like AFL, libafl, libfuzzer, and honggfuzz, with instructions and video tutorials provided for setup and execution. |
| 2021-12-31 2021 | InfosecMindmaps/Log4shell at main DickReverse/InfosecMindmaps beginner | InfosecMindmaps/Log4shell at main DickReverse/InfosecMindmaps |
| 2021-12-31 2021 | Log4Shell Visualization beginner | Log4Shell Visualization |
| 2021-12-30 2021 | Golang Offensive Tools with C-Sto and capnspacehook intermediate Python | Library of offensive security tools built with Golang, showcasing work from developers like C-Sto (goWMIexec, BananaPhone, gosecretsdump) and capnspacehook (pandorasbox, garble). The resource covers challenges and future directions of Go malware, listing numerous tools for command and control, obfuscation, reverse engineering, and more, including notable projects like sliver and DeimosC2. |
| 2021-12-16 2021 | Mitigate Log4j2 / Log4Shell in Elasticsearch intermediate Supply Chain | Analysis of Log4Shell (CVE-2021-44228) vulnerabilities in Elasticsearch versions 5.0 to 7.16.0. Discusses mitigation strategies including updating Log4j to 2.17.1, setting `log4j2.formatMsgNoLookups=true`, removing the `JndiLookup` class, and leveraging the Java Security Manager's protections. Explains why subsequent Log4j issues (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832) have limited impact on Elasticsearch due to its configuration and security measures. Recommends upgrading Elasticsearch to versions ≥ 7.16.3 or ≥ 6.8.23 for full patching. |
| 2021-12-13 2021 | Semgrep beginner Supply Chain | Semgrep |
| 2021-12-13 2021 | Log4Shell The Worst Java Vulnerability in Years beginner | Log4Shell The Worst Java Vulnerability in Years |
| 2021-12-13 2021 | Java log4j security: Added Lookup injection rule. #1650 intermediate | Library of Semgrep rules designed to detect and prevent Log4j Lookup injection vulnerabilities in Java applications. This includes a specific rule (ID 1650) to address added lookup injections, enhancing static analysis for securing Java codebases against common Log4j exploits. |
| 2021-12-12 2021 | Log4j: Its worse than you think beginner | Library of vulnerability scanner rules for detecting CVE-2021-4428 (Log4j), a critical Java package vulnerability. This tool leverages a partial trigger of the exploit to identify vulnerable instances, with a focus on providing remote scanning services to customers. Mitigation advice includes upgrading Log4j, disabling lookups, removing dangerous class files, and blocking JNDI lookup prefixes at the WAF. |
| 2021-12-12 2021 | Digging deeper into Log4Shell - 0Day RCE exploit found in Log4j intermediate Supply Chain | Writeup detailing CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. This widespread flaw enables attackers to execute arbitrary code by controlling log messages, leveraging JNDI lookups that can trigger LDAP or DNS calls to load malicious Java classes. The writeup describes the attack mechanism, observed exploitation tactics including targeting User-Agent headers, and mitigation strategies such as patching or disabling lookups. |
| 2021-12-12 2021 | PSA: Log4Shell and the current state of JNDI injection beginner Supply Chain | Analysis of CVE-2021-44228 (Log4Shell), detailing how JNDI injection vulnerabilities in Log4j allow remote code execution. It highlights that even recent Java runtimes are susceptible, particularly through RMI and LDAP lookups. The analysis covers historical Java patches like CVE-2009-1094 and CVE-2018-3149, and discusses exploitation vectors using Apache XBean BeanFactory and Java deserialization, affecting environments like Apache Tomcat and WebSphere. |
| 2021-12-06 2021 | How to Brute-Force SSH Servers in Python intermediate Python | Library for brute-forcing SSH servers in Python using the `paramiko` library. The tutorial details how to create a script that attempts password combinations from a provided wordlist against a target SSH host. It covers handling connection timeouts, authentication failures, and rate limiting, and includes argument parsing for host, username, and password list input. |
| 2021-11-26 2021 | Phantom - A multi-platform HTTP(S) Reverse Shell Server and Client intermediate API Sec | Library for building multi-platform HTTP(S) reverse shells. Phantom allows creation of standalone Linux and Windows binaries using PyInstaller, supporting both auto-generated and user-supplied certificates for encrypted HTTPS communication. It includes a helper script for certificate generation and a straightforward build process via `build.py`, which can use Poetry or Virtualenv for dependency management. Client binaries can connect to specified server URLs, facilitating stealthy connections. |
| 2021-11-11 2021 | Game Hacking with Python and cheat engine intermediate Python | Game Hacking with Python and cheat engine |
| 2021-10-04 2021 | unescape() room beginner | unescape() room |
| 2021-09-24 2021 | Buffer Overflow using ShellCraft - TryHackMe Intro to Pwntools beginner | Buffer Overflow using ShellCraft - TryHackMe Intro to Pwntools |
| 2021-09-14 2021 | Shellshock In-Depth: Why This Old Vulnerability Wont Go Away intermediate | Analysis of modern security technologies, including IBM Guardium for data protection, IBM watsonx.governance for AI lifecycle management, IBM Verify for identity and access, IBM HashiCorp for infrastructure automation, and IBM MaaS360 for unified endpoint management. It details how these tools address challenges like data visibility, AI governance, authentication, secrets management, and device security, offering practical insights into real-world application security and threat mitigation strategies. |
| 2021-09-05 2021 | Writing an iOS Kernel Exploit from Scratch advanced Mobile | Library for creating an iOS kernel exploit from scratch, specifically focusing on chain #3 against a double-free vulnerability present in iOS 11 and mitigated in 11.4.1. This resource details setting up a test environment, analyzing the IOKit driver vulnerability and its trigger, and developing a full exploit using common techniques, including a sandbox escape method revealed by Siguza. It serves as a reference for beginners by filling potential gaps in exploit development knowledge. |
| 2021-08-18 2021 | remote-method-guesser: A Java RMI Vulnerability Scanner intermediate | remote-method-guesser: A Java RMI Vulnerability Scanner |
| 2021-05-31 2021 | Finding writable folders and hijackable DLLs intermediate | This content discusses security vulnerabilities related to identifying writable folders and DLL hijacking opportunities on a system. These vulnerabilities can be exploited by attackers to gain elevated privileges or execute malicious code. The process likely involves scanning file systems for improperly configured permissions and analyzing the search paths for dynamic-link libraries (DLLs) to find instances where an attacker could substitute a malicious DLL for a legitimate one. No specific bug bounty payout amount is mentioned. |
| 2021-01-20 2021 | Learn About Command Injection Attacks beginner | The content discusses command injection attacks where attackers can run their code on a victim's machine. This type of attack allows malicious actors to execute arbitrary commands on a system, potentially leading to unauthorized access, data theft, or system compromise. It is crucial to understand and protect against command injection vulnerabilities to prevent security breaches and safeguard sensitive information. |
| 2020-05-31 2020 | r/Hacking_Tutorials - Remote Code Execution explained with real life bug bounty reports beginner Bug Bounty | The Reddit post titled "r/Hacking_Tutorials - Remote Code Execution explained with real life bug bounty reports" has received 36 votes but no comments yet. The post likely discusses remote code execution vulnerabilities using real-life bug bounty reports. It aims to provide tutorials and insights into how these vulnerabilities can be exploited, potentially offering valuable information for those interested in hacking and cybersecurity. |
| 2019-10-05 2019 | SQL injection to RCE intermediate SQLi | The content discusses a case of SQL injection leading to Remote Code Execution (RCE) discovered during a recent customer penetration testing. It hints at the potential security vulnerability and the impact it had on the system. |
| 2019-08-28 2019 | WRITE UP – Private bug bounty $$,$$$ USD: “RCE as root on Marathon-Mesos instance” – @omespino intermediate | Writeup detailing a private bug bounty win of $30,000 USD for a Remote Code Execution (RCE) as root vulnerability found on a Marathon-Mesos instance. The exploit involved using Shodan to locate unauthenticated Marathon UIs, then crafting a `curl` command to create a Marathon application that executed `/usr/bin/wget --post-data='id'` to a listener, demonstrating root-level command execution via this container orchestration platform. Tools used included netcat, curl, and a web browser. |
| 2019-04-20 2019 | PDFReacter SSRF to ROOT Level Local File Read which led to RCE intermediate SSRF | PDFReacter is a parser that converts HTML content to PDF. |
| 2018-11-09 2018 | elttam - Ruby 2.x Universal RCE Deserialization Gadget Chain advanced | Library for Ruby 2.x universal RCE deserialization gadget chains, detailing exploitation of arbitrary deserialization and releasing a public gadget chain for command execution. It discusses serialization, deserialization pitfalls, and code reuse attacks via gadget chains, noting limitations of previous payloads requiring specific gems and libraries. This resource explores hunting for gadgets within the standard library, focusing on techniques that implicitly load additional libraries or allow partial control over arguments to `require`. |
| 2018-07-06 2018 | Latex to RCE, Private Bug Bounty Program intermediate | The content discusses the author's participation in a private bug bounty program focused on a CMS journal site, approximately a year ago. The author aims to share their learnings from this experience, particularly related to exploiting a vulnerability in Latex to achieve Remote Code Execution (RCE). The bug bounty program provided an opportunity for the author to enhance their skills in identifying and exploiting security flaws. |
| 2018-06-07 2018 | How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! intermediate SSRF | The content appears to be a title mentioning chaining four vulnerabilities on GitHub Enterprise, from SSRF execution to RCE. The author is identified as 🍊. |
| 2018-04-29 2018 | #BugBounty — How I was able to bypass firewall to get RCE and then went from server shell to get… intermediate | The content is about a bug bounty experience where the author bypassed a firewall to achieve Remote Code Execution (RCE) and gained access to a server shell. The author likely shares details of the process and techniques used in this security testing scenario. |
| 2017-11-19 2017 | Leading the Blind to Light! - A Chain to RCE advanced | Writeup detailing a Remote Code Execution chain on Oracle E-Business Suite. The exploit begins with an authentication bypass, leading to blind XXE and information disclosure. This disclosure helps identify an internal endpoint, which through further fuzzing, reveals an SQL injection vulnerability. By re-enabling `xp_cmdshell` via SQL injection, the attacker achieves command execution with administrator privileges. → blog.zsec.uk |
Frequently Asked Questions
- What is remote code execution?
- Remote Code Execution (RCE) is a vulnerability that allows an attacker to run arbitrary commands or code on a target system. It is the most critical class of security vulnerability because it gives the attacker the same level of access as the application or server process, often leading to complete system compromise.
- What are common RCE attack vectors?
- Common vectors include command injection (unsanitized input passed to shell commands), unsafe deserialization (Java, PHP, Python, .NET), Server-Side Template Injection (Jinja2, Twig, Freemarker), file upload bypasses that execute uploaded code, expression language injection in Java frameworks, and prototype pollution in Node.js leading to code execution.
- Why does RCE pay the highest bug bounties?
- RCE represents total system compromise — an attacker can read all data, modify the application, pivot to internal networks, and potentially access cloud infrastructure. The impact is maximum, so bounty programs consistently pay their highest rewards for RCE findings, often ranging from $10,000 to $100,000+ depending on the target.
Weekly AppSec Digest
Get new resources delivered every Monday.