Remote Code Execution (RCE)
Remote Code Execution (RCE) is the ability for an attacker to execute arbitrary commands or code on a target machine or process. RCE vulnerabilities represent the most critical class of security bugs — they give an attacker the same level of control as a system administrator.
RCE can manifest through many different attack vectors. Command injection occurs when user input is passed unsanitized to system shell commands. Deserialization attacks exploit unsafe object reconstruction in languages like Java, PHP, Python, and .NET. Server-Side Template Injection (SSTI) allows code execution through template engines like Jinja2, Twig, or Freemarker. File upload vulnerabilities can lead to RCE when executable files bypass upload filters and are served by the web server.
In modern applications, RCE often appears in less obvious places: expression language injection in Java frameworks, prototype pollution leading to code execution in Node.js, unsafe use of eval() or dynamic code loading, and vulnerabilities in PDF generators, image processors, and other libraries that shell out to system commands.
RCE bugs consistently command the highest payouts in bug bounty programs because the impact is total system compromise. Chaining lower-severity bugs into RCE — such as SSRF to cloud metadata to code execution — is a common and highly rewarded approach.
This page collects RCE techniques, exploitation writeups, and research across all major platforms and languages.
From Wikipedia
| Date Added | Link | Tags | Excerpt |
|---|---|---|---|
| 2026-04-30 | GitHub Flaw Enables Remote Code Execution With a Single Git Push | news | Writeup detailing CVE-2026-3854, a vulnerability in GitHub's internal git protocol allowing authenticated users to achieve remote code execution. Exploitation leveraged an injection flaw in the X-Stat header, where semicolon-delimited options, unsanitized by GitHub, could override security controls via a "last-write-wins" parsing model. This flaw affected both GitHub.com and GitHub Enterprise Server, potentially leading to repository compromise and server takeover. Mitigation involves upgrading GHES, enforcing least privilege, monitoring git activity, and hardening configurations. → esecurityplanet.com |
| 2026-04-30 | Critical GitHub RCE bug exposed millions of repositories | news | Writeup of CVE-2026-3854, a critical RCE vulnerability in GitHub affecting millions of repositories. Exploiting the handling of server-side "git push" operations, specifically the X-STAT component, an authenticated user could execute arbitrary commands via crafted input. This command injection flaw, rated CVSS 8.8, was discoverable using AI-augmented tooling like IDA MCP, and impacted GitHub.com and Enterprise Server, granting full server compromise in self-hosted environments. |
| 2026-04-29 | GitHub vulnerability CVE-2026-3854 allows code execution with a single git push | news | Analysis of CVE-2026-3854, a critical GitHub vulnerability allowing remote code execution. This command injection flaw, discovered by Wiz researchers, affects GitHub Enterprise Cloud and Server, enabling attackers with push access to execute arbitrary commands by exploiting unsanitized push option values. The vulnerability, patched by GitHub within two hours, could lead to system compromise and exposure of repositories on GitHub.com, with many instances remaining vulnerable. → scworld.com |
| 2026-04-29 | Hackers exploit RCE flaws in Qinglong task scheduler for cryptomining | news | Report on active exploitation of the Qinglong open-source task scheduler via CVE-2026-3965 and CVE-2026-4047. These vulnerabilities, stemming from authentication bypass and path traversal flaws in versions 2.20.1 and older, allow for remote code execution. Attackers have been exploiting these issues to deploy cryptominers, disguised by the process name '.fullgc,' on developer servers by injecting shell commands into `config.sh` and downloading binaries from `file.551911.xyz`. → bleepingcomputer.com |
| 2026-04-29 | AI Finds 38 Security Flaws in OpenEMR | news, AI | An AI security tool, DeepScribe, has identified 38 vulnerabilities in OpenEMR, a popular open-source electronic health record system. These flaws range in severity, with DeepScribe flagging 10 as critical. The company plans to disclose these findings responsibly to OpenEMR's development team. This discovery highlights the potential of AI in uncovering security weaknesses in complex software. The specific bounty payout amount for this discovery is not mentioned. → darkreading.com |
| 2026-04-29 | Hugging Face LeRobot Vulnerability Enables Unauthenticated RCE Attacks | news | A critical vulnerability in Hugging Face's LeRobot library allows unauthenticated remote code execution (RCE) attacks. Attackers can exploit this flaw to compromise systems without needing any prior authentication. This could lead to significant security breaches. The report does not mention a specific bug bounty payout amount. → cybersecuritynews.com |
| 2026-04-29 | Critical Cursor Vulnerability Exposes Developer Workstations To Remote Code Execution | news | A critical vulnerability has been discovered that allows remote code execution on developer workstations. The flaw, related to cursor handling, poses a significant security risk, enabling attackers to compromise sensitive developer environments. This could lead to widespread data breaches and the theft of proprietary code. Further details are available via the provided link. → cyberpress.org |
| 2026-04-29 | Critical Chrome Vulnerabilities Enable Remote Code Execution Attacks | news | Critical vulnerabilities in Google Chrome have been discovered, posing a significant security risk. These flaws allow for remote code execution (RCE) attacks, meaning malicious actors could potentially run unauthorized code on a user's system without their direct interaction. This could lead to data theft, system compromise, or other harmful actions. Users are strongly advised to ensure their Chrome browsers are updated to the latest version to patch these critical security holes and protect themselves from potential exploitation. No specific bounty payout amount was mentioned in the provided content. → cybersecuritynews.com |
| 2026-04-29 | LeRobot Vulnerability Enables Unauthenticated Remote Code Execution | news, Python | A critical vulnerability in LeRobot has been discovered, allowing unauthenticated remote code execution (RCE). This means an attacker can compromise systems without needing any login credentials. The exploit leverages flaws in the robot's software to gain unauthorized control, posing a significant security risk. Further details on the specific exploit can be found via the provided link. The potential impact includes data breaches, system manipulation, and denial-of-service attacks. → letsdatascience.com |
| 2026-04-29 | GitHub fixes RCE flaw that gave access to millions of private repos | news, Supply Chain | Writeup of CVE-2026-3854, a critical RCE vulnerability affecting GitHub.com and GitHub Enterprise Server, allowing attackers with push access to gain read/write access to millions of private repositories. The flaw stems from unsanitized user-supplied options during 'git push' operations, enabling arbitrary code execution and potential server compromise. Administrators of GitHub Enterprise Server instances are urged to upgrade immediately, as a significant percentage remain vulnerable. → bleepingcomputer.com |
| 2026-04-29 | Cursor AI Vulnerability Enables Remote Code Execution | news, AI | A security researcher discovered a critical vulnerability in Cursor AI that allows for remote code execution. This exploit could enable attackers to gain unauthorized access and control over affected systems. The vulnerability's nature suggests a significant security risk, potentially impacting users of the AI platform. Further details regarding the specific exploit mechanism and potential mitigations were not provided in the initial announcement. → letsdatascience.com |
| 2026-04-29 | Critical GitHub RCE bug exposed millions of repositories | news, Supply Chain | Writeup of CVE-2026-3854, a critical command injection vulnerability in GitHub's Git push processing, specifically within the X-STAT component. This flaw, found by Wiz researchers using AI-augmented tooling, allowed authenticated users to execute arbitrary commands server-side, leading to potential remote code execution and full compromise of GitHub Enterprise Server instances, exposing millions of repositories. Patches were released for GitHub.com and Enterprise Server. → csoonline.com |
| 2026-04-29 | Cursor AI IDE vulnerability allows code execution via hidden Git hooks | news, Supply Chain | Writeup of CVE-2026-26268, a high-severity vulnerability (CVSS 8.1) in the Cursor AI IDE that leverages hidden Git hooks within nested bare repositories. The Cursor AI agent, when performing tasks like `git checkout`, inadvertently triggers these malicious pre-commit hooks, allowing attackers to execute arbitrary code without user interaction. This exploit targets the autonomous nature of AI agents operating on untrusted code, posing a significant risk to developer machines holding sensitive data. → hackread.com |
| 2026-04-29 | Critical GitHub Vulnerability Exposed Millions of Repositories | news, Supply Chain | Writeup of CVE-2026-3854, a critical remote code execution flaw in GitHub's internal Git infrastructure. This injection vulnerability allowed authenticated users to execute arbitrary commands on backend servers via a simple `git push` command, potentially compromising millions of repositories on GitHub Enterprise Server and GitHub.com. Wiz researchers discovered the issue, which affected various GitHub Enterprise offerings, and a patch was subsequently released. → securityweek.com |
| 2026-04-29 | GitHub.com and Enterprise Server Vulnerability Allows Remote Code Execution | news, Supply Chain | A critical vulnerability affecting GitHub.com and GitHub Enterprise Server allows for remote code execution (RCE). This means attackers could potentially run arbitrary code on vulnerable systems without needing prior authentication. The severity of this flaw necessitates prompt patching by affected users. Specific details about exploitation or the impact of the vulnerability are limited, but RCE flaws are generally considered high-risk due to their potential for complete system compromise. → gbhackers.com |
| 2026-04-29 | Critical Google Chrome Flaws Allow Remote Code Execution Exploits | news | Google Chrome is facing critical vulnerabilities that could allow for remote code execution. These security flaws, if exploited, could enable attackers to compromise user systems without any interaction required from the user. The severity of these issues highlights the ongoing need for prompt patching and vigilant security practices for web browsers. No specific bounty payout amounts were mentioned in the provided content. → cyberpress.org |
| 2026-04-29 | Mozilla Firefox Multiple Vulnerabilities | news | Advisory detailing multiple vulnerabilities in Mozilla Firefox. These issues, impacting versions prior to Firefox 150.0.1, Firefox ESR 115.35.1, and Firefox ESR 140.10.1, can lead to remote code execution, security restriction bypass, and information disclosure. Patches are available from the vendor. → hkcert.org |
| 2026-04-29 | GitHub patches critical 'git push' remote code execution bug | news | Writeup on a critical vulnerability in GitHub's `git push` command, allowing authenticated users to achieve remote code execution on backend infrastructure. Discovered by Wiz researchers using IDA's MCP server, the flaw exploited GitHub's internal protocol by adding malicious options to the `git push` command. GitHub patched the issue on GitHub.com and released a fix for GitHub Enterprise Server. |
| 2026-04-28 | Major Security Flaw In GitHub Enables Remote Code Execution Across Millions of Repositories | news | A significant security vulnerability has been discovered in GitHub that could allow for remote code execution across millions of repositories. This flaw, if exploited, could have widespread implications for developers and organizations relying on GitHub for code hosting and collaboration. The exact impact and potential severity are still being assessed, but the discovery highlights the ongoing challenges in securing large-scale software development platforms. Further details on the vulnerability are expected to be released as the situation unfolds and mitigation efforts are implemented. |
| 2026-04-28 | CVE-2026-3854 GitHub flaw enables remote code execution | news | Writeup of CVE-2026-3854, a critical command injection vulnerability in GitHub Enterprise allowing remote code execution. Exploitable via a crafted git push, attackers can inject malicious metadata, bypass sandbox protections, and run arbitrary commands. Wiz researchers reported the flaw, which GitHub fixed with patches for Enterprise Server versions. The vulnerability underscores risks in inter-service communication and sanitization of user-controlled data in complex systems. → securityaffairs.com |
| 2026-04-28 | GitHub RCE Vulnerability: CVE-2026-3854 Breakdown | news | Technical analysis of CVE-2026-3854, a critical RCE vulnerability in GitHub's internal git infrastructure. This flaw, exploitable via a single git push from an authenticated user, allowed arbitrary command execution on GitHub.com's backend servers, potentially exposing millions of repositories. On GitHub Enterprise Server, it granted full server compromise. The analysis details the X-Stat header injection flaw and the exploitation chain involving `rails_env`, `custom_hooks_dir`, and `repo_pre_receive_hooks` fields to bypass sandboxing and achieve remote code execution. → wiz.io |
| 2026-04-28 | Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push | news, Supply Chain | Writeup of CVE-2026-3854, a critical command injection vulnerability in GitHub.com and GitHub Enterprise Server. Exploitable via a single "git push" command, this flaw allows authenticated users with push access to achieve remote code execution by injecting malicious metadata into internal service headers. Researchers from Wiz demonstrated a technique chaining three injections to bypass sandboxing, redirect hooks, and execute arbitrary commands as the git user, potentially leading to cross-tenant repository exposure on GitHub.com. → thehackernews.com |
| 2026-04-28 | Critical GitHub.com and Enterprise Server RCE Vulnerability Enables Full Server Compromise | news, Supply Chain | A critical Remote Code Execution (RCE) vulnerability has been discovered in GitHub.com and GitHub Enterprise Server. This flaw allows attackers to achieve full server compromise. The vulnerability's details have been shared via a link, but no specific payout amount for reporting it has been mentioned. This discovery highlights a significant security risk for users and organizations relying on GitHub's platforms. → cybersecuritynews.com |
| 2026-04-28 | Securing the git push pipeline: Responding to a critical remote code execution vulnerability | intermediate, Supply Chain | Writeup of CVE-2026-3854, a critical remote code execution vulnerability in GitHub's `git push` pipeline. The vulnerability allowed arbitrary command execution on the server by crafting a `git push` command with unsanitized push options that manipulated internal metadata, bypassing sandboxing. GitHub deployed a fix within hours to github.com and released patches for GitHub Enterprise Server, recommending immediate upgrades. The investigation found no evidence of exploitation. → github.blog |
| 2026-04-28 | Hugging Face LeRobot Vulnerability Enables Unauthenticated Remote Code Execution Attacks | news, Supply Chain | A critical vulnerability, CVE-2024-31586, has been discovered in Hugging Face's LeRobot library. This flaw allows unauthenticated attackers to execute arbitrary code remotely on vulnerable systems. The vulnerability stems from LeRobot's insecure handling of certain files, specifically when unpacking archives. Exploitation is possible without prior authentication. → cyberpress.org |
| 2026-04-28 | Hugging Face LeRobot Flaw Opens Door to Remote Code Execution Attacks | news, Supply Chain | A critical vulnerability has been discovered in Hugging Face's LeRobot library, potentially allowing remote code execution. The flaw, detailed in a security advisory, enables attackers to exploit the library to gain unauthorized control over systems. This discovery highlights significant security risks for users and developers relying on LeRobot. No specific bounty payout amount was mentioned in the provided content. → gbhackers.com |
| 2026-04-28 | Critical Cursor bug could turn routine Git into RCE | news, Supply Chain | Report on CVE-2026-26268 in Cursor IDE, an RCE vulnerability in an AI-augmented IDE. This flaw, which allowed arbitrary code execution via malicious Git repositories and AI agent interaction with Git hooks and bare repositories, is patched in Cursor version 2.5. The exploit leverages Git's documented features, making detection challenging due to its integration into normal development workflows. → csoonline.com |
| 2026-04-28 | Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE | news | Writeup on CVE-2026-25874, a critical unauthenticated RCE vulnerability in Hugging Face's LeRobot platform. The flaw, found in version 0.4.3, stems from unsafe data deserialization using Python's pickle format within the async inference pipeline, allowing attackers to execute arbitrary code via gRPC calls. This impacts the PolicyServer and robot client components, potentially leading to network compromise, data theft, and safety risks. A fix is planned for version 0.6.0. → thehackernews.com |
| 2026-04-28 | Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 | news | Writeup on CVE-2026-32202, a Windows Shell spoofing vulnerability actively exploited in the wild. This zero-click flaw, with a CVSS score of 4.3, stems from an incomplete patch for CVE-2026-21510 and allows attackers to steal Net-NTLMv2 hashes via SMB connections. Russian nation-state group APT28 reportedly used it in conjunction with CVE-2026-21513, leveraging malicious LNK files to bypass Microsoft Defender SmartScreen and achieve credential theft. → thehackernews.com |
| 2026-04-27 | Critical Gemini CLI Vulnerability Enables Remote Code Execution Attacks | news | A critical vulnerability in the Gemini Command Line Interface (CLI) has been discovered, posing a significant security risk. This flaw allows for Remote Code Execution (RCE) attacks, meaning attackers could potentially run arbitrary code on a user's system without their knowledge or consent. This could lead to data breaches, system compromise, and other malicious activities. Users are strongly advised to update their Gemini CLI to the latest version to patch this vulnerability. → cybersecuritynews.com |
| 2026-04-27 | Nessus Agent Vulnerability on Windows Allows Arbitrary Code Execution as SYSTEM | news | A critical vulnerability has been discovered in the Nessus Agent on Windows, allowing for arbitrary code execution with SYSTEM privileges. This means an attacker could potentially gain full control of a vulnerable system. The vulnerability, detailed in the provided link, is significant due to the high level of access it grants. Details regarding specific affected versions or mitigation steps are not provided in this summary. → cyberpress.org |
| 2026-04-27 | Critical Gemini CLI Vulnerability Enables Remote Code Execution Attacks | news | A critical vulnerability has been discovered in the Gemini Command Line Interface (CLI) that allows for remote code execution (RCE) attacks. This means attackers could potentially run malicious code on a user's system without their knowledge or consent by exploiting this flaw in the Gemini CLI. Further details about the exploit and its potential impact are available at the provided link. → cyberpress.org |
| 2026-04-27 | PoC Exploit Released for Critical Metabase Enterprise RCE Vulnerability | news | A Proof-of-Concept (PoC) exploit has been released for a critical Remote Code Execution (RCE) vulnerability affecting Metabase Enterprise. This vulnerability allows unauthenticated attackers to gain control of affected servers. The release of the PoC significantly increases the risk of exploitation, as it provides a direct method for malicious actors to test and execute attacks. Users of Metabase Enterprise are strongly advised to update their systems immediately to patch this severe security flaw and mitigate potential damage. → cyberpress.org |
| 2026-04-27 | Critical Gemini CLI Flaw Raises Supply Chain Security Concerns | news, Supply Chain | A critical flaw in the Gemini Command Line Interface (CLI) has been discovered, posing significant supply chain security risks. This vulnerability could allow attackers to compromise systems that use the Gemini CLI. The exact payout amount for the bug bounty is not stated in the provided content. This discovery highlights the ongoing importance of robust security practices within software development pipelines. → gbhackers.com |
| 2026-04-27 | Metabase Enterprise RCE Flaw Now Has Public Proof-of-Concept Exploit | news | A critical Remote Code Execution (RCE) vulnerability has been discovered in Metabase Enterprise. A public proof-of-concept (PoC) exploit is now available, meaning attackers can leverage this flaw to compromise Metabase instances. This poses a significant security risk for organizations using the affected enterprise version. Users are strongly advised to update to the latest version to patch this vulnerability. No specific bounty payout amount was mentioned. → gbhackers.com |
| 2026-04-27 | Nessus Agent Vulnerability on Windows Enables Arbitrary Code Execution with SYSTEM Privileges | news | A critical vulnerability has been discovered in Nessus Agents on Windows, allowing for arbitrary code execution with SYSTEM privileges. This means an attacker could potentially gain complete control over a vulnerable system. The vulnerability, detailed in a linked report, highlights a significant security risk for organizations using Nessus Agents. No specific bounty payout amount is mentioned in the provided content. → cybersecuritynews.com |
| 2026-04-26 | Anthropic's model context protocol includes a critical remote code execution vulnerability | news, AI | A critical remote code execution (RCE) vulnerability has been discovered in Anthropic's model context protocol. This flaw allows attackers to execute arbitrary code on a system through the protocol. The specifics of the vulnerability and its potential impact are detailed in the linked article, but no bug bounty payout amount is mentioned. → msn.com |
| 2026-04-24 | Microsoft's April Security Update of High-Risk Vulnerability Notice for Multiple Products | news | Microsoft's April Security Update addresses high-risk vulnerabilities across multiple products. The notice, detailed in a linked article, highlights critical security flaws requiring immediate attention for users of affected Microsoft software. While the article itself does not specify a bug bounty payout, the update aims to patch these significant security risks to protect users from potential exploitation. → securityboulevard.com |
| 2026-04-24 | Hackers exploit file upload bug in Breeze Cache WordPress plugin | news | Report on active exploitation of CVE-2026-3844, an arbitrary file upload vulnerability in the Breeze Cache WordPress plugin. This critical vulnerability, with a severity score of 9.8, allows unauthenticated attackers to achieve remote code execution (RCE) by exploiting a missing file-type validation in the `fetch_gravatar_from_remote` function when the "Host Files Locally - Gravatars" add-on is enabled. Versions up to 2.4.4 are affected. → bleepingcomputer.com |
| 2026-04-24 | Tenable Research Uncovers Remote Code Execution Vulnerability in Microsoft GitHub Repository Exposing CI/CD Pipeline to Unauthorized Code Execution | news, Supply Chain | Analysis of a critical Remote Code Execution vulnerability (CVSSv4 9.3) in a Microsoft GitHub repository, specifically within its CI/CD workflow using GitHub Actions. Attackers could inject malicious Python code into issue descriptions, triggering automatic execution on the GitHub runner and exfiltrating sensitive secrets like GITHUB_TOKEN, thereby compromising the software supply chain and potentially allowing unauthorized code execution. → cxodigitalpulse.com |
| 2026-04-24 | 20th April Threat Intelligence Report | news | Threat intelligence report covering the week of April 20th, detailing data breaches at Booking.com and McGraw-Hill, supply chain compromise of EssentialPlugin, and Basic-Fit. AI threats include weaponized Claude Code and GPT-4 for government breaches, phishing campaigns impersonating Claude AI, and prompt injection on GitHub agents. Vulnerabilities addressed include Apache ActiveMQ CVE-2026-34197, Splunk CVE-2026-20204, Microsoft Defender CVE-2026-33825, and Windows Task Host CVE-2025-60710. Other intelligence covers brand impersonation phishing, ZionSiphon malware targeting industrial control, Russian C2 infrastructure, and a fake Ledger Live app. |
| 2026-04-23 | Anthropic's model context protocol includes a critical remote code execution vulnerability | news | https://ift.tt/uJoCxjU → msn.com |
| 2026-04-22 | Mozilla Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities | news | https://ift.tt/6dEs8aC → gbhackers.com |
| 2026-04-22 | Terrarium Sandbox: Critical Vulnerability Allows Root Code | news | https://ift.tt/xt7SA8a → secnews.gr |
| 2026-04-22 | Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities | news | https://ift.tt/oKqHTf5 → cyberpress.org |
| 2026-04-22 | Critical SGLang Flaw (CVE-2026-5760) Enables RCE via Malicious AI Models | news | Writeup of CVE-2026-5760 in SGLang, a critical flaw enabling remote code execution via malicious AI models. Attackers can craft a GGUF model with a malicious tokenizer.chat_template to exploit an unsandboxed Jinja2 environment, triggering server-side template injection and executing arbitrary Python code. This high-severity vulnerability, requiring no authentication, impacts SGLang deployments serving LLMs. → cxodigitalpulse.com |
| 2026-04-22 | CVE-2025-68454: Craft CMS Twig SSTI RCE Vulnerability | news | Writeup detailing CVE-2025-68454, an authenticated Remote Code Execution vulnerability in Craft CMS versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16. Exploitation occurs via Server-Side Template Injection (SSTI) using the Twig map filter in text fields within Settings or the System Messages utility. Attackers with administrative privileges or access to System Messages can achieve arbitrary code execution by crafting malicious Twig payloads. Mitigation involves updating to patched versions 5.8.21 or 4.16.17, disabling allowAdminChanges, and restricting access to sensitive utilities. → sentinelone.com |
| 2026-04-22 | 15,000 Jenkins Servers at Risk from RCE Vulnerability (CVE-2025-53652) | news | Analysis of CVE-2025-53652, a critical command injection flaw in the Jenkins Git Parameter plugin, reveals its potential for remote code execution (RCE) on unauthenticated servers. VulnCheck's report details how this vulnerability, present in approximately 15,000 internet-facing Jenkins instances, allows attackers to inject malicious commands. While a patch exists, it can be manually disabled, necessitating detection rules to identify exploitation attempts. → hackread.com |
| 2026-04-22 | React2Shell (CVE-2025-55182): RSC Flight Decoder Remote Code Execution | news | Writeup of CVE-2025-55182, a critical RCE in React Server Components (RSC) that affects frameworks like Next.js. Attackers exploit a flaw in the flight protocol decoding, where improperly handled prototype chain lookups allow arbitrary code execution on the server. The vulnerability stems from not checking for own properties during object deserialization. Mitigation involves upgrading React packages, restricting exposure of RSC routes, and deploying IPS/WAF rules to detect malicious multipart payloads. |
| 2026-04-22 | Ivanti EPMM: Another Pre-Auth RCE (CVE-2026-1281 and CVE-2026-1340) | news | Writeup on CVE-2026-1281 and CVE-2026-1340 in Ivanti EPMM details pre-authentication remote code execution vulnerabilities. Attackers can exploit these by sending crafted requests to run arbitrary code on unpatched instances, as researchers at WatchTowr discovered. Ivanti has released an RPM patch, but it is removed upon version upgrades, requiring reapplication. These vulnerabilities were actively exploited in the wild before disclosure, and public PoC code increases immediate risk. |
| 2026-04-22 | CVE-2025-57738: Apache Syncope Groovy Injection RCE | news | Writeup of CVE-2025-57738, an Apache Syncope Groovy injection vulnerability allowing RCE. Vulnerable versions compile administrator-uploaded Groovy implementations using a bare `GroovyClassLoader`, enabling static initializer blocks to execute arbitrary JVM API commands like `Runtime.exec()` or `ProcessBuilder` with full process privileges. The PoC script `CVE-2025-57738.py` demonstrates this by uploading a malicious class that executes a command and writes output to `/tmp/pwned`. Patched versions implement sandboxing using Jenkins' Script Security infrastructure to block dangerous API calls. |
| 2026-04-22 | Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain | news | Analysis of the Model Context Protocol (MCP) reveals a fundamental design flaw enabling Arbitrary Command Execution (RCE) across its SDK implementations in Python, TypeScript, Java, and Rust. This systemic vulnerability, affecting over 7,000 projects including LiteLLM, LangChain, and Flowise, stems from unsafe defaults in STDIO transport, leading to identified CVEs like CVE-2026-30623 and CVE-2025-49596. The flaw allows attackers to inject commands through various means, including prompt injection and network requests, potentially compromising sensitive data and impacting the AI supply chain, despite Anthropic classifying the behavior as "expected." → thehackernews.com |
| 2026-04-22 | Critical RCE Vulnerability in Anthropic MCP Inspector (CVE-2025-49596) | news | Writeup of CVE-2025-49596, a critical RCE in Anthropic's MCP Inspector, details how attackers can exploit default insecure configurations and the 0.0.0.0-day browser vulnerability to execute arbitrary code on a developer's machine. This allows for data theft and network lateral movement, posing a significant risk to AI teams and enterprise adopters. The vulnerability stems from the MCP Inspector's lack of default authorization and its interaction with browser handling of the 0.0.0.0 IP address. |
| 2026-04-22 | CVE-2025-24893: XWiki SSTI Unauthenticated RCE Exploit | news | Tool for exploiting CVE-2025-24893 in XWiki, enabling unauthenticated RCE via Server-Side Template Injection. The vulnerability lies in the SolrSearch endpoint, which processes user input through the Groovy template engine without proper sanitization. Attackers can inject malicious Groovy expressions via the `text` query parameter to execute arbitrary commands on the server, with output reflected in the RSS response. The provided Python script facilitates single command execution or interactive shell access. |
| 2026-04-22 | CVE-2026-34197: ActiveMQ RCE via Jolokia API | news | Writeup detailing CVE-2026-34197, a remote code execution vulnerability in Apache ActiveMQ Classic. Exploitation leverages the Jolokia API to invoke `addNetworkConnector` with a crafted `vm://` URI, forcing the broker to fetch and execute a remote Spring XML configuration file. This technique, similar to CVE-2023-46604, allows arbitrary OS command execution. The vulnerability is unauthenticated on ActiveMQ versions 6.0.0–6.1.1 due to CVE-2024-32114. |
| 2026-04-22 | Google Antigravity in Crosshairs of Security Researchers, Cybercriminals | news | Writeup on Google Antigravity vulnerabilities, detailing a sandbox escape flaw allowing arbitrary code execution through insufficient input sanitization during file search operations, which bypasses Secure Mode and can be triggered via indirect prompt injection. Additionally, researchers discovered a fake website distributing a trojanized installer that deploys stealer malware, targeting browser data, cryptocurrency wallets, and employing techniques like clipboard hijacking, keystroke logging, and hidden desktop tradecraft. → securityweek.com |
| 2026-04-22 | Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution Container Escape | news | Writeup of CVE-2026-5752, a critical sandbox escape vulnerability in Cohere AI's Terrarium, allowing root code execution via JavaScript prototype chain traversal within the Pyodide WebAssembly environment. This flaw enables attackers with local access to execute arbitrary system commands, access sensitive files like "/etc/passwd," reach other network services, and potentially escape containers. Since the open-source project is unmaintained, mitigations focus on disabling code submission, network segmentation, Web Application Firewall deployment, and rigorous container monitoring. → thehackernews.com |
| 2026-04-22 | Fake SVG puts 750,000 websites at risk: hackers can seize the web server | news | https://ift.tt/BwtOzhU → cybernews.com |
| 2026-04-22 2026 | Adobe Acrobat Reader: Prototype pollution vulnerability enables remote code execution news | Writeup of CVE‑2026‑34621, a prototype pollution vulnerability in Adobe Acrobat Reader's JavaScript engine, enabling remote code execution through malicious PDFs. Exploitation involves manipulating object prototypes to inject arbitrary properties, overriding security-critical internal functions. This flaw, affecting Acrobat DC and Reader DC, has been observed in spear-phishing campaigns by financially motivated actors. Adobe has released patches, and interim mitigations include disabling JavaScript and strengthening email security controls. |
| 2026-04-21 2026 | 22 BRIDGE:BREAK Flaws Expose 20000 Lantronix and Silex Serial-to-IP Converters news | Writeup of BRIDGE:BREAK vulnerabilities affecting Lantronix and Silex serial-to-IP converters. Forescout Research Vedere Labs identified 22 flaws, including remote code execution (CVE-2026-32955, CVE-2025-67041), DoS (CVE-2015-5621), authentication bypass (CVE-2026-32960), and device takeover (FSCT-2025-0021), in devices like Lantronix EDS3000PS Series and Silex SD330-AC, potentially allowing attackers to hijack devices and tamper with data. → thehackernews.com |
| 2026-04-21 2026 | Google Fixes Critical RCE Flaw in AI-Based Antigravity Tool news | Google Fixes Critical RCE Flaw in AI-Based Antigravity Tool https://ift.tt/1QOIZsB → darkreading.com |
| 2026-04-21 2026 | Apache Syncope RCE Vulnerability Detailed After Public Exploit Code Release news | Apache Syncope RCE Vulnerability Detailed After Public Exploit Code Release https://ift.tt/hT4dgwi → gbhackers.com |
| 2026-04-21 2026 | Actively exploited Apache ActiveMQ flaw impacts 6400 servers news | Writeup on CVE-2026-34197, a code injection vulnerability in Apache ActiveMQ Classic, impacting over 6,400 exposed servers. Discovered by Horizon3 researcher Naveen Sunkavally, the flaw allows authenticated actors to execute arbitrary code due to improper input validation. Patched in versions 6.2.3 and 5.19.4, this actively exploited vulnerability has been a repeated target, with CISA urging federal agencies to secure their systems. Exploitation indicators include suspicious broker connections with VM transport and the brokerConfig=xbean:http:// parameter. Previous exploited ActiveMQ flaws include CVE-2016-3088 and CVE-2023-46604. → bleepingcomputer.com |
| 2026-04-21 2026 | Tenable Research Uncovers Remote Code Execution Vulnerability in Microsoft GitHub Repository news | Writeup of a critical RCE vulnerability in a Microsoft GitHub repository, discovered by Tenable Research. The flaw, exploitable via Python string injection in issue creation, allows attackers to exfiltrate GITHUB_TOKEN secrets, potentially enabling unauthorized modification of repository content and compromising the software supply chain. This highlights the attack surface presented by CI/CD infrastructure and emphasizes the need for strict security controls, permission reviews, and pipeline monitoring. |
| 2026-04-21 2026 | Hackers Could Weaponize GGUF Models to Achieve RCE on SGLang Inference Servers news | Hackers Could Weaponize GGUF Models to Achieve RCE on SGLang Inference Servers https://ift.tt/UTpIVmw → cyberpress.org |
| 2026-04-21 2026 | Tenable Research Uncovers Remote Code Execution Vulnerability in Microsoft GitHub Repository Exposing CI/CD Pipeline to Unauthorized Code Execution news | Writeup detailing a Remote Code Execution (RCE) vulnerability in a Microsoft GitHub repository affecting CI/CD pipelines. The flaw, a Python string injection within GitHub Actions workflows, allowed attackers to exfiltrate GITHUB_TOKEN secrets by creating a malicious GitHub issue, leading to potential unauthorized code execution and supply chain compromises. Recommendations include implementing strict security controls, reviewing token permissions, and monitoring automated workflows. |
| 2026-04-21 2026 | Critical Anthropics MCP Vulnerability Enables Remote Code Execution Attacks news | Critical Anthropic’s MCP Vulnerability Enables Remote Code Execution Attacks https://ift.tt/NgPh5a6 → cybersecuritynews.com |
| 2026-04-21 2026 | Malicious GGUF Models Could Trigger Remote Code Execution on SGLang Servers news | Malicious GGUF Models Could Trigger Remote Code Execution on SGLang Servers https://ift.tt/tE3rbwk → gbhackers.com |
| 2026-04-21 2026 | SGLang Enables Remote Code Execution via Malicious GGUF Models news | SGLang Enables Remote Code Execution via Malicious GGUF Models https://ift.tt/IRetcHV → letsdatascience.com |
| 2026-04-20 2026 | Critical RCE vulnerability in protobuf.js; Exploit code published news | Writeup of GHSA-xq3m-2v4x-88gg, a critical RCE in protobuf.js affecting versions up to 8.0.0 and 7.5.4. Exploitation uses a malicious schema to inject arbitrary code via the library's unsafe dynamic code generation. Endor Labs recommends upgrading to the patched versions (8.0.1, 7.5.5), auditing dependencies, treating schema loading as untrusted input, and considering precompiled schemas to reduce exposure. → scworld.com |
| 2026-04-20 2026 | Google Chrome Multiple Vulnerabilities news | Writeup detailing multiple vulnerabilities in Google Chrome, including CVE-2026-6296 through CVE-2026-6364. Exploitation of these weaknesses can lead to remote code execution, denial of service, information disclosure, and security restriction bypass. Affected versions are prior to 147.0.7727.101 on Linux, and prior to 147.0.7727.101/102 on Mac and Windows. Mitigation involves updating to the latest vendor-released versions. → hkcert.org |
| 2026-04-20 2026 | iTerm2 Flaw Abuses SSH Integration Escape Sequences to Turn Text Into Code Execution news | iTerm2 Flaw Abuses SSH Integration Escape Sequences to Turn Text Into Code Execution https://ift.tt/l13PHeM → cyberpress.org |
| 2026-04-20 2026 | SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files news Python | Writeup of CVE-2026-5760, a critical RCE flaw in SGLang (CVSS 9.8) stemming from Jinja2 server-side template injection in GGUF model files loaded via the "/v1/rerank" endpoint. Attackers craft malicious GGUF files with SSTI payloads in the tokenizer.chat_template parameter, leading to arbitrary Python code execution on the SGLang server when the endpoint renders the template. The bug is similar to CVE-2024-34359 and CVE-2025-61620; mitigation involves rendering templates with Jinja2's ImmutableSandboxedEnvironment. → thehackernews.com |
| 2026-04-20 2026 | Vulnerability exploitation surges often precede disclosure offering possible early warnings news | Vulnerability exploitation surges often precede disclosure, offering possible early warnings https://ift.tt/UAnQyhJ → cybersecuritydive.com |
| 2026-04-20 2026 | 52M-Download protobuf.js Library Hit by RCE in Schema Handling news | Writeup of an RCE in protobuf.js, a widely used JavaScript package in Google Cloud and Firebase SDKs, that lets attackers execute arbitrary code by manipulating type names in schema files. The vulnerability, GHSA-xq3m-2v4x-88gg, abuses the `Type.generateConstructor` function's dynamic JavaScript generation, which splices type names into executable source. Versions 8.0.0 and earlier, and 7.5.4 and earlier, are affected. The fix is a regex-based sanitization of type names; users should update to protobuf.js 8.0.1 or 7.5.5 immediately. → hackread.com |
| 2026-04-20 2026 | Critical Vulnerability In Flowise Allows Remote Command Execution Via MCP Adapters news | Critical Vulnerability In Flowise Allows Remote Command Execution Via MCP Adapters https://ift.tt/NBwdZU2 → cybersecuritynews.com |
| 2026-04-20 2026 | Cisco ISE Vulnerabilities Enable Remote Code Execution news | Vulnerabilities in Cisco Identity Services Engine (ISE) and Webex Services enable remote code execution and user impersonation. CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186 affect Cisco ISE, allowing authenticated attackers to execute arbitrary commands and escalate privileges. CVE-2026-20184 impacts Webex Services SSO integration, enabling user impersonation. Patching is essential as no workarounds exist for these critical flaws impacting authentication, collaboration, and network access control systems. → thecyberexpress.com |
| 2026-04-19 2026 | CISA tells feds to patch 13-year-old Apache ActiveMQ bug under active attack news | Reference for CVE-2026-34197, a critical remote code execution vulnerability in Apache ActiveMQ Classic. This 13-year-old flaw, now on CISA's Known Exploited Vulnerabilities catalog, allows authenticated attackers to run arbitrary OS commands via the Jolokia management API. The vulnerability is exacerbated by common default credentials and can be chained with CVE-2024-32114 on certain versions to enable unauthenticated exploitation. Patches are available in ActiveMQ versions 5.19.5 and 6.2.3. → theregister.com |
| 2026-04-19 2026 | CVE-2025-22457: Ivanti Connect Secure VPN Zero-Day RCE news | Writeup of CVE-2025-22457, a zero-day stack-based buffer overflow in Ivanti Connect Secure VPN exploited by UNC5221. This vulnerability allows unauthenticated remote code execution and has been used for data exfiltration and backdoor installation. Urgent patching to the latest fixed version is recommended to mitigate exploitation. → arcticwolf.com |
| 2026-04-19 2026 | Advisory: Actively Exploited Unauthenticated RCE in Ivanti Connect Secure (CVE-2025-0282) news | Advisory for CVE-2025-0282, an unauthenticated RCE vulnerability in Ivanti Connect Secure and other Ivanti products, disclosed January 8, 2025, and actively exploited since mid-December 2024. This stack-based buffer overflow allows arbitrary code execution. Observed tactics include lateral movement and SPAWN malware deployment, with links to previous Ivanti vulnerability campaigns. Ivanti's Integrity Checker Tool and Mandiant IoCs can identify compromise. |
| 2026-04-19 2026 | Command Injection in Jenkins via Git Parameter (CVE-2025-53652) intermediate | Writeup of CVE-2025-53652 in Jenkins, detailing command injection via the Git Parameter plugin. Attackers can exploit unvalidated Git parameters to achieve remote code execution, leveraging git's GTFOBins-listed ability to run commands to execute arbitrary commands such as `sleep` or to establish reverse shells. Exploitation requires a valid session cookie, a build name, and a Jenkins crumb, all of which remain obtainable on instances that allow anonymous access. Detection is possible through Suricata rules and analysis of Jenkins job logs. |
| 2026-04-19 2026 | 0xMarcio/cve: Latest CVEs with PoC Exploits intermediate | Repository tracking recently published CVEs that have public proof-of-concept exploits. |
| 2026-04-19 2026 | Microsoft WSUS RCE (CVE-2025-59287) Actively Exploited news | Analysis of CVE-2025-59287, a critical unauthenticated RCE in Microsoft WSUS, details its exploitation via unsafe deserialization through the GetCookie() or ReportingWebService endpoints. Observed attack chains involve PowerShell execution, network reconnaissance, and exfiltration to attacker-controlled webhooks. Affected systems include various Windows Server versions with the WSUS role enabled. Temporary mitigations include disabling the WSUS role or blocking ports 8530 and 8531. → unit42.paloaltonetworks.com |
| 2026-04-18 2026 | ShowDoc Vulnerability Patched in 2020 Now Used in Active Server Takeovers news | Writeup detailing CVE-2025-0520, an unrestricted file upload vulnerability in ShowDoc, allowing remote code execution. Exploitable via uploading PHP web shells to servers lacking patches from October 2020 (version 2.8.7), this N-day vulnerability poses a significant risk for systems that remain unupdated, with over 2,000 exposed instances observed globally, primarily in China. → hackread.com |
| 2026-04-18 2026 | Critical flaw in Protobuf library enables JavaScript code execution news | Library vulnerability GHSA-xq3m-2v4x-88gg, a critical RCE flaw in protobuf.js, arises from unsafe dynamic code generation. Attackers can inject arbitrary JavaScript code by supplying malicious schemas, leading to code execution on servers or developer machines. Endor Labs identified the issue, impacting versions 8.0.0/7.5.4 and lower, with patches available in 8.0.1 and 7.5.5. Mitigation involves upgrading, auditing dependencies, and treating schema loading as untrusted input. → bleepingcomputer.com |
| 2026-04-18 2026 | ShowDoc Vulnerability Patched in 2020 Now Used in Active Server Takeovers news | Writeup detailing CVE-2025-0520, an unrestricted file upload vulnerability in ShowDoc allowing remote code execution. Patched in ShowDoc 2.8.7 in October 2020, this N-day vulnerability is actively exploited by threat actors targeting servers worldwide, especially those running outdated versions. Defense requires updating to ShowDoc 3.8.1 to prevent compromised infrastructure and follow-on attacks. → hackread.com |
| 2026-04-18 2026 | Critical Cisco ISE Vulnerabilities Let Remote Attackers Execute Malicious Code news | Critical Cisco ISE Vulnerabilities Let Remote Attackers Execute Malicious Code https://ift.tt/w79ePIr → cybersecuritynews.com |
| 2026-04-17 2026 | Multiple attacks weaponizing critical Marimo RCE identified news | Writeup on attacks weaponizing the Marimo RCE (CVE-2026-39987) against deployed applications. Threat actors exploit this critical vulnerability to deploy NKAbuse malware hosted on Hugging Face, execute reverse shells, steal database and .env credentials, and compromise PostgreSQL and Redis servers for data enumeration and exfiltration. → scworld.com |
| 2026-04-17 2026 | Apache ActiveMQ RCE bug to CISA list of exploited vulnerabilities news | Writeup detailing CVE-2026-34197, a 13-year-old Apache ActiveMQ RCE vulnerability added to CISA's KEV catalog. Discovered using the Claude AI assistant, this high-severity bug highlights how AI accelerates vulnerability research and weaponization of legacy code. The ActiveMQ flaw, exploitable with default or no credentials in some versions, requires disabling the Jolokia interface or immediate patching to mitigate risks posed by adversaries leveraging AI for rapid code auditing. → scworld.com |
| 2026-04-17 2026 | Marimo Exploits Enable Blockchain Backdoor Spread news | Marimo Exploits Enable Blockchain Backdoor Spread https://ift.tt/vhVgxEe → letsdatascience.com |
| 2026-04-17 2026 | CVE-2026-34197: Apache ActiveMQ Jolokia RCE Vulnerability news | CVE-2026-34197 is an authenticated RCE vulnerability in Apache ActiveMQ Classic stemming from how the Jolokia JMX-HTTP bridge handles management operations. Exploitation involves an attacker invoking operations like `addNetworkConnector` with a crafted `brokerConfig` parameter, forcing the broker to load and execute a remote Spring XML configuration file, leading to code execution within the broker JVM. This long-standing behavior, present for nearly 13 years, can be exacerbated by CVE-2024-32114, making it unauthenticated RCE. → securityboulevard.com |
| 2026-04-17 2026 | PoC Exploit Released for FortiSandbox Vulnerability that Allows attacker to execute commands news | PoC Exploit Released for FortiSandbox Vulnerability that Allows attacker to execute commands https://ift.tt/Cld3i9q → cyberpress.org |
| 2026-04-17 2026 | Hugging Face Abused To Spread Blockchain-Based Backdoor In CVE-2026-39987 Attacks news | Hugging Face Abused To Spread Blockchain-Based Backdoor In CVE-2026-39987 Attacks https://ift.tt/QZjdzEJ → cyberpress.org |
| 2026-04-17 2026 | U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog news | Writeup of CVE-2026-34197, a critical flaw in Apache ActiveMQ Classic impacting versions prior to 5.19.4 and 6.2.3. This vulnerability, caused by improper input validation and unsafe code execution, allows authenticated attackers to achieve remote code execution by exploiting the Jolokia JMX-HTTP bridge. The flaw leverages a crafted discovery URI to force the broker to load a malicious remote Spring XML configuration, enabling arbitrary code execution through bean factory methods like `Runtime.exec()`. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating remediation for federal agencies. → securityaffairs.com |
| 2026-04-17 2026 | Microsoft and Adobe Patch Tuesday April 2026 Security Update Review news | Analysis of April 2026 Patch Tuesday updates from Microsoft and Adobe reveals 163 vulnerabilities addressed by Microsoft, including eight critical-severity issues and two zero-days: an access-control flaw in Windows Defender and an input validation flaw in Microsoft Office SharePoint, both actively exploited. Adobe patched 56 vulnerabilities across various products, with 38 critical. Notable Microsoft issues include use-after-free flaws in Remote Desktop Client and Microsoft Office, and race conditions in Windows Active Directory and TCP/IP, enabling remote code execution or privilege escalation. |
| 2026-04-17 2026 | Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation news | Writeup detailing CVE-2026-34197, a critical Apache ActiveMQ Classic vulnerability allowing code injection via the Jolokia API. This flaw, actively exploited and added to CISA's KEV catalog, has been present for 13 years and is exacerbated by CVE-2024-32114 on certain versions, enabling unauthenticated RCE. Horizon3.ai and SAFE Security highlight its exploitation targeting exposed management endpoints, with Fortinet noting dozens of attempts. Upgrading to versions 5.19.4 or 6.2.3 is recommended. → thehackernews.com |
| 2026-04-16 2026 | Empirical Study on RCE in ML Model Hosting Ecosystems advanced | Survey of Remote Code Execution risks in ML model hosting ecosystems, analyzing custom code execution on platforms like Hugging Face and ModelScope. The study employs static analysis tools Bandit, CodeQL, and Semgrep, alongside YARA for pattern detection, to identify vulnerabilities. It also examines platform security mechanisms and developer discussions to understand perceptions, revealing widespread unsafe defaults and developer confusion about executing remote code. → arxiv.org |
| 2026-04-16 2026 | Method Confusion in Go SSTIs Lead to File Read and RCE advanced | Writeup on Go Server-Side Template Injection (SSTI) vulnerabilities, focusing on method confusion within the `html/template` module. It demonstrates how to achieve arbitrary file reads and Remote Code Execution (RCE) by invoking exported methods of the rendered object from within the template, such as a `Secret` method for command execution or the `File` method from the `echo` framework for local file disclosure. → onsecurity.io |
| 2026-04-16 2026 | SmarterTools SmarterMail Pre-Auth RCE (CVE-2025-52691) news | Writeup of CVE-2025-52691, a pre-authentication remote code execution vulnerability in SmarterTools SmarterMail. The analysis details how an unauthenticated file upload endpoint, which accepts a JSON-deserializable `contextData` parameter, allows an attacker to control a `guid` property. The patched build 9413 introduces GUID validation, indicating that exploitation relied on manipulating this field during upload processing, as detailed by Chua Meng Han of CSIT. |
| 2026-04-16 2026 | Dissecting and Exploiting CVE-2025-62507: RCE in Redis intermediate | Writeup of CVE-2025-62507, a stack buffer overflow in Redis's XACKDEL command, details how an attacker can trigger this vulnerability by providing an excessive number of stream IDs. This overflow allows for overwriting the return address on the stack, potentially leading to remote code execution, especially in unauthenticated Redis instances. The analysis demonstrates exploiting this flaw by crashing the server with carefully crafted commands, revealing the path to weaponized exploits. |
| 2026-04-16 2026 | Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120) intermediate | Writeup detailing CVE-2025-23120, a domain-level RCE in Veeam Backup & Replication. This vulnerability arises from a flawed blacklist-based deserialization mechanism, allowing domain users to achieve SYSTEM privileges on the Veeam server. The attack leverages the .NET Remoting Channel and a specific class, `Veeam.Backup.Model.CDbCryptoKeyInfo`, which ultimately leads to inner deserialization with a blacklist. This writeup follows previous research on CVE-2024-40711, also in Veeam, highlighting the persistent issues with blacklist-based security. |
| 2026-04-16 2026 | Exploitation Walkthrough - Ivanti Connect Secure RCE (CVE-2025-0282) intermediate | Walkthrough of CVE-2025-0282 in Ivanti Connect Secure, detailing a stack-based buffer overflow in the `ift_handle_1` function. Exploitation involves crafting a malicious `clientCapabilities` block exceeding 256 bytes to trigger an out-of-bounds write. While direct return address overwriting is complicated by a preceding `free()` call on `object_to_be_freed`, an alternative exploitation path leverages a virtual function call at offset 0x48 within `a1`. |
| 2026-04-16 2026 | React2Shell Deep Dive: CVE-2025-55182 Exploit Mechanics advanced | Writeup detailing CVE-2025-55182, dubbed "React2Shell," a critical RCE vulnerability in React Server Components. It breaks down the exploit mechanics, including improper input deserialization and gadget chains, and analyzes in-the-wild attacks observed by Wiz. These attacks range from opportunistic cryptomining and credential harvesting to sophisticated cloud backdoors leveraging Node.js for fileless persistence and Sliver implants for long-term access. The vulnerability has broader implications beyond Next.js, affecting frameworks like Waku and Vite with RSC plugins. → wiz.io |
| 2026-04-16 2026 | Remote Code Execution in Ghost CMS (CVE-2026-29053) intermediate | Writeup on CVE-2026-29053, a remote code execution vulnerability in Ghost CMS versions 0.7.2 through 6.19.0. The flaw arises from unsafe expression evaluation within the theming system, where specially crafted themes can exploit a dependency chain involving the `jsonpath` and `static-eval` libraries. Exploitation requires an administrator to upload and activate a malicious theme, leading to arbitrary JavaScript execution on the server during page rendering, potentially impacting supply-chain trust and admin-targeted deception. |
| 2026-04-16 2026 | Ni8mare: Unauthenticated Remote Code Execution in n8n (CVE-2026-21858) intermediate | Writeup of CVE-2026-21858, an unauthenticated remote code execution vulnerability in n8n rooted in a Content-Type confusion bug. Attackers can exploit this flaw by crafting a malicious request that manipulates the `req.body.files` object, allowing them to read arbitrary local files and achieve full takeover of n8n instances. This issue impacts over 100,000 servers globally and has a CVSS score of 10.0. Users should upgrade to n8n version 1.121.0 or later for remediation. |
| 2026-04-16 2026 | Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face news | Writeup detailing the exploitation of Marimo CVE-2026-39987, which allows remote code execution and deployment of NKAbuse malware. Attackers leverage Hugging Face Spaces, posing as legitimate AI tools, to host dropper scripts and malware binaries. The payload, a variant of NKAbuse, functions as a remote access trojan with capabilities for shell command execution and data exfiltration, including credential theft from environment variables and Redis servers. Exploitation has increased in volume and tactics, with affected users urged to upgrade Marimo to version 0.23.0 or later, or block external access to the `/terminal/ws` endpoint. → bleepingcomputer.com |
| 2026-04-16 2026 | Windows Active Directory Vulnerability Allow Attackers to Execute Malicious Code news | Windows Active Directory Vulnerability Allow Attackers to Execute Malicious Code https://ift.tt/MaeJ2jN → cybersecuritynews.com |
| 2026-04-16 2026 | Windows IKE Service Extensions Vulnerability Enables Remote Code Execution (CVE-2026-33824) news | Writeup of CVE-2026-33824, a critical remote code execution vulnerability in Windows IKE Service Extensions. This memory management error, a double free condition, allows unauthenticated network-based exploitation via UDP ports 500 and 4500. Affecting multiple Windows versions, it enables attackers to gain system control, particularly impacting VPN infrastructure and exposing internal networks. Microsoft released updates in April 2026 to address this issue. → securityboulevard.com |
| 2026-04-16 2026 | ThreatsDay Bulletin: 17-Year-Old Excel RCE, Defender 0-Day, SonicWall Brute-Force and 15 More Stories news | Roundup of recent security stories, including a 17-year-old Microsoft Office Excel RCE (CVE-2009-0238), a new Microsoft Defender privilege escalation zero-day (RedSun) and DoS exploit (UnDefend), a targeted cryptocurrency wallet breach via AI-assisted social engineering against Zerion, and a fake Ledger app on the Apple App Store that stole $9.5 million. It also covers a new ransomware strain (JanaWare) targeting Turkey, the uncovering of stealthy C2 frameworks (ObsidianStrike, ArchangelC2), and a Raspberry Pi OS update disabling passwordless sudo by default. → thehackernews.com |
| 2026-04-16 2026 | Splunk Enterprise Update Patches Code Execution Vulnerability news | Update for Splunk Enterprise addresses CVE-2026-20204, a high-severity flaw allowing low-privileged users to achieve remote code execution via temporary file handling issues. It also patches medium-severity vulnerabilities in Splunk Enterprise and Cloud Platform related to username formatting and Data Model Acceleration control. Additionally, CVE-2026-20205 in MCP Server, a high-severity vulnerability allowing authenticated attackers to view clear-text user sessions and tokens, is fixed in MCP Server app version 1.0.3. Patches for third-party packages across various Splunk products are also included. → securityweek.com |
| 2026-04-16 2026 | Splunk Enterprise and Cloud Platform Vulnerability Enables Remote Code Execution Attacks news | Splunk Enterprise and Cloud Platform Vulnerability Enables Remote Code Execution Attacks https://ift.tt/CABqpw7 → cybersecuritynews.com |
| 2026-04-16 2026 | Weekly Vulnerability Report: Azure AI Spring AI Fortinet Bugs news | Report detailing 1,431 vulnerabilities this week, including 270+ with public PoCs and 3 on underground forums. Highlights include CVE-2026-32213 in Azure AI Foundry, CVE-2026-35022 in Claude Code CLI, CVE-2026-22738 in Spring AI, CVE-2026-4631 in Cockpit, and CVE-2026-35616 in Fortinet FortiClient EMS. Also covers ICS vulnerabilities from Siemens, Hitachi Energy, and Yokogawa. |
| 2026-04-16 2026 | Cisco Patches Four Critical Identity Services Webex Flaws Enabling Code Execution news | Writeup detailing Cisco's patching of four critical vulnerabilities in Identity Services and Webex Services. CVE-2026-20184, a critical improper certificate validation flaw in Webex SSO, allows unauthenticated user impersonation. CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186 are insufficient input validation flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), enabling authenticated remote code execution and arbitrary command execution with administrative or read-only credentials respectively. → thehackernews.com |
| 2026-04-16 2026 | Splunk Enterprise and Cloud Platform Exposed to Dangerous RCE Vulnerability news | Splunk Enterprise and Cloud Platform Exposed to Dangerous RCE Vulnerability https://ift.tt/0zW71Ld → gbhackers.com |
| 2026-04-16 2026 | Critical Cisco ISE Vulnerabilities Let Remote Attackers Execute Malicious Code news | Critical Cisco ISE Vulnerabilities Let Remote Attackers Execute Malicious Code https://ift.tt/m7TKb1e → cyberpress.org |
| 2026-04-16 2026 | Critical Chrome Vulnerabilities Let Attackers Execute Arbitrary Code news | Critical Chrome Vulnerabilities Let Attackers Execute Arbitrary Code https://ift.tt/BcJYMZS → cyberpress.org |
| 2026-04-15 2026 | Windows Active Directory Flaw Opens Door to Malicious Code Execution news | Windows Active Directory Flaw Opens Door to Malicious Code Execution https://ift.tt/6sieTME → gbhackers.com |
| 2026-04-15 2026 | Adobe Acrobat Reader vulnerability trapped PDFs and prepress workflow security news | Writeup of CVE-2026-34621, a vulnerability in Adobe Acrobat Reader exploiting internal APIs like `util.readFileIntoStream` and `RSS.addFeed` to achieve remote code execution and sandbox bypass. This flaw allowed attackers to exfiltrate local files and gain elevated privileges on prepress workstations, posing a significant risk to production data and connected systems. The vulnerability remained unpatched for months, highlighting workflow security challenges in the graphic arts industry. |
| 2026-04-15 2026 | Microsoft fixes 167 security flaws in April second biggest Patch Tuesday ever news | Analysis of Microsoft's April Patch Tuesday, the second-largest security update ever, reveals fixes for 167 vulnerabilities across Windows, Office, and cloud services. Eight critical flaws include actively exploited zero-days in SharePoint Server (CVE-2026-32201) and Office, with some Office RCE vulnerabilities (e.g., CVE-2026-33114) exploitable via preview panes. Other critical issues affect the TCP/IP stack (CVE-2026-33827), Internet Key Exchange (CVE-2026-33824), Remote Desktop Client (CVE-2026-32157), Active Directory (CVE-2026-33826), and .NET Framework DoS (CVE-2026-23666). Additionally, an Elevation of Privilege vulnerability in Defender (CVE-2026-33825) was known pre-patch. |
| 2026-04-15 2026 | Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day news | Writeup of Microsoft's April 2026 Patch Tuesday, which fixed 165 vulnerabilities, including an actively exploited SharePoint zero-day, CVE-2026-32201. This critical spoofing vulnerability, likely an XSS flaw, allowed attackers to view or modify sensitive information. Security experts urge rapid patching, noting the release's large size and potential impact on organizations with internet-facing SharePoint servers. → securityaffairs.com |
| 2026-04-15 2026 | April Patch Tuesday Fixes Critical Flaws Across SAP Adobe Microsoft Fortinet and More news | Reference detailing critical vulnerabilities patched in April's Patch Tuesday, including an SQL injection in SAP Business Planning and Consolidation (CVE-2026-27681), a remotely exploitable code execution in Adobe Acrobat Reader (CVE-2026-34621), and path traversal flaws in FortiSandbox (CVE-2026-39813, CVE-2026-39808). It also mentions a spoofing vulnerability in Microsoft SharePoint Server (CVE-2026-32201) and numerous other patches from vendors like ABB, AWS, Apple, Cisco, and Linux distributions. → thehackernews.com |
| 2026-04-15 2026 | Critical nginx-ui Vulnerability CVE-2026-33032 Allows Unauthenticated Nginx Takeover news | Writeup of CVE-2026-33032, an authentication bypass vulnerability in nginx-ui. This flaw, codenamed MCPwn, allows unauthenticated attackers to seize control of Nginx services by exploiting the /mcp_message endpoint, which bypasses authentication while only enforcing IP whitelisting. Attackers can gain session IDs by leveraging a separate vulnerability (CVE-2026-27944) to decrypt backups and extract sensitive data, including "node_secret" credentials. Exploitation can lead to restarting Nginx, modifying configuration files, and intercepting traffic. The vulnerability is patched in nginx-ui version 2.3.4. → thehackernews.com |
| 2026-04-15 2026 | Microsoft Patch Tuesday: April 2026 news | Microsoft Patch Tuesday: April 2026 https://ift.tt/qU7sl6p → arcticwolf.com |
| 2026-04-15 2026 | Zero Day Initiative The April 2026 Security Update Review news | Reference detailing April 2026 security updates from Adobe and Microsoft, covering 61 CVEs in Adobe products like Acrobat Reader and ColdFusion, and 163 CVEs in Microsoft products including Windows, Office, and Azure. Highlights actively exploited vulnerabilities such as CVE-2026-32201 (SharePoint Server Spoofing), CVE-2026-33825 (Microsoft Defender Elevation of Privilege), CVE-2026-33827 (Windows TCP/IP RCE), and CVE-2026-33824 (Windows IKE Service RCE). Also notes critical vulnerabilities in Office, .NET, SQL Server, and Hyper-V, alongside numerous Elevation of Privilege and sandbox escape bugs. |
| 2026-04-15 2026 | Windows Active Directory Vulnerability Allows Attackers to Execute Malicious Code news | Windows Active Directory Vulnerability Allows Attackers to Execute Malicious Code https://ift.tt/wBTSFR1 → cyberpress.org |
| 2026-04-15 2026 | Microsoft April 2026 Patch Tuesday Fixes 167 Flaws 2 Zero-Days news | Library of Microsoft's April 2026 Patch Tuesday fixes details 167 vulnerabilities, including an actively exploited SharePoint zero-day (CVE-2026-32201) and a Defender privilege escalation zero-day (CVE-2026-33825) found using the Diffract fuzzing tool. This release also addresses remote code execution bugs in Office, particularly those exploitable via document preview, and high-severity flaws in products like Remote Desktop Client. |
| 2026-04-15 2026 | Fortinet Patches Critical FortiSandbox Vulnerabilities news | Library of advisories detailing critical vulnerabilities patched by Fortinet, including CVE-2026-39813 for FortiSandbox JRPC API authentication bypass and CVE-2026-39808 for FortiSandbox OS command injection, both exploitable via HTTP requests without authentication. Additionally, CVE-2026-22828, a high-severity buffer overflow in FortiAnalyzer Cloud, was patched, alongside SQL injection bugs in FortiDDoS-F and FortiClientEMS, and various medium- and low-severity issues across other Fortinet products. → securityweek.com |
| 2026-04-15 2026 | Microsoft Issues Patches for SharePoint Zero-Day and 168 Other Vulnerabilities news | Library of Microsoft patches addressing 169 vulnerabilities, including zero-day CVE-2026-32201 impacting SharePoint Server, a privilege escalation flaw in Microsoft Defender (CVE-2026-33825) known as BlueHammer, and a critical remote code execution vulnerability in Windows Internet Key Exchange (CVE-2026-33824). The release also included CVEs impacting AMD, Node.js, Windows Secure Boot, and Git for Windows. → thehackernews.com |
| 2026-04-15 2026 | Microsoft Patch Tuesday April 2026 Fixes 167 Bugs news | Updates detail Microsoft's April 2026 Patch Tuesday, addressing 167 vulnerabilities. This includes two zero-days: an actively exploited SharePoint Server spoofing flaw and CVE-2026-33825 in Microsoft Defender, allowing SYSTEM-level privilege escalation. Critical fixes address RCE and DoS issues in .NET Framework (CVE-2026-23666), Remote Desktop Client (CVE-2026-32157), Microsoft Office (e.g., CVE-2026-32190), Windows IKE extension (CVE-2026-33824), Active Directory (CVE-2026-33826), and Windows TCP/IP (CVE-2026-33827). → thecyberexpress.com |
| 2026-04-15 2026 | Adobe Acrobat flaw enables remote execution via malicious PDFs news | Writeup of CVE-2026-34621, a zero-day vulnerability in Adobe Acrobat and Acrobat Reader that enabled remote code execution through malicious PDFs. Actively exploited for months, the flaw allowed attackers to compromise systems, steal data, and prepare further attacks. Discovered by Haifei Li, the vulnerability affected the handling of internal program objects. Adobe released an emergency update, and users are urged to patch immediately and exercise caution with untrusted PDFs. |
| 2026-04-15 2026 | Adobe Acrobat Remote Code Execution Vulnerability news | Writeup detailing CVE-2026-34621, a high-risk Adobe Acrobat remote code execution vulnerability. Exploitation requires user interaction, typically by opening a malicious file, and leads to arbitrary code execution via Prototype Pollution. Affected versions include Acrobat DC, Acrobat Reader DC, and Acrobat 2024, with patches available for update. → hkcert.org |
| 2026-04-15 2026 | Critical ShowDoc RCE Vulnerability Actively Exploited in the Wild news | Critical ShowDoc RCE Vulnerability Actively Exploited in the Wild https://ift.tt/16vB7tb → cybersecuritynews.com |
| 2026-04-14 2026 | ShowDoc vulnerability actively exploited news | Library for detecting CVE-2025-0520, an unrestricted file upload vulnerability in ShowDoc versions prior to 2.8.7. This critical flaw, with a CVSS score of 9.4, allows attackers to achieve remote code execution by uploading web shells due to improper file extension validation. Active exploitation in the wild, targeting a U.S.-based honeypot, highlights the ongoing risk posed by this N-day vulnerability. → scworld.com |
| 2026-04-14 2026 | Microsoft Patch Tuesday April 2026 168 Vulnerabilities Fixed Including Actively Exploited 0-day news | Microsoft Patch Tuesday April 2026 – 168 Vulnerabilities Fixed, Including Actively Exploited 0-day https://ift.tt/TbdJPtY → cybersecuritynews.com |
| 2026-04-14 2026 | Microsoft Patch Tuesday for April 2026 - Snort Rule and Prominent Vulnerabilities news | Snort rules detect exploitation attempts for Microsoft's April 2026 Patch Tuesday, which includes 165 vulnerabilities. Critical issues addressed by the rules include CVE-2026-23666 (.NET DoS), CVE-2026-33824 (Windows IKE RCE), CVE-2026-33826 (Active Directory RCE), and CVE-2026-33827 (Windows TCP/IP RCE). The update also covers several "more likely" to be exploited important vulnerabilities, such as CVE-2026-0390 (UEFI Secure Boot bypass) and CVE-2026-32201 (SharePoint spoofing). |
| 2026-04-14 2026 | Microsoft's April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201) news | Reference of Microsoft's April 2026 Patch Tuesday, addressing 163 CVEs including critical vulnerabilities like CVE-2026-33824 in Windows IKE Service Extensions and CVE-2026-33826 in Windows Active Directory. This release also features patches for zero-day exploits, such as CVE-2026-32201 affecting Microsoft SharePoint Server and the publicly disclosed BlueHammer exploit targeting Microsoft Defender (CVE-2026-33825). Elevation of privilege vulnerabilities constitute the largest portion of this update, followed by information disclosure and remote code execution flaws. → securityboulevard.com |
| 2026-04-14 2026 | Microsoft April 2026 Patch Tuesday Fixes 160 Vulnerabilities Including 2 Zero-Day Flaws news | Microsoft April 2026 Patch Tuesday Fixes 160+ Vulnerabilities, Including 2 Zero-Day Flaws https://ift.tt/YKfCdMi |
| 2026-04-14 2026 | Microsoft April 2026 Patch Tuesday fixes 167 flaws 2 zero-days news | Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days https://ift.tt/nLAl5mZ → bleepingcomputer.com |
| 2026-04-14 2026 | Critical FortiSandbox Vulnerabilities Allow Attackers to Execute Unauthorized Commands news | Critical FortiSandbox Vulnerabilities Allow Attackers to Execute Unauthorized Commands https://ift.tt/36oOGsb → cybersecuritynews.com |
| 2026-04-14 2026 | Adobe patched zero day in Acrobat that allowed remote code execution news | Writeup detailing CVE-2026-34621, an Adobe Acrobat zero-day vulnerability patched by Adobe. This flaw allowed for remote code execution, enabling malware installation on Windows and macOS through maliciously crafted PDF files. The vulnerability, exploited in the wild for at least four months, could grant attackers full control over a victim's system and facilitate data theft across Acrobat DC, Reader DC, and Acrobat 2024. |
| 2026-04-14 2026 | Critical ShowDoc RCE Vulnerability Actively Exploited in the Wild news | Critical ShowDoc RCE Vulnerability Actively Exploited in the Wild https://ift.tt/ug84a6E → cyberpress.org |
| 2026-04-14 2026 | Hackers Exploit Critical ShowDoc RCE Flaw in Ongoing Attacks news | Hackers Exploit Critical ShowDoc RCE Flaw in Ongoing Attacks https://ift.tt/ZcO3Y8e → gbhackers.com |
| 2026-04-14 2026 | Kali Forms Vulnerability Enables Remote Code Execution RCE news | Writeup of Kali Forms RCE vulnerability in a popular WordPress plugin, allowing unauthenticated attackers to execute arbitrary PHP code via manipulated form submission data. Exploiting a flaw in the `prepare_post_data()` and `_save_data()` functions, attackers can overwrite internal placeholders used in `call_user_func()` to achieve remote code execution, with observed attacks including authentication bypass using `wp_set_auth_cookie`. The vulnerability, fixed in version 2.4.10, saw immediate exploitation following public disclosure. → thecyberexpress.com |
| 2026-04-14 2026 | ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers news | Writeup of CVE-2025-0520, a critical ShowDoc RCE flaw with CVSS 9.4, actively exploited due to unrestricted file upload via improper extension validation. Attackers can upload PHP web shells to execute arbitrary code on unpatched servers running versions before 2.8.7, demonstrating the exploitation of N-day vulnerabilities. → thehackernews.com |
| 2026-04-14 2026 | CISA Adds 6 Known Exploited Flaws in Fortinet Microsoft and Adobe Software news | Survey of CISA's Known Exploited Vulnerabilities (KEV) catalog, detailing six critical flaws actively exploited in the wild. This includes an SQL injection in Fortinet FortiClient EMS (CVE-2026-21643), use-after-free in Adobe Acrobat Reader (CVE-2020-9715), privilege escalation via Windows CLFS driver (CVE-2023-36424), deserialization vulnerability in Microsoft Exchange Server (CVE-2023-21529), local privilege elevation in Host Process for Windows Tasks (CVE-2025-60710), and insecure library loading in Microsoft VBA (CVE-2012-1854). → thehackernews.com |
| 2026-04-14 2026 | Cisco warns of critical IMC vulnerabilities: ironically, the server manager itself has become a point of entry news | Advisories detail critical Cisco IMC vulnerabilities including CVE-2026-20093, an authentication bypass allowing remote admin access, and CVE-2026-20094 through CVE-2026-20097, enabling command injection and RCE with root privileges, even for read-only users. These issues highlight the risk of neglecting "internal" management interfaces like IMC, BMC, iLO, and iDRAC, which can serve as prime entry points into data center environments. |
| 2026-04-13 2026 | Seven IBM WebSphere Liberty flaws can be chained into full takeover news | Writeup on seven IBM WebSphere Liberty flaws, including CVE-2026-1561 for pre-authentication RCE via SAML Web SSO, CVE-2025-14915 for privilege escalation via AdminCenter, and others related to hardcoded keys and insecure archive extraction, that can be chained for full server compromise and remote code execution. → csoonline.com |
| 2026-04-13 2026 | Marimo vulnerability exploited within hours of disclosure news | Library entry on CVE-2026-39987, a critical RCE in Marimo versions prior to 0.23.0, which was exploited within hours of its disclosure. Attackers gained a PTY shell and executed arbitrary commands by exploiting missing authentication on the terminal WebSocket endpoint, demonstrating rapid weaponization of internet-facing vulnerabilities. → scworld.com |
| 2026-04-13 2026 | Marimo RCE Vulnerability Exploited Within 10 Hours of Disclosure news | Marimo RCE Vulnerability Exploited Within 10 Hours of Disclosure https://ift.tt/LEjUohx → cybersecuritynews.com |
| 2026-04-13 2026 | Critical Axios Vulnerability Allows Remote Code Execution news | Critical Axios Vulnerability Allows Remote Code Execution https://ift.tt/W2I8efr → cybersecuritynews.com |
| 2026-04-13 2026 | Critical Axios Vulnerability Enables Remote Code Execution PoC Released news | Critical Axios Vulnerability Enables Remote Code Execution, PoC Released https://ift.tt/JolDXhx → gbhackers.com |
| 2026-04-13 2026 | Juniper Junos OS Multiple Vulnerabilities news | Bulletin detailing multiple vulnerabilities in Juniper Junos OS and Junos OS Evolved. These issues, including CVE-2022-24805, CVE-2025-13914, CVE-2025-30650, and numerous others listed in the 2026-04 Security Bulletin, can lead to spoofing, data manipulation, remote code execution, denial of service, information disclosure, privilege elevation, and security restriction bypass. Remediation requires consulting Juniper's vendor website. → hkcert.org |
| 2026-04-13 2026 | Critical Axios Vulnerability Allows Remote Code Execution news | Critical Axios Vulnerability Allows Remote Code Execution https://ift.tt/bDWH6Pi → cyberpress.org |
| 2026-04-13 2026 | Marimo RCE Vulnerability Exploited Within 10 Hours of Public Disclosure news | Marimo RCE Vulnerability Exploited Within 10 Hours of Public Disclosure https://ift.tt/fU4AYhF → cyberpress.org |
| 2026-04-13 2026 | Marimo RCE Vulnerability Exploited Within 10 Hours of Public Disclosure news | Marimo RCE Vulnerability Exploited Within 10 Hours of Public Disclosure https://ift.tt/Gw2u758 → gbhackers.com |
| 2026-04-13 2026 | Marimo RCE Flaw Exploited Within Hours of Disclosure news | Tool for detecting and mitigating the Marimo RCE vulnerability (CVE-2026-39987), which allows pre-authentication remote code execution via an unauthenticated WebSocket endpoint. Exploitation observed within 10 hours of disclosure, targeting sensitive credentials and infrastructure. Mitigation strategies include patching, access control, credential rotation, least privilege, and enhanced monitoring. → esecurityplanet.com |
| 2026-04-13 2026 | Microsoft Edge Multiple Vulnerabilities news | Bulletin detailing multiple vulnerabilities in Microsoft Edge, including CVE-2026-5281 which is actively exploited. Exploitation can lead to remote code execution, denial of service, security restriction bypass, data manipulation, sensitive information disclosure, and spoofing. Affected versions are prior to 147.0.3912.60. Updating to version 147.0.3912.60 or later is recommended. → hkcert.org |
| 2026-04-12 2026 | Google Chrome 147 Security Update: Patches 60 Vulnerabilities Including Critical WebML Remote Code Execution F news | Analysis of Google Chrome 147, which patched 60 vulnerabilities including critical heap buffer overflow (CVE-2026-5858) and integer overflow (CVE-2026-5859) flaws in the WebML component. These vulnerabilities, awarded $86,000 in bug bounties, enable remote code execution via crafted web pages. The advisory details technical aspects, exploitation potential, affected versions, and mitigation strategies such as immediate patching. While no in-the-wild exploitation is reported, the significant risk necessitates vigilance, especially concerning APT groups. → rescana.com |
| 2026-04-12 2026 | Critical Marimo pre-auth RCE flaw now under active exploitation news | Writeup detailing CVE-2026-39987, a critical pre-authentication RCE vulnerability in Marimo versions 0.20.4 and earlier. Exploitable via the unauthenticated WebSocket endpoint '/terminal/ws', attackers can gain an interactive shell with the Marimo process's privileges. Active exploitation observed within hours of disclosure, with attackers exfiltrating credentials and SSH keys. Sysdig researchers noted a methodical operator targeting high-value information. Mitigation includes upgrading to version 0.23.0, restricting external access, or disabling the '/terminal/ws' endpoint. → bleepingcomputer.com |
| 2026-04-12 2026 | Critical Marimo Python Notebook RCE Vulnerability (CVE-2026-39987) Exploited Within 10 Hours of Disclosure news | Analysis of CVE-2026-39987 details a critical RCE vulnerability in Marimo, an open-source Python notebook platform, allowing unauthenticated attackers shell access via a misconfigured WebSocket endpoint. Exploitation occurred within 10 hours of disclosure, focusing on credential harvesting and reconnaissance using T1190, T1552, and T1083 MITRE ATT&CK techniques. Mitigation involves upgrading to Marimo 0.23.0+, auditing logs, and rotating compromised credentials. → rescana.com |
| 2026-04-12 2026 | Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 news | Writeup of CVE-2026-34621, an actively exploited Adobe Acrobat Reader flaw. This prototype pollution vulnerability, with a CVSS score of 8.6, allows arbitrary code execution when users open malicious PDF documents. Adobe has released emergency updates for Acrobat DC, Acrobat Reader DC, and Acrobat 2024. Security researcher Haifei Li disclosed the zero-day exploitation, and CISA has added it to their Known Exploited Vulnerabilities catalog. → thehackernews.com |
| 2026-04-11 2026 | Critical n8n RCE Vulnerability (CVSS 10.0) Discovered: Urgent Upgrade Advised news | Critical n8n RCE Vulnerability (CVSS 10.0) Discovered: Urgent Upgrade Advised https://ift.tt/KGm4hdq |
| 2026-04-11 2026 | Google Chrome Multiple Vulnerabilities news | Vulnerability summary detailing multiple issues within Google Chrome versions prior to 147.0.7727.55 on Linux, and 147.0.7727.55/56 on Mac and Windows. Exploitation can lead to information disclosure, denial of service, remote code execution, security restriction bypass, and data manipulation. This bulletin lists CVE-2026-5858 through CVE-2026-5919 as affected vulnerabilities. → hkcert.org |
| 2026-04-11 2026 | CVE-2026-39987: Marimo RCE exploited in hours after disclosure news | Writeup of CVE-2026-39987 in Marimo, a Python notebook tool, detailing its pre-authenticated RCE flaw. The vulnerability, actively exploited within 10 hours of disclosure by Sysdig Threat Research Team, allowed attackers to gain a full PTY shell by targeting the unauthenticated `/terminal/ws` WebSocket endpoint. This exploit highlights the rapid threat actor response to disclosures, even for niche software like Marimo, with credential theft occurring in under three minutes. → securityaffairs.com |
| 2026-04-10 2026 | AI Router Vulnerabilities Allow Attackers to Inject Malicious Code and Steal Sensitive Data news | AI Router Vulnerabilities Allow Attackers to Inject Malicious Code and Steal Sensitive Data https://ift.tt/RunsJvx → cybersecuritynews.com |
| 2026-04-10 2026 | GitLab Addresses Multiple Vulnerabilities Linked to DoS and Code Injection news | GitLab Addresses Multiple Vulnerabilities Linked to DoS and Code Injection https://ift.tt/7xtgdP5 → gbhackers.com |
| 2026-04-10 2026 | Orthanc DICOM Vulnerabilities Lead to Crashes RCE news | Library of nine vulnerabilities, CVE-2026-5437 to CVE-2026-5445, impacting the Orthanc DICOM server, allowing for server crashes, data leaks, and remote code execution. These defects stem from insufficient metadata validation, missing checks, and unsafe arithmetic, manifesting as out-of-bounds reads, GZIP and ZIP decompression bombs, HTTP server memory exhaustion, and heap buffer overflows in image parsing and decoding logic. Versions 1.12.10 and earlier are affected; update to 1.12.11 for remediation. → securityweek.com |
| 2026-04-10 2026 | Claude uncovers a 13-year-old ActiveMQ RCE bug within minutes news | Writeup detailing CVE-2026-34197, a 13-year-old RCE vulnerability in Apache ActiveMQ Classic, uncovered by Anthropic's Claude. The flaw, exploitable via the Jolokia API and a malicious Spring XML file, allows arbitrary system command execution. Researchers used AI to build an exploit chain in minutes, highlighting the potential for AI in vulnerability discovery. This critical flaw affects ActiveMQ Classic versions prior to 5.19.4 and several 6.x releases, with an unauthenticated variant possible in some 6.x versions due to CVE-2024-32114. → csoonline.com |
| 2026-04-10 2026 | Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure news Python | Writeup of CVE-2026-39987, a critical pre-authenticated RCE vulnerability in Marimo exploited within 10 hours of disclosure. The flaw, impacting versions prior to 0.20.4, allows unauthenticated attackers to gain a full PTY shell via the terminal WebSocket endpoint. Exploitation observed included credential theft and deployment of NKAbuse, a multi-platform threat leveraging NKN for C2. CISA added CVE-2026-39987 to its KEV catalog, mandating remediation for FCEB agencies. → thehackernews.com |
| 2026-04-10 2026 | Critical Marimo Flaw Exploited Hours After Public Disclosure news | Writeup detailing the rapid exploitation of CVE-2026-39987, a critical unauthenticated RCE vulnerability in the Marimo reactive notebook. The flaw, discovered in the terminal WebSocket endpoint due to a lack of authentication validation, allowed attackers to gain an interactive shell and execute arbitrary commands. Exploitation began within nine hours of public disclosure, with attackers quickly moving to exfiltrate credentials and search for sensitive files like SSH keys. Releases up to Marimo 0.20.4 are affected, and users are urged to update to version 0.23.0 or newer. → securityweek.com |
| 2026-04-10 2026 | CISA Warns of Actively Exploited Ivanti EPMM Vulnerability news | Reference for CVE-2026-1340, a critical code-injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM). This flaw allows unauthenticated remote code execution, granting attackers control over the mobile management server and connected devices. CISA has issued an urgent directive for federal agencies to remediate this actively exploited vulnerability, and private-sector organizations are strongly encouraged to apply patches immediately due to the significant risks it poses. |
| 2026-04-10 2026 | Critical Chrome Vulnerabilities Let Attackers Execute Arbitrary Code news | Critical Chrome Vulnerabilities Let Attackers Execute Arbitrary Code https://ift.tt/okJfyG0 → cybersecuritynews.com |
| 2026-04-10 2026 | Critical Vulnerability in Ninja Forms Exposes WordPress Sites news | Library detailing an arbitrary file upload vulnerability (CVSS 9.8) in Ninja Forms – File Upload Plugin versions up to 3.3.26. This flaw allows unauthenticated attackers to upload malicious files, including PHP scripts, through insufficient file validation and filename manipulation, potentially leading to remote code execution and full website compromise. The vulnerability was discovered by Sélim Lanouar and patched in version 3.3.27. → infosecurity-magazine.com |
| 2026-04-10 2026 | U-Office Force Critical RCE via Insecure Deserialization (CVE-2026-3422) news Deser | Writeup of CVE-2026-3422 details an unauthenticated remote code execution vulnerability in U-Office Force, a product of e-Excellence. This critical flaw, rated CVSS 9.8, stems from insecure deserialization, where the application processes maliciously crafted serialized content without proper validation. Attackers can exploit this by crafting specific serialized payloads containing gadget chains, leading to arbitrary code execution on the server. Successful exploitation requires identifying input channels that deserialize data, such as API endpoints or file uploads. → thehackerwire.com |
| 2026-04-10 2026 | IBM Langflow Desktop RCE via Insecure Deserialization news Deser | Writeup of CVE-2026-3357, detailing an RCE vulnerability in IBM Langflow Desktop (versions 1.6.0-1.8.2) with a CVSS score of 8.8. Exploitation requires authentication and leverages insecure deserialization within the FAISS component, allowing an attacker to execute arbitrary code by providing malicious serialized data. → thehackerwire.com |
| 2026-04-10 2026 | CVE-2026-21858: Ni8mare Enables Unauthenticated RCE in n8n Webhooks news | Writeup detailing CVE-2026-21858 (Ni8mare), an unauthenticated RCE vulnerability in n8n workflow automation software. The flaw arises from content-type confusion, enabling attackers to read arbitrary files, forge admin sessions, and execute commands. This affects n8n versions prior to 1.121.0 and carries a CVSS score of 10.0. The writeup also briefly mentions CVE-2026-21877, N8scape (CVE-2025-68668), and CVE-2025-68613, which allow authenticated RCE. |
| 2026-04-10 2026 | Potentially Critical RCE in OpenSSL (CVE-2025-15467) news | Writeup of CVE-2025-15467, a critical RCE vulnerability in OpenSSL affecting versions 3.0 through 3.6. An attacker can exploit this stack overflow by sending a crafted CMS AuthEnvelopedData message with an oversized IV, triggering a buffer overflow before authentication. This vulnerability impacts applications calling specific CMS decryption APIs or using tools like `openssl cms` and `openssl smime`, and can be leveraged for remote code execution. Users should upgrade to patched versions immediately. |
| 2026-04-10 2026 | Wazuh RCE via Deserialization of Untrusted Data (CVE-2026-25769) news | Writeup of CVE-2026-25769, a critical RCE vulnerability in Wazuh versions 4.0.0 through 4.14.2. This Deserialization of Untrusted Data flaw, rated 9.1 CVSS, requires initial compromise of a worker node to enable an attacker to execute code with root privileges on the Wazuh master node. The fix is available in Wazuh version 4.14.3. → thehackerwire.com |
| 2026-04-10 2026 | CVE-2025-55182: React and Next.js Deserialization RCE Deep Dive intermediate | CVE-2025-55182: React and Next.js Deserialization RCE Deep Dive → akamai.com |
| 2026-04-10 2026 | Active Exploitation of 7-Zip RCE Vulnerability news | Analysis of active exploitation of 7-Zip RCE vulnerability CVE-2025-11001, stemming from improper symbolic link handling in crafted ZIP files. Exploitation allows attackers to overwrite system files or execute arbitrary code. NHS England Digital confirmed active exploitation, urging updates to version 25.0.0 or later, which also addresses CVE-2025-11002. Unpatched systems face risks including ransomware and data theft. |
| 2026-04-10 2026 | Update on React Server Components RCE (CVE-2025-55182 / CVE-2025-66478) news | Writeup detailing the evolving exploitation of React Server Components RCE (CVE-2025-55182, CVE-2025-66478): the invalid early PoC, the emergence of scanning utilities from Assetnote, and the eventual discovery of real RCE exploit chains that leverage unsafe export resolution and prototype chain manipulation for arbitrary code execution via mechanisms like `process.mainModule.require('https')` and runtime memory shells. Observed data exfiltration channels include response body output, OAST/DNSLog callbacks, and Next.js redirect headers. → securityboulevard.com |
| 2026-04-10 2026 | CVE-2025-34291 Exploited in the Wild: LangFlow AI Under Fire news | Writeup of CVE-2025-34291, a remote code execution vulnerability in LangFlow, reveals active exploitation in the wild. This cross-site request forgery flaw, stemming from improper CORS and SameSite cookie configurations, allows attackers to impersonate logged-in users and gain full control of AI infrastructure by exploiting Python code execution capabilities. Protection involves hardening LangFlow configurations by disabling authenticated cross-site requests or restricting allowed origins, upgrading to LangFlow 1.7, or utilizing a WAF like CrowdSec to block malicious IPs. |
| 2026-04-10 2026 | New runC Vulnerabilities Expose Docker and Kubernetes to Container Escape news | Writeup on CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 in runC, detailing how these vulnerabilities allow container escape through manipulation of bind mounts and /proc filesystem writes. Exploitation requires the ability to start containers with custom mount configurations, enabling attackers to compromise host systems and bypass LSM relabel protections. Versions prior to runC 1.2.8, 1.3.3, or 1.4.0-rc.3 are affected. |
| 2026-04-10 2026 | CVE-2025-39601: WordPress Custom CSS, JS and PHP Plugin CSRF to RCE news | Writeup of CVE-2025-39601, a Critical CSRF vulnerability in the WPFactory Custom CSS, JS & PHP plugin for WordPress. Versions up to and including 2.4.1 are affected, allowing unauthenticated attackers to achieve Remote Code Execution (RCE) by injecting malicious PHP code via unauthorized POST requests. Exploitation involves hosting a crafted HTML file that an authenticated administrator visits, triggering the injection of PHP code executed on page load. |
| 2026-04-10 2026 | CVE-2025-7384: Critical WordPress Plugin Unauthenticated RCE news | Writeup of CVE-2025-7384, a critical PHP Object Injection vulnerability in the "Database for Contact Form 7, WPforms, Elementor Forms" WordPress plugin. This flaw, with a CVSS score of 9.8, allows unauthenticated attackers to inject arbitrary PHP objects, leading to denial of service and potential remote code execution through malicious deserialization. The exploit can result in the deletion of critical files like `wp-config.php`, affecting over 70,000 installations. While version 1.4.4 patches new exploits, old malicious data in the database remains a risk requiring database sanitization. |
| 2026-04-10 2026 | Sneeit WordPress RCE Exploited in the Wild news | Writeup detailing active exploitation of CVE-2025-6389, a critical RCE vulnerability in the Sneeit Framework WordPress plugin, allowing unauthenticated attackers to execute arbitrary PHP functions like `wp_insert_user()` to create administrative backdoors. Exploitation involves crafting HTTP requests to `/wp-admin/admin-ajax.php` and uploading malicious PHP files such as "xL.php" and "up_sf.php." The report also notes concurrent attacks on ICTBroadcast, exploiting CVE-2025-2611 to deliver the "Frost" DDoS botnet, which employs spreader logic and targets specific response indicators before launching attacks. → thehackernews.com |
| 2026-04-10 2026 | Critical Pre-Auth RCE in ChurchCRM Setup Wizard news | Writeup of CVE-2026-39337, a critical pre-authentication RCE in ChurchCRM versions prior to 7.1.0. Attackers can inject arbitrary PHP code into the `$dbPassword` variable during the setup wizard's installation process, leading to complete server compromise. This vulnerability is an incomplete fix for CVE-2025-62521, highlighting ongoing input validation issues. → thehackerwire.com |
| 2026-04-10 2026 | Critical Unauthenticated RCE in n8n (CVE-2026-21858, CVSS 10.0) news | Writeup on CVE-2026-21858, a critical unauthenticated RCE in n8n versions prior to 1.121.0. Exploitation involves Content-Type confusion in webhook and file-handling logic, allowing attackers to override internal parsing, access sensitive files, forge sessions, and achieve arbitrary code execution. This leads to server takeover, credential theft, and lateral movement. Orca Security aids in identifying and prioritizing remediation for vulnerable n8n instances. |
| 2026-04-10 2026 | TryHackMe Spring AI: CVE-2026-22738 RCE Writeup news | TryHackMe Spring AI: CVE-2026-22738 RCE Writeup |
| 2026-04-10 2026 | Dangerous runC Flaws Allow Hackers to Escape Docker Containers news | Vulnerabilities in runC, CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, allow attackers with custom mount configurations to escape Docker and Kubernetes containers by exploiting bind-mounts and symlink race conditions to gain root privileges on the host system. Fixes are available in later runC versions, and mitigations include user namespaces and rootless containers. → bleepingcomputer.com |
| 2026-04-10 2026 | runC Container Escape Vulnerabilities: A Technical Overview intermediate | Writeup of runc container escape vulnerabilities, including CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, which allow arbitrary writes to procfs files. Exploitation involves custom mount configurations, potentially leading to host compromise in environments like Kubernetes. Mitigations include updating runc to v1.4.0-rc.3, v1.3.3, or v1.2.8, and employing user namespaces, non-root users, and security modules. |
| 2026-04-10 2026 | New runC Vulnerabilities Allow Container Escape in Docker and Kubernetes news | Analysis of three runc vulnerabilities, CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, details how attackers can achieve container escape in Docker and Kubernetes. These exploits leverage race conditions and mount manipulations, specifically involving maskedPaths abuse and /dev/console mount races, to gain root access to host systems by writing to critical procfs files. Mitigation strategies include updating runc, enabling user namespaces, and using rootless containers. |
| 2026-04-10 2026 | Attackers Exploit Critical Langflow RCE as CISA Sounds Alarm news | News article on CVE-2026-33017, an unauthenticated RCE in Langflow, and on detecting and mitigating its exploitation. This vulnerability allows unauthenticated attackers to execute arbitrary Python code by submitting malicious workflow data via the `build_public_tmp` endpoint. Attackers weaponized this flaw within hours of disclosure, leading to credential exfiltration and potential software supply chain compromise. Runtime detection is crucial, focusing on exploit behavior like shell command execution and data exfiltration over HTTP, rather than specific CVE signatures. → csoonline.com |
| 2026-04-10 2026 | CVE-2026-33017: How Attackers Compromised Langflow AI Pipelines in 20 Hours intermediate | Writeup detailing CVE-2026-33017, an unauthenticated RCE in Langflow, exploited within 20 hours of its advisory. Attackers leveraged the vulnerability's public flow build endpoint to execute arbitrary Python code, exfiltrating credentials and potentially compromising supply chains. Exploitation attempts observed included automated scanning via nuclei templates and custom Python scripts for deeper reconnaissance and data harvesting, highlighting the rapid weaponization trend of newly disclosed vulnerabilities. |
| 2026-04-10 2026 | CVE-2025-3248: RCE Vulnerability in Langflow news | Writeup detailing CVE-2025-3248, a critical remote code execution (RCE) vulnerability in Langflow. Exploitation of the `/api/v1/validate/code` endpoint allows unauthenticated arbitrary command execution by embedding malicious Python code within decorators or default function arguments, which are evaluated during AST processing prior to version 1.3.0. Recommendations include immediate upgrades, access restriction via ZTNA, input sandboxing, and monitoring. |
| 2026-04-10 2026 | React2Shell Explained: From Vulnerability Discovery to Exploitation intermediate | React2Shell Explained: From Vulnerability Discovery to Exploitation → resecurity.com |
| 2026-04-10 2026 | Protecting Against the Critical React2Shell RCE Exposure intermediate | Vendor writeup on identifying and mitigating the critical 'React2Shell' RCE vulnerability (CVE-2025-55182) affecting React Server Components and Next.js. This vulnerability allows unauthenticated attackers to perform server-side code execution via insecure deserialization in the RSC 'Flight' protocol. The writeup details immediate actions, provides detection rules, and shows how SentinelOne's Offensive Security Engine can verify exploitability of affected workloads. → sentinelone.com |
| 2026-04-10 2026 | React2Shell: Node.js RCE Against a Production Next.js App advanced | Analysis of CVE-2025-55182, "React2Shell," details a Node.js Remote Code Execution vulnerability in Next.js applications utilizing React Server Components. The exploit leverages the Flight protocol's unsafe deserialization to trigger `child_process.spawnSync()`, allowing arbitrary shell commands with server process privileges. The report reconstructs a six-stage attack campaign, including C2 communication across multiple servers and the use of Lachlan Davidson's "02-meow-rce-poc" for RCE confirmation, despite defensive measures like container restrictions limiting further attacker progression. |
| 2026-04-10 2026 | CVE-2025-68613: RCE via Expression Injection in n8n news | Writeup of CVE-2025-68613, a critical RCE vulnerability in n8n's expression evaluation engine. This flaw allows authenticated users to inject malicious JavaScript expressions, escaping the sandbox to execute arbitrary code on the server with n8n process privileges. Exploitation enables attackers to run OS commands, steal secrets, modify files, and gain full server control, impacting over 100,000 instances globally. The vulnerability affects versions from 0.211.0 up to 1.120.3 and early 1.122.x releases, with fixes available in versions 1.120.4, 1.121.1, and 1.122.0+. → resecurity.com |
| 2026-04-10 2026 | Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 news | Writeup of CVE-2026-34621, a zero-day vulnerability in Adobe Reader exploited since December 2025 via malicious PDFs. This sophisticated exploit, first observed in "Invoice540.pdf," uses obfuscated JavaScript to harvest sensitive data and potentially deliver subsequent payloads for remote code execution and sandbox escape. The exploit targets privileged Acrobat APIs and has been confirmed to work on the latest Adobe Reader version, necessitating user vigilance and prompt application of the provided security update. → thehackernews.com |
| 2026-04-10 2026 | WWBN AVideo RCE via Persistent PHP File Upload (CVE-2026-33717) news | Writeup of CVE-2026-33717, a remote code execution vulnerability in WWBN AVideo. This flaw allows unauthenticated attackers to persistently upload and execute arbitrary PHP files by exploiting improper handling of remote content in the `downloadVideoFromDownloadURL()` function and bypassing cleanup via an invalid `resolution` parameter. Affected versions include WWBN AVideo up to 26.0, and a fix is available in commit `6da79b43484099a0b660d1544a63c07b633ed3a2`. → thehackerwire.com |
| 2026-04-10 2026 | Explorance Blue RCE via Unrestricted File Upload intermediate | Writeup of CVE-2025-57794 impacting Explorance Blue, detailing an authenticated unrestricted file upload vulnerability allowing remote code execution. Exploitation requires administrative credentials and is possible on versions prior to 8.14.9 by uploading web shells (e.g., PHP, ASPX, JSP, CFML) to accessible directories. The flaw lies in the application's failure to validate file types, enabling attackers to execute arbitrary code on the server. Explorance has released version 8.14.9 to address this critical issue. → thehackerwire.com |
| 2026-04-10 2026 | From Pre-Auth SSRF to RCE in TruFusion Enterprise intermediate | Writeup detailing pre-authentication SSRF (CVE-2025-32355) and path traversal (CVE-2025-59793) vulnerabilities in TRUfusion Enterprise. The SSRF allows an attacker to abuse a misconfigured reverse proxy to access internal services, including an Axis2 interface. This Axis2 service, vulnerable to path traversal, can be exploited with the default 'trubiquity' password to achieve remote code execution by writing arbitrary files to the filesystem. |
| 2026-04-10 2026 | Serverless Security Risks 2026: Mitigating SSRF and RCE Threats intermediate SSRF | Overview of serverless security risks, covering SSRF and RCE with a focus on identity, permissions, and configuration. It explains how short-lived cloud credentials for AWS Lambda, Azure Functions, and Google Cloud Functions become primary targets when exposed, enabling privilege escalation and lateral movement. It emphasizes that interconnected services, shared dependencies, and insufficient visibility into invocation paths and configurations compound these risks, and advocates continuous monitoring and least-privilege enforcement. |
| 2026-04-10 2026 | Intigriti Challenge: SSRF to RCE via File Upload Bypass intermediate | Intigriti Challenge: SSRF to RCE via File Upload Bypass |
| 2026-04-10 2026 | Precurio Intranet Portal: CSRF to RCE via File Upload intermediate | Writeup detailing CVE-2026-32989, a CSRF to RCE vulnerability in Precurio Intranet Portal 4.4. This high-severity flaw (CVSS 8.8) allows an attacker to trick an authenticated user into uploading a malicious file. If the portal stores this file in a web-accessible, executable format, it can lead to arbitrary code execution on the web server. Exploitation requires an authenticated victim and network access to the target portal. → thehackerwire.com |
| 2026-04-10 2026 | Tiandy Easy7 RCE via OS Command Injection (CVE-2026-4585) intermediate | Writeup of CVE-2026-4585, a critical OS command injection vulnerability in Tiandy Easy7 Integrated Management Platform (versions prior to 7.17.0). This remote, unauthenticated flaw allows attackers to execute arbitrary commands via the `ImportSystemConfiguration.jsp` endpoint by manipulating the `File` argument. The exploit is publicly disclosed and requires no user interaction, presenting a severe risk of system compromise. → thehackerwire.com |
| 2026-04-10 2026 | OpenMetadata RCE via SSTI in FreeMarker Email Templates intermediate SSTI | Writeup of GHSA-5f29-2333-h9c7, detailing a critical Remote Code Execution vulnerability in OpenMetadata version 1.11.2. The vulnerability stems from Server-Side Template Injection (SSTI) within FreeMarker email templates, allowing an administrator to inject malicious code that is then executed by the server. Attack vectors include privilege escalation, data exfiltration, and establishing reverse shells, with significant impacts on confidentiality, integrity, and availability. |
| 2026-04-10 2026 | RCE in Airbyte via Server-Side Template Injection (SSTI) intermediate | Advisory on a Remote Code Execution (RCE) vulnerability via Server-Side Template Injection (SSTI) in Airbyte's connector builder Docker image. The vulnerability, discovered by Mike Cole of Mantel Group, could allow authenticated attackers to execute arbitrary code and expose sensitive information like credentials if a new connector is tested on a compromised instance. |
| 2026-04-10 2026 | File Upload Vulnerability Testing: Bypassing Filters and Getting RCE intermediate | Guide detailing techniques for bypassing file upload filters to achieve Remote Code Execution (RCE). It covers extension filter bypasses, including alternative extensions like `.php5`, `.phtml`, `.phar`, and double extensions, as well as Content-Type and magic byte manipulation. The guide also explores filename manipulation for path traversal, `.htaccess` uploads to enable PHP execution for any extension, and exploitation of image processing vulnerabilities like ImageMagick's CVE-2016-3714. It provides web shell payloads and discusses chaining file uploads with other vulnerabilities such as LFI, SSRF, XSS, and XXE. |
| 2026-04-10 2026 | Critical LFI to RCE in WP Ghost Plugin Affecting 200k+ Sites intermediate | Writeup of CVE-2025-26909, a critical unauthenticated Local File Inclusion (LFI) to Remote Code Execution (RCE) vulnerability in the WP Ghost WordPress plugin, affecting over 200,000 sites. The vulnerability arises from insufficient sanitization of user input in the `showFile` function, allowing path traversal and arbitrary file inclusion, potentially leading to RCE via techniques like `php://filter` chains or `PHP_SESSION_UPLOAD_PROGRESS`. The issue is fixed in version 5.4.02. |
| 2026-04-10 2026 | AI Workflows Under Fire: Critical RCE Flaws in Langflow news | Writeup on critical RCE and file write vulnerabilities in Langflow, a visual framework for AI agents. CVE-2026-33017, rated "Critical," allows unauthenticated RCE by exploiting a flaw in the build public flow endpoint's `exec()` function. CVE-2026-33309 permits authenticated arbitrary file writes through path traversal in the v2 API's file upload handling. Both affect version 1.8.1 and earlier, with recommendations for manual intervention including removing the data parameter from the public flow route and sanitizing multipart filenames. |
| 2026-04-10 2026 | CVE-2026-22812: RCE on a 71k-Star AI Coding Tool With Zero Auth news | CVE-2026-22812: RCE on a 71k-Star AI Coding Tool With Zero Auth |
| 2026-04-10 2026 | Root in One Request: Marimo's Critical Pre-Auth RCE (CVE-2026-39987) news | Writeup of CVE-2026-39987, a critical pre-authentication remote code execution vulnerability in the Marimo Python reactive notebook framework. This issue, with a CVSS v4.0 score of 9.3, stems from an unauthenticated WebSocket endpoint for the integrated terminal, allowing attackers to gain an interactive shell as the Marimo process user. The vulnerability has been exploited in the wild, and vulnerable instances are believed to be widespread. Marimo versions prior to 0.23.0 are affected. |
| 2026-04-10 2026 | Lessons From 2025: Zero-Day Exploitation Shaping 2026 news | Analysis of 2025 zero-day exploitation reveals critical vulnerabilities in enterprise software like Oracle EBS (CVE-2025-61882), Meta React Server Components (CVE-2025-55182), SAP NetWeaver (CVE-2025-31324), Microsoft SharePoint (CVE-2025-53770), and Citrix NetScaler (CVE-2025-5777). Financially motivated groups and China-aligned actors were prominent exploiters, demonstrating rapid weaponization of public disclosures and the lingering risk even after patches are released. Enterprise software's central role made it a prime target, with exploitation leading to widespread compromise and extortion. |
| 2026-04-10 2026 | Critical Zero-Day RCE in Networking Devices Exposes 70,000+ Hosts news | Critical Zero-Day RCE in Networking Devices Exposes 70,000+ Hosts → gbhackers.com |
| 2026-04-10 2026 | Cisco Patches Zero-Day RCE Exploited by China-Linked APT news | Reference detailing CVE-2025-20393, a critical remote command execution flaw in Cisco AsyncOS Software for Secure Email Gateway and Web Manager. Exploited by China-linked APT UAT-9686, this vulnerability, with a CVSS score of 10.0, allows arbitrary root command execution via insufficient validation of HTTP requests to the Spam Quarantine feature. Attackers deployed tools like ReverseSSH, Chisel, AquaPurge, and AquaShell. Cisco has released patches and recommends hardening guidelines, including firewalling, disabling unnecessary services, and enforcing strong authentication. → thehackernews.com |
| 2026-04-10 2026 | Critical Redis RCE Vulnerability: CVE-2025-49844 news | Writeup on CVE-2025-49844, dubbed #RediShell, detailing a critical Use-After-Free (UAF) vulnerability in Redis. This flaw allows authenticated attackers to execute arbitrary native code on the Redis host by escaping the Lua sandbox with a crafted Lua script. Given Redis's prevalence in cloud environments, this vulnerability poses a significant risk, potentially leading to data exfiltration, lateral movement, and system compromise. The writeup also highlights affected forks like Valkey and managed services such as Amazon ElastiCache, Google Cloud Memorystore, and Azure Cache for Redis. → wiz.io |
| 2026-04-10 2026 | CVE-2025-59287: WSUS Unauthenticated RCE Vulnerability news | Writeup detailing CVE-2025-59287, a critical (CVSS 9.8) unauthenticated RCE vulnerability in Windows Server Update Services (WSUS). The flaw stems from unsafe deserialization via .NET BinaryFormatter in WSUS reporting web services, allowing attackers to execute arbitrary code with SYSTEM privileges. Exploitation involves crafted SOAP requests to the GetCookie endpoint containing an encrypted gadget chain payload. Microsoft has released an out-of-band update, and active exploitation has been observed in the wild. → picussecurity.com |
| 2026-04-10 2026 | Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild news | Writeup detailing the exploitation of Ivanti EPMM by CVE-2025-4427 and CVE-2025-4428, a chain enabling unauthenticated RCE. The attack bypasses authentication via misconfigured Spring Security and leverages Java Expression Language injection for code execution. Observed in-the-wild activity includes Sliver beacon C2 communication, MySQL database dumping, deployment of JSP web shells, and direct reverse shells. Affected versions include 11.12.0.4 and prior, 12.3.0.1 and prior, 12.4.0.1 and prior, and 12.5.0.0 and prior. → wiz.io |
| 2026-04-10 2026 | CVE-2025-34291: Critical Account Takeover and RCE in Langflow news AuthN | Writeup of CVE-2025-34291, a critical vulnerability in Langflow enabling account takeover and RCE. The chain combines permissive CORS settings, a `SameSite=None` refresh token cookie, and the unauthenticated `/api/v1/refresh` endpoint to steal valid access tokens, which are then used against the `/api/v1/validate/code` endpoint for code execution. |
| 2026-04-10 2026 | 50,000+ WordPress Sites at Risk from Critical Ninja Forms RCE news | 50,000+ WordPress Sites at Risk from Critical Ninja Forms RCE → cyberpress.org |
| 2026-04-10 2026 | Critical Langflow RCE Flaw Exploited in the Wild Within Hours news | Writeup of CVE-2026-33017, a critical unauthenticated RCE in Langflow, detailing its exploitation within hours of disclosure. The vulnerability allows attackers to execute arbitrary Python code on exposed instances via the public flow build endpoint. Exploitation attempts involved mass scanning, reconnaissance, and data exfiltration of API keys for OpenAI, Anthropic, and AWS, leading to potential downstream compromises of AI pipelines and connected data stores. |
| 2026-04-10 2026 | CVE-2026-20131: Analysis of Cisco FMC RCE news | Analysis of CVE-2026-20131, a critical RCE vulnerability affecting Cisco Secure Firewall Management Center (FMC) Software, details how unauthenticated attackers can execute arbitrary Java code via a specially crafted serialized Java object. This vulnerability, actively exploited in the wild and added to CISA's KEV catalog, allows root privilege escalation and poses a significant risk to network security by potentially compromising entire infrastructures managed by FMC. Exploitation involves sending malicious HTTP requests triggering insecure deserialization, enabling post-exploitation activities like data exfiltration and backdoor installation. |
| 2026-04-10 2026 | n8n Critical Vulnerability (CVE-2026-21858): Unauthenticated RCE news | Writeup of CVE-2026-21858, an unauthenticated RCE in n8n, allowing full compromise of locally deployed instances through arbitrary file access, authentication bypass, and command execution. Discovered by Cyera Research Labs and nicknamed 'Ni8mare', this vulnerability highlights automation platforms as high-impact attack surfaces. Remediation involves upgrading n8n, restricting exposure of Forms and Webhooks, and reviewing workflow configurations. → aikido.dev |
| 2026-04-10 2026 | Critical Telnetd Flaw (CVE-2026-32746) Enables Root RCE news | Writeup of CVE-2026-32746, a critical out-of-bounds write vulnerability in GNU InetUtils telnetd's LINEMODE Set Local Characters suboption handler. This flaw allows unauthenticated remote attackers to execute arbitrary code as root by sending crafted messages during the initial connection handshake. Discovered by Dream, it affects versions through 2.7 and impacts various systems including FreeBSD, NetBSD, and TrueNAS Core. → thehackernews.com |
| 2026-04-10 2026 | Critical vLLM RCE Allows Server Takeover via Malicious Video URL (CVE-2026-22778) news | Writeup of CVE-2026-22778, a critical remote code execution flaw in vLLM. This vulnerability, triggered by a malicious video URL, chains a PIL error information leak for ASLR bypass with a JPEG2000 heap overflow in OpenCV's FFmpeg dependency. Exploitation leads to arbitrary command execution by overwriting function pointers, allowing server takeover. Organizations running vLLM with multimodal video support must upgrade to version 0.14.1 or later immediately. |
| 2026-04-10 2026 | CVE-2026-27825: Critical Unauthenticated RCE and SSRF in mcp-atlassian news SSRF | Writeup on CVE-2026-27825, detailing critical unauthenticated RCE and SSRF vulnerabilities in mcp-atlassian. The flaws stem from missing directory confinement and inadequate path traversal validation in attachment download tools, allowing arbitrary file writes for persistence or RCE. A related SSRF issue in header-controlled Atlassian base URLs is also covered. The patched release, 0.17.0, introduces `validate_safe_path()` and `validate_url_for_ssrf()` to mitigate these risks. → arcticwolf.com |
| 2026-04-10 2026 | Unrestricted File Upload Leads to SSRF and RCE intermediate | Writeup detailing an unrestricted file upload vulnerability, leveraging ImageMagick and its associated CVEs like CVE-2016-3714 and CVE-2016-3718. This post demonstrates how an attacker can achieve Server-Side Request Forgery (SSRF) and ultimately Remote Code Execution (RCE) through various ImageMagick exploits, including Ghostscript vulnerabilities. The author utilized Burp Suite for initial detection. |
| 2026-04-10 2026 | Complete Defense Against Node.js RCE: Real-World Exploit Analysis advanced | Analysis of Node.js RCE vulnerabilities, including CVE-2022-24329, details how attackers exploit `child_process.exec` misuse and improper input validation to achieve command injection. The article contrasts vulnerable code patterns, such as direct passing of user input to `exec`, with secure alternatives like `spawn` or `execFile` and emphasizes strict input validation and sanitization to prevent shell meta-character interpretation. It also discusses the need for an integrated security approach, combining SAST/DAST, cloud workload security with SeekersLab's FRIIM CNAPP, and real-time threat detection via Seekurity SIEM/SOAR, augmented by KYRA AI Sandbox for analyzing suspicious code. |
| 2026-04-10 2026 | Command Injection and RCE in MetaSpore (GHSL-2025-035 to 037) news | Writeup detailing command injection (GHSL-2025-035) and RCE (GHSL-2025-037) vulnerabilities in MetaSpore's recommendation service. The command injection allows overwriting arbitrary files and leaking AWS tokens via the `aws s3 sync` command. The RCE is achieved by exploiting an unprotected Consul instance and a Spring Expression Language injection in `spring.application.name`, leading to arbitrary code execution. An additional vulnerability (GHSL-2025-036) involves sensitive Spring Boot Actuator endpoints being exposed without authentication. → securitylab.github.com |
| 2026-04-10 2026 | Microsoft Bing Images OS Command Injection RCE intermediate | Writeup of CVE-2026-32191, a critical OS command injection vulnerability in Microsoft Bing Images that allows unauthenticated attackers to achieve remote code execution (RCE) over the network. The flaw stems from improper neutralization of special elements in OS commands, where unsanitized user input is incorporated into system calls, enabling the execution of arbitrary shell commands. Exploitation requires identifying an injection point and crafting payloads to bypass sanitization. → thehackerwire.com |
| 2026-04-10 2026 | AWS RES Root RCE via Crafted Session Name (CVE-2026-5707) intermediate | Writeup of CVE-2026-5707, an OS command injection flaw in AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01. A remote authenticated actor can exploit this vulnerability by providing a crafted virtual desktop session name, leading to arbitrary command execution with root privileges on the virtual desktop host. Exploitation requires valid credentials for the RES environment. Users should upgrade to RES version 2026.03 or apply a mitigation patch. → thehackerwire.com |
| 2026-04-10 2026 | Command Injection RCE in Kubernetes Log Query on Windows intermediate | Command Injection RCE in Kubernetes Log Query on Windows → akamai.com |
| 2026-04-10 2026 | Prompt Injection to RCE in AI Agents intermediate | Writeup on prompt injection leading to RCE in AI agents, detailing design antipatterns that enable argument injection attacks against pre-approved commands. The article demonstrates one-shot RCE exploits across three AI agent platforms, bypassing human approval through techniques like `go test -exec` and `git show --format`/`ripgrep --pre`. Recommendations focus on limiting impact via sandboxing and argument separation for developers, users, and security engineers. → blog.trailofbits.com |
| 2026-04-10 2026 | Group-Office Critical RCE via Insecure Deserialization (CVE-2026-34838) intermediate | Writeup of CVE-2026-34838 in Group-Office, detailing an insecure deserialization flaw in the `AbstractSettingsCollection` model. This critical vulnerability, requiring only authenticated low-privilege access, allows attackers to achieve Arbitrary File Write by injecting a serialized `FileCookieJar` object into setting strings. This file write directly enables Remote Code Execution on affected Group-Office versions prior to 6.8.156, 25.0.90, and 26.0.12. → thehackerwire.com |
| 2026-04-10 2026 | NVIDIA APEX Deserialization RCE (CVE-2025-33244) intermediate | Writeup of CVE-2025-33244 in NVIDIA APEX for Linux, detailing a critical deserialization of untrusted data vulnerability. This flaw, impacting PyTorch versions prior to 2.6, allows unauthenticated attackers to achieve arbitrary code execution, denial of service, privilege escalation, data tampering, and information disclosure by crafting malicious serialized data. Exploitation requires identifying the specific deserialization sink within APEX and understanding gadget chains in affected PyTorch versions, with upgrading PyTorch to 2.6 or later recommended as a mitigation. → thehackerwire.com |
| 2026-04-10 2026 | React2Shell and RSC Vulnerabilities: Exploitation Threat Brief intermediate | Threat brief on React2Shell (CVE-2025-55182) and the related CVE-2025-55183 and CVE-2025-55184 in React Server Components, with accompanying protection rules. Exploitation attempts, including those by Asian-nexus threat groups, were observed shortly after public disclosure, utilizing vulnerability scanners like Nuclei and Burp Suite. Threat actors employed Internet-wide scanning, asset discovery platforms, and metadata analysis, including SSL certificate details, to identify vulnerable deployments, with targeted efforts observed against geopolitical intelligence priorities, government entities, and critical infrastructure. |
| 2026-04-10 2026 | CVE-2025-55182: React Server Components RCE via Flight Payload Deserialization intermediate | Writeup of CVE-2025-55182, a critical RCE in React Server Components. This vulnerability allows unauthenticated attackers to achieve arbitrary JavaScript execution on the server by crafting malicious Flight payloads that exploit unsafe deserialization of Chunks. The attack leverages Promise resolution and nested deserialization to control server-side functions, enabling actions like file reading or command execution. Public exploit code exists, and affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0. |
| 2026-04-10 2026 | n8n CVE-2025-68613 RCE Exploitation: A Detailed Guide intermediate | Guide to CVE-2025-68613, a critical remote code execution vulnerability in n8n. This flaw, with a CVSS score of 9.9, allows authenticated users to compromise the entire system by injecting JavaScript expressions. Exploitation can lead to arbitrary command execution, file access, secret theft, and lateral movement within connected systems. The guide details the vulnerability's technical underpinnings, impact, and provides exploitation and testing examples across various n8n interfaces and API endpoints. |
| 2026-04-10 2026 | 2025 Zero-Days in Review: Lessons Learned news | Survey of 2025 zero-day exploits reveals a continued shift towards enterprise targets, with 48% of tracked vulnerabilities impacting enterprise software and edge devices. State-sponsored espionage groups, particularly those linked to the People's Republic of China (PRC) such as UNC5221 and UNC3886, heavily favored these technologies for initial network access, while commercial surveillance vendors also expanded their exploit chain development. Malware campaigns like BRICKSTORM highlighted a new paradigm of using stolen IP for long-term zero-day development. → cloud.google.com |
| 2026-04-10 2026 | Multiple Threat Actors Exploit React2Shell (CVE-2025-55182) news | Writeup detailing exploitation of CVE-2025-55182 ("React2Shell"), a critical RCE in React Server Components, by multiple threat actors including China-nexus espionage groups. Observed payloads include MINOCAT, SNOWLIGHT, HISONIC, COMPOOD backdoors, and XMRIG miners. The writeup highlights exploitation chains and post-compromise behaviors, with specific mention of UNC6600, UNC6586, UNC6588, and UNC6603 actors, and their deployment of these tools. It also addresses misinformation surrounding initial exploit disclosures, noting a GitHub repository that initially contained non-functional AI-generated exploit code before updating with legitimate, obfuscated samples. → cloud.google.com |
| 2026-04-10 2026 | React2Shell: Critical Unauthenticated RCE in React Server Components intermediate | Writeup of CVE-2025-55182, a critical unauthenticated RCE vulnerability affecting React Server Components and frameworks like Next.js, dubbed React2Shell. Exploitation in-the-wild has begun, with a working proof-of-concept and Metasploit module available. The vulnerability, with a CVSS of 10.0, allows attackers to execute arbitrary code via malicious HTTP requests. Remediation involves updating affected React packages to versions 19.0.1, 19.1.2, or 19.2.1. Rapid7 customers have detection capabilities via Exposure Command, InsightVM, and Nexpose. → rapid7.com |
| 2026-04-10 2026 | Defending Against React2Shell in React Server Components intermediate | Reference detailing CVE-2025-55182 (React2Shell), a critical pre-authentication RCE vulnerability in React Server Components, affecting frameworks like Next.js. The vulnerability, stemming from insecure payload validation and prototype pollution, allows attackers to execute arbitrary code via a single HTTP request. Observed exploits target Windows and Linux environments, deploying coin miners and RATs, and attempting to steal cloud credentials using tools like TruffleHog and Gitleaks. Mitigation includes immediate patching to updated React and Next.js versions, prioritizing internet-facing assets, and potentially using WAF protections. → microsoft.com |
| 2026-04-10 2026 | Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited news | Writeup detailing CVE-2025-8110, an actively exploited RCE in Gogs, a self-hosted Git service. This vulnerability is a symlink bypass of a previous RCE (CVE-2024-55947), allowing authenticated users to overwrite files outside the repository via the PutContents API. The exploit chain involves committing a symlink and then using the API to overwrite sensitive files like `.git/config`. Wiz Research discovered this zero-day during an investigation, finding over 700 compromised instances public-facing. A fix is available in Gogs version v0.13.4. → wiz.io |
| 2026-04-10 2026 | SharePoint RCE: Exploitation, Detection, and Mitigation intermediate | SharePoint RCE: Exploitation, Detection, and Mitigation → akamai.com |
| 2026-04-10 2026 | Apache ActiveMQ RCE via Jolokia API (CVE-2026-34197) intermediate | Writeup of CVE-2026-34197, an Apache ActiveMQ Classic RCE vulnerability leveraging the Jolokia JMX-HTTP bridge to trigger Remote Code Execution via a crafted discovery URI. Attackers can exploit this by invoking operations like BrokerService.addNetworkConnector, loading a remote Spring XML application context that leads to arbitrary code execution through Runtime.exec(). This flaw, with a CVSS score of 8.8, is particularly critical on versions 6.0.0-6.1.1 due to CVE-2024-32114, which makes exploitation unauthenticated. Patches are available in ActiveMQ Classic 5.19.4 and 6.2.3. |
| 2026-04-10 2026 | CVE-2026-34841: Bruno IDE RCE via Supply Chain Attack news | Analysis of CVE-2026-34841 reveals a critical supply chain attack impacting Bruno IDE versions prior to 3.2.1. This vulnerability stems from a compromised axios npm package dependency, which allowed attackers to deploy a cross-platform Remote Access Trojan. Exploitation necessitates users running `npm install` during the attack window, leading to full system compromise and unauthorized remote control. The recommended mitigation is to upgrade to Bruno version 3.2.1 or later. |
| 2026-04-10 2026 | Telnet Vulnerability Opens Door to Remote Code Execution as Root intermediate | Writeup on CVE-2026-32746, a critical vulnerability in GNU inetutils telnetd allowing pre-authentication remote code execution as root. Triggered by a buffer overflow in the LINEMODE Set Local Characters (SLC) handler, exploitation can lead to full system compromise on affected legacy infrastructure, networking equipment, and embedded systems. The flaw enables arbitrary memory writes via a corrupted pointer after exceeding a fixed buffer. Migrating to SSH, disabling telnetd, or blocking port 23 are recommended workarounds. → csoonline.com |
| 2026-04-10 2026 | CVE-2026-23744: Remote Code Execution in MCPJam Inspector PoC news | CVE-2026-23744: Remote Code Execution in MCPJam Inspector PoC |
| 2026-04-10 2026 | Remote Code Execution (RCE) 101 beginner | Remote Code Execution (RCE) 101 → bugcrowd.com |
| 2026-04-10 2026 | How I Got RCE in One of Bugcrowd's Public Programs intermediate | How I Got RCE in One of Bugcrowd's Public Programs |
| 2026-04-10 2026 | From Recon to RCE: Hunting React2Shell (CVE-2025-55182) intermediate | From Recon to RCE: Hunting React2Shell (CVE-2025-55182) → infosecwriteups.com |
| 2026-04-10 2026 | RCE via Unclaimed Node Package: $2,500 Bug Bounty Writeup intermediate | RCE via Unclaimed Node Package: $2,500 Bug Bounty Writeup |
| 2026-04-10 2026 | Max Severity Flowise RCE Vulnerability Now Exploited in Attacks news | News report on CVE-2025-59528 in Flowise, an open-source platform for LLM apps: a critical RCE vulnerability allowing arbitrary JavaScript code injection via the CustomMCP node. Developers should upgrade to version 3.0.6 or later to mitigate this threat, which has already been observed in active exploitation. Other Flowise vulnerabilities, CVE-2025-8943 and CVE-2025-26319, have also seen in-the-wild exploitation. → bleepingcomputer.com |
| 2026-04-10 2026 | CVE-2026-35056: XenForo RCE Vulnerability for Admin Accounts news | Writeup of CVE-2026-35056, a High severity (CVSS 4.0: 8.6) Code Injection vulnerability in XenForo versions prior to 2.3.9 and 2.2.18. This RCE vulnerability allows authenticated admin users to execute arbitrary code remotely. While no public proof-of-concept or active exploitation has been confirmed, users should promptly apply vendor patches and review the official advisory for affected systems. |
| 2026-04-10 2026 | CVE-2026-1731: Critical Unauthenticated RCE in BeyondTrust Remote Support news | Writeup of CVE-2026-1731, a critical unauthenticated RCE in BeyondTrust Remote Support and Privileged Remote Access products, which allows attackers to execute arbitrary OS commands. This vulnerability, with a CVSSv4 score of 9.9, affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. While SaaS instances were patched, self-hosted deployments require manual updates. Discovered by Hacktron AI, the flaw was added to CISA's KEV list on February 13, 2026. Rapid7 customers using Exposure Command, InsightVM, and Nexpose can assess their exposure with authenticated checks released February 9, 2026. → rapid7.com |
| 2026-04-10 2026 | PraisonAI Critical RCE via Malicious YAML Parsing (CVE-2026-39890) news | Writeup of CVE-2026-39890, a critical RCE vulnerability in PraisonAI, allowing arbitrary JavaScript execution via insecure YAML parsing. The flaw exists in `AgentService.loadAgentFromFile`, which improperly handles dangerous `js-yaml` tags like `!!js/function` and `!!js/undefined` when processing agent definition files. Exploitation involves crafting a malicious YAML file with embedded JavaScript and uploading it to the server, leading to server-side code execution. The vulnerability affects versions prior to 4.5.115 and is mitigated by upgrading. → thehackerwire.com |
| 2026-04-10 2026 | Critical n8n Flaws Allow Remote Code Execution and Credential Exposure news | Writeup detailing critical n8n vulnerabilities including CVE-2026-27577 (expression sandbox escape for RCE) and CVE-2026-27493 (unauthenticated expression evaluation via Form nodes). These flaws, along with CVE-2026-27495 (JavaScript Task Runner code injection) and CVE-2026-27497 (Merge node SQL query mode RCE), allow for arbitrary code execution and credential exposure. Patched versions are 2.10.1, 2.9.3, and 1.123.22. → thehackernews.com |
| 2026-04-09 2026 | CISA adds second critical flaw in Ivanti EPMM to exploited vulnerabilities catalog news | CISA adds second critical flaw in Ivanti EPMM to exploited vulnerabilities catalog https://ift.tt/vfeE3wl → cybersecuritydive.com |
| 2026-04-09 2026 | 13-year-old Apache ActiveMQ RCE vulnerability discovered, AI assisted in finding exploit news | News report on CVE-2026-34197, an Apache ActiveMQ Classic RCE vulnerability allowing arbitrary command execution. This 13-year-old flaw, exacerbated by CVE-2024-32114's unauthenticated API access in versions 6.0.0-6.1.1, leverages the Jolokia management API to load external Spring XML configurations. AI assistance, including Claude, aided in identifying the exploit path. Prompt patching to 5.19.4 or 6.2.3+ is critical due to widespread enterprise use and prior attack history. → scworld.com |
| 2026-04-09 2026 | CISA Warns of Critical Ivanti EPMM Code Injection Vulnerability Exploited in Attacks news | CISA Warns of Critical Ivanti EPMM Code Injection Vulnerability Exploited in Attacks https://ift.tt/2MVIqDl → cybersecuritynews.com |
| 2026-04-09 2026 | Claude helps researcher dig up decade-old Apache ActiveMQ RCE vulnerability (CVE-2026-34197) news | Writeup detailing CVE-2026-34197, a decade-old RCE vulnerability in Apache ActiveMQ Classic stemming from improper input validation and code injection. This vulnerability, exploitable with default credentials or unauthenticated in certain versions due to CVE-2024-32114, was discovered with AI assistance. Mitigation involves upgrading to ActiveMQ versions 6.2.3 or 5.19.4 and monitoring logs for specific indicators of compromise. CISA has since added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog. → helpnetsecurity.com |
| 2026-04-09 2026 | ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year Apache RCE, ClickFix, Node.js RAT & 18 More Stories news | Bulletin covering hybrid Phorpiex botnet variants, chained Apache ActiveMQ Classic RCE vulnerabilities (CVE-2026-34197, CVE-2024-32114, CVE-2022-41678), AI-driven DDoS tactics amplified by IoT botnets like TurboMirai, Magecart skimmers hidden in SVG elements affecting Magento stores, and malicious MSI installers delivering Node.js RATs. → thehackernews.com |
| 2026-04-08 2026 | 13-year-old bug in ActiveMQ lets hackers remotely execute commands news | Writeup detailing CVE-2026-34197, a 13-year-old remote code execution vulnerability in Apache ActiveMQ Classic affecting versions before 5.19.4 and 6.2.3. Discovered using Claude AI, the flaw allows attackers to execute arbitrary commands by exploiting the Jolokia management API to load external configurations, often chaining with CVE-2024-32114 for unauthenticated access. This issue underscores ActiveMQ's history as a target for attackers, with previous RCEs like CVE-2016-3088 and CVE-2023-46604 appearing on CISA's KEV list. → bleepingcomputer.com |
| 2026-04-08 2026 | Critical Ninja Forms vulnerability allows remote code execution news | Writeup of CVE-2026-0740, a critical vulnerability in Ninja Forms File Uploads affecting WordPress. This flaw allows unauthenticated arbitrary file uploads due to missing file type and extension validation, enabling path traversal to execute code via web shells. Over 3,600 exploitation attempts were blocked by Wordfence recently. Versions up to 3.3.26 are impacted, with a patch available in 3.3.27. → scworld.com |
| 2026-04-08 2026 | RCE Bug Lurked in Apache ActiveMQ Classic for 13 Years news | Writeup of CVE-2026-34197, a critical RCE vulnerability in Apache ActiveMQ Classic discovered by Horizon3.ai. This flaw, present for 13 years, can be chained with CVE-2022-41678, allowing attackers to exploit the Jolokia API and VM transport to execute OS commands. In some deployments, it can be combined with CVE-2024-32114 for unauthenticated RCE. Updates to ActiveMQ Classic 5.19.4 and 6.2.3 are recommended. → securityweek.com |
| 2026-04-08 2026 | Claude Discovers 13-Year-Old RCE Vulnerability in Apache ActiveMQ Within Minutes news | Claude Discovers 13-Year-Old RCE Vulnerability in Apache ActiveMQ Within Minutes https://ift.tt/6HFLTCo → cyberpress.org |
| 2026-04-08 2026 | Fortinet FortiClientEMS Remote Code Execution Vulnerability news | Writeup of CVE-2026-35616 in FortiClientEMS, an Improper Access Control vulnerability allowing unauthenticated attackers to execute unauthorized code or commands via crafted requests. Exploited in the wild, this vulnerability can lead to remote code execution and elevation of privilege on affected systems. Users should update to FortiClientEMS 7.4.7 or later. → hkcert.org |
| 2026-04-08 2026 | Hackers Targeting Ninja Forms Bug That Exposes WordPress Sites to Takeover news | Writeup on CVE-2026-0740, a critical unauthenticated arbitrary file upload vulnerability in Ninja Forms' File Uploads addon. This flaw, with a CVSS score of 9.8, allows attackers to bypass file type validation and use path traversal to upload malicious PHP code to the webroot, enabling remote code execution and complete site takeover. Defiant reports thousands of exploitation attempts against the ~50,000 affected websites. Users should update to version 3.3.27. → securityweek.com |
| 2026-04-08 2026 | Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations news | Writeup detailing Storm-1175's high-tempo Medusa ransomware operations, exploiting N-days like CVE-2023-21529 (Microsoft Exchange), CVE-2023-27351 (Papercut), and CVE-2024-21887 (Ivanti), alongside zero-days. The actor rapidly chains exploits, establishes persistence via new users, uses tools like PsExec and RMMs (Atera, N-able), PDQ Deployer, and Impacket for lateral movement and credential theft before deploying ransomware. → microsoft.com |
| 2026-04-08 2026 | Claude Uncovers 13-Year-Old RCE Flaw in Apache ActiveMQ in Just 10 Minutes news | Claude Uncovers 13-Year-Old RCE Flaw in Apache ActiveMQ in Just 10 Minutes https://ift.tt/JFu4DIs → cybersecuritynews.com |
| 2026-04-08 2026 | CUPS Vulnerability Chain Enables Remote Attacker to Execute Malicious Code as Root User news | CUPS Vulnerability Chain Enables Remote Attacker to Execute Malicious Code as Root User https://ift.tt/fhiH3dM → cybersecuritynews.com |
| 2026-04-08 2026 | Claude Identifies Critical 13-Year-Old RCE Vulnerability in Apache ActiveMQ news | Claude Identifies Critical 13-Year-Old RCE Vulnerability in Apache ActiveMQ https://ift.tt/dEBfCoy → gbhackers.com |
| 2026-04-07 2026 | Attackers exploit critical Flowise flaw CVE-2025-59528 for remote code execution news | Writeup of CVE-2025-59528 in Flowise, detailing how attackers exploit improper JavaScript validation in the CustomMCP node for remote code execution and file system access. The vulnerability, fixed in version 3.0.6, allows arbitrary JavaScript execution with full Node.js privileges, enabling command execution and data theft, and has seen active exploitation in the wild, targeting thousands of exposed instances. → securityaffairs.com |
| 2026-04-07 2026 | Hackers exploit critical flaw in Ninja Forms WordPress plugin news | Writeup detailing CVE-2026-0740, a critical 9.8 severity vulnerability in Ninja Forms File Uploads for WordPress versions up to 3.3.26. The flaw allows unauthenticated arbitrary file uploads, including PHP scripts, through a lack of destination filename validation and supports path traversal, enabling remote code execution. The vulnerability was discovered by Sélim Lanouar and reported to Wordfence, who provided temporary firewall mitigations before the vendor released a full fix in version 3.3.27. → bleepingcomputer.com |
| 2026-04-07 2026 | Active exploitation of max severity Flowise bug threatens broad compromise news | News report on CVE-2025-59528, a critical code injection vulnerability in Flowise. Exploitation of this flaw allows for remote code execution, abuse of sensitive Node.js modules like `child_process` and `fs`, system compromise, file system infiltration, and data theft. → scworld.com |
| 2026-04-07 2026 | New CUPS vulnerabilities threaten RCE network breaches news | Analysis of CVE-2026-34980 and CVE-2026-34990, two critical vulnerabilities in the Common Unix Printing System (CUPS), reveals their potential to enable unauthenticated remote code execution and root file overwrite on Linux and Unix-like systems. Exploitation involves chaining a print job submission to a PostScript queue with an authorization flaw, allowing low-privileged accounts to gain root access. These findings, discovered by SpaceX security engineer Asim Viladi Oglu Manizada, highlight the increasing role of AI in vulnerability detection. → scworld.com |
| 2026-04-07 2026 | Critical CUPS Vulnerability Chain Allows Remote Code Execution as Root news | Critical CUPS Vulnerability Chain Allows Remote Code Execution as Root https://ift.tt/LX3eCBW → cyberpress.org |
| 2026-04-07 2026 | Critical Flaw in Windmill Developer Platform Allows Remote Code Execution news | Critical Flaw in Windmill Developer Platform Allows Remote Code Execution https://ift.tt/dyo0Wb8 → cyberpress.org |
| 2026-04-07 2026 | Critical Flowise Vulnerability in Attacker Crosshairs news | News report on CVE-2025-59528, a critical remote code execution vulnerability in Flowise affecting versions up to 3.0.5. This flaw allows attackers to exploit unvalidated user-supplied JavaScript in MCP server configuration, granting full Node.js runtime privileges and access to the file system. Threat actors are actively exploiting this bug, posing an extreme risk to business continuity and sensitive data for thousands of exposed Flowise instances. Version 3.0.6 includes the patch. → securityweek.com |
| 2026-04-07 2026 | CUPS Vulnerabilities Could Allow Remote Attackers to Achieve Root-Level Code Execution news | CUPS Vulnerabilities Could Allow Remote Attackers to Achieve Root-Level Code Execution https://ift.tt/wYjmefB → gbhackers.com |
| 2026-04-07 2026 | Windmill Developer Platform Flaws Expose Users to RCE Attacks Proof-of-Concept Published news | Windmill Developer Platform Flaws Expose Users to RCE Attacks, Proof-of-Concept Published https://ift.tt/TP7IyrR → gbhackers.com |
| 2026-04-07 2026 | 50000 WordPress Sites Exposed to Critical Ninja Forms File Upload RCE Vulnerability news | 50,000 WordPress Sites Exposed to Critical Ninja Forms File Upload RCE Vulnerability https://ift.tt/E9Pb0B5 → cybersecuritynews.com |
| 2026-04-07 2026 | Over 1000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign news | Writeup on a campaign targeting over 1,000 exposed ComfyUI instances, in which attackers exploit custom node vulnerabilities for remote code execution. This enables enrollment into a cryptomining botnet for Monero and Conflux using XMRig and lolMiner, and deployment into a Hysteria V2 proxy botnet. The attack leverages tools that scan for vulnerable ComfyUI instances, install malicious nodes like "ComfyUI-Shell-Executor," and establish persistence via shell scripts that disable history, kill competing miners, and use `LD_PRELOAD` hooks and `chattr +i` for resilience. → thehackernews.com |
| 2026-04-07 2026 | Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited news | Writeup of CVE-2026-35616, a critical improper access control vulnerability affecting FortiClient EMS, which has been exploited in the wild, allowing unauthenticated attackers to execute unauthorized code via crafted requests. This follows the discovery and exploitation of another critical flaw, CVE-2026-21643, an SQL injection vulnerability in the same platform, highlighting the significant risks associated with compromised endpoint management infrastructure. → infosecurity-magazine.com |
| 2026-04-07 2026 | Attackers Exploit Flowise Injection Vulnerability as 15000 Instances Remain Exposed news | Attackers Exploit Flowise Injection Vulnerability as 15,000+ Instances Remain Exposed https://ift.tt/FSIN53K → gbhackers.com |
| 2026-04-07 2026 | 50000 WordPress Sites Running Ninja Forms Vulnerable to Critical File Upload RCE news | 50,000 WordPress Sites Running Ninja Forms Vulnerable to Critical File Upload RCE https://ift.tt/lyKOd6c → gbhackers.com |
| 2026-04-07 2026 | Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12000 Instances Exposed news | Writeup on CVE-2025-59528, a CVSS 10.0 code injection vulnerability in Flowise AI Agent Builder, allowing remote code execution via JavaScript code injection, similar to prior Flowise flaws like CVE-2025-8943 and CVE-2025-26319. Exploitation can grant access to Node.js modules like `child_process` and `fs`, enabling system compromise, file access, and data exfiltration. Over 12,000 instances remain exposed, facing active exploitation. → thehackernews.com |
| 2026-04-07 2026 | AI agents found vulns in this popular Linux and Unix print server news | Writeup of CVE-2026-34980 and CVE-2026-34990 in CUPS, a popular Linux and Unix print server, detailing how two chained vulnerabilities allow unauthenticated remote attackers to execute code and achieve root file overwrite. The flaws, discovered by AI agents and a security researcher, exploit CUPS' handling of anonymous print-job requests and option parsing to enable code injection. CVE-2026-34980 provides remote code execution as the `lp` user, which can then be chained with CVE-2026-34990, an authorization flaw, to gain root privileges. → theregister.com |
| 2026-04-06 2026 | CVE-2026-2699 and CVE-2026-2701 news | Writeup detailing CVE-2026-2699 and CVE-2026-2701, two critical severity vulnerabilities in Progress ShareFile Storage Zones Controller (SZC) 5.x. CVE-2026-2699, an authentication bypass via improper redirect/session handling, allows unauthenticated access to administrative functions. When combined with CVE-2026-2701, an arbitrary file upload to the webroot flaw, these vulnerabilities enable pre-authentication remote code execution. Affected versions include SZC 5.x up to 5.12.3, with fixes available in 5.12.4. → arcticwolf.com |
| 2026-04-06 2026 | 2000 FortiClient EMS Instances Exposed Online Amid Active RCE Vulnerability Exploits in the Wild news | 2,000+ FortiClient EMS Instances Exposed Online Amid Active RCE Vulnerability Exploits in the Wild https://ift.tt/Xwvjd0z → cybersecuritynews.com |
| 2026-04-06 2026 | Attackers Exploit RCE Flaw as 14000 F5 BIG-IP APM Instances Remain Exposed news | Writeup detailing CVE-2025-53521, a critical RCE vulnerability affecting F5 BIG-IP APM instances. Attackers are actively exploiting this flaw, which allows specially crafted traffic to trigger remote code execution when access policies are enabled. Shadowserver reports over 14,000 exposed instances, with CISA adding the vulnerability to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch by March 30, 2026. → securityaffairs.com |
| 2026-04-06 2026 | Oracle issues emergency fix for pre-auth RCE in Identity Manager (CVE-2026-21992) news | Writeup on Oracle's emergency patch for CVE-2026-21992, a critical pre-authentication RCE vulnerability in Oracle Identity Manager and Oracle Web Services Manager. This unauthenticated flaw, affecting versions 12.2.1.4.0 and 14.1.2.1.0, mirrors the exploited CVE-2025-61757, also a missing authentication issue in Identity Manager reported by Assetnote / Searchlight Cyber. Urgent application of this emergency fix is recommended to prevent system takeover. → helpnetsecurity.com |
| 2026-04-06 2026 | Critical Flaws Identified in Progress Software ShareFile Service news | Critical Flaws Identified in Progress Software ShareFile Service https://ift.tt/ERZfLV6 |
| 2026-04-06 2026 | 2000 FortiClient EMS Instances Exposed Online as Attackers Exploit Active RCE Flaw news | 2,000+ FortiClient EMS Instances Exposed Online as Attackers Exploit Active RCE Flaw https://ift.tt/e3stSz8 → gbhackers.com |
| 2026-04-06 2026 | Metasploit Wrap-Up 04/03/2026 news | Metasploit Framework release wrap-up introducing new HTTP/HTTPS CMD payloads for Windows, enabling RCE against FreeScout (CVE-2026-27636, CVE-2026-28289) and Grav CMS (CVE-2025-50286). It also adds a generic HTTP command execution exploit, a Windows persistence technique via `UserInitMprLogonScript`, and various enhancements, bug fixes, and documentation updates. → rapid7.com |
| 2026-04-06 2026 | Multiple Vulnerabilities in Progress ShareFile Could Allow for Remote Code Execution news | Advisory detailing multiple vulnerabilities in Progress ShareFile versions prior to 5.12.4. Chained exploitation of an authentication bypass (CVE-2026-2699) and a remote code execution flaw (CVE-2026-2701) allows attackers to upload malicious ASPX webshells via abuse of file upload and extraction functionality. Public proof-of-concept code is available for the mentioned CVEs. |
| 2026-04-06 2026 | Critical RCE Vulnerability in F5 BIG-IP Under Exploitation news | Critical RCE Vulnerability in F5 BIG-IP Under Exploitation |
| 2026-04-06 2026 | CVE-2026-20131 Cisco FMC RCE Vulnerability news | Writeup of CVE-2026-20131, a critical RCE vulnerability in Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control Firewall Management. This insecure deserialization flaw in the web interface allows unauthenticated remote attackers to execute arbitrary code as root, and has been observed in ransomware campaigns. The vulnerability affects specific Cisco FMC and Security Cloud Control Firewall Management versions, with Cisco issuing software updates as the sole remediation. |
| 2026-04-06 2026 | Emerging Threat: CVE-2026-27876 Grafana Remote Code Execution via SQL Expressions news | Writeup of CVE-2026-27876, a critical RCE vulnerability in Grafana's sqlExpressions feature, allowing arbitrary file writes to achieve remote code execution. Exploitable with viewer access, it affects specific versions of Grafana 11 and 12 when the feature is enabled, particularly impacting Information Technology and Communication Services sectors. Patches are available, with workarounds including disabling the feature toggle and network restriction. |
| 2026-04-05 2026 | Critical Remote Code Execution Vulnerability in Cisco Secure Firewall Management Center (CVE-2026-20131) news | Writeup on CVE-2026-20131, a critical RCE vulnerability in Cisco Secure Firewall Management Center, exploitable via insecure deserialization of Java objects. This unauthenticated attack allows arbitrary code execution and privilege escalation to root. Active exploitation was observed, leading to inclusion in CISA's KEV catalog and a mandate for remediation in federal agencies. Exploitation leverages YSoSerial, with techniques including command-and-control communication. → securityboulevard.com |
| 2026-04-05 2026 | New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation news | Writeup on CVE-2026-5281, a critical use-after-free vulnerability in Chrome's Dawn component. This zero-day flaw, actively exploited in the wild, allows remote attackers to execute arbitrary code via crafted HTML pages. The advisory highlights recent exploitation trends, including CVE-2026-3909, CVE-2026-3910, and CVE-2026-2441, urging users to update to the latest Chrome versions. → thehackernews.com |
| 2026-04-04 2026 | Critical Grafana Vulnerabilities Enable Remote Code Execution and DoS Attacks news | Writeup of critical Grafana vulnerabilities, CVE-2026-27876 and CVE-2026-27880, enabling remote code execution and denial-of-service attacks. CVE-2026-27876, a CVSS 9.1 flaw in SQL expressions, allows arbitrary file writes leading to RCE and SSH access. CVE-2026-27880 affects OpenFeature validation endpoints, permitting instance crashes via large requests. Recommendations include immediate upgrades, disabling SQL expressions, and edge-level DoS mitigation using reverse proxies like Nginx or Cloudflare. → securityboulevard.com |
| 2026-04-04 2026 | 14000 F5 BIG-IP APM Devices Exposed Online Amid Active RCE Vulnerability Exploits news | 14,000+ F5 BIG-IP APM Devices Exposed Online Amid Active RCE Vulnerability Exploits https://ift.tt/WvUC40h → cybersecuritynews.com |
| 2026-04-03 2026 | CISA Warns of Craft CMS Code Injection Flaw Exploited in Active Attacks news | CISA Warns of Craft CMS Code Injection Flaw Exploited in Active Attacks https://ift.tt/VpJB7hM → gbhackers.com |
| 2026-04-03 2026 | New Progress ShareFile Flaws Expose Servers to Unauthorized Remote Takeover news | New Progress ShareFile Flaws Expose Servers to Unauthorized Remote Takeover https://ift.tt/ZupJCrH → gbhackers.com |
| 2026-04-03 2026 | Researchers warn of critical flaws in Progress ShareFile news | Researchers warn of critical flaws in Progress ShareFile https://ift.tt/OIsV6B0 → cybersecuritydive.com |
| 2026-04-03 2026 | SSTI (Server-Side Template Injection) to RCE Walkthrough intermediate | SSTI (Server-Side Template Injection) to RCE Walkthrough |
| 2026-04-03 2026 | SSTI Leading to Remote Code Execution (RCE) intermediate | SSTI Leading to Remote Code Execution (RCE) |
| 2026-04-03 2026 | OpenOlat Velocity Template Injection Leads to RCE intermediate | Writeup of CVE-2026-28228 in OpenOlat details a high-severity server-side template injection vulnerability. Exploitable by authenticated users with the Author role, it allows Velocity directives to be injected into reminder email templates, leading to remote code execution (RCE) via Java reflection and `ProcessBuilder`. Affected versions include those prior to OpenOlat 19.1.31, 20.1.18, and 20.2.5. → thehackerwire.com |
| 2026-04-03 2026 | A Pentester's Guide to SSTI \| Cobalt beginner SSTI | Guide to Server-Side Template Injection (SSTI) detailing how attackers exploit template engines like Smarty, Twig, Velocity, Jinja, and Liquid to achieve remote code execution (RCE). It describes using polyglot payloads to detect vulnerabilities, identify template engines through error messages, and leverage available objects like `settings.SECRET_KEY` for exploitation. The guide also mentions Tplmap as an automated tool for SSTI exploitation and suggests input sanitization and sandboxing as remediation techniques. → cobalt.io |
| 2026-04-03 2026 | RCE with Server-Side Template Injection intermediate | RCE with Server-Side Template Injection |
| 2026-04-03 2026 | Rejetto HTTP File Server SSTI RCE (CVE-2024-23692) \| Invicti news | Writeup of CVE-2024-23692, a Server-Side Template Injection (SSTI) vulnerability in Rejetto HTTP File Server (HFS) versions 2.3m and earlier. This flaw allows unauthenticated remote code execution via a malicious HTTP request. Remediation involves migrating to HFS 3.x, as version 2.x is end-of-life and unsupported. Compensating controls include network access restrictions, reverse proxy filtering, or temporary service shutdown. → invicti.com |
| 2026-04-03 2026 | WPML Plugin RCE via Twig SSTI (CVE-2024-6386) news | Writeup detailing CVE-2024-6386, an authenticated Remote Code Execution vulnerability in the WPML Multilingual CMS Plugin for WordPress. The vulnerability stems from a Twig Server-Side Template Injection (SSTI) flaw due to inadequate input sanitization within shortcode processing. Exploitation involves constructing payloads using the `dump()` function to dynamically gather necessary characters, bypassing quote restrictions and enabling arbitrary command execution. Affected versions are `<= 4.6.11`. |
| 2026-04-03 2026 | PayloadsAllTheThings - Server Side Template Injection beginner SSTI | Library of Server-Side Template Injection (SSTI) techniques and tools, including scanners like Hackmanit/TInjA and epinna/tplmap, along with research on Rendered, Error-Based, Boolean-Based, and Time-Based exploitation. It details methods for identifying template engines such as Jinja2, Twig, and FreeMarker, and provides example payloads and research papers like James Kettle's "Server-Side Template Injection: RCE For The Modern Web App." |
| 2026-04-03 2026 | SSTI: Advanced Exploitation Guide \| Intigriti advanced SSTI | Library that details advanced exploitation techniques for Server-Side Template Injection (SSTI) vulnerabilities. It covers identification methods for template engines like Jinja2, Twig, and ERB, and demonstrates how to escalate basic injections to remote code execution by exploiting sandboxed environments and chained objects, offering practical examples for Python, PHP, Ruby, JavaScript, Java, and C# template engines. → intigriti.com |
| 2026-04-03 2026 | SSTI Exploitation with RCE Everywhere \| YesWeHack intermediate SSTI | Writeup detailing advanced Server-Side Template Injection (SSTI) exploitation techniques for achieving Remote Code Execution (RCE) without quotes or external plugins. It covers payloads for Jinja2, Mako, Twig, Smarty, Blade, Groovy, and FreeMarker, demonstrating how to bypass auto-escaping and exploit built-in functions like `chr`, `popen`, `passthru`, and `execute` across various languages and frameworks. → yeswehack.com |
| 2026-04-03 2026 | Progress ShareFile vulnerabilities allow unauthenticated file exfiltration news | Writeup detailing Progress ShareFile vulnerabilities CVE-2026-2699 and CVE-2026-2701, which allow unauthenticated file exfiltration. Exploitation involves chaining an authentication bypass with remote code execution within the Storage Zones Controller (SZC). Researchers at watchTowr discovered these flaws, affecting Progress ShareFile versions 5.x. Progress has released version 5.12.4 to patch these critical issues. → scworld.com |
| 2026-04-03 2026 | Critical ShareFile Flaws Lead to Unauthenticated RCE news | Writeup detailing chained vulnerabilities CVE-2026-2699 (Execution After Redirect) and CVE-2026-2701 (arbitrary file upload) in Citrix ShareFile. WatchTowr discovered these flaws allowed unauthenticated attackers to gain administrative access, exfiltrate sensitive files to attacker-controlled S3 buckets, and achieve remote code execution by uploading a web shell. The vulnerabilities were patched in ShareFile version 5.12.4. → securityweek.com |
| 2026-04-03 2026 | Under Fire: Attackers Target Flaws in F5 and Citrix Gear news | Library: Actively exploited vulnerabilities in F5 BIG-IP APM (CVE-2025-53521, a critical remote code execution flaw) and NetScaler ADC/Gateway (CVE-2026-3055, a critical memory overread, and CVE-2026-4368, a session mix-up) are detailed. Attackers, including nation-state actors, are targeting these application delivery and security platforms, with F5 revising its BIG-IP APM flaw severity from denial-of-service to remote code execution, and CISA mandating patching for federal agencies. Memory leak vulnerabilities in Citrix products, like the previously disclosed CitrixBleed, continue to be a significant concern. |
| 2026-04-03 2026 | AI discovers RCE vulnerabilities in Vim and Emacs text editors news | News report on AI-assisted discovery of remote code execution (RCE) vulnerabilities in text editors: a modeline-related RCE in Vim (versions 9.2.0271 and earlier) and a Git-integration flaw in GNU Emacs that allows arbitrary command execution via a `core.fsmonitor` program. The AI also assisted with exploit development and proposed fixes. → scworld.com |
| 2026-04-02 2026 | Critical Fortinet FortiClient EMS flaw exploited for Remote Code Execution news | Writeup of CVE-2026-21643, a critical SQL injection vulnerability in Fortinet FortiClient EMS that is now actively exploited. Threat actors smuggle SQL statements through the `Site` HTTP request header to achieve remote code execution, gaining an initial network foothold for lateral movement or malware deployment. Nearly 1000 FortiClient EMS instances are publicly exposed. This follows the earlier CVE-2023-48788, also a SQL injection flaw, which was added to CISA's KEV catalog. → securityaffairs.com |
| 2026-04-02 2026 | Critical Cisco Smart Software Manager Vulnerability Enables Arbitrary Command Execution news | https://ift.tt/mqhIRau → cyberpress.org |
| 2026-04-02 2026 | ImageMagick vulnerability allows remote code execution news | News analysis of a critical ImageMagick flaw that allows remote code execution via crafted image files. Researchers identified a "magic byte shift" that bypasses restrictive policies, enabling attackers to leverage secondary tools like Ghostscript and the Magick Scripting Language (MSL) for RCE, data theft, and backdoor installation. Affecting major Linux distributions and WordPress sites, the vulnerability remains a pervasive threat because fixes are not applied automatically and the early fixes were not labelled as security-relevant. → scworld.com |
| 2026-04-02 2026 | GIGABYTE Control Center vulnerability allows remote code execution news | Analysis of CVE-2026-4415, a critical arbitrary file-write vulnerability in GIGABYTE Control Center (GCC) versions 25.07.21.01 and earlier. Unauthenticated remote attackers can exploit the "pairing" feature to write arbitrary files, leading to remote code execution, privilege escalation, or denial-of-service. GIGABYTE has released version 25.12.10.01 to patch this flaw, with immediate upgrades recommended. → scworld.com |
| 2026-04-02 2026 | Fortinet hit by another exploited cybersecurity flaw news | Analysis of CVE-2026-21643, a critical SQL injection vulnerability in FortiClient EMS, detailing its exploitation for remote code execution and data exfiltration. This flaw, present in version 7.4.4 with multi-tenant mode enabled, allows unauthenticated attackers to craft HTTP requests to access admin credentials, endpoint data, and certificates. The vulnerability remains a top application security risk, underscoring the need for organizations to patch immediately and consider zero-trust architectures to mitigate such threats. → csoonline.com |
| 2026-04-02 2026 | Critical Grafana Vulnerabilities Let Attackers Achieve Remote Code Execution news | https://ift.tt/bQpTgzY → cybersecuritynews.com |
| 2026-04-02 2026 | Hackers exploiting critical F5 BIG-IP flaw in attacks patch now news | Advisory regarding CVE-2025-53521, a critical remote code execution flaw in F5 BIG-IP APM systems that attackers are actively exploiting to deploy webshells. This vulnerability, previously classified as denial-of-service, allows unprivileged attackers to achieve RCE when access policies are configured on a virtual server. F5 strongly recommends patching and reviewing systems for signs of compromise. CISA has added it to its list of actively exploited flaws, urging federal agencies to secure their BIG-IP APM deployments. → bleepingcomputer.com |
| 2026-02-02 2026 | depthfirst | 1-Click RCE To Steal Your Moltbot Data and Keys advanced AI Secrets | Analysis by depthfirst of CVE-2026-25253, a critical vulnerability in OpenClaw, an AI assistant, that allows a one-click RCE by chaining a logic gap in gateway URL ingestion with Cross-Site WebSocket Hijacking. The exploit bypasses the Same-Origin Policy and can disable security features such as user confirmation and sandboxing via API calls, leading to arbitrary command execution and access to sensitive data such as iMessage content and Stripe API keys. |
| 2025-12-07 2025 | 🚨 New article: SSRF exploitation advanced SSRF | What's inside: → 20+ bypass techniques → Cloud metadata attacks (AWS/Azure/GCP) → Gopher protocol exploitation → Docker & Redis RCE chains → Blind SSRF detection → Real automation scripts From ping t... |
| 2025-11-12 2025 | payloadbox/command-injection-payload-list: 🎯 Command Injection Payload List beginner | 🎯 Command Injection Payload List |
| 2025-08-14 2025 | https://weekly.infosecwriteups.com/iw-weekly-39-10-000-bounty-zero-click-account-takeover-stored-xss-open-redirection-vulnerability-sql-injection-rce-reconnaissance-techniques-and-much-more/ intermediate SQLi XSS | Collection of Infosec writeups featuring a $10,000 bounty for a Facebook Reels vulnerability, Zoom stored XSS, Facebook zero-click account takeover, io_uring UAF (CVE-2022-2602), Apple subdomain open redirection, GraphQL pentesting, social engineering guides, insecure CORS, bug bounty automation, smart contract vulnerabilities, mental health tips for hackers, HTTP Basic Auth, SQL Injection to RCE (CVE-2022-44015), RFC analysis for bounties, MMORPG CTF challenges, CodeQL for GraphQL, reconnaissance techniques, SSRF deep dives, Foundry EVM chain tests, and online security learning resources. |
| 2025-08-14 2025 | Chaining an Blind SSRF bug to Get an RCE | by Santosh Kumar Sha (@killmonga intermediate SSRF | Writeup by Santosh Kumar Sha on chaining a blind Server-Side Request Forgery (SSRF) bug into Remote Code Execution (RCE). The SSRF lets the attacker make the server issue requests it should not; the writeup shows how that foothold is escalated into command execution on the server, and stresses the importance of securing web applications against SSRF rather than treating it as a low-severity finding. |
| 2025-08-14 2025 | Just Gopher It: Escalating a Blind SSRF to RCE for $15k — Yahoo Mail | by S intermediate SSRF | Writeup on escalating a blind Server-Side Request Forgery (SSRF) in Yahoo Mail to Remote Code Execution (RCE) using the Gopher protocol, which lets the vulnerable server be pointed at internal services with attacker-controlled raw TCP payloads. The finding earned a $15,000 bounty from Yahoo. |
| 2025-08-14 2025 | https://github.com/smgorelik/Windows-RCE-exploits/tree/master/Web/VBScript advanced | GitHub repository of Windows Remote Code Execution (RCE) exploits written in VBScript, collected under a `Web/VBScript` directory. It is a resource for researchers studying or testing web-delivered RCE against Windows environments. |
| 2025-08-14 2025 | https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-bypass-firewall-to-get-rce-and-then-went-from-server-shell-to-get-783f71131b94?source=userActivityShare-90814179aa21-1525127127 intermediate | Bug bounty writeup in which the author bypassed a firewall to reach a Remote Code Execution (RCE) vulnerability, obtained a server shell, and continued from there. The post walks through identifying the firewall, working around it to reach the vulnerable endpoint, and the post-exploitation steps that followed. |
| 2025-08-14 2025 | https://medium.com/@kedrisec/how-i-found-2-9-rce-at-yahoo-bug-bounty-program-20ab50dbfac7 intermediate | Writeup of a critical Remote Code Execution (RCE) vulnerability found through Yahoo's bug bounty program. The researcher details the discovery and exploitation steps that allowed code execution on Yahoo's servers, the responsible disclosure process, and the bounty awarded. |
| 2025-08-14 2025 | https://medium.com/@p4c3n0g3/lfi-to-rce-via-access-log-injection-88684351e7c0?source=userActivityShare-90814179aa21-1524411790 intermediate | Writeup on escalating Local File Inclusion (LFI) to Remote Code Execution (RCE) via access log injection: the attacker plants code in a request field that the web server writes to its access log (the User-Agent header is the usual choice), then includes the log file through the LFI so the planted code is executed. The article explains the attack, its impact, and mitigation. |
| 2025-08-14 2025 | https://engineering.salesforce.com/meraki-rce-when-red-team-and-vulnerability-research-fell-in-love-3a119ce2cf56?source=userActivityShare-90814179aa21-1515163858 intermediate | Case study from Salesforce engineering in which a red team and vulnerability researchers collaborated to find a critical Remote Code Execution (RCE) vulnerability in Meraki devices. The work combined reverse engineering, code analysis, and exploit development, and the finding was responsibly disclosed to the vendor. The article's main point is the value of cross-functional cooperation between offensive security roles. |
| 2025-08-14 2025 | Leading the Blind to Light! - A Chain to RCE intermediate | Writeup detailing a Remote Code Execution (RCE) chain achieved by exploiting an Oracle E-Business Suite instance. The chain begins with an authentication bypass leading to blind XXE, which then facilitates information disclosure. This information is combined with an SQL injection vulnerability on an internal database host, enabling the re-enabling of `xp_cmdshell`. Successful execution of `xp_cmdshell` ultimately grants command execution with Administrator privileges. → blog.zsec.uk |
| 2025-08-14 2025 | opsxcq/exploit-CVE-2016-10033: PHPMailer 5.2.18 Remote Code Execution intermediate | Tool for exploiting CVE-2016-10033 in PHPMailer versions prior to 5.2.18, enabling remote code execution. This vulnerability allows attackers to inject arbitrary code by crafting a `From` address that bypasses filters, leading to the execution of commands via the `mail()` function's `additional_parameters`. The provided exploit leverages this by writing a backdoor file to a web-accessible directory, allowing for shell access and further exploitation. |
| 2025-08-14 2025 | Artificial truth · From LFI to RCE in php intermediate | Technique for achieving RCE via LFI in PHP, improving on earlier /proc/self/environ and /var/log methods. This technique leverages PHP's temporary file handling during uploads. By repeatedly triggering an infinite recursive inclusion with a SIGSEGV, the temporary file is prevented from deletion, allowing an attacker to bruteforce its randomly generated name and achieve remote code execution, as demonstrated with a Python script and a shell.php payload. |
| 2025-08-14 2025 | The Tale Of SSRF To RCE on .GOV Domain | by Tobydavenn | Sep, 2022 | Medium intermediate SSRF | Writeup by Tobydavenn (Medium, September 2022) on escalating a Server-Side Request Forgery (SSRF) into Remote Code Execution (RCE) on a .GOV domain, covering the exploitation path, the impact on a government target, and why SSRF bugs need prompt remediation. |
| 2025-08-14 2025 | https://www.reddit.com/r/Hacking_Tutorials/comments/gtpkug/remote_code_execution_explained_with_real_life/?utm_source=share&utm_medium=ios_app&utm_name=iossmf beginner Bug Bounty | Reddit post explaining remote code execution with real-life examples: how vulnerabilities are exploited to run code on a remote system, what an attacker gains from it, and how to defend against it. Beginner-level tutorial material. |
| 2025-08-14 2025 | https://medium.com/@smilehackerofficial/how-i-found-rce-but-got-duplicated-ea7b8b010990 intermediate | Bug bounty writeup in which the researcher found and exploited a Remote Code Execution (RCE) vulnerability in a web application, only to have the report closed as a duplicate because another researcher had already reported it. The lesson drawn is to research the target's known issues before reporting. |
| 2025-08-14 2025 | https://omespino.com/write-up-private-bug-bounty-usd-rce-as-root-on-marathon-instance/ intermediate | Writeup detailing RCE as root on Marathon instances, found by exploiting unauthenticated Marathon UIs discovered via Shodan. The technique involves using `curl` to create a Marathon application with a command like `wget` to exfiltrate host data to an attacker-controlled listener, leveraging the `cmd` parameter for arbitrary command execution. This vulnerability allows for root-level command execution on vulnerable Marathon deployments. |
| 2025-08-14 2025 | Zoom Zero Day: 4 Million Webcams & maybe an RCE? Just get them to visit yo intermediate | Post on a Zoom zero-day affecting some 4 million webcam-equipped users: a malicious website could activate a visitor's webcam without consent, and the author suggests the same mechanism might be escalated to remote code execution (RCE). Keeping the client updated is the recommended defence. |
| 2025-08-14 2025 | elttam - Ruby 2.x Universal RCE Deserialization Gadget Chain advanced | Library releasing a universal Ruby 2.x RCE deserialization gadget chain, bypassing prerequisites of earlier techniques like the ActiveSupport gem. This chain leverages code reuse attacks by chaining "gadgets" from the Ruby standard library, including techniques to indirectly load further libraries via `require` calls, ultimately enabling arbitrary command execution. |
| 2025-08-14 2025 | http://blog.orange.tw/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.html advanced | Writeup by Orange Tsai on chaining four bugs and features into Remote Code Execution (RCE) on Amazon. It breaks down each weakness found in Amazon's services and how they were combined to execute code remotely. |
| 2025-08-14 2025 | RCE by uploading a web.config ↳... intermediate | Technique for Remote Code Execution (RCE) by uploading a malicious `web.config` file: IIS applies a `web.config` found in the directory it is placed in, so an attacker who can upload one can alter how that directory's requests are handled and get arbitrary code executed. The lesson is to lock down file upload functionality and validate user-supplied file names and contents. |
| 2025-07-29 2025 | GitHub - jeanlucdupont/EXEfromCER: PoC that downloads an executable from a public SSL certificate intermediate Supply Chain | Proof-of-concept that demonstrates downloading and executing a Windows executable embedded within a public SSL certificate. This technique leverages custom X.509 certificate extensions and HTTPS to deliver the payload. The process involves generating a certificate with the executable in a custom OID extension using OpenSSL, serving it via TLS, and a Python client that connects, extracts the binary from the certificate, saves it, and then runs it. |
| 2025-05-17 2025 | New Process Injection Class: The CONTEXT-Only Attack Surface advanced | Library for exploring the "context-only" attack surface in process injection. This research demonstrates techniques to inject code by focusing solely on execution primitives, bypassing traditional detection methods that rely on memory allocation and writing. Methods include using `CreateRemoteThread` with `LoadLibraryA` on existing in-process strings, calling arbitrary WinAPI functions via `SetThreadContext`, and leveraging `NtCreateThread` for remote shellcode execution, expanding to APC functions like `QueueUserAPC`. The accompanying `RedirectThread` tool aids in these investigations. |
| 2025-03-30 2025 | Stored XSS in My Flow To RCE in Opera Browser #2 - Renwa - Medium intermediate Bug Bounty XSS | Hey Opera team, your great response and bounties on previous reports motivated me to look more into the program and find more bugs; luckily I found a critical bug in My Flow that allows an… |
| 2024-12-22 2024 | 0x03 - Approaching the Modern Windows Kernel Heap advanced | Writeup detailing exploitation of a Use-After-Free (UaF) vulnerability on Windows 11 (x64) using techniques derived from Alex Ionescu's "Kernel Heap Fengshui." The process involves reverse engineering with Ghidra to identify object sizes and IOCTL codes, and then employing Named Pipes (NPFS.SYS) to trigger nonpaged pool allocations for kernel heap manipulation, overcoming initial challenges with object sizing and allocation control. |
| 2024-12-19 2024 | GitHub - WafflesExploits/hide-payload-in-images: A project that demonstrates embedding shellcode payloads into image files (like PNGs) using Python and extracting them using C/C++. Payloads can be retrieved directly from the file on disk or from the image stored in a binary's resources section (.rsrc) intermediate Python | Library demonstrating shellcode payload embedding into PNG images using Python, with C/C++ extractors. The project includes `payload-extractor-from-file.cpp` for disk-based extraction, `payload-extractor-from-resource.cpp` utilizing WinAPI functions like `FindResource` and `LockResource`, and `payload-extractor-from-resource-via-peb.cpp` for stealthier extraction via manual PEB and PE header parsing, avoiding WinAPI calls and improving reliability with direct PEB access. |
| 2024-11-20 2024 | Win32 shellcode beginner | Win32 shellcode |
| 2024-11-10 2024 | GitHub - AnonKryptiQuz/Xploitra: Xploitra is a powerful reverse shell payload generator for educational and security testing. It offers customizable payloads with advanced obfuscation and session management, making it ideal for simulating real-world attack scenarios and assessing system security. intermediate | Tool for generating customizable reverse shell payloads for Windows, Xploitra offers advanced obfuscation and session management for simulating attack scenarios. It supports payload customization of IP, port, and execution commands, with randomized encoding and string manipulation to bypass basic detection. The tool can generate payloads on any OS and handle multiple sessions concurrently, encoding them in Base64 for secure delivery and saving them as `.bat` files. |
| 2024-11-10 2024 | GitHub - AnonKryptiQuz/I-Espresso: I-Espresso is a tool that enables users to generate Portable Executable (PE) files from batch scripts. Leveraging IExpress, it demonstrates how file extension spoofing can be used to evade detection. intermediate | Tool for generating Portable Executable (PE) files from batch scripts using IExpress. I-Espresso demonstrates file extension spoofing techniques to evade detection, offering a user-friendly, fast, and efficient method for creating disguised payloads without external dependencies on Windows. It guides users through prompts to specify batch scripts, executable names, and custom extensions for generated PE files, intended purely for educational and security testing purposes. |
| 2024-11-04 2024 | Microsoft SharePoint RCE bug exploited to breach corporate network news | Writeup detailing the exploitation of CVE-2024-38094, a Microsoft SharePoint RCE vulnerability, for initial network access. Attackers deployed a webshell, leveraged Horoung Antivirus to disable defenses, and used tools like Impacket, Mimikatz, FRP, everything.exe, Certify.exe, and kerbrute for lateral movement, credential harvesting, persistence, and network scanning. The exploit involved a batch script for antivirus installation and manipulation of system logging. → bleepingcomputer.com |
| 2024-10-17 2024 | Vimeo SSRF with code execution potential. intermediate SSRF | The content discusses the discovery of a semi-responded SSRF vulnerability on Vimeo that potentially allows for code execution. The author shares their process of finding and exploiting this vulnerability in a blog post. → infosecwriteups.com |
| 2024-10-17 2024 | How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! advanced Bug Bounty SSRF | Writeup detailing a four-vulnerability exploit chain leading to Remote Code Execution (RCE) on GitHub Enterprise. The chain begins with a Server-Side Request Forgery (SSRF) in the WebHook feature, which is chained with a second SSRF in the Graphite service. This execution chain enables CR-LF injection, allowing protocol smuggling. Finally, a malicious Ruby object is smuggled through the Memcached protocol, exploiting unsafe `Marshal` deserialization to achieve RCE. The article also covers bypasses for Faraday IP restrictions and the use of Linux glibc features. |
| 2024-10-01 2024 | GitHub - Offensive-Panda/ProcessInjectionTechniques: This comprehensive process injection series is crafted for cybersecurity enthusiasts, researchers, and professionals who aim to stay at the forefront of the field. It serves as a central repository of knowledge, offering in-depth exploration of various process injection techniques used by adversaries. advanced | Library detailing numerous process injection techniques, including Classic Code Injection, Reflective DLL Injection, Process Hollowing, and PE Injection. It offers step-by-step explanations, implementation code, and demonstration videos, utilizing custom shellcode for illustrative purposes. References to MITRE ATT&CK T1055, Dirty Vanity, and resources from ired.team and RedTeamOperations are included. |
| 2024-08-22 2024 | BChecks/vulnerability-classes/injection at main · PortSwigger/BChecks · GitHub intermediate Burp SQLi XSS | BChecks collection for Burp Suite Professional and Burp Suite Enterprise Edition - PortSwigger/BChecks |
| 2023-11-06 2023 | The toddler's introduction to Heap exploitation (Part 1) beginner | https://ift.tt/OhuPqgT |
| 2023-11-05 2023 | Offensive C# beginner Bug Bounty | Course on Offensive C# covering malware development, C2 creation, Active Directory enumeration and attacks, .NET loaders, persistence, WinAPI interaction, token enumeration, shellcode and DLL injection, PE backdooring, PE parsing, PE64 loading, process hollowing, and API hooking and hashing. |
| 2023-10-27 2023 | Perfect DLL Hijacking intermediate | Library that details a novel technique for DLL hijacking that circumvents the limitations of Windows' Loader Lock by reverse-engineering the Windows library loader. This research builds upon prior work like Nick Landers' "Adaptive DLL Hijacking" and presents a data-only approach that avoids problematic actions such as changing memory protection with VirtualProtect or modifying pointers, which are often flagged by anti-malware or incompatible with exploit mitigations like Intel CET. The library also offers stable mitigation and detection mechanisms for defenders. |
| 2023-10-18 2023 | Empire beginner | https://ift.tt/Qmfzot3 |
| 2023-10-13 2023 | Understanding File Upload Vulnerabilities in Web App Penetration Testing | 2023 beginner | https://ift.tt/8aVoHYJ → cyberw1ng.medium.com |
| 2023-09-22 2023 | How to turn SQL injection into an RCE or a file read? Case study of 128 bug bounty reports intermediate Bug Bounty SQLi Talks | https://www.youtube.com/watch?v=ClnVdYf4PK0 |
| 2023-08-21 2023 | Journey into Windows Kernel Exploitation: The Basics beginner | https://ift.tt/IyEYMN5 |
| 2023-08-05 2023 | Process Mockingjay: Echoing RWX In Userland To Achieve Code Execution advanced | https://ift.tt/p9kZeQu |
| 2023-07-22 2023 | Attacking MS Exchange Web Interfaces intermediate | https://ift.tt/Hxci19I |
| 2023-07-22 2023 | ProcessInjection intermediate | Tool implementing five process injection techniques: Vanilla, DLL, Process Hollowing, APC Queue, and KernelCallbackTable. It accepts shellcode in base64, hex, C, or raw formats, and supports P/Invoke, D/Invoke, Direct Syscalls, and Indirect Syscalls for injection. The tool also includes detection evasion through XOR or AES encryption, and Parent PID Spoofing, with the option to load via reflection from disk or a remote server. |
| 2023-04-03 2023 | Basic and Low-level Python Network Attacks beginner Python | https://ift.tt/SxGhvBQ |
| 2023-04-02 2023 | $10.000 bounty for exposed .git to RCE intermediate Bug Bounty | https://ift.tt/1AxW3QH |
| 2022-04-06 2022 | Favorite tweet by @hakluke beginner Bug Bounty | Favorite tweet: I see people confuse these terms all the time, so I wrote a reference-style blog about it! The difference between code injection, command injection, RCE, remote code execution and rem... |
| 2022-02-28 2022 | Favorite tweet by @NandanLohitaksh intermediate Bug Bounty | Favorite tweet: Top 25 Remote Code Execution (RCE) Parameters 1. ?cmd={payload} 2. ?exec={payload} 3. ?command={payload} 4. ?execute={payload} 5. ?ping={payload} 6. ?query={payload} 7. ?jump={payload... |
| 2022-01-18 2022 | Making Sense of the Constantly Changing Log4Shell Landscape beginner Supply Chain | |
| 2022-01-17 2022 | Log4Pot beginner | Honeypot for Log4Shell (CVE-2021-44228) that listens for exploitation attempts on various ports, detects malicious requests in lines and headers, and recursively downloads exploit payloads. It supports logging to files and Azure blob storage, with an included analyzer script to extract and decode payloads, and build timelines. Installation involves fetching the repository and using Poetry for dependency management. |
| 2022-01-03 2022 | Malicious PDF Generator intermediate | Tool for generating ten distinct malicious PDF files, each with phone-home functionality, designed for penetration testing and red-teaming. This application facilitates testing web pages and services that accept PDF uploads, security products, PDF readers, and PDF converters by creating sample files with embedded links that can be configured to point to a Burp Collaborator URL. |
| 2022-01-02 2022 | a c program containing vulnerable code for common types of vulnerabilities can be used to show fuzzing concepts. beginner Fuzzing | Program containing vulnerable C code to demonstrate fuzzing concepts. This resource includes code for common vulnerabilities such as integer overflow/underflow, out-of-bounds read/write, double free, use-after-free, memory leaks, and stack/heap exhaustion. It is designed to be fuzzed using tools like AFL, libafl, libfuzzer, and honggfuzz, with instructions and video tutorials provided for setup and execution. |
| 2021-12-31 2021 | InfosecMindmaps/Log4shell at main DickReverse/InfosecMindmaps beginner | InfosecMindmaps/Log4shell at main DickReverse/InfosecMindmaps |
| 2021-12-31 2021 | Log4Shell Visualization beginner | Log4Shell Visualization |
| 2021-12-30 2021 | Golang Offensive Tools with C-Sto and capnspacehook intermediate Python | Library of offensive security tools built with Golang, showcasing work from developers like C-Sto (goWMIexec, BananaPhone, gosecretsdump) and capnspacehook (pandorasbox, garble). The resource covers challenges and future directions of Go malware, listing numerous tools for command and control, obfuscation, reverse engineering, and more, including notable projects like sliver and DeimosC2. |
| 2021-12-16 2021 | Mitigate Log4j2 / Log4Shell in Elasticsearch intermediate Supply Chain | Analysis of Log4Shell (CVE-2021-44228) vulnerabilities in Elasticsearch versions 5.0 to 7.16.0. Discusses mitigation strategies including updating Log4j to 2.17.1, setting `log4j2.formatMsgNoLookups=true`, removing the `JndiLookup` class, and leveraging the Java Security Manager's protections. Explains why subsequent Log4j issues (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832) have limited impact on Elasticsearch due to its configuration and security measures. Recommends upgrading Elasticsearch to versions ≥ 7.16.3 or ≥ 6.8.23 for full patching. |
| 2021-12-13 2021 | Semgrep beginner Supply Chain | Semgrep |
| 2021-12-13 2021 | Log4Shell The Worst Java Vulnerability in Years beginner | Log4Shell The Worst Java Vulnerability in Years |
| 2021-12-13 2021 | Java log4j security: Added Lookup injection rule. #1650 intermediate | Semgrep pull request #1650 adding a rule that detects Log4j Lookup injection in Java applications, so that static analysis flags code paths where attacker-controlled strings reach Log4j logging calls that expand lookups. |
| 2021-12-12 2021 | Log4j: Its worse than you think beginner | Vulnerability scanner rules for detecting CVE-2021-44228 (Log4j), a critical Java package vulnerability. The scanner uses a partial trigger of the exploit to identify vulnerable instances, with a focus on remote scanning services for customers. Mitigation advice includes upgrading Log4j, disabling lookups, removing the dangerous class files, and blocking JNDI lookup prefixes at the WAF. |
| 2021-12-12 2021 | Digging deeper into Log4Shell - 0Day RCE exploit found in Log4j intermediate Supply Chain | Writeup detailing CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. This widespread flaw enables attackers to execute arbitrary code by controlling log messages, leveraging JNDI lookups that can trigger LDAP or DNS calls to load malicious Java classes. The writeup describes the attack mechanism, observed exploitation tactics including targeting User-Agent headers, and mitigation strategies such as patching or disabling lookups. |
| 2021-12-12 2021 | PSA: Log4Shell and the current state of JNDI injection beginner Supply Chain | Analysis of CVE-2021-44228 (Log4Shell), detailing how JNDI injection vulnerabilities in Log4j allow remote code execution. It highlights that even recent Java runtimes are susceptible, particularly through RMI and LDAP lookups. The analysis covers historical Java patches like CVE-2009-1094 and CVE-2018-3149, and discusses exploitation vectors using Apache XBean BeanFactory and Java deserialization, affecting environments like Apache Tomcat and WebSphere. |
| 2021-12-06 2021 | How to Brute-Force SSH Servers in Python intermediate Python | Library for brute-forcing SSH servers in Python using the `paramiko` library. The tutorial details how to create a script that attempts password combinations from a provided wordlist against a target SSH host. It covers handling connection timeouts, authentication failures, and rate limiting, and includes argument parsing for host, username, and password list input. |
| 2021-11-26 2021 | Phantom - A multi-platform HTTP(S) Reverse Shell Server and Client intermediate API Sec | Library for building multi-platform HTTP(S) reverse shells. Phantom allows creation of standalone Linux and Windows binaries using PyInstaller, supporting both auto-generated and user-supplied certificates for encrypted HTTPS communication. It includes a helper script for certificate generation and a straightforward build process via `build.py`, which can use Poetry or Virtualenv for dependency management. Client binaries can connect to specified server URLs, facilitating stealthy connections. |
| 2021-11-11 2021 | Game Hacking with Python and cheat engine intermediate Python | Game Hacking with Python and cheat engine |
| 2021-10-04 2021 | unescape() room beginner | unescape() room |
| 2021-09-24 2021 | Buffer Overflow using ShellCraft - TryHackMe Intro to Pwntools beginner | Buffer Overflow using ShellCraft - TryHackMe Intro to Pwntools |
| 2021-09-14 2021 | Shellshock In-Depth: Why This Old Vulnerability Won't Go Away intermediate | Analysis of modern security technologies, including IBM Guardium for data protection, IBM watsonx.governance for AI lifecycle management, IBM Verify for identity and access, IBM HashiCorp for infrastructure automation, and IBM MaaS360 for unified endpoint management. It details how these tools address challenges like data visibility, AI governance, authentication, secrets management, and device security, offering practical insights into real-world application security and threat mitigation strategies. |
| 2021-09-05 2021 | Writing an iOS Kernel Exploit from Scratch advanced Mobile | Library for creating an iOS kernel exploit from scratch, specifically focusing on chain #3 against a double-free vulnerability present in iOS 11 and mitigated in 11.4.1. This resource details setting up a test environment, analyzing the IOKit driver vulnerability and its trigger, and developing a full exploit using common techniques, including a sandbox escape method revealed by Siguza. It serves as a reference for beginners by filling potential gaps in exploit development knowledge. |
| 2021-08-18 2021 | remote-method-guesser: A Java RMI Vulnerability Scanner intermediate | remote-method-guesser: A Java RMI Vulnerability Scanner |
| 2021-05-31 2021 | Finding writable folders and hijackable DLLs intermediate | Discussion of identifying writable folders and DLL hijacking opportunities on a system, weaknesses an attacker can use to gain elevated privileges or execute malicious code. The process involves scanning file systems for improperly configured permissions and analyzing the search paths for dynamic-link libraries (DLLs) to find places where a malicious DLL could be substituted for a legitimate one. No specific bug bounty payout amount is mentioned. |
| 2021-01-20 2021 | Learn About Command Injection Attacks beginner | Introduction to command injection attacks, in which an attacker gets their own commands run on a victim's machine. The attack lets a malicious actor execute arbitrary commands on the system, potentially leading to unauthorized access, data theft, or full system compromise, so understanding and protecting against command injection is essential to preventing breaches and safeguarding sensitive information. |
| 2020-05-31 2020 | r/Hacking_Tutorials - Remote Code Execution explained with real life bug bounty reports beginner Bug Bounty | The Reddit post titled "r/Hacking_Tutorials - Remote Code Execution explained with real life bug bounty reports" has received 36 votes but no comments yet. The post likely discusses remote code execution vulnerabilities using real-life bug bounty reports. It aims to provide tutorials and insights into how these vulnerabilities can be exploited, potentially offering valuable information for those interested in hacking and cybersecurity. |
| 2019-10-05 2019 | SQL injection to RCE intermediate SQLi | Discussion of a case of SQL injection leading to Remote Code Execution (RCE) discovered during a recent customer penetration test. It outlines the vulnerability and the impact it had on the system. |
| 2019-08-28 2019 | WRITE UP – Private bug bounty $$,$$$ USD: “RCE as root on Marathon-Mesos instance” – @omespino intermediate | Writeup detailing a private bug bounty win of $30,000 USD for a Remote Code Execution (RCE) as root vulnerability found on a Marathon-Mesos instance. The exploit involved using Shodan to locate unauthenticated Marathon UIs, then crafting a `curl` command to create a Marathon application that executed `/usr/bin/wget --post-data='id'` to a listener, demonstrating root-level command execution via this container orchestration platform. Tools used included netcat, curl, and a web browser. |
| 2019-04-20 2019 | PDFReacter SSRF to ROOT Level Local File Read which led to RCE intermediate SSRF | PDFReacter is a parser that converts HTML content to PDF. |
| 2018-11-09 2018 | elttam - Ruby 2.x Universal RCE Deserialization Gadget Chain advanced | Library for Ruby 2.x universal RCE deserialization gadget chains, detailing exploitation of arbitrary deserialization and releasing a public gadget chain for command execution. It discusses serialization, deserialization pitfalls, and code reuse attacks via gadget chains, noting limitations of previous payloads requiring specific gems and libraries. This resource explores hunting for gadgets within the standard library, focusing on techniques that implicitly load additional libraries or allow partial control over arguments to `require`. |
| 2018-07-06 2018 | Latex to RCE, Private Bug Bounty Program intermediate | The content discusses the author's participation in a private bug bounty program focused on a CMS journal site, approximately a year ago. The author aims to share their learnings from this experience, particularly related to exploiting a vulnerability in Latex to achieve Remote Code Execution (RCE). The bug bounty program provided an opportunity for the author to enhance their skills in identifying and exploiting security flaws. |
| 2018-06-07 2018 | How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! intermediate SSRF | The content appears to be a title mentioning chaining four vulnerabilities on GitHub Enterprise, from SSRF execution to RCE. The author is identified as 🍊. |
| 2018-04-29 2018 | #BugBounty — How I was able to bypass firewall to get RCE and then went from server shell to get… intermediate | The content is about a bug bounty experience where the author bypassed a firewall to achieve Remote Code Execution (RCE) and gained access to a server shell. The author likely shares details of the process and techniques used in this security testing scenario. |
| 2017-11-19 2017 | Leading the Blind to Light! - A Chain to RCE advanced | Writeup detailing a Remote Code Execution chain on Oracle E-Business Suite. The exploit begins with an authentication bypass, leading to blind XXE and information disclosure. This disclosure helps identify an internal endpoint, which through further fuzzing, reveals an SQL injection vulnerability. By re-enabling `xp_cmdshell` via SQL injection, the attacker achieves command execution with administrator privileges. → blog.zsec.uk |
Frequently Asked Questions
- What is remote code execution?
- Remote Code Execution (RCE) is a vulnerability that allows an attacker to run arbitrary commands or code on a target system. It is the most critical class of security vulnerability because it gives the attacker the same level of access as the application or server process, often leading to complete system compromise.
- What are common RCE attack vectors?
- Common vectors include command injection (unsanitized input passed to shell commands), unsafe deserialization (Java, PHP, Python, .NET), Server-Side Template Injection (Jinja2, Twig, Freemarker), file upload bypasses that execute uploaded code, expression language injection in Java frameworks, and prototype pollution in Node.js leading to code execution.
- Why does RCE pay the highest bug bounties?
- RCE represents total system compromise — an attacker can read all data, modify the application, pivot to internal networks, and potentially access cloud infrastructure. The impact is maximum, so bounty programs consistently pay their highest rewards for RCE findings, often ranging from $10,000 to $100,000+ depending on the target.