Remote Code Execution
Remote Code Execution (RCE) vulnerabilities allow an attacker to execute arbitrary code on a remote system without authorization. These are among the most severe vulnerabilities as they can lead to complete system compromise.
289 CVEs | CRITICAL | Execution
Understanding Remote Code Execution
Remote Code Execution vulnerabilities represent the most critical class of security flaws. When exploited, they allow attackers to run arbitrary commands on a target system, often with the same privileges as the vulnerable application.
RCE vulnerabilities commonly arise from unsafe deserialization, command injection, or memory corruption bugs. They're frequently found in web applications, network services, and system utilities.
How to Identify
- Look for input validation bypasses in file upload functionality
- Check for unsafe deserialization of user-controlled data
- Test command execution functions with special characters
- Review template engines for server-side template injection
Prevention Best Practices
- Use parameterized queries and prepared statements
- Implement strict input validation and sanitization
- Run applications with minimal privileges
- Keep all software dependencies up to date
- Use security headers and Content Security Policy
Remote Code Execution CVEs (289)
| CVE | Score | Description | Vendor / Product | Exploit Status | Date |
|---|---|---|---|---|---|
| CVE-2026-3761 | 5.3 | An attacker can gain unauthorized access to delete user accounts in the SourceCodester Client Database Management System by manipulating the user_id parameter in a specific file, which can be done remotely. This vulnerability requires no special access, making it easier for attackers to exploit it. | lerouxyxchire / client database management system | Exploit Available | Mar 8, 2026 |
| CVE-2026-3760 | 6.9 | An attacker can remotely manipulate a specific part of the university management system to execute unauthorized SQL commands, potentially gaining access to sensitive data in the database. This vulnerability occurs when the system processes a certain input incorrectly, making it easy for attackers to exploit it if they know how to send the right request. | angeljudesuarez / university management system | Exploit Available | Mar 8, 2026 |
| CVE-2026-3756 | 5.3 | An attacker can remotely manipulate the stock name in the Sales and Inventory System to execute unauthorized SQL commands, potentially gaining access to sensitive data in the database. This vulnerability affects versions up to 1.0 and can be exploited using publicly available methods. | ahsanriaz26gmailcom / sales and inventory system | Exploit Available | Mar 8, 2026 |
| CVE-2026-3755 | 5.3 | An attacker can exploit a vulnerability in the sales and inventory system to manipulate database queries by sending specially crafted data through a specific web request, potentially allowing them to access or modify sensitive information. This attack can be carried out remotely, meaning the attacker doesn't need physical access to the system, making it a significant risk. | ahsanriaz26gmailcom / sales and inventory system | Exploit Available | Mar 8, 2026 |
| CVE-2026-3754 | 5.3 | An attacker can remotely manipulate the cost argument in the sales and inventory system's add_stock.php file to execute unauthorized SQL commands, potentially gaining access to sensitive data or altering the database. This vulnerability can be exploited without needing any special access or credentials. | ahsanriaz26gmailcom / sales and inventory system | Exploit Available | Mar 8, 2026 |
| CVE-2026-3753 | 5.3 | An attacker can remotely manipulate a specific part of the sales and inventory system to execute unauthorized SQL commands, potentially gaining access to sensitive data in the database. This vulnerability affects versions up to 1.0 and requires the attacker to send specially crafted input to a specific file in the system. | ahsanriaz26gmailcom / sales and inventory system | Exploit Available | Mar 8, 2026 |
| CVE-2026-3752 | 5.1 | This vulnerability allows an attacker to remotely manipulate the date parameter in the daily task report feature of the employee task management system, potentially leading to unauthorized access to the database. To exploit this flaw, the attacker simply needs to send a specially crafted request to the affected system. | oretnom23 / employee task management system | Exploit Available | Mar 8, 2026 |
| CVE-2026-3751 | 5.1 | This vulnerability allows an attacker to execute malicious SQL commands on the employee task management system, potentially accessing or manipulating sensitive data. It can be exploited remotely by sending specially crafted requests to a specific part of the application without needing any special access or credentials. | oretnom23 / employee task management system | Exploit Available | Mar 8, 2026 |
| CVE-2026-3749 | 5.3 | This vulnerability allows an attacker to upload any type of file to the Bytedesk application, which could lead to malicious files being executed on the server. It can be exploited remotely without needing special access, so it's crucial to upgrade to the latest version to fix this issue. | bytedesk / bytedesk | Exploit Available | Mar 8, 2026 |
| CVE-2026-3748 | 5.3 | An attacker can exploit a flaw in Bytedesk to upload malicious files without restriction, which could lead to unauthorized access or control over the system. This vulnerability affects versions up to 1.3.9, and it is crucial to upgrade to version 1.4.5.1 to protect against potential attacks. | bytedesk / bytedesk | Exploit Available | Mar 8, 2026 |
| CVE-2026-3747 | 6.9 | An attacker can exploit a vulnerability in the university management system to manipulate data in the database by sending specially crafted requests, allowing them to execute unauthorized SQL commands. This can be done remotely without needing to be logged in, and there are publicly available methods to carry out the attack. | angeljudesuarez / university management system | Exploit Available | Mar 8, 2026 |
| CVE-2026-3746 | 6.9 | An attacker can exploit a vulnerability in the login feature of a tourism website to execute unauthorized SQL commands, potentially gaining access to sensitive data in the database. This can be done remotely by manipulating the username input, and the exploit is publicly known, making it easier for attackers to take advantage of it. | oretnom23 / simple responsive tourism website | Exploit Available | Mar 8, 2026 |
| CVE-2026-3740 | 6.9 | This vulnerability allows an attacker to remotely manipulate the university management system's search function to execute unauthorized SQL commands, potentially exposing sensitive student data. The attack can be carried out without needing any special access, making it a significant risk for the system. | angeljudesuarez / university management system | Exploit Available | Mar 8, 2026 |
| CVE-2026-3738 | 5.3 | This vulnerability allows an attacker to gain unauthorized access to the financial report page of the pet grooming management software, potentially exposing sensitive financial information. The attacker can exploit this remotely, and there are already tools available online to carry out the attack. | mayurik / pet grooming management software | Exploit Available | Mar 8, 2026 |
| CVE-2026-3737 | 5.3 | This vulnerability allows an attacker to bypass authorization controls in the pet grooming management software, potentially letting them create new user accounts without proper permissions. The attack can be carried out remotely, meaning the attacker doesn't need physical access to the system to exploit it. | mayurik / pet grooming management software | Exploit Available | Mar 8, 2026 |
| CVE-2026-3734 | 6.9 | This vulnerability allows an attacker to gain unauthorized access to sensitive manager details in the client database management system by manipulating a specific request sent to the server. The attack can be carried out remotely, meaning the attacker doesn't need physical access to the system, making it a significant risk for users of this software. | lerouxyxchire / client database management system | Exploit Available | Mar 8, 2026 |
| CVE-2026-3733 | 5.3 | This vulnerability allows an attacker to trick the server into making unauthorized requests to other internal services, potentially exposing sensitive data or functionality. The attacker can exploit this remotely, but it requires the server to lack proper security checks for access tokens. | Unknown | Exploit Available | Mar 8, 2026 |
| CVE-2026-3730 | 6.9 | An attacker can exploit a flaw in the Free Hotel Reservation System to manipulate a specific part of the website, allowing them to execute unauthorized SQL commands and potentially access or modify the database remotely. This vulnerability can be triggered simply by altering certain parameters in the URL, making it a serious risk for any system using this software. | itsourcecode / free hotel reservation system | Exploit Available | Mar 8, 2026 |
| CVE-2026-3724 | 5.3 | An attacker can remotely manipulate the patient ID in the queue management system to gain unauthorized access to sensitive functions, potentially allowing them to view or alter patient information. This vulnerability can be exploited without needing any special access or credentials. | pamzey / patients waiting area queue management system | Exploit Available | Mar 8, 2026 |
| CVE-2026-3665 | 4.8 | This vulnerability allows an attacker to crash the xlnt application by causing it to access a part of memory that doesn't exist, leading to a program failure. The attacker must have local access to the system to exploit this issue, and there are publicly available methods to do so. | xlnt-community / xlnt | Exploit Available | Mar 7, 2026 |