Remote Code Execution

Remote Code Execution (RCE) vulnerabilities allow an attacker to execute arbitrary code on a remote system without authorization. These are among the most severe vulnerabilities as they can lead to complete system compromise.

Total CVEs: 289
Typical Severity: CRITICAL
Category: Execution

Understanding Remote Code Execution

Remote Code Execution vulnerabilities represent the most critical class of security flaws. When exploited, they allow attackers to run arbitrary commands on a target system, often with the same privileges as the vulnerable application.

RCE vulnerabilities commonly arise from unsafe deserialization, command injection, or memory corruption bugs. They're frequently found in web applications, network services, and system utilities.

How to Identify

  • Look for input validation bypasses in file upload functionality
  • Check for unsafe deserialization of user-controlled data
  • Test command execution functions with special characters
  • Review template engines for server-side template injection

Prevention Best Practices

  • Use parameterized queries and prepared statements
  • Implement strict input validation and sanitization
  • Run applications with minimal privileges
  • Keep all software dependencies up to date
  • Use security headers and Content Security Policy

Remote Code Execution CVEs (289)

Description | Vendor / Product | Exploit Status
CVE-2026-26078 (score 7.5)

An attacker can send fake webhook messages to a Discourse site, allowing them to create, change, or delete Patreon pledge data if the site's webhook secret is left blank. To prevent this, it's crucial to set a strong, non-empty webhook secret in the site settings.

Vendor / Product: discourse / discourse
Exploit Status: Theoretical
about 1 month ago (Feb 26, 2026)

CVE-2026-26077 (score 6.5)

This vulnerability allows attackers to send fake data to certain email service integrations on the Discourse platform, which can lead to legitimate user emails being mistakenly marked as undeliverable. It occurs when no authentication token is set up, meaning attackers can exploit this weakness without needing any special access.

Vendor / Product: discourse / discourse
Exploit Status: Theoretical
about 1 month ago (Feb 26, 2026)

CVE-2025-14343 (score 7.6)

This vulnerability allows an attacker to inject malicious scripts into web pages viewed by users, which can lead to stealing sensitive information like login credentials. It occurs when the E-Commerce Product improperly handles user input, and it can be exploited simply by tricking users into clicking on a specially crafted link.

Vendor / Product: Unknown
Exploit Status: Exploit Available
about 1 month ago (Feb 26, 2026)

CVE-2026-28132 (score 5.3)

This vulnerability allows an attacker to inject malicious code into web pages displayed by the WooCommerce Photo Reviews plugin, potentially leading to unauthorized actions or data theft from users. It affects versions up to 1.4.4, and an attacker would need to find a way to submit harmful content that the plugin does not properly filter.

Vendor / Product: Unknown
Exploit Status: Theoretical
about 1 month ago (Feb 26, 2026)

CVE-2026-1693 (score 5.3)

This vulnerability allows a remote attacker to steal user credentials by exploiting an outdated login method still used in certain features of the PcVue software. It requires the attacker to target systems running versions 12.0.0 through 16.3.3, where this insecure method is still enabled.

Vendor / Product: Unknown
Exploit Status: Exploit Available
about 1 month ago (Feb 26, 2026)

CVE-2026-27701 (score 8.8)

An attacker can exploit this vulnerability to inject malicious JavaScript into a GitHub Actions workflow by crafting a pull request title, which could allow them to steal sensitive information from the repository or perform unauthorized actions using the CI bot's permissions. This requires the attacker to create a pull request with a specially designed title, making it a targeted attack on the repository.

Vendor / Product: Unknown
Exploit Status: Theoretical
about 1 month ago (Feb 25, 2026)

CVE-2026-21725 (score 2.0)

This vulnerability allows an attacker with admin access to a data source to delete it again after it has been recreated by someone else, even if they no longer have admin rights to the new version. However, this can only happen within 30 seconds of the original deletion, and the new data source must have the same unique identifier as the deleted one, which is randomly assigned by default.

Vendor / Product: grafana / grafana
Exploit Status: Theoretical
about 1 month ago (Feb 25, 2026)

CVE-2026-3171 (score 5.1)

This vulnerability allows an attacker to inject malicious scripts into the queue management system, which could then be executed in the browsers of users visiting the site. The attacker can exploit this remotely by manipulating the names entered in the system, making it a risk for anyone using the application.

Vendor / Product: pamzey / patients waiting area queue management system
Exploit Status: Exploit Available
about 1 month ago (Feb 25, 2026)

CVE-2026-3170 (score 4.8)

An attacker can inject malicious scripts into the Patients Waiting Area Queue Management System by manipulating the First Name or Last Name fields in the patient search function, allowing them to execute harmful actions on users' browsers. This vulnerability can be exploited remotely, meaning attackers don't need physical access to the system to carry out their attack.

Vendor / Product: pamzey / patients waiting area queue management system
Exploit Status: Exploit Available
about 1 month ago (Feb 25, 2026)

CVE-2025-11563 (score 4.6)

This vulnerability allows an attacker to manipulate the wcurl tool into saving files in unintended locations on the user's system, potentially exposing sensitive data or overwriting important files. It occurs when the attacker uses URLs with special encoded characters that trick the tool, and it specifically affects users of the wcurl command line tool.

Vendor / Product: curl / wcurl
Exploit Status: Theoretical
about 1 month ago (Feb 25, 2026)

CVE-2026-23982 (score 7.1)

This vulnerability allows a low-privileged user to access unauthorized data by manipulating existing datasets in Apache Superset. An attacker needs to have permission to create datasets and read charts, which lets them overwrite SQL queries and bypass data access controls.

Vendor / Product: apache / superset
Exploit Status: Exploit Available
about 1 month ago (Feb 24, 2026)

CVE-2025-11165 (score 9.4)

This vulnerability allows an attacker with scripting privileges in dotCMS to bypass security restrictions and access sensitive Java classes, enabling them to execute arbitrary system commands as the application user. The attacker must be authenticated and have the ability to run scripts to exploit this weakness.

Vendor / Product: dotcms / dotcms
Exploit Status: Theoretical
about 2 months ago (Feb 24, 2026)

CVE-2025-70327 (score 9.8)

This vulnerability allows an attacker with access to the device to inject harmful commands into the system's ping utility, which can lead to the device becoming unresponsive or overloaded. The attacker can exploit this by sending specially crafted input that the device does not properly check, making it a serious risk for devices running the affected firmware.

Vendor / Product: totolink / x5000r firmware
Exploit Status: Theoretical
about 2 months ago (Feb 23, 2026)

CVE-2025-68930 (score 6.5)

An attacker can exploit a vulnerability in the Traccar GPS tracking system to take control of a legitimate user's WebSocket connection, allowing them to send and receive data as if they were that user. This requires the attacker to trick the system into thinking their request is coming from a trusted source, which could happen if the user visits a malicious website while logged into Traccar.

Vendor / Product: traccar / traccar
Exploit Status: Theoretical
about 2 months ago (Feb 23, 2026)

CVE-2025-14905 (score 7.2)

An attacker can exploit a flaw in the 389-ds-base server to potentially take control of the system or crash it, especially when processing a large number of alias strings. This happens because the server miscalculates memory size, leading to a situation where it can be tricked into running harmful code or becoming unresponsive.

Vendor / Product: Unknown
Exploit Status: Exploit Available
about 2 months ago (Feb 23, 2026)

CVE-2026-2984 (score 6.9)

An attacker can remotely crash the student result management system by manipulating a specific function in the admin panel, which can lead to a denial of service. This vulnerability is easy to exploit, as the method to do so is publicly available.

Vendor / Product: munyweki / student result management system
Exploit Status: Exploit Available
about 2 months ago (Feb 23, 2026)

CVE-2026-2983 (score 6.9)

An attacker can exploit a flaw in the student result management system to gain unauthorized access to sensitive user data by manipulating a specific file upload function. This vulnerability can be exploited remotely, meaning the attacker does not need physical access to the system, and it has been publicly disclosed, increasing the risk of attacks.

Vendor / Product: munyweki / student result management system
Exploit Status: Exploit Available
about 2 months ago (Feb 23, 2026)

CVE-2026-2967 (score 6.3)

This vulnerability allows an attacker to potentially impersonate a trusted source in communications with the Cesanta Mongoose software, which could lead to unauthorized access or manipulation of data. However, exploiting this flaw is complex and difficult, requiring specific conditions to be met for a successful attack.

Vendor / Product: cesanta / mongoose
Exploit Status: Exploit Available
about 2 months ago (Feb 23, 2026)

CVE-2026-2939 (score 4.8)

This vulnerability allows an attacker to inject malicious scripts into the student management system, which can then be executed in the browsers of users visiting the affected page. The attacker can exploit this remotely, meaning they don't need physical access to the system, and the exploit details are publicly available, making it easier for them to launch an attack.

Vendor / Product: itsourcecode / student management system
Exploit Status: Exploit Available
about 2 months ago (Feb 22, 2026)

CVE-2026-2938 (score 6.9)

An attacker can remotely access and manipulate the Student Result Management System due to improper access controls in a specific file, potentially allowing them to change settings or access sensitive information. This vulnerability requires no special privileges, making it easier for attackers to exploit it.

Vendor / Product: munyweki / student result management system
Exploit Status: Exploit Available
about 2 months ago (Feb 22, 2026)

Showing 161 to 180 of 289 results