#remote code execution
12 stories tagged remote code execution.

Pre-Auth Root RCE in Progress Kemp LoadMaster: Patch the API Now
CVE-2026-8037 lets an unauthenticated attacker run commands as root via a crafted API request. CVSS 9.8. The vendor has shipped a fix.

Active Exploitation Hits PTC Windchill as Attackers Drop Web Shells on PLM Systems
A critical deserialization flaw in software used by Boeing, Lockheed Martin, and BMW is drawing threat actors toward some of the most sensitive intellectual property in global manufacturing.

Two Critical NGINX Open Source Bugs Open the Door to Remote Code Execution
F5 patches a use-after-free in the HTTP/3 module and a second critical flaw. QUIC-enabled deployments are the immediate concern.

Bucket Squatting in Vertex AI SDK Opened Cross-Tenant RCE Window
A staging-bucket naming flaw in two versions of Google's Vertex AI Python SDK let attackers pre-register a victim's expected bucket and swap in a malicious pickle model before the platform could retrieve the original.

Langflow's Unauthenticated File-Write Flaw Is Being Exploited — Patch Dropped 73 Days Ago
CVE-2026-5027 lets attackers write files to arbitrary paths on exposed servers, and because Langflow ships with login disabled by default, exploitation requires exactly zero credentials.

Ivanti Sentry Carries Two Critical Bugs — One a Perfect 10 — Enabling Full Appliance Takeover
A pair of unauthenticated flaws in the mobile gateway give attackers a clear path to root. Exploit code is already public.

Six Flaws in protobuf.js Turn Serialized Schemas Into Execution Vectors
The JavaScript Protocol Buffers library — pulled 50 million times a week — ships patches for a cluster of CVEs that let attackers use schema metadata to run arbitrary code inside Node.js processes.

Schema as Weapon: Six Flaws in protobuf.js Open a Path to Remote Code Execution
Cyera researchers found that protobuf.js — pulled into apps 50 million times a week — will, under exploitable conditions, turn schema metadata into running code.

Silent RCE in Hugging Face Transformers Hides Behind a Single Config Field
CVE-2026-4372 lets an attacker own any machine that loads a poisoned model — no warnings, no prompts, no trace. The trust_remote_code flag didn't help.

Redis Patches Two-Year-Old Use-After-Free Surfaced by Autonomous AI Bug Hunter
CVE-2026-23479 sat in the blocking-client code from Redis 7.2.0 until the May 5 fixes. An authenticated user could parlay it into arbitrary OS command execution.

Exploit Code Goes Public for Critical Flowise One-Click RCE Flaw
A published proof-of-concept puts every self-hosted Flowise deployment at risk of full remote code execution — no authentication required from the attacker, just a malicious chatflow import.

Critical Argument Injection Zero-Day in Gogs Puts Self-Hosted Git Servers at Risk
A CVSS 9.4 flaw lets authenticated attackers execute arbitrary code through maliciously named pull-request branches — no patch is available.