< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 4 of 35

Critical RCE in Flowise's Custom MCP Tool Revealed

🛡️ Obsidian Security disclosed a critical RCE in the open-source AI workflow platform Flowise (CVE-2026-40933), enabling server takeover when a logged-in user imports a malicious chatflow. Self-hosted deployments are vulnerable by default; Flowise Cloud is not affected. The flaw stems from the Custom MCP tool launching user-supplied commands via stdio without sandboxing, and Flowise's input-validation patch can be bypassed.
read more →

Weekly recap: PAN-OS, Gogs, GlassWorm takedown

🔔 This week's briefing highlights active exploitation of a PAN-OS GlobalProtect authentication bypass (CVE-2026-0257), a critical unauthenticated RCE in Gogs, and the coordinated takedown of GlassWorm C2 infrastructure. Other notable items include a long-standing Linux LPE (CIFSwitch) patched upstream, CERT-In urging rapid patching timelines, and several AI-enabled and supply-chain aided campaigns increasing attacker speed and reach.
read more →

Critical Windows Netlogon RCE Flaw Now Exploited

🔒 The Centre for Cybersecurity Belgium (CCB) warned that threat actors are exploiting a recently patched critical Windows Netlogon vulnerability (CVE-2026-41089). Microsoft patched the stack-based buffer overflow during May 2026 Patch Tuesday, which can allow unauthenticated remote code execution on domain controllers. The CCB urged administrators to apply updates immediately, noting a CVSS score of 9.8, while Microsoft has not yet confirmed active exploitation.
read more →

Flowise MCP flaw enables single-click remote code execution

🔒 Researchers at Obsidian Security disclosed a near-max severity remote code execution flaw in self-hosted Flowise deployments tied to its Model Context Protocol (MCP) stdio server implementation. The issue stems from Flowise allowing attacker-controlled MCP stdio configurations that execute arbitrary OS commands, enabling one-click post-auth RCE via malicious chatflow imports. Flowise Cloud is unaffected, but self-hosted instances should review and potentially disable stdio MCP or apply strict mitigations.
read more →

Notepad++ XML flaws allow local arbitrary code execution

🔒 Two High-severity vulnerabilities in Notepad++ (CVE-2026-48778 and CVE-2026-48800, CVSS 7.8) let local attackers run arbitrary commands by tampering with the editor’s XML configuration files. Both issues affected versions up to 8.9.6 and were patched in 8.9.6.1 along with a lower-severity crash bug (CVE-2026-48770). The flaws stem from unvalidated values in shortcuts.xml and config.xml, enabling persistence and stealthy execution if an attacker can write to a user’s AppData or supply a poisoned settings folder.
read more →

Critical Gogs RCE via Malicious Rebase Branch Name

🔒 A critical Remote Code Execution (RCE) flaw in Gogs, a self-hosted Git service, enables any authenticated user to execute arbitrary commands by creating a pull request with a malicious branch name that injects the --exec flag into git rebase. Rated 9.4 by Rapid7, the bug requires only a registered account on default instances and can be abused without admin privileges or other user interaction. Rapid7 published an exploit module and advises restricting registration and repository creation and auditing rebase merge settings.
read more →

Critical Gogs zero-day enables remote code execution

🛡️ An unpatched zero-day in the Gogs self-hosted Git service allows authenticated non-admin users to gain remote code execution on Internet-facing instances. The flaw, an argument injection in the Merge() code path affecting Gogs 0.14.2 and 0.15.0+dev, can be exploited via malicious branch names during a rebase-merge operation. Researcher Jonah Burges reported the issue in March; maintainers have acknowledged but not yet patched it. Shadowserver and Shodan count thousands of exposed Gogs servers, many with default open registration enabled.
read more →

KnowledgeDeliver zero-day enables web shell installs

🛡️ Mandiant found attackers exploited a critical unauthenticated deserialization flaw (CVE-2026-5426) in KnowledgeDeliver LMS to deliver the Godzilla web shell. The issue stemmed from a shared hardcoded ASP.NET machineKey across customer deployments, allowing signed malicious ViewState payloads and remote code execution. Compromised installations were used to push fake installers, deploy Cobalt Strike beacons, and modify site scripts to load attacker-controlled payloads.
read more →

ABB Terra AC Heap Overflow Risks and Fixes

🔒 ABB reported a heap-based buffer overflow in select Terra AC EV chargers that can be triggered via crafted OCPP messages. Exploitation may allow heap pollution, denial-of-service, altered firmware behavior, or possible remote code execution; the vendor has released patched firmware versions. ABB strongly recommends avoiding unencrypted HTTP for OCPP connections and applying updates promptly to mitigate remote exploitation risks.
read more →

ABB zenon Remote Transport Missing Authentication

🔒 ABB has identified a vulnerability in affected versions of the ABB Ability™ zenon Remote Transport Service that permits unauthorized use of the Reboot OS function, allowing an attacker to trigger a system reboot without required authentication. Remote exploitation requires prior access to the target network. Vendors report no evidence of active exploitation at this time. Workarounds include restricting network access and disabling the zensyssrv.exe service when Remote Transport is not needed.
read more →

Microsoft fixes critical SharePoint remote code flaw

🛡️ Microsoft released updates to address a SharePoint remote code execution vulnerability, CVE-2026-45659, rated CVSS 8.8 and classified as Important. The flaw involves deserialization of untrusted data, allowing an authenticated attacker with minimal Site Member permissions to execute code over a network without elevated privileges. Microsoft credited researcher MEOW for the discovery and urged administrators to apply the updates for affected SharePoint versions. The advisory follows recent fixes for other SharePoint issues that have been exploited in the wild.
read more →

KnowledgeDeliver LMS ViewState Flaw Enables Web Shell

🛡️ A high-severity ASP.NET ViewState deserialization flaw (CVE-2026-5426) in Digital Knowledge KnowledgeDeliver was exploited as a zero-day to deploy the Godzilla web shell and later Cobalt Strike Beacon. Google Mandiant and GTIG found attackers abused hard-coded machineKey values in vendor-supplied web.config files to craft malicious __VIEWSTATE payloads, gaining unauthenticated RCE on affected instances prior to February 24, 2026. The intrusion included file system escalation, tampering with site JavaScript to deliver a fake security plugin, and a targeted encrypted payload named for the victim organization.
read more →

CISA Adds Drupal SQL Injection to KEV Catalog

🛡️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SQL injection flaw in Drupal Core (CVE-2026-9082, CVSS 6.5) to its Known Exploited Vulnerabilities list after evidence of active exploitation. The vulnerability affects all supported Drupal Core versions and could enable privilege escalation and remote code execution via crafted requests using the database abstraction API. Patches were released across multiple 8.x–11.x branches, with manual patches required for Drupal 9.5 and 8.9.
read more →

Drupal SQL injection flaw now being exploited

🔒 Drupal has warned administrators that a "highly critical" SQL injection vulnerability, tracked as CVE-2026-9082, is being actively targeted in the wild. Discovered by Google/Mandiant researcher Michael Maturi, the flaw affects Drupal's database abstraction API and allows specially crafted requests to trigger arbitrary SQL injection on sites using PostgreSQL. Exploitation requires no authentication and can lead to remote code execution, privilege escalation, and data disclosure; Drupal has released updates and urges immediate patching.
read more →

Ubiquiti patches three max-severity UniFi OS flaws

🛡️ Ubiquiti issued updates addressing three maximum-severity vulnerabilities in UniFi OS that allow remote, unauthenticated attackers to modify systems, read files via path traversal, and perform command injection after gaining network access. Additional fixes include another critical command injection and a high-severity information disclosure issue. The flaws were reported via HackerOne and can be exploited with low complexity; Ubiquiti has not confirmed any in-the-wild exploitation. Censys reports nearly 100,000 Internet-exposed UniFi OS endpoints, with about 50,000 in the United States, though it is unclear how many have been remediated.
read more →

Critical ChromaDB RCE Flaw Leaves Servers Exposed

🔒 Researchers disclosed a critical vulnerability in ChromaDB (CVE-2026-45829) that allows unauthenticated attackers to execute arbitrary code and access sensitive data on affected servers. The flaw is a race condition in the FastAPI-based API server that fetches and executes remote embedding model code before performing authentication checks. HiddenLayer says versions 1.0.0 through 1.5.8 are affected and many public instances remain vulnerable; they recommend using the Rust implementation and restricting network access until a patch is available.
read more →

Chromium leak exposes unfixed persistent JavaScript flaw

🛡️ Google inadvertently published details of an unfixed Chromium vulnerability that allows JavaScript to continue running after the browser is closed, enabling remote code execution via persistent Service Workers. Reported by researcher Lyra Rebane in December 2022, the issue affects all Chromium-based browsers and was marked fixed in February 2024 but a patch was not shipped. The bug tracker entry was briefly made public on May 20, revealing the exploit still works in Chrome Dev 150 and Edge 148, making attacks stealthier and increasing risk until an emergency fix is released.
read more →

ABB B&R Automation Studio: SQLite component vulnerabilities

🔒 ABB disclosed multiple vulnerabilities in affected versions of B&R Automation Studio stemming from an outdated third-party SQLite component. An update to Automation Studio 6.5 corrects these issues and the vendor urges customers to apply the update promptly. The advisory lists numerous memory safety and logic issues (heap overflows, integer overflows, use-after-free, NULL dereferences, improper input validation, and more) that could enable unauthorized access, data exposure, or remote code execution. Customers should follow the product manual to identify versions and install updates, and apply general security recommendations as mitigation.
read more →

ABB B&R UEFI PXE Vulnerabilities and Vendor Updates

🔒 ABB B&R reported multiple vulnerabilities in the UEFI PXE implementation of affected B&R PCs and controllers. EDK2 Network Package issues include out-of-bounds reads, buffer overflows, infinite loops, and weak PRNG usage that can lead to remote code execution, DoS, DNS poisoning, or data exposure. Vendor updates are available for many product versions and users are advised to apply patches or follow mitigations.
read more →

Highly Critical PostgreSQL SQLi Fix Released for Drupal

🛡️ Drupal issued emergency updates addressing a "highly critical" SQL injection flaw tracked as CVE-2026-9082 in its database abstraction API that can be exploited against sites using PostgreSQL, allowing information disclosure and in some cases privilege escalation or remote code execution. The vendor released patched builds for supported 11.x and 10.x branches and published manual patches for EOL versions. Upstream Symfony and Twig fixes are also included in recent releases.
read more →