All news with #remote code execution tag

Critical File Upload Flaw in Ninja Forms (WordPress)

⚠ A critical arbitrary file upload vulnerability has been identified in the Ninja Forms – File Upload Plugin for WordPress, impacting versions up to 3.3.26 and rated CVSS 9.8. The flaw allows unauthenticated attackers to upload malicious files (including .php), bypass validation, and achieve remote code execution. Wordfence validated the report after it was disclosed on January 8, 2026, and the developer issued a complete patch in version 3.3.27 on March 19; administrators should update immediately.

Critical Flowise flaw enables JavaScript injection in AI

🚨 A critical design oversight in Flowise, a low-code platform for building LLM flows, allows arbitrary JavaScript to be injected via its Custom MCP node. The vulnerability (CVE-2025-59528) results from unsafe parsing in convertToValidJSONString, which feeds user input to the Function() constructor and executes with full Node.js privileges. A patch shipped in v3.0.6 and the latest public release is v3.1.1, but thousands of internet-exposed instances remain at risk as attackers have begun exploiting unpatched deployments.

Claude-assisted discovery of long-hidden ActiveMQ RCE

🔎 Horizon3.ai researchers used Anthropic's Claude to help uncover a remote code execution vulnerability, CVE-2026-34197, in Apache ActiveMQ Classic that reportedly persisted for about 13 years. The flaw allows an attacker to invoke Jolokia management operations to fetch a remote configuration file and execute arbitrary OS commands; default admin:admin credentials or prior exposure via CVE-2024-32114 can make exploitation trivial. Patches are available in versions 5.19.4 and 6.2.3, and administrators are advised to update, remove default credentials, and inspect broker logs for signs of compromise.

Critical RCE Flaw in Ninja Forms File Uploads Plugin

⚠️ A critical vulnerability in the Ninja Forms File Uploads premium add-on (identified as CVE-2026-0740) allows unauthenticated attackers to upload arbitrary files, including PHP, enabling remote code execution. Wordfence reports active exploitation and has blocked thousands of attempts. The flaw affects versions up to 3.3.26; the vendor issued a full fix in 3.3.27 on March 19. Users of the File Upload extension should upgrade immediately and apply available mitigations.

Max-severity Flowise RCE (CVE-2025-59528) Now Exploited

🚨 Security researchers report active exploitation of Flowise via CVE-2025-59528, a CVSS-10 arbitrary JavaScript injection that can lead to remote command execution and filesystem access. The flaw stems from the CustomMCP node unsafely evaluating user-supplied mcpServerConfig, allowing execution of supplied scripts. The developer fixed the issue in Flowise 3.0.6; users should upgrade to 3.1.1 or at minimum 3.0.6 and restrict public exposure.

Over 1,000 Exposed ComfyUI Instances Targeted — Miner Botnet

🛡️ An active campaign is exploiting internet-exposed ComfyUI instances to recruit them into a cryptomining and proxy botnet. Censys researchers found attacker tooling that scans cloud IP ranges, abuses unsafe custom nodes for unauthenticated remote code execution, and installs miners (XMRig, lolMiner) and a Hysteria V2 proxy. The payloads persist via periodic retrieval of a ghost.sh script and use techniques such as LD_PRELOAD and chattr +i to resist removal, while a Flask-based C2 panel provides centralized control. Defenders are advised not to expose ComfyUI publicly, to require authentication, and to remove or audit any nodes that execute raw Python.

Active Exploitation of Critical Flowise RCE (CVE-2025-59528)

🔴 New findings show threat actors are actively exploiting a maximum-severity code injection flaw in Flowise (CVE-2025-59528) that can lead to remote code execution. The issue stems from the CustomMCP node executing user-supplied JavaScript in the mcpServerConfig string, granting access to sensitive Node.js modules and full runtime privileges. Flowise released a fix in the npm package v3.0.6; affected deployments should upgrade immediately. VulnCheck reports exploitation activity originating from a single Starlink IP and warns of 12,000+ internet-exposed instances.

Google patches fourth Chrome zero-day of 2026

🛡️ Google has patched a fourth zero-day in Chrome this year, addressing CVE-2026-5281 in Dawn, the browser's WebGPU implementation, which allowed remote code execution via a crafted HTML page when the renderer process was compromised. The company confirmed an exploit exists in the wild and urges users to update to Chrome 146.0.7680.178 or newer. This fix follows earlier 2026 patches for CSS memory handling, the Skia graphics library, and the V8 JavaScript engine.

Mass Credential Theft via CVE-2025-55182 Targets Next.js

🔓 Cisco Talos has linked a large-scale credential harvesting campaign to a threat cluster tracked as UAT-10608 that exploited CVE-2025-55182 in React Server Components and the Next.js App Router to breach at least 766 hosts. The intruders deployed a multi-stage dropper that collected environment variables, SSH keys, cloud metadata credentials, API keys, and other secrets before aggregating them in a password-protected web GUI called NEXUS Listener. Researchers accessed an exposed instance and observed a broad array of stolen items, including Stripe keys, GitHub tokens, AI platform keys, webhook secrets, and database connection strings. Organizations are urged to patch vulnerable Next.js deployments, enforce least privilege, enable IMDSv2, rotate credentials, and implement secret scanning.

Cisco Patches Critical IMC and SSM Flaws (CVSS 9.8)

🔒 Cisco released patches for two critical vulnerabilities in its management software that carry a CVSS score of 9.8. CVE-2026-20093 in the Integrated Management Controller (IMC) allows an unauthenticated attacker to bypass authentication and change any user password via a crafted HTTP request. CVE-2026-20160 affects Smart Software Manager On-Prem and can enable remote command execution as root due to an exposed internal service. Cisco provided fixed releases and urges customers to update immediately; there are no known in-the-wild exploits to date.

Pre-auth RCE Chain in Progress ShareFile Storage Zones

🔓 Researchers at watchTowr disclosed two critical flaws in Progress ShareFile Storage Zones Controller (SZC): an authentication bypass (CVE-2026-2699) and a remote code execution via file upload/extraction (CVE-2026-2701). The issues can be chained to grant unauthenticated access to the admin interface, modify zone configuration, and deploy ASPX webshells to the application webroot. Progress issued a patch in ShareFile 5.12.4 on March 10; administrators should apply it immediately given thousands of internet-exposed SZC instances.

Hitachi Energy JasperReports RCE in Ellipse Products

⚠ Hitachi Energy disclosed a critical Java deserialization flaw in the Jaspersoft/Jasper Report library used by Ellipse, tracked as CVE-2025-10492, which can enable remote code execution. Affected versions include Ellipse 9.0.50 and earlier, and the issue carries a CVSS 3.1 score of 9.8. Immediate mitigations include restricting loading of external custom reports to only administrator-approved Jasper files, isolating control systems from public networks, and following updates from Hitachi Energy PSIRT.

UAT-10608: Large-scale automated credential harvesting

🔍 Cisco Talos details a widespread automated credential-harvesting campaign by cluster UAT-10608 that exploited a pre-authentication RCE in React Server Components impacting Next.js applications. Post-exploit scripts collected environment secrets, SSH keys, cloud tokens and container data, exfiltrating results to a web-based C2 called NEXUS Listener. Talos observed at least 766 compromised hosts and over 10,000 files harvested within 24 hours, and found exposed frontends that revealed aggregated victim data.

14,000+ F5 BIG-IP APM Instances Exposed to RCE Attacks

⚠️ Shadowserver reports over 14,000 Internet-exposed BIG-IP APM instances remain vulnerable to CVE-2025-53521 after the flaw was reclassified from DoS to remote code execution. F5 confirmed the reclassification and warned that attackers are exploiting unpatched systems with access policies on virtual servers. F5 and CISA have published IOCs and mitigation guidance, and F5 recommends rebuilding compromised devices from known-good sources.

GIGABYTE Control Center has critical file-write flaw

⚠️ The GIGABYTE Control Center contains a critical arbitrary file-write vulnerability (CVE-2026-4415) affecting versions 25.07.21.01 and earlier when the pairing feature is enabled. Taiwan's CERT warns unauthenticated remote attackers could write files anywhere on the underlying OS, enabling arbitrary code execution, privilege escalation, or denial-of-service. GIGABYTE released version 25.12.10.01 with fixes for download path management, message processing, and command encryption and strongly advises immediate upgrade; users should obtain installers only from the vendor portal to avoid trojanized packages.

Claude-assisted discovery: Vim and Emacs file-open RCE

🛡️ Researcher Hung Nguyen used the Claude assistant to locate remote code execution flaws in Vim and GNU Emacs that can trigger simply by opening a crafted file. Claude produced multiple refined proof-of-concept exploits and suggested mitigations. Vim was patched in Vim 9.2.0272, while the Emacs issue remains unpatched because maintainers attribute the root cause to Git's core.fsmonitor behavior; users should avoid opening untrusted files.

Critical RCE in F5 BIG-IP APM Originally Labeled DoS

⚠️ A five-month-old F5 BIG-IP APM flaw, initially classified as a denial of service, is now confirmed as a pre-authentication remote code execution vulnerability (CVE-2025-53521) being exploited in the wild. F5 updated its advisory, raised the CVSS to 9.8, and CISA added the issue to its KEV catalog after reports of active exploitation and observed root-level malware persistence. Affected versions include 15.1.x, 16.1.x, 17.1.x and 17.5.x; F5 has released fixes, IOCs, and hardening guidance, but organizations should patch immediately and perform compromise assessments rather than rely solely on backups.

OpenAI patches Codex and ChatGPT leaks, fixes two bugs

🔒 Researchers disclosed two vulnerabilities in OpenAI’s AI stack affecting Codex and ChatGPT. BeyondTrust found a command injection flaw in Codex that let a malicious GitHub branch name execute code inside task containers and expose short-lived GitHub tokens. Check Point Research discovered a hidden outbound channel in ChatGPT’s code execution runtime that could silently transmit chats, uploads, or outputs to an external server. OpenAI patched both issues before public disclosure and researchers warn that autonomous code execution increases long-term risk.

PX4 MAVLink Missing Authentication Allows Remote Shell

⚠️ A critical authentication flaw (CVE-2026-1579) in the MAVLink protocol used by PX4 Autopilot can allow unauthenticated actors with MAVLink access to execute arbitrary shell commands via the SERIAL_CONTROL message. The issue affects PX4 Autopilot v1.16.0_SITL_latest_stable. PX4 recommends enabling MAVLink 2.0 message signing for all non-USB links and following the vendor's security hardening guidance to reduce exposure.

NCSC Urges Immediate Patching of Critical F5 BIG-IP Flaw

⚠️ The UK’s NCSC is urging organisations to immediately patch a critical vulnerability in F5 BIG-IP Access Policy Manager (APM) tracked as CVE-2025-53521, which is under active exploitation and can enable remote code execution when an APM access policy is configured on a virtual server. F5 has reclassified the issue from a denial of service to RCE with a revised CVSS of 9.8 after new information, and CISA has added it to its KEV catalog with a mandated federal patch deadline. Customers should follow F5’s incident-handling and forensic guidance, isolate or rebuild affected systems, and report suspected compromises to the NCSC.