< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 9 of 35

April Patch Tuesday: Windows, SharePoint, SAP Fixes

🔒 Microsoft’s April Patch Tuesday addresses 167 vulnerabilities, including an actively exploited SharePoint Server zero-day and a critical Windows IKE remote code execution bug. Administrators should prioritize CVE-2026-32201 in SharePoint and the 9.8-rated CVE-2026-33824 in the Windows IKE service. Temporary mitigations—blocking UDP ports 500/4500 or restricting traffic to known peers—reduce risk but do not replace patching. Teams must also apply critical SAP fixes and validate Microsoft Defender and Active Directory protections.
read more →

Microsoft April 2026 Patch Tuesday: 165 Vulnerabilities

🔒 Microsoft released its April 2026 Patch Tuesday addressing 165 vulnerabilities across Windows, Office, .NET and server components, including eight rated critical. Critical issues include a .NET DoS (CVE-2026-23666), Remote Desktop and Office use-after-free flaws that can lead to code execution (CVE-2026-32157, CVE-2026-32190), multiple Word local code-execution bugs (CVE-2026-33114, CVE-2026-33115), and an IKEv2 double-free enabling remote code execution (CVE-2026-33824). Talos notes SharePoint vulnerability CVE-2026-32201 is being exploited in the wild and has released Snort rules; administrators should prioritize exposed services and apply mitigations such as blocking UDP 500/4500 if IKE is unused.
read more →

Microsoft April 2026 Patch Tuesday: 167 Flaws, 2 Zero-Days

🔒 Microsoft released its April 2026 Patch Tuesday addressing 167 vulnerabilities, including two zero-days and eight Critical flaws. The updates patch an actively exploited SharePoint Server spoofing bug (CVE-2026-32201) and a publicly disclosed Microsoft Defender elevation-of-privilege flaw (CVE-2026-33825) that can grant SYSTEM privileges. Multiple Microsoft Office RCEs exploitable via preview panes or malicious documents were fixed; administrators should prioritize installing these patches immediately.
read more →

Composer Perforce VCS Flaws Enable Command Execution

⚠️ Two high-severity vulnerabilities in Composer's Perforce VCS driver (CVE-2026-40176, CVSS 7.8; CVE-2026-40261, CVSS 8.8) can enable arbitrary command injection when processing a malicious repository configuration or a crafted source reference. The issues affect releases prior to 2.9.6 and 2.2.27 and are fixed in those versions; users should upgrade immediately. If you cannot patch, inspect composer.json files for Perforce fields, restrict repositories to trusted sources, and avoid dist-preferred installs. Composer reported no evidence of public exploitation and disabled Perforce metadata publishing on Packagist.org as a precaution.
read more →

ShowDoc RCE CVE-2025-0520 Exploited on Unpatched Servers

⚠️ A critical remote code execution vulnerability, tracked as CVE-2025-0520 (aka CNVD-2020-26585), is being actively exploited against unpatched instances of ShowDoc. The flaw is an unrestricted, unauthenticated file upload caused by improper file-extension validation, allowing attackers to deploy PHP web shells and execute arbitrary code. The bug was fixed in ShowDoc 2.8.7 (October 2020) and the project now ships as version 3.8.1, but researchers observed an exploit dropping a web shell on a U.S.-based honeypot and note more than 2,000 internet-facing instances, most located in China. Administrators should upgrade immediately and scan for signs of compromise.
read more →

April 2026 Patch Tuesday: Two Zero-Days, Eight Critical

⚠️ Microsoft’s April 2026 Patch Tuesday addresses 164 CVEs, including two zero-days and eight Critical vulnerabilities. The release focuses heavily on elevation-of-privilege flaws (57% of patches) and updates for Windows, Office and developer tools. Notable fixes include an exploited SharePoint spoofing zero-day (CVE-2026-32201), a disclosed Defender elevation-of-privilege issue (CVE-2026-33825), and several high‑risk RCEs; deploy patches promptly and apply recommended mitigations.
read more →

Adobe issues emergency patch for Acrobat/Reader zero-day

🔒 Adobe released an emergency security update to fix a zero-day tracked as CVE-2026-34621, which has been exploited since at least December to bypass Acrobat/Reader sandbox protections. The flaw lets malicious PDFs invoke privileged JavaScript APIs (for example util.readFileIntoStream() and RSS.addFeed()) to read local files and exfiltrate data with no user interaction beyond opening the file. Affected versions of Acrobat DC, Acrobat Reader DC and Acrobat 2024 have fixes available; Adobe urges users to update via Help > Check for Updates or by downloading the installer.
read more →

Critical Pre-Auth RCE in Marimo Exploited Quickly in the Wild

⚠️ A critical pre-authentication remote code execution vulnerability in Marimo (tracked as CVE-2026-39987) allows unauthenticated attackers to obtain a full interactive shell by connecting to the exposed /terminal/ws endpoint. The flaw affects all Marimo versions before 0.23.0 and was exploited in the wild within 9 hours and 41 minutes of disclosure. Sysdig observed an attacker steal cloud credentials in under three minutes. Update to 0.23.0 or block public access and rotate any exposed keys.
read more →

Critical Marimo Pre-Auth RCE Now Under Active Exploitation

⚠️ A critical pre-auth remote code execution (RCE) in Marimo (CVE-2026-39987) permits unauthenticated access to an interactive shell via the /terminal/ws WebSocket endpoint in versions 0.20.4 and earlier. Sysdig observed exploitation beginning within 10 hours of the public disclosure, with attackers quickly harvesting .env files, cloud credentials and SSH keys. Marimo released v0.23.0 to patch the issue; users should upgrade immediately, restrict external access, monitor WebSocket connections, and rotate any exposed secrets.
read more →

Marimo RCE Exploited Within Hours; Patch Released Urgent

⚠️ A critical pre-auth remote code execution flaw, CVE-2026-39987, in Marimo allowed unauthenticated attackers to obtain a full PTY shell via the /terminal/ws WebSocket endpoint. The issue affected all versions up to and including 0.20.4 and was addressed in Marimo 0.23.0. Security researchers at Sysdig observed exploitation within 9 hours and 41 minutes of public disclosure, with rapid credential-theft activity on a honeypot. Operators were able to explore the file system and access .env and SSH key files without requiring proof-of-concept code.
read more →

Backdoored Smart Slider 3 Pro Update Distributes Backdoor

🔒 A compromised update for Smart Slider 3 Pro (v3.5.1.35) was delivered through the plugin’s official update channel on April 7, 2026, and remained accessible for roughly six hours before detection. Security firm Patchstack and maintainer Nextend confirmed unauthorized access to Nextend’s update infrastructure and a fully attacker-authored build was distributed. The trojanized update installs a multi-stage backdoor that provides pre-authenticated RCE, hidden administrative accounts, multi-location persistence, and automatic data exfiltration to a command-and-control domain; operators should update to v3.5.1.36 and audit affected sites. The free Smart Slider edition is not impacted.
read more →

13-Year-Old Remote Code Execution in ActiveMQ Classic

⚠️ Researchers disclosed a critical remote code execution flaw in Apache ActiveMQ Classic that remained undetected for 13 years and can allow arbitrary system command execution. Tracked as CVE-2026-34197 with a CVSS score of 8.8, the bug affects Classic releases before 5.19.4 and 6.0.0 through 6.2.3; fixes were released in 5.19.4 and 6.2.3. Administrators should apply the updates, review Jolokia access controls, and inspect broker logs for indicators of compromise.
read more →

Critical File Upload Flaw in Ninja Forms (WordPress)

⚠ A critical arbitrary file upload vulnerability has been identified in the Ninja Forms – File Upload Plugin for WordPress, impacting versions up to 3.3.26 and rated CVSS 9.8. The flaw allows unauthenticated attackers to upload malicious files (including .php), bypass validation, and achieve remote code execution. Wordfence validated the report after it was disclosed on January 8, 2026, and the developer issued a complete patch in version 3.3.27 on March 19; administrators should update immediately.
read more →

Critical Flowise flaw enables JavaScript injection in AI

🚨 A critical design oversight in Flowise, a low-code platform for building LLM flows, allows arbitrary JavaScript to be injected via its Custom MCP node. The vulnerability (CVE-2025-59528) results from unsafe parsing in convertToValidJSONString, which feeds user input to the Function() constructor and executes with full Node.js privileges. A patch shipped in v3.0.6 and the latest public release is v3.1.1, but thousands of internet-exposed instances remain at risk as attackers have begun exploiting unpatched deployments.
read more →

Claude-assisted discovery of long-hidden ActiveMQ RCE

🔎 Horizon3.ai researchers used Anthropic's Claude to help uncover a remote code execution vulnerability, CVE-2026-34197, in Apache ActiveMQ Classic that reportedly persisted for about 13 years. The flaw allows an attacker to invoke Jolokia management operations to fetch a remote configuration file and execute arbitrary OS commands; default admin:admin credentials or prior exposure via CVE-2024-32114 can make exploitation trivial. Patches are available in versions 5.19.4 and 6.2.3, and administrators are advised to update, remove default credentials, and inspect broker logs for signs of compromise.
read more →

Critical RCE Flaw in Ninja Forms File Uploads Plugin

⚠️ A critical vulnerability in the Ninja Forms File Uploads premium add-on (identified as CVE-2026-0740) allows unauthenticated attackers to upload arbitrary files, including PHP, enabling remote code execution. Wordfence reports active exploitation and has blocked thousands of attempts. The flaw affects versions up to 3.3.26; the vendor issued a full fix in 3.3.27 on March 19. Users of the File Upload extension should upgrade immediately and apply available mitigations.
read more →

Max-severity Flowise RCE (CVE-2025-59528) Now Exploited

🚨 Security researchers report active exploitation of Flowise via CVE-2025-59528, a CVSS-10 arbitrary JavaScript injection that can lead to remote command execution and filesystem access. The flaw stems from the CustomMCP node unsafely evaluating user-supplied mcpServerConfig, allowing execution of supplied scripts. The developer fixed the issue in Flowise 3.0.6; users should upgrade to 3.1.1 or at minimum 3.0.6 and restrict public exposure.
read more →

Over 1,000 Exposed ComfyUI Instances Targeted — Miner Botnet

🛡️ An active campaign is exploiting internet-exposed ComfyUI instances to recruit them into a cryptomining and proxy botnet. Censys researchers found attacker tooling that scans cloud IP ranges, abuses unsafe custom nodes for unauthenticated remote code execution, and installs miners (XMRig, lolMiner) and a Hysteria V2 proxy. The payloads persist via periodic retrieval of a ghost.sh script and use techniques such as LD_PRELOAD and chattr +i to resist removal, while a Flask-based C2 panel provides centralized control. Defenders are advised not to expose ComfyUI publicly, to require authentication, and to remove or audit any nodes that execute raw Python.
read more →

Active Exploitation of Critical Flowise RCE (CVE-2025-59528)

🔴 New findings show threat actors are actively exploiting a maximum-severity code injection flaw in Flowise (CVE-2025-59528) that can lead to remote code execution. The issue stems from the CustomMCP node executing user-supplied JavaScript in the mcpServerConfig string, granting access to sensitive Node.js modules and full runtime privileges. Flowise released a fix in the npm package v3.0.6; affected deployments should upgrade immediately. VulnCheck reports exploitation activity originating from a single Starlink IP and warns of 12,000+ internet-exposed instances.
read more →

Google patches fourth Chrome zero-day this year in 2026

🛡️ Google has patched a fourth zero-day in Chrome this year, addressing CVE-2026-5281 in Dawn, the browser's WebGPU implementation, which allowed remote code execution via a crafted HTML page when the renderer process was compromised. The company confirmed an exploit exists in the wild and urges users to update to Chrome 146.0.7680.178 or newer. This fix follows earlier 2026 patches for CSS memory handling, the Skia graphics library, and the V8 JavaScript engine.
read more →