// #rce
51 articles — page 1 of 3
Langflow CVE-2026-5027 Exploitation Accelerates: AI Workflow Builder's Path Traversal RCE Under Active Attack
Exploitation of CVE-2026-5027 in Langflow, the AI workflow builder, has intensified following public PoC release. The path traversal remote code execution vulnerability, added to CISA's KEV on 8 June, is being used to deploy credential stealers and post-exploitation agents against organisations running unsecured Langflow instances. Upgrade to Langflow 1.3.5 immediately.
Veeam Backup & Replication CVE-2026-44963 (CVSS 9.4): Domain Users Can Execute Remote Code on Backup Infrastructure
Veeam has patched CVE-2026-44963, a CVSS 9.4 remote code execution vulnerability in Veeam Backup & Replication that allows any domain user to execute arbitrary code on the Veeam backup server. The vulnerability exploits insufficient authorisation in the Veeam Backup Service API. Organisations using Veeam in Active Directory environments should apply the patch immediately.
Three CVSS 9.8 Windows Flaws Demand Emergency Action: Kernel RCE, Wormable HTTP.sys, and DHCP Client
CVE-2026-45657 (Windows Kernel), CVE-2026-47291 (HTTP.sys), and CVE-2026-44815 (DHCP Client) each carry CVSS 9.8 and enable unauthenticated remote code execution. All three were publicly disclosed before Microsoft's June patch, giving attackers a head start. This article provides technical detail and remediation guidance for each flaw.
Windows Kerberos KDC Remote Code Execution CVE-2026-47288 Puts Domain Controllers at Critical Risk
CVE-2026-47288 is a critical remote code execution vulnerability in the Windows Kerberos Key Distribution Centre that allows network-adjacent unauthenticated attackers to execute arbitrary code on Active Directory domain controllers. All supported Windows Server versions are affected. Domain controllers should be treated as the highest-priority patch target in the June 2026 update cycle.
CVE-2026-45247: CISA Adds Mirasvit Magento Cache Warmer RCE to KEV — Unauthenticated PHP Deserialization Exploited in Wild
CISA added CVE-2026-45247 to the Known Exploited Vulnerabilities catalogue on 3 June, confirming active exploitation of a CVSS 9.8 PHP deserialization vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2. Attackers exploit a malicious serialised cookie value to execute arbitrary code without authentication. The patch has been available since 25 May; organisations running Mirasvit FPC Warmer must update immediately.
Windows Netlogon CVE-2026-41089 (CVSS 9.8): Unauthenticated Domain Controller RCE Now Actively Exploited
Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation of CVE-2026-41089 on 29 May — a stack-based buffer overflow in the Windows Netlogon Remote Protocol (MS-NRPC) that allows unauthenticated remote code execution on domain controllers. CVSS 9.8. A public PoC is available. Patch domain controllers as an emergency priority.
SketchUp CVE-2026-9264: Malicious SKP File Delivers RCE via Embedded IE11 Browser — CVSS 9.3
Trimble disclosed CVE-2026-9264, a CVSS 9.3 remote code execution vulnerability in SketchUp 2026, on 22 May. An attacker who convinces a user to open a crafted .skp file can achieve code execution and local file exfiltration via XSS in SketchUp's Dynamic Components feature, which renders HTML content using an embedded IE11 browser with full local file system access.
ChromaDB CVSS 10.0 Pre-Auth RCE CVE-2026-45829: AI Vector Database Compromise via HuggingFace Model Injection
HiddenLayer and the Cloud Security Alliance published disclosures of CVE-2026-45829, a CVSS 10.0 unauthenticated remote code execution vulnerability in ChromaDB's Python FastAPI server, on 18–20 May 2026. Attackers can inject malicious code via a crafted HuggingFace-hosted model before the authentication gate fires. Approximately 73% of ChromaDB deployments are internet-exposed. No patch exists for affected versions.
Pwn2Own Demonstrates Second Distinct SharePoint RCE Chain — Five Days After Patch Tuesday Fixed CVE-2026-40365
Researchers at Pwn2Own Berlin 2026 demonstrated a multi-bug SharePoint Server remote code execution chain that is entirely distinct from CVE-2026-40365, the SharePoint RCE patched in the 12 May Patch Tuesday. The new chain, targeting SharePoint's server-side processing pipeline, has no patch and will not receive one for up to 90 days.
Pwn2Own Berlin 2026 Day 2: DEVCORE Chains Three Bugs for Exchange SYSTEM RCE — 15 Zero-Days and $385K Awarded
The second day of Pwn2Own Berlin saw DEVCORE's Orange Tsai chain three previously unknown vulnerabilities to achieve SYSTEM-level remote code execution on fully patched Microsoft Exchange Server, earning $200,000. Day 2 also featured Red Hat Enterprise Linux LPE, additional Windows 11 privilege escalation, and LM Studio AI exploitation across 15 unique zero-days.
NGINX 18-Year-Old Heap Buffer Overflow CVE-2026-42945 — CVSS 9.2 Flaw Affects All Versions Since 0.6.27 Including Modern API Gateways
A heap buffer overflow in NGINX's chunked transfer encoding handler, present since version 0.6.27 released in 2008, has been assigned CVE-2026-42945 with a CVSS score of 9.2. The vulnerability affects all NGINX versions through the latest release and has potential for both denial-of-service and remote code execution. Patches are available and the broad deployment of NGINX as a web server, reverse proxy, and API gateway makes this a wide-impact event.
Critical Exim MTA Remote Code Execution CVE-2026-45185 — Use-After-Free in GnuTLS Shutdown Affects Millions of Linux Email Servers
A critical use-after-free vulnerability (CVE-2026-45185) in Exim's GnuTLS TLS session shutdown handler enables unauthenticated remote code execution on any Exim installation compiled with GnuTLS support. Exim is the default MTA on Debian, Ubuntu, and many Linux distributions, putting tens of millions of internet-facing mail servers at risk. Patches are available and should be applied immediately.
Microsoft May 2026 Patch Tuesday Fixes 120 Vulnerabilities — No Zero-Days but Wormable RCEs Demand Immediate Action
Microsoft released 120 security fixes in May's Patch Tuesday update, including 17 Critical-rated vulnerabilities and no actively exploited zero-days. Among the most significant are a network-based Windows DNS Client RCE and an authenticated SharePoint Server RCE. Security teams should prioritise network-facing systems within 48 hours.
SAP May 2026 Security Patch Day: Critical SQL Injection in S/4HANA and Unauthenticated RCE in Commerce Cloud
SAP's May 2026 Security Patch Day addresses 14 vulnerabilities including two Critical-rated flaws: a SQL injection in S/4HANA Enterprise Search (CVE-2026-34260, CVSS 9.6) and an unauthenticated remote code execution in Commerce Cloud's Spring Security configuration (CVE-2026-34263, CVSS 9.6). Organisations running SAP ERP or e-commerce infrastructure should patch immediately.
SharePoint Server RCE and Office Preview Pane Vulnerabilities Fixed in May Patch Tuesday — Enterprise Document Attack Surface Elevated
May's Patch Tuesday patches an authenticated RCE in SharePoint Server (CVE-2026-40365) and multiple Office vulnerabilities exploitable via the Windows Explorer and Outlook preview pane without opening files. Together they represent a significant enterprise document attack surface. Assess SharePoint exposure and validate Office update deployment this week.
Windows DNS Client RCE CVE-2026-41096: Attacker-Controlled DNS Servers Can Trigger Memory Corruption on All Windows Versions
CVE-2026-41096 in the Windows DNS Client allows an attacker controlling a DNS server to send a crafted response that triggers memory corruption on any Windows system performing standard DNS resolution. No user interaction or authentication is required, and the flaw affects all supported Windows versions. Patch network-facing systems within 24 hours.
Eclipse BaSyx ICS Platform: CVE-2026-7411 CVSS 10.0 Path Traversal RCE Threatens Industrial Asset Administration
Two critical vulnerabilities in Eclipse BaSyx V2 — the open-source Industrial Internet of Things Asset Administration Shell implementation used in Industry 4.0 infrastructure — allow an unauthenticated attacker to achieve remote code execution and bypass network segmentation. CVE-2026-7411 (CVSS 10.0) enables arbitrary file write on the BaSyx server; CVE-2026-7412 (CVSS 8.6) enables blind SSRF that can bypass OT network isolation. Patches are available in BaSyx V2 milestone-10.
Ivanti EPMM CVE-2026-6973 — Remote Code Execution Added to CISA KEV, Patch Required
Ivanti has disclosed CVE-2026-6973, a remote code execution vulnerability in Endpoint Manager Mobile (EPMM, formerly MobileIron) that has been added to the CISA Known Exploited Vulnerabilities catalogue following confirmed limited exploitation. EPMM is a mobile device management platform used by government agencies and enterprises. Organisations should apply the available patch and audit administrator account activity. EPMM has a prior history of critical exploitation including the 2023 Norwegian government attack.
OpenEMR: Three Critical Vulnerabilities Expose Patient Records Across 100,000 Healthcare Providers
Aisle security researchers have disclosed 38 vulnerabilities in OpenEMR — the world's most widely deployed open-source electronic medical records and practice management system, used by over 100,000 healthcare providers globally. Three of the vulnerabilities are critical, allowing unauthenticated remote code execution and patient record exfiltration. OpenEMR 7.0.2 patch 2 addresses all reported issues; unpatched instances are a direct patient data and regulatory liability.
ProFTPD CVE-2026-42167 — Authentication Bypass Leading to Remote Code Execution
A vulnerability in ProFTPD — one of the most widely deployed open-source FTP server implementations — allows a remote unauthenticated attacker to bypass authentication controls and achieve code execution on the server. CVE-2026-42167 affects ProFTPD versions prior to 1.3.9a. FTP servers are frequently forgotten in patch management programmes; administrators should verify ProFTPD version and apply the update.
PAN-OS CVE-2026-0300 — Unauthenticated RCE Zero-Day Actively Exploited in Firewall Espionage Attacks
A critical unauthenticated remote code execution vulnerability in Palo Alto Networks PAN-OS has been under active exploitation since at least early April 2026, linked to espionage-motivated threat actors targeting government and critical infrastructure networks. CVE-2026-0300 affects the User-ID authentication portal on VM-Series and hardware firewalls; CISA added it to the KEV catalogue on 6 May 2026. Patches are available — apply immediately.
GitHub Enterprise Server CVE-2026-3854 — Critical RCE via Single Git Push, No Authentication Required
CVE-2026-3854, a critical-severity remote code execution vulnerability in GitHub Enterprise Server, allows an attacker to execute arbitrary code on the server with a single specially crafted Git push, requiring no authentication. Any internet-exposed or internally-accessible GHES instance is vulnerable. GitHub has released hotfixes across all supported branches; apply immediately.
Wazuh SIEM/XDR Platform CVE-2026-30893 — CVSS 9.0 Remote Code Execution in Enterprise SOC Infrastructure
CVE-2026-30893, rated CVSS 9.0, is a remote code execution vulnerability in the Wazuh open-source security platform affecting versions 4.x and later. Wazuh is widely deployed as a SIEM, XDR, and compliance platform in enterprise SOC environments. Compromising the Wazuh manager means compromising your security monitoring backbone — patch to 4.11.2 immediately.
Hugging Face LeRobot CVE-2026-25874 — Critical Unpatched RCE via Pickle Deserialization in Unauthenticated gRPC Endpoint
A critical unpatched remote code execution vulnerability in Hugging Face's LeRobot robotics AI framework allows unauthenticated attackers to execute arbitrary code on any server running the gRPC control interface. CVE-2026-25874, rated CVSS 9.3, affects the project's dataset loading and remote control pipeline via Python pickle deserialization. No patch is available; mitigations focus on network isolation.