remote code execution
-
Critical Gogs flaw can let authenticated users run code on servers
A critical, unpatched flaw in Gogs can let authenticated users run arbitrary code on affected servers under certain conditions, with Rapid7 rating the issue 9.4 on the CVSS scale and reporting no CVE yet.
-
Microsoft patches SharePoint flaw that could let authenticated attackers run code
Microsoft has patched a SharePoint remote code execution flaw tracked as CVE-2026-45659, saying an authenticated attacker with Site Member access could exploit it. The update covers several SharePoint Server versions.
-
Researchers disclose critical SEPPmail gateway flaws that could allow remote code execution
Researchers disclosed seven critical flaws in SEPPmail Secure E-Mail Gateway that could allow remote code execution and reading of arbitrary mail. SEPPmail has issued fixes across recent versions, including patches for multiple CVEs rated above 9.0.
-
NGINX flaw left hidden for 18 years could allow remote code execution
A critical NGINX rewrite module flaw hidden for 18 years can let a remote attacker trigger code execution or denial of service with crafted requests, according to a technical analysis and vendor advisory.
-
Critical Exim flaw can let remote attackers run code on affected servers
A critical Exim flaw fixed in version 4.99.3 could let unauthenticated attackers execute code on affected mail servers. The bug affects some GnuTLS-based builds before 4.99.3 and is triggered during TLS shutdown with chunked SMTP traffic.
-
Ivanti says EPMM flaw exploited in limited attacks, CISA adds it to watchlist
Ivanti said a high-severity flaw in its Endpoint Manager Mobile software has been used in limited attacks and can allow remote code execution on affected on-premises systems. CISA added the issue to its exploited vulnerability catalog.
-
vm2 library hit by a dozen critical Node.js sandbox escape flaws
A dozen critical vm2 vulnerabilities disclosed on May 7, 2026 can let attackers escape Node.js sandboxes, run code on the host and bypass allowlists. Fixes are available in vm2 3.11.2 and earlier patch releases.
-
Apache fixes critical HTTP/2 flaw that could enable remote code execution
Apache has patched CVE-2026-23918 in HTTP Server 2.4.67, a critical HTTP/2 double free that can cause denial-of-service and, in some setups, remote code execution.
-
MetInfo CMS flaw under active exploitation after April patch
Threat actors are exploiting a critical MetInfo CMS flaw, CVE-2026-29014, that can enable remote code execution. VulnCheck said activity began on April 25 and intensified on May 1, after MetInfo released patches on April 7.
-
Weaver E-cology flaw exploited in attacks since March
Hackers have exploited a critical Weaver E-cology vulnerability since mid-March to run discovery commands. The flaw affects E-cology 10.0 builds before March 12, and the vendor says upgrading is the only fix.








