#rce
28 articles
Technology and government sectors bore the brunt of a wave of remote code execution attacks between April 12 and May 21, 2026. ZCyberNews tracked 33 articles, with 21 rated critical and 11 high. The threat actor PhantomCore was observed exploiting critical vulnerabilities including CVE-2026-20223 (CVSS 10), CVE-2025-54987, CVE-2026-22679, CVE-2026-31251, and CVE-2026-45033. Affected regions spanned Asia, China, Global, and Russia, with impacts also recorded in manufacturing, research, and software development sectors.
CRITICALCVE-2026-20223 (CVSS 10): Unauthenticated API Access in Cisco Secure
CVE-2026-20223 (CVSS 10.0): Unauthenticated attackers can access internal REST APIs in Cisco Secure Workload with Site Admin privileges. No authentication required.
CRITICALCVE-2026-2586: Authenticated RCE in GlassFish Admin Console
CVE-2026-2586 (CVSS 9.1) lets authenticated users execute arbitrary OS commands via crafted requests to GlassFish's Administration Console. No patch available as of May 20.
CRITICALCVE-2026-4883: Piotnet Forms Plugin RCE via Phar Upload
CVE-2026-4883 (CVSS 9.8) in Piotnet Forms ≤2.1.40 lets unauthenticated attackers upload .phar or .phtml files via an incomplete extension blacklist, enabling remote code execution.
CRITICALCVE-2026-7301: SGLang Scheduler RCE via Pickle Deserialization
CVE-2026-7301 (CVSS 9.8) lets attackers execute arbitrary code on SGLang servers by sending malicious pickle payloads to the scheduler's ROUTER socket, which binds to 0.0.0.0 by...
CRITICALGitHub Copilot CLI Flaw CVE-2026-45033 Enables RCE via Malicious Repos
CVE-2026-45033 (CVSS 9.8) in GitHub Copilot CLI before 1.0.43 lets attackers achieve remote code execution by embedding a malicious bare git repository in a project directory.
HIGHLibsixel Heap Overflow CVE-2026-44636 Lets Attackers Trigger RCE
CVE-2026-44636 (CVSS 7.8): A signed integer overflow in libsixel 1.8.7-r1 and earlier lets attackers trigger a heap buffer overflow via crafted SIXEL images, enabling potential...
CRITICALCosyVoice gRPC Server Insecure Deserialization Flaw CVE-2026-31251
CVE-2026-31251: CosyVoice gRPC server deserializes untrusted models via torch.load() without weights_only=True, enabling RCE via crafted .pt files. No patch confirmed.
CRITICALAngular Expressions Sandbox Escape CVE-2026-44643 Allows RCE
CVE-2026-44643 in Angular Expressions <1.5.2 lets attackers escape the sandbox via malicious filter expressions to execute arbitrary code on the system.
HIGHCyberPanel 2.1 Flaw Lets Authenticated Attackers Execute Remote Code
CVE-2021-47949 (CVSS 8.8) in CyberPanel 2.1 lets authenticated attackers read arbitrary files and execute code via symlink attacks through the filemanager controller endpoint.
MEDIUMCVE-2023-47268: PrusaSlicer 3MF Files Can Execute Arbitrary Code
CVE-2023-47268 (CVSS 5.3): A crafted 3mf project file in PrusaSlicer through 2.6.1 executes arbitrary code when sliced — no user interaction beyond opening the file.
CRITICALLibreNMS Pre-24.10.0 RCE via OS Command Injection (CVE-2024-51092)
CVE-2024-51092 (CVSS 9.1): LibreNMS before 24.10.0 allows unauthenticated remote attackers to execute arbitrary OS commands via AboutController.php, SettingsController.php, and...
HIGHPraisonAI Flaw Lets Agents Execute Arbitrary Python Tools
CVE-2026-44339 (CVSS 8.6) in PraisonAI multi-agent framework lets agents resolve undeclared tool names against module globals, enabling arbitrary Python execution.
CRITICALWeaver E-cology Zero-Day CVE-2026-22679 Exploited Since March
CVE-2026-22679 (CVSS 9.8) in Weaver E-cology OA has been exploited in the wild since mid-March 2026. Attackers run discovery commands post-exploit. No patch available.
HIGHFoxit PDF Reader CVE-2026-5943 Use-After-Free RCE Exploited via
CVE-2026-5943: A use-after-free in Foxit PDF Reader's AcroForm annotation handling allows unauthenticated RCE (CVSS 7.8). Requires user to open a malicious PDF.
CRITICALPhantomCore Exploits TrueConf Zero-Days in Russian Network Attacks
Pro-Ukrainian hacktivist group PhantomCore has been exploiting three TrueConf vulnerabilities since September 2025 to execute remote commands on Russian servers, Positive…
HIGHDelta ASDA-Soft PAR Buffer Overflow Hits 7.8 CVSS
CVE-2026-5726: A stack-based buffer overflow in Delta Electronics ASDA-Soft PAR file parsing scores 7.8 CVSS and enables remote code execution via crafted PAR files.
CRITICALCritical Code Execution Flaw Patched in NI LabVIEW
A critical vulnerability (CVE-2026-32861) in NI LabVIEW allows remote attackers to execute arbitrary code by tricking a user into opening a malicious LVCLASS file, with a CVSS score of 7.8.
HIGHGIMP HDR File Parsing Vulnerability Enables Remote Code Execution
A heap-based buffer overflow vulnerability (CVE-2026-2050) in the GNU Image Manipulation Program (GIMP) allows remote attackers to execute arbitrary code when a user opens a malicious HDR image file.
HIGHGStreamer qtdemux Flaw Enables Remote Code Execution
A stack-based buffer overflow vulnerability (CVE-2026-5056) in the GStreamer multimedia framework's qtdemux component allows remote attackers to execute arbitrary code, posing a risk to numerous media-processing applications.
HIGHHP DeskJet 2855e Printer Vulnerable to Remote Code Execution
A stack-based buffer overflow vulnerability (CVE-2026-4682) in the HP DeskJet 2855e printer allows network-adjacent attackers to execute arbitrary code without authentication, earning a CVSS score of 8.8.
HIGHMicrosoft Windows Snipping Tool Vulnerability Enables Remote Code Execution
A vulnerability (CVE-2026-32183) in the Microsoft Windows Snipping Tool allows remote attackers to execute arbitrary code via a malicious file or webpage, requiring only user interaction to trigger the exploit.
CRITICALQNAP TS-453E QVRPro Exposed Method Enables Remote Code Execution
A critical vulnerability (CVE-2026-22898) in QNAP TS-453E QVRPro allows network-adjacent attackers to execute arbitrary code without authentication, receiving a CVSS score of 8.8 from the Zero Day Initiative.
CRITICALTrend Micro Apex One Console Vulnerable to Unauthenticated RCE
CVE-2025-54987, a critical 9.8 CVSS flaw in Trend Micro Apex One, allows unauthenticated attackers to execute arbitrary code via directory traversal in the management console.
CRITICALCritical Nginx UI Vulnerability Actively Exploited for Remote Server Takeover
Attackers are actively exploiting CVE-2026-33032, a critical flaw in the Nginx UI management tool, to execute arbitrary code and gain full control of affected web servers.
CRITICALShowDoc RCE Vulnerability CVE-2025-0520 Under Active Exploitation
Attackers are actively exploiting CVE-2025-0520, a critical RCE flaw in ShowDoc, to compromise unpatched servers via unrestricted file upload. The vulnerability has a CVSS score of 9.4.
CRITICALCritical Marimo RCE Flaw Exploited Within Hours of Disclosure
A critical pre-authentication remote code execution vulnerability (CVE-2026-39987) in the Marimo Python notebook was exploited in the wild within 10 hours of public disclosure, posing a severe risk to data science environments.
HIGHOrthanc DICOM CVE-2023-26012: Pre-Auth RCE on Imaging Servers
Three flaws in Orthanc DICOM server let unauthenticated attackers crash, read, or take over hospital imaging systems. Affected versions and patch details inside.
CRITICALJuniper Patches Critical RCE Flaw in Junos OS, Dozens of Other Vulnerabilities
Juniper Networks has released patches for a critical, pre-authentication remote code execution vulnerability in Junos OS, alongside dozens of other security fixes.
Stay Updated
Get the latest cybersecurity news delivered to your inbox.