Last updated: July 5, 2026 at 9:01 AM UTC
Tag: rce (62 articles)

Critical Everest Forms WordPress plugin flaw exploited to create rogue admins

Wordfence reports active exploitation of CVE-2026-3300 (CVSS 9.8), a remote code execution flaw in the Everest Forms Pro WordPress plugin (about 4,000 active installations) affecting all versions up to 1.9.12. The Calculation Addon's process_filter() function concatenates user-submitted form-field values into a PHP string and passes it to eval() without proper escaping; sanitize_text_field() does not escape single quotes, so unauthenticated attackers can inject and run arbitrary PHP by submitting a crafted value in any string-type field when a form uses the Complex Calculation feature. Exploitation began April 13; Wordfence has blocked 29,300+ attempts. The common payload creates a rogue admin named 'diksimarina.' Patch 1.9.13 shipped March 18.

Check
Inventory WordPress sites for Everest Forms Pro and confirm version 1.9.13 or later. Audit for a rogue admin named 'diksimarina' and review forms using the Complex Calculation feature.
Affected
Everest Forms Pro versions up to 1.9.12 using the Complex Calculation feature. Unauthenticated attackers inject PHP via any string-type field into an unescaped eval(). Exploited since April 13.
Fix
Upgrade Everest Forms Pro to 1.9.13 immediately. Remove rogue admins (e.g. 'diksimarina'), rotate admin credentials, and audit for web shells. Block the published attacker IPs.

Cisco Unified CM critical SSRF CVE-2026-20230 lets unauthenticated attackers write files and escalate to root - public PoC, WebDialer required

Cisco has patched CVE-2026-20230, a critical server-side request forgery flaw in Unified Communications Manager (formerly CallManager), the central control system for Cisco IP telephony. An unauthenticated remote attacker can send a crafted HTTP request to write files to the underlying OS and later elevate to root - Cisco rated it Critical despite the CVSS score because of that root-escalation potential. Cisco's PSIRT is aware of public proof-of-concept exploit code but has not seen active exploitation yet. The flaw only affects systems with the WebDialer service enabled, which is off by default. There are no workarounds; admins should upgrade to 14SU6 or 15SU5, or disable WebDialer until patched.

Check
Inventory Cisco Unified CM deployments and check whether WebDialer is enabled (Tools > Service Activation > CTI Services). Confirm version against fixed 14SU6 or 15SU5. Monitor for crafted HTTP requests.
Affected
Cisco Unified CM systems with the WebDialer service enabled (off by default). CVE-2026-20230 allows unauthenticated SSRF to write files and escalate to root. Public PoC exists; no active exploitation yet.
Fix
Upgrade to Unified CM 14SU6 or 15SU5. If patching must wait, disable the Cisco WebDialer Web Service via Service Activation to block exploitation. No other workaround exists.

Autonomous AI tool finds 2-year-old Redis use-after-free RCE CVE-2026-23479 - most cloud Redis runs passwordless, exploit public

Team Xint Code has disclosed CVE-2026-23479, a use-after-free remote code execution flaw in Redis that sat unnoticed in every stable branch from 7.2.0 until the May 5 fixes - over two years. The bug lives in unblockClientOnKey(), which keeps using a client pointer after processCommandAndResetClient() can free it. Exploitation needs an authenticated session, but Wiz's analysis finds Redis in most cloud environments with the majority running passwordless, where the default user already holds every privilege the exploit chain requires. The published exploit leaks a heap pointer via Lua, reclaims a freed client with a fake structure, and overwrites a GOT entry to repoint strcasecmp() at system(). NVD rates it 8.8.

Check
Inventory Redis instances and confirm version is past the May 5 fix. Identify passwordless or internet-reachable deployments. Audit for unexpected Lua EVAL activity and child processes spawned by redis-server.
Affected
Redis 7.2.0 through the May 5 fixes (over two years of stable branches). Exploitation needs an authenticated session, but most cloud Redis runs passwordless with the all-privileged default user.
Fix
Upgrade Redis to the patched release. Require authentication and strong ACLs, bind to localhost or private networks, and never expose Redis to the internet. Enable full RELRO when building images.

HP Poly VVX VoIP phones: unauthenticated root RCE CVE-2026-0826 via oversized ICE candidate in SIP INVITE, patches available

Rapid7 has disclosed CVE-2026-0826, a critical unauthenticated stack-based buffer overflow in HP Poly VoIP phones that gives a remote attacker root-level code execution. Discovered during zero-day research against a Poly VVX 450, the flaw sits in SDP parsing for ICE-enabled phones: the device copies a candidate attribute into a 256-byte stack buffer without a length check, so an oversized ICE candidate in a crafted SIP INVITE overflows the stack and can overwrite the program counter. NX is enabled but ASLR misbehaves, loading shared libraries at fixed addresses that make a ROP chain practical. An attacker needs no authentication. Patches are available for affected models.

Check
Inventory HP Poly VoIP phones (VVX and ICE-enabled models) by firmware. Confirm SIP/VoIP interfaces are not reachable from untrusted networks. Apply the CVE-2026-0826 patch for affected models.
Affected
HP Poly VoIP phones (VVX 450 confirmed) with ICE enabled. An unauthenticated SIP INVITE carrying an oversized ICE candidate triggers a root-level stack overflow; fixed-address libraries make ROP practical.
Fix
Apply Rapid7-referenced patches immediately. Place VoIP phones on a dedicated VLAN with strict ACLs. Block SIP from untrusted networks and monitor for malformed INVITE traffic.

Critical Windows Netlogon RCE CVE-2026-41089 now exploited - unauthenticated code execution on domain controllers, all Server versions, CCB Belgium warns

The Centre for Cybersecurity Belgium (CCB) has warned that threat actors are now exploiting CVE-2026-41089, a critical Windows Netlogon vulnerability that Microsoft patched during the May 2026 Patch Tuesday. Netlogon is a core Windows Server RPC service that authenticates users and services on domain-based networks. The flaw is a stack-based buffer overflow that lets an unauthenticated attacker send a specially crafted network request to a domain controller and gain remote code execution without signing in or any prior access. It impacts all currently supported Windows Server versions, including the latest release. Because domain controllers are high-value targets, successful exploitation can lead to full domain compromise.

Check
Inventory all domain controllers and confirm the May 2026 Patch Tuesday update (CVE-2026-41089) is applied. Review Netlogon RPC traffic and DC event logs for anomalous unauthenticated requests.
Affected
All currently supported Windows Server versions acting as domain controllers, unpatched against the May 2026 fix. Unauthenticated attackers can gain RCE on a DC, enabling full domain compromise.
Fix
Apply the May 2026 Patch Tuesday update to every domain controller immediately. Restrict Netlogon RPC exposure to trusted networks. Monitor for post-exploitation lateral movement from DCs.

Attackers drive LLM agent for post-exploitation after Marimo CVE-2026-39987 RCE - AWS Secrets Manager to PostgreSQL exfil in minutes

Sysdig has documented a real-world intrusion in which a threat actor used an LLM agent to drive post-exploitation after compromising an internet-reachable Marimo notebook via CVE-2026-39987, a pre-authentication RCE affecting all Marimo versions up to 0.20.4 (fixed in 0.23.0). The attacker extracted two cloud credentials from the host, replayed them through a fanned-out egress pool to pull an SSH private key from AWS Secrets Manager, then used it to open eight short SSH sessions against a downstream bastion. The bastion phase exfiltrated the full schema and contents of an internal PostgreSQL database in under two minutes. The May 10 incident shows attackers operationalizing AI agents for hands-on-keyboard work.

Check
Inventory Marimo notebook deployments and confirm version is 0.23.0 or later. Check whether any are internet-reachable. Audit AWS Secrets Manager access logs and bastion SSH sessions since early May.
Affected
All Marimo versions up to and including 0.20.4 (pre-auth RCE, fixed in 0.23.0). Internet-reachable notebooks with access to cloud credentials and SSH keys are at highest risk.
Fix
Upgrade Marimo to 0.23.0+. Remove notebooks from public internet exposure. Rotate cloud credentials and SSH keys reachable from compromised hosts. Tighten Secrets Manager IAM scoping and add anomaly alerts.

Gogs unpatched zero-day argument-injection RCE affects all default-configured instances; open registration plus rebase-merge toggle is the chain

Rapid7's Jonah Burgess has disclosed an unpatched argument-injection RCE in Gogs, the self-hosted Git service often used as a GitLab/GitHub Enterprise alternative. The flaw affects Gogs 0.14.2 and 0.15.0+dev and requires authentication, but Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no repository creation limits, so any internet-facing default-configured instance is effectively exploitable without pre-existing credentials: an attacker creates an account and repo, enables rebase merging in settings, and the entire exploit chain runs without third-party interaction. Code execution lands as the Gogs server-process user. No CVE has been assigned and no patch is available; mitigations involve disabling open registration.

Check
Inventory Gogs and Forgejo instances. Check whether DISABLE_REGISTRATION is true and MAX_CREATION_LIMIT is positive. Audit recently-created accounts and repositories on default-configured instances.
Affected
Gogs 0.14.2 and 0.15.0+dev. Any instance with default config (open registration, no creation limit) is effectively unauthenticated. No CVE assigned, no patch available yet.
Fix
Disable open registration (DISABLE_REGISTRATION = true) and set strict MAX_CREATION_LIMIT. Restrict instances to authenticated VPN access. Monitor for unexpected new accounts and rebase-merge toggle changes.

Microsoft issues out-of-band SharePoint RCE patch CVE-2026-45659 for Subscription Edition, 2019, and 2016 servers

Microsoft has released an out-of-band patch for CVE-2026-45659, a remote code execution vulnerability in Microsoft SharePoint Server. The flaw is a deserialization issue and was reported privately by a researcher named MEOW; Microsoft says it is not currently aware of active exploitation and rates it 'less likely to be exploited.' Updates are available for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Last month's CVE-2026-32201 spoofing flaw was actively exploited and machine-key-theft attacks against SharePoint were widespread in 2025, so admins should treat this patch as a priority despite the lower-likelihood rating.

Check
Inventory SharePoint deployments by edition (Subscription, 2019, 2016) and confirm patch level. Check IIS logs for unusual deserialization activity since the patch shipped.
Affected
Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 prior to the May 26 out-of-band updates.
Fix
Apply Microsoft's out-of-band CVE-2026-45659 patches across all SharePoint versions. Rotate machine keys after patching - prior SharePoint key-theft incidents enabled persistent post-patch access.

Google leaks unfixed Chromium flaw - Service Workers run JavaScript after browser closes, enabling silent botnet on Chrome, Edge, Brave

Google has accidentally published the technical details of an unfixed Chromium vulnerability that lets a malicious webpage run JavaScript on a visitor's device even after the browser is closed. The issue, originally reported by researcher Lyra Rebane in December 2022, abuses a Service Worker download task that never terminates. It was marked 'fixed' on February 12 and the bug tracker went public on May 20 after the 14-week visibility timer expired, but Rebane re-tested the latest Chrome Dev 150 and Edge 148 and confirmed the bug still works. Microsoft Edge no longer shows a download prompt, making the persistence completely silent. All Chromium-based browsers are affected.

Check
Inventory Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi, Arc) and check current Service Worker activity at chrome://serviceworker-internals/ for unexpected background fetches surviving browser close.
Affected
All Chromium-based browsers including Chrome Dev 150 and Edge 148 (and earlier). Confirmed bug in Service Worker handling. The Edge variant is silent (no download prompt).
Fix
No vendor patch yet. Until one ships: enforce a Chrome/Edge policy that blocks background-fetch or restricts service-worker scopes. Educate users to manually unregister Service Workers via chrome://serviceworker-internals/.

Drupal ships highly critical PostgreSQL RCE fix across 11.x and 10.x - SA-CORE patches now live, Drupal 7 unaffected

Drupal has shipped the highly critical core security release teased by PSA-2026-05-18. The flaw lets attackers achieve remote code execution on Drupal sites running PostgreSQL backends. Fixed versions are 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. The releases for supported branches also pull in upstream Symfony and Twig security fixes, making the upgrade essential even on MySQL deployments. Best-effort manual patches are available for end-of-life Drupal 9.5 and 8.9. Drupal 7 is not affected. The Drupal Security Team had warned that working exploits could follow within hours of disclosure, so administrators should patch now.

Check
Inventory Drupal sites, confirm core version, and identify PostgreSQL-backed deployments (highest-impact path). Check for unusual database queries or admin-account changes during the May 20 disclosure window.
Affected
Drupal core 11.3.x, 11.2.x, 11.1.x, 10.6.x, 10.5.x, 10.4.x. Best-effort patches for EOL 9.5 and 8.9. Drupal 7 not affected. PostgreSQL backends face RCE; MySQL deployments still need the upgrade.
Fix
Upgrade Drupal core to 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, or 10.4.10 immediately. For EOL 9.5 and 8.9, apply the manual patches and plan migration to a supported branch.