Threats Tagged 'code-execution'

CVE-2026-39949 is an authenticated remote code execution vulnerability in Cacti versions up to and including 1.2.30. The flaw arises from unsanitized variable substitution in RRDtool command-line arguments, allowing users with graph management privileges to inject arbitrary OS commands via host metadata fields such as the device notes. Exploitation requires authenticated access with permissions to create devices and graph templates. An attacker can craft malicious input in the notes field and trigger code execution during graph rendering.

A high-severity vulnerability (CVE-2026-5027) in the Langflow low-code AI development platform allows unauthenticated attackers to write files to arbitrary locations via a path traversal flaw in the 'POST /api/v2/files' endpoint. This flaw enables remote code execution (RCE) because the filename parameter is not sanitized, and Langflow's default unauthenticated auto-login allows attackers to reach the vulnerable endpoint without credentials. Exploitation attempts have been observed in the wild, with attackers dropping test files on victim systems. Approximately 7,000 Langflow instances are internet-accessible, mostly in North America. The vulnerability was publicly disclosed in March 2026, and no patch or official fix information is provided in the source content.