Command-Injection
CVE-2026-8037: Pre-Auth Root RCE in Progress Kemp LoadMaster Now Under Active Exploitation
CVE-2026-8037, a CVSS 9.8 uninitialized-heap flaw in Progress Kemp LoadMaster's escape_quotes() function, lets unauthenticated attackers run root commands on the load balancer's management API. eSentire observed exploitation attempts starting June 29.
GuardFall: Decades-Old Bash Quoting Tricks Defeat Safety Guards in 10 of 11 Open-Source AI Coding Agents
Adversa AI's GuardFall research shows that quote removal, $IFS spacing, command substitution, and other decades-old shell tricks bypass the command guards in opencode, Goose, Cline, Aider, and seven other open-source AI coding agents — turning a poisoned README into silent credential theft.
Ubiquiti UniFi OS Server Triple-CVE Chain Enables Unauthenticated Root RCE
Three max-severity CVEs (2026-34908/09/10) in UniFi OS Server chain from an Nginx auth bypass to root command injection — CISA added all three to KEV on June 23 amid Mirai/Gaafgyt botnet exploitation.
Ivanti Sentry CVE-2026-10520: Unauthenticated Root RCE via handleMessage, Now in CISA KEV
A CVSS 10.0 OS command injection in Ivanti Sentry's unauthenticated /mics/api/v2/sentry/mics-config/handleMessage endpoint yields remote code execution as root. watchTowr published a PoC on June 10, CISA added it to KEV on June 11 with a June 14 deadline, and exploitation has followed.
Cisco Catalyst SD-WAN Manager CVE-2026-20245: Root Command Execution, No Patch Yet
Cisco's seventh SD-WAN zero-day of 2026. CVE-2026-20245 lets a netadmin upload a crafted file and execute commands as root on SD-WAN Manager. Exploited in the wild, no fix at disclosure.
CVE-2026-3854: A Single Git Push Owned GitHub.com — and 88% of Enterprise Servers Were Still Vulnerable at Disclosure
Wiz disclosed a CVSS 8.7 RCE in GitHub's internal git push pipeline. Any authenticated user could execute arbitrary commands on backend servers with one git push. 88% of Enterprise Server instances were still unpatched on disclosure day.
Spinnaker Dual 10.0s: Echo SpEL and Clouddriver gitrepo RCE Gut Netflix's CD Platform (CVE-2026-32604, CVE-2026-32613)
Two critical (CVSS 10.0) RCE bugs in Spinnaker, disclosed April 21, 2026 with working PoCs: SpEL expression injection in Echo and shell injection in Clouddriver gitrepo artifacts. Any authenticated user pops the CD plane and walks out with every stored cloud credential.
Two Critical FortiSandbox Flaws Let Unauthenticated Attackers Execute Commands and Bypass Auth
Fortinet discloses CVE-2026-39808 and CVE-2026-39813 — two CVSS 9.1 flaws in FortiSandbox allowing unauthenticated command execution and authentication bypass via crafted HTTP requests.
Composer Command Injection (CVE-2026-40261, CVE-2026-40176): Any Malicious Repository Can Execute Code on Your Build Machines
Two high-severity command injection flaws in PHP's Composer package manager allow arbitrary command execution via malicious repository metadata — no Perforce installation required for the worst one.
Three High-Severity Command Injection Flaws in AWS Research and Engineering Studio Give Authenticated Users Root RCE
AWS patches three CVSS 8.8 command injection and privilege escalation bugs in Research and Engineering Studio (RES) — any authenticated user could get root on virtual desktop hosts or the cluster manager.
CVE-2026-0625: Unauthenticated RCE via DNS Config Endpoint Hits Millions of End-of-Life D-Link Routers
A critical command injection flaw in the dnscfg.cgi endpoint of legacy D-Link DSL, DIR, and DNS devices enables unauthenticated RCE — with no patches coming and active exploitation dating back to November 2025.