RCE - Daily CVE Reports (Page 2)

RCE

CVE-2024-12029: Remote Code Execution via Model Deserialization in InvokeAI

Executive Summary CVE-2024-12029 is a critical remote code execution (RCE) vulnerability affecting InvokeAI versions 5.3.1 through 5.4.2. This vulnerability stems from the unsafe deserialization of model files using torch.load without proper validation within the /api/v2/models/install API endpoint. An attacker can exploit this

RCE

CVE-2025-27520: BentoML Remote Code Execution via Insecure Deserialization

Executive Summary CVE-2025-27520 is a critical vulnerability affecting BentoML, a Python library for building AI application serving systems. This vulnerability allows unauthenticated attackers to execute arbitrary code on the server due to insecure deserialization of untrusted data. Specifically, the vulnerability resides in the serde.py module and is triggered when

RCE

CVE-2025-27364: Remote Code Execution in MITRE Caldera via Linker Flag Injection

Executive Summary CVE-2025-27364 is a critical Remote Code Execution (RCE) vulnerability affecting MITRE Caldera, a cyber security platform used for automated adversary emulation. The vulnerability exists in the dynamic agent (implant) compilation functionality of the Caldera server. By crafting a malicious web request to the Caldera server API, an unauthenticated

RCE

CVE-2025-24813: Apache Tomcat Path Equivalence Vulnerability Leading to RCE and Information Disclosure

Executive Summary CVE-2025-24813 is a critical vulnerability affecting Apache Tomcat versions 9.0.0.M1 through 9.0.98, 10.1.0-M1 through 10.1.34, and 11.0.0-M1 through 11.0.2. This vulnerability stems from improper path equivalence checks when handling filenames containing internal dots ("."

RCE

CVE-2025-1316: Remote Code Execution Vulnerability in Edimax IC-7100 IP Camera

Executive Summary CVE-2025-1316 is a critical vulnerability affecting the Edimax IC-7100 IP camera. This vulnerability stems from improper neutralization of requests, allowing a remote attacker to inject and execute arbitrary commands on the device. With a CVSS v3.1 score of 9.8 (Critical), this flaw poses a significant risk,

RCE

CVE-2025-24016: Unsafe Deserialization Vulnerability in Wazuh Leading to Remote Code Execution

Executive Summary CVE-2025-24016 is a critical remote code execution (RCE) vulnerability affecting Wazuh, a widely used open-source security information and event management (SIEM) platform. This vulnerability stems from unsafe deserialization of DistributedAPI (DAPI) parameters, allowing an attacker with API access to execute arbitrary Python code on the Wazuh server. Specifically,

Ruby

CVE-2025-27407: Remote Code Execution in graphql-ruby via Malicious Schema Loading

Executive Summary CVE-2025-27407 is a critical vulnerability in the graphql-ruby library, a popular Ruby implementation of GraphQL. The vulnerability arises from the unsafe handling of schema definitions loaded via GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load. Systems that load schemas from untrusted JSON sources are particularly at risk.