CVE-2026-27476

Critical CVSS: 9.3

RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send crafted hex-encoded payloads containing system commands to execute arbitrary operations on the target system, including reverse shell establishment and command execution.

Vendor

Product

CWE

CWE-78

Yayın Tarihi

2026-02-19 21:18:33

Güncelleme

2026-02-20 13:49:47

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-78 CRITICAL 2026

Referanslar

https://packetstorm.news/files/id/215819/ https://www.vulncheck.com/advisories/rustfly-command-injection-via-udp-remote-control