CVE-2026-27476

CRITICAL WAF: High

CVSS 9.8 Published: 2026-02-19

CWE-78

RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send crafted hex-encoded payloads containing system commands to execute arbitrary operations on the target system, including reverse shell establishment and command execution.

WAF Coverage Analysis

OS Command Injection High WAF Coverage

OWASP: A03:2021 Injection

932xxx - Remote Code Execution

References

packetstorm.news
www.vulncheck.com

Back to CVE Database