Several server and developer administration tools have disclosed severe code-execution vulnerabilities affecting exposed management functionality. Termix reported an authenticated OS command injection in GET /ssh/file_manager/ssh/resolvePath, where double-quoted user input allowed shell substitution via $(...) and backticks, enabling arbitrary commands on the connected remote host under the active SSH account. A separate Termix issue, tracked as CVE-2026-45746, affected versions prior to 2.3.2 and allowed attackers to tamper with a client-controlled sessionId to access other users' active File Manager SSH sessions, potentially leading to unauthorized file operations and remote code execution on another user's VPS.
Other disclosures showed similar high-impact flaws in JavaScript-based backends. DbGate fixed an RCE in v7.1.9 after researchers found that POST /runners/start and POST /runners/load-reader concatenated attacker-controlled values into generated JavaScript executed by a forked Node.js process; in anonymous-auth deployments, the issue could permit unauthenticated RCE. BrowserStack Runner through 0.9.5 was assigned CVE-2026-49143 for an unauthenticated RCE in the /_log handler, where crafted JSON passed through vm.runInNewContext() and eval() allowed attackers to escape the sandbox and invoke child_process on reachable runner instances.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
9 events from the most recent confirmed update back to the earliest known activity.
The CVE-2026-45746 record states that a Broken Access Control issue in Termix File Manager affecting versions prior to 2.3.2 was fixed in version 2.3.2.
A follow-up report described exploitation of CVE-2026-49143 using a crafted JSON payload that escapes scope, reaches the Node.js process object, and invokes child_process.execSync() to run OS commands.
CVE-2026-49143 was disclosed for BrowserStack Runner through version 0.9.5, describing unauthenticated remote code execution via crafted JSON passed to vm.runInNewContext() and eval() in the /_log handler.
The CVE-2026-49143 record states it was received by disclosure@vulncheck.com on June 2, 2026, for an unauthenticated RCE in BrowserStack Runner's /_log HTTP handler.
A GitHub advisory disclosed an authenticated OS command injection vulnerability in Termix's GET /ssh/file_manager/ssh/resolvePath endpoint, demonstrated against v2.1.0 with proof-of-concept command execution on the connected remote host.
The DbGate advisory publicly disclosed an RCE flaw in the JSON script runner, warning that default anonymous-auth deployments could permit unauthenticated code execution.
The DbGate JSON script runner remote code execution issue was reportedly acknowledged by the project on 2026-04-24.
DbGate version 7.1.9 reportedly fixed the JSON script runner remote code execution vulnerability by 2026-04-22.
A remote code execution vulnerability in DbGate's JSON script runner was reportedly discovered, affecting the POST /runners/start and POST /runners/load-reader paths through unsafe interpolation into dynamically generated JavaScript.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
cvefeed.io
Open sourcecvereports.com
Open sourcecvefeed.io
Open sourcegithub.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.