Topic Hub
Remote Code Execution
RCE is the highest-severity class of web vulnerability — the attacker executes arbitrary code on the server. It can arise from a dozen different attack vectors. This hub collects every RCE path in one place.
SSTI
Deserialization
File Upload
Command Injection
Prototype Pollution
SQLi INTO OUTFILE
▌ RCE Attack Vectors
📝
SSTI → RCE
Template engine injection → arbitrary Python/Java/Ruby execution
🔓
Deserialization
Java ysoserial, PHP PHPGGC, Python pickle, .NET gadget chains
📂
File Upload
Extension bypass, magic bytes, webshells (PHP/JSP/ASP/ASPX)
💻
Command Injection
OS command injection via unsanitized shell parameters
⚡
Prototype Pollution
Node.js gadget chains from Object.prototype poisoning to RCE
🗄️
SQLi → RCE
INTO OUTFILE, xp_cmdshell, COPY TO PROGRAM — SQL to shell
▌ Deep Dives
Research
SSTI
Blind SSTI to RCE: Without Output
Timing delays, DNS callbacks, and engine fingerprinting when the app returns no output.
Research
Node.js
Prototype Pollution → RCE: Node.js Gadget Chains
How Object.prototype poisoning triggers gadget chains into full RCE — CVE-2024-38999.
Research
Apache
Confusion Attacks: Apache ACL Bypass → RCE
URL decoding inconsistencies across Apache modules chained into unauthenticated RCE.
Research
HTTP
HTTP Request Smuggling → Account Takeover
CL.TE and TE.CL desync attacks leading to cache poisoning and account takeover.
▌ CVE Research — RCE Discoveries
CVE-2025-69457
Tourism Website 3.1 — RCE
SQLi auth bypass + File upload → shell
CVE-2025-69458
Movie Rating System 1.0 — RCE
SQLi + INTO OUTFILE → webshell
CVE-2025-69460
Image Gallery 1.0 — RCE
Auth bypass + unrestricted upload → shell
Most Impactful RCE CVEs
CVE-2021-44228 — Log4Shell (Log4j)
CVE-2017-5638 — Struts2 (Equifax)
CVE-2019-2725 — WebLogic deserialization
CVE-2021-21985 — VMware vCenter
CVE-2022-26134 — Confluence
CVE-2021-22986 — F5 BIG-IP
CVE-2023-38890 — Shopping Portal (by Tağmaç)
CVE-2024-38999 — RequireJS (Prototype Pollution)