CVE-2026-27476

CRITICAL

RustFly 2.0.0 - Command Injection

Title source: llm

Description

RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send crafted hex-encoded payloads containing system commands to execute arbitrary operations on the target system, including reverse shell establishment and command execution.

References (2)

[Various Sources] https://packetstorm.news/files/id/215819/

[Third Party Advisory] https://www.vulncheck.com/advisories/rustfly-command-injection-via-udp-remote-control

Scores

CVSS v3 9.8

EPSS 0.0038

EPSS Percentile 59.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-78

Status draft

Timeline

Published Feb 19, 2026

Tracked Since Feb 20, 2026