Critical severity9.8NVD Advisory· Published Feb 19, 2026· Updated Apr 15, 2026

CVE-2026-27476

Description

RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send crafted hex-encoded payloads containing system commands to execute arbitrary operations on the target system, including reverse shell establishment and command execution.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

packetstorm.news/files/id/215819/nvd
www.vulncheck.com/advisories/rustfly-command-injection-via-udp-remote-controlnvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000