CVE-2026-27476 CRITICAL

CVE-2026-27476: RustFly 2.0.0 Command Injection via UDP Remote Control

Vendor Bixat

Product RustFly

Weakness CWE-78

Published February 19, 2026

Last update February 20, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send crafted hex-encoded payloads containing system commands to execute arbitrary operations on the target system, including reverse shell establishment and command execution.

Key dates

02Disclosure timeline

February 19, 2026 CVE published

February 20, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-27476

Related vulnerabilities

CVE-2026-27476: RustFly 2.0.0 Command Injection via UDP Remote Control

01Description

02Disclosure timeline

03References

04Related CVE