CVE-2026-27476

CRITICAL 9.8

RustFly 2.0.0 Command Injection via UDP Remote Control

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send crafted hex-encoded payloads containing system commands to execute arbitrary operations on the target system, including reverse shell establishment and command execution.

CWE	CWE-78
Vendor	bixat
Product	rustfly
Published	Feb 19, 2026
Last Updated	Feb 20, 2026

Stay Ahead of the Next One

Get instant alerts for bixat rustfly

Be the first to know when new critical vulnerabilities affecting bixat rustfly are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Bixat / RustFly

2.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

packetstorm.news: https://packetstorm.news/files/id/215819/ vulncheck.com: https://www.vulncheck.com/advisories/rustfly-command-injection-via-udp-remote-control

Credits

indoushka