Remote-Code-Execution on HackingPassion.com : root@HackingPassion.com-[~]https://hackingpassion.com/tags/remote-code-execution/Recent content in Remote-Code-Execution on HackingPassion.com : root@HackingPassion.com-[~]HugoenMon, 08 Jun 2026 14:14:52 +0200Internet Explorer Can Still Take Over a Fully Patched Windows PC in 2026https://hackingpassion.com/internet-explorer-webbrowser-rce/Mon, 08 Jun 2026 14:14:52 +0200https://hackingpassion.com/internet-explorer-webbrowser-rce/<p>Internet Explorer can still take over a fully patched Windows machine, years after Microsoft retired it in 2022. The code that ran it was never removed from Windows, and a researcher just turned it into working remote code execution.</p> <p>The researcher behind it, Igor Sak-Sakovskiy, published the work with Microsoft&rsquo;s permission. The piece he pulled apart is called the <strong>WebBrowser control</strong>, the same code that drew web pages in Internet Explorer for decades. It still runs inside programs written in Visual Basic, .NET and C#, the kind of older business software and legacy tools that quietly kept the component alive. One detail makes it stranger. No official Microsoft document says this component is retired or about to be. People treat it as gone, while it keeps running underneath.</p>GitHub RCE CVE-2026-3854: One Semicolon, Millions of Private Repositorieshttps://hackingpassion.com/github-rce-cve-2026-3854/Wed, 29 Apr 2026 11:54:47 +0200https://hackingpassion.com/github-rce-cve-2026-3854/<p><strong>GitHub RCE CVE.</strong> A semicolon broke GitHub. One character in a push option field, and a security researcher was running code on the backend servers that store private repositories from millions of users and organizations. The git service user that processes every push on those servers has filesystem access to every repository on the node, and that access does not check who the repository belongs to. Private code from banks, hospitals, governments, and individual developers all sits on the same shared infrastructure. The command that got the researcher there is something every developer already runs every day.</p>Microsoft Bing CVSS 10.0: CVE-2026-33819 Remote Code Execution Explainedhttps://hackingpassion.com/bing-rce-cve-2026-33819/Sat, 25 Apr 2026 11:10:39 +0200https://hackingpassion.com/bing-rce-cve-2026-33819/<p><strong>Bing had a CVSS 10.0 vulnerability</strong> in its backend infrastructure, the same infrastructure that powers Edge, Windows Search, and Copilot integrations across Microsoft&rsquo;s ecosystem. Microsoft fixed it on March 10 without saying a word publicly. The CVE showed up six weeks later, on April 23. Nobody outside the company knew this had been sitting in the infrastructure that hundreds of millions of people use every day.</p> <p>The CVE number is <strong>2026-33819</strong>. The vulnerability class is <strong>deserialization of untrusted data</strong>, and the idea behind it is simpler than it sounds.</p>