What is RCE (Remote Code Execution)?

The ability for an attacker to execute arbitrary code on a remote server.

Full explanation

RCE is the most severe outcome possible. Any input-handling bug that leads to attacker-controlled code execution on the server qualifies as RCE: unsafe deserialization, command injection, SQL injection chained to `xp_cmdshell`, template injection, or execution of a malicious npm package via its `postinstall` script.

Example

An npm package with a `postinstall` script that runs arbitrary code on every `npm install` of a downstream project.
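To see which dependencies can run code during `npm install`, the following added example (not code from the original page) audits a `package-lock.json` object for entries npm has marked with `hasInstallScript`, and lists the install-time hooks a single `package.json` declares. The package names, versions and the allowlist are constructed sample data.

```javascript
// Added example: flag dependencies that run code at install time.
// All package names and versions below are constructed, not real packages.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Which install-time lifecycle hooks does a package.json manifest declare?
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter(
    (h) => typeof scripts[h] === "string" && scripts[h].trim() !== ""
  );
}

// Package name from a lockfile key such as "node_modules/a/node_modules/@s/b".
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// Walk a lockfileVersion 2/3 "packages" map and return every dependency
// marked hasInstallScript that is not on the reviewed allowlist.
function auditLockfile(lock, allowlist = []) {
  const allowed = new Set(allowlist);
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "" || !entry.hasInstallScript) continue; // "" is the root project
    const name = nameFromLockKey(key);
    if (!allowed.has(name)) findings.push({ name, version: entry.version, path: key });
  }
  return findings;
}

// Constructed sample lockfile: two direct and one nested dependency with hooks.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/left-padz": { version: "2.1.0" },
    "node_modules/colorz-util": { version: "1.0.3", hasInstallScript: true },
    "node_modules/native-addon": { version: "4.2.0", hasInstallScript: true },
    "node_modules/app-lib/node_modules/@acme/helper": { version: "0.9.1", hasInstallScript: true },
  },
};
// Constructed sample manifest for one of the flagged packages.
const sampleManifest = { name: "colorz-util", scripts: { test: "node test.js", postinstall: "node setup.js" } };

console.log(installHooks(sampleManifest));
console.log(auditLockfile(sampleLock, ["native-addon"])); // allowlist = already reviewed
```

In a real project, pass `JSON.parse` of the project's `package-lock.json` to `auditLockfile`. Installing with `npm install --ignore-scripts` stops these hooks from running until the flagged packages have been reviewed.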

FAQ

What is the most common RCE in 2026?

Supply-chain attacks via malicious npm packages — typosquatting and maintainer takeovers. Socket.dev tracks these.