CVE-2026-1225 – Conditional processing of logback.xml configuration file, in conjunction with Spring Framework and Janino
CVSS: 1.8 | EPSS: % | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-1225
22 Jan 2026 — ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. • https://logback.qos.ch/news.html#1.5.25 • CWE-20: Improper Input Validation
CVE-2026-1331 – HAMASTAR Technology|MeetingHub - Arbitrary File Upload
CVSS: 9.8 | EPSS: % | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-1331
22 Jan 2026 — MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. • https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2026-24049 – wheel Allows Arbitrary File Permission Modification via Path Traversal
CVSS: 7.1 | EPSS: % | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-24049
22 Jan 2026 — ., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. • https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2025-27378 – SQL Injection in AES Due to Inactive SQL Parsing Configuration
CVSS: 8.6 | EPSS: % | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-27378
22 Jan 2026 — AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries. • https://www.altium.com/platform/security-compliance/security-advisories • CWE-20: Improper Input Validation; CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-23946 – Tendenci has Authenticated Remote Code Execution via Pickle Deserialization
CVSS: 6.8 | EPSS: % | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-23946
22 Jan 2026 — This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python's pickle module in helpdesk /reports/. • https://docs.python.org/3/library/pickle.html#restricting-globals • CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-502: Deserialization of Untrusted Data
CVE-2026-23873 – HUSTOJ is Vulnerable to Stored CSV Injection (Formula Injection) in Contest Rank Export
CVSS: 5.2 | EPSS: % | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-23873
21 Jan 2026 — This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. • https://github.com/zhblue/hustoj/security/advisories/GHSA-gqwv-v7vx-2qjw • CWE-1236: Improper Neutralization of Formula Elements in a CSV File
CVE-2026-23737 – seroval Affected by Remote Code Execution via JSON Deserialization
CVSS: 7.5 | EPSS: % | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-23737
21 Jan 2026 — In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. • https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 • CWE-502: Deserialization of Untrusted Data
CVE-2026-23630 – Docmost is vulnerable to stored Cross-Site Scripting (XSS) through Mermaid rendering
CVSS: 6.3 | EPSS: % | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-23630
21 Jan 2026 — In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). ... Mermaid per-diagram %%{init}%% directives allow overriding securityLevel and enabling htmlLabels, permitting arbitrary HTML/JS execution for any viewer. • https://github.com/docmost/docmost/commit/cb9f27da9a8b4940760e37e5238a1eb91e427daf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-116: Improper Encoding or Escaping of Output
CVE-2026-23524 – Laravel Redis Horizontal Scaling Insecure Deserialization
CVSS: 9.8 | EPSS: % | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-23524
21 Jan 2026 — In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP's unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. • https://cwe.mitre.org/data/definitions/502.html • CWE-502: Deserialization of Untrusted Data
CVE-2026-22807 – vLLM affected by RCE via auto_map dynamic module loading during model initialization
CVSS: 8.8 | EPSS: % | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-22807
21 Jan 2026 — Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. • https://github.com/vllm-project/vllm/commit/78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5 • CWE-94: Improper Control of Generation of Code ('Code Injection')
