CVSS: 4.5 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-1770 – Improper Control of Dynamically-Managed Code Resources in Crafter Studio
https://notcve.org/view.php?id=CVE-2026-1770
02 Feb 2026 — Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution). • https://docs.craftercms.org/current/security/advisory.html#cv-2026020201 • CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVSS: 7.6 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2025-14914 – IBM WebSphere Application Server Liberty Path Traversal
https://notcve.org/view.php?id=CVE-2025-14914
02 Feb 2026 — IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution. • https://www.ibm.com/support/pages/node/7258224 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.6 • EPSS: % • CPEs: - • EXPL: 0 • CVE-2026-1761 – Libsoup: stack-based buffer overflow in libsoup multipart HTTP response parsing
https://notcve.org/view.php?id=CVE-2026-1761
02 Feb 2026 — This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction. • https://access.redhat.com/security/cve/CVE-2026-1761 • CWE-121: Stack-based Buffer Overflow •
CVSS: 8.6 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-1186 – Path Traversal in EAP Legislator
https://notcve.org/view.php?id=CVE-2026-1186
02 Feb 2026 — An attacker can prepare a zipx archive (the default file type used by the Legislator application) and choose an arbitrary path outside the intended directory (e.g. system startup) where files will be extracted by the victim upon opening the file. This issue was fixed in version 2.25a. • https://abcpro.pl/eap-legislator • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.1 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2024-5986 – Remote Arbitrary File Write with Arbitrary Data in h2oai/h2o-3
https://notcve.org/view.php?id=CVE-2024-5986
02 Feb 2026 — A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. ... The impact of this vulnerability includes the potential for remote code execution and complete access to the system running h2o-3, as attackers can overwrite critical files such as private SSH keys or script files. • https://huntr.com/bounties/64ff5319-6ac3-4447-87f7-b53495d4d5a3 • CWE-73: External Control of File Name or Path •
CVSS: 9.6 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2024-2356 – Remote Code Execution due to LFI in '/reinstall_extension' in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-2356
02 Feb 2026 — This vulnerability allows attackers to inject a malicious `name` parameter, leading to the server loading and executing arbitrary Python files from the upload directory for discussions. ... The server's handling of the `__init__.py` file in arbitrary locations, facilitated by `importlib.machinery.SourceFileLoader`, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version ... • https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25 • CWE-29: Path Traversal: '\..\filename' •
CVSS: 7.0 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2025-10279 – Privilege Escalation in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2025-10279
02 Feb 2026 — This vulnerability allows an attacker with write access to the `/tmp` directory to exploit a race condition and overwrite `.py` files in the virtual environment, leading to arbitrary code execution. • https://github.com/mlflow/mlflow/commit/1d7c8d4cf0a67d407499a8a4ffac387ea4f8194a • CWE-379: Creation of Temporary File in Directory with Insecure Permissions •
CVSS: 4.8 • EPSS: 0% • CPEs: - • EXPL: 1 • CVE-2026-1744 – D-Link DSL-6641K sp_pppoe_user.js doSubmitPPP cross site scripting
https://notcve.org/view.php?id=CVE-2026-1744
02 Feb 2026 — A vulnerability was found in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function doSubmitPPP of the file sp_pppoe_user.js. The manipulation of the argument Username results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. • https://tzh00203.notion.site/D-Link-DSL6641K-version-N8-TR069-20131126-XSS-via-sp_pppoe_user-js-Configuration-2eeb5c52018a80d083aaf19efbaa9130?source=copy_link • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-25253
https://notcve.org/view.php?id=CVE-2026-25253
01 Feb 2026 — OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value. • https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys • CWE-669: Incorrect Resource Transfer Between Spheres •
CVSS: 8.5 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2020-37064 – EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path
https://notcve.org/view.php?id=CVE-2020-37064
01 Feb 2026 — EPSON EasyMP Network Projection 2.81 contains an unquoted service path vulnerability in the EMP_NSWLSV service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\ to inject malicious code that would execute with LocalSystem privileges. • https://epson.com/support/easymp-network-projection-v2-86-for-windows • CWE-428: Unquoted Search Path or Element •
