CVSS: 7.6 • EPSS: % • CPEs: 1 • EXPL: 0
CVE-2025-14914 – IBM WebSphere Application Server Liberty Path Traversal
https://notcve.org/view.php?id=CVE-2025-14914
02 Feb 2026 — IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution. • https://www.ibm.com/support/pages/node/7258224 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 8.6 • EPSS: % • CPEs: - • EXPL: 0
CVE-2026-1761 – Libsoup: stack-based buffer overflow in libsoup multipart response parsing multipart http response
https://notcve.org/view.php?id=CVE-2026-1761
02 Feb 2026 — This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction. • https://access.redhat.com/security/cve/CVE-2026-1761 • CWE-121: Stack-based Buffer Overflow

CVSS: 7.0 • EPSS: 0% • CPEs: - • EXPL: 0
CVE-2025-10279 – Privilege Escalation in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2025-10279
02 Feb 2026 — This vulnerability allows an attacker with write access to the `/tmp` directory to exploit a race condition and overwrite `.py` files in the virtual environment, leading to arbitrary code execution. • https://github.com/mlflow/mlflow/commit/1d7c8d4cf0a67d407499a8a4ffac387ea4f8194a • CWE-379: Creation of Temporary File in Directory with Insecure Permissions

CVSS: 4.8 • EPSS: 0% • CPEs: - • EXPL: 1
CVE-2026-1744 – D-Link DSL-6641K sp_pppoe_user.js doSubmitPPP cross site scripting
https://notcve.org/view.php?id=CVE-2026-1744
02 Feb 2026 — A vulnerability was found in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function doSubmitPPP of the file sp_pppoe_user.js. The manipulation of the argument Username results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. • https://tzh00203.notion.site/D-Link-DSL6641K-version-N8-TR069-20131126-XSS-via-sp_pppoe_user-js-Configuration-2eeb5c52018a80d083aaf19efbaa9130?source=copy_link • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1
CVE-2020-37052 – AirControl 1.4.2 - PreAuth Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-37052
30 Jan 2026 — AirControl 1.4.2 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through malicious Java expression injection. Attackers can exploit the /.seam endpoint by crafting a specially constructed URL with embedded Java expressions to run commands with the application's system privileges. • https://www.exploit-db.com/exploits/48541 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 4.8 • EPSS: 0% • CPEs: - • EXPL: 1
CVE-2026-1705 – D-Link DSL-6641K Web ad_virtual_server_vdsl cross site scripting
https://notcve.org/view.php?id=CVE-2026-1705
30 Jan 2026 — A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. Performing a manipulation of the argument Name results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. • https://tzh00203.notion.site/D-Link-DSL6641K-version-N8-TR069-20131126-XSS-via-ad_virtual_server_vdsl-Configuration-2eeb5c52018a805d97adfb23dfec39c9?source=copy_link • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 7.7 • EPSS: 0% • CPEs: 2 • EXPL: 0
CVE-2026-25153 – @backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks
https://notcve.org/view.php?id=CVE-2026-25153
30 Jan 2026 — Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 con... • https://github.com/backstage/backstage/security/advisories/GHSA-6jr7-99pf-8vgf • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 2 • EXPL: 0
CVE-2026-25141 – Orval has a code injection via unsanitized x-enum-descriptions using JS comments
https://notcve.org/view.php?id=CVE-2026-25141
30 Jan 2026 — While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. • https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 6.7 • EPSS: 0% • CPEs: 2 • EXPL: 0
CVE-2026-25129 – PsySH has Local Privilege Escalation via CWD .psysh.php auto-load
https://notcve.org/view.php?id=CVE-2026-25129
30 Jan 2026 — If an attacker can write to a directory that a victim later uses as their CWD when launching PsySH, the attacker can trigger arbitrary code execution in the victim's context. ... This is a CWD configuration poisoning issue leading to arbitrary code execution in the victim user’s context. • https://github.com/bobthecow/psysh/releases/tag/v0.11.23 • CWE-427: Uncontrolled Search Path Element

CVSS: 5.1 • EPSS: 0% • CPEs: 1 • EXPL: 1
CVE-2026-1700 – projectworlds House Rental and Property Listing sms.php cross site scripting
https://notcve.org/view.php?id=CVE-2026-1700
30 Jan 2026 — A weakness has been identified in projectworlds House Rental and Property Listing 1.0. This vulnerability affects unknown code of the file /app/sms.php. This manipulation of the argument Message causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. • https://github.com/jiahao412/CVE/issues/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')
