CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-22608 – Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection
https://notcve.org/view.php?id=CVE-2026-22608
10 Jan 2026 — Chaining these two together can achieve RCE while the scanner still reports the file as LIKELY_SAFE. • https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1 • CWE-184: Incomplete List of Disallowed Inputs; CWE-502: Deserialization of Untrusted Data
CVSS: 5.8 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2025-15495 – BiggiDroid Simple PHP CMS editsite.php unrestricted upload
https://notcve.org/view.php?id=CVE-2025-15495
09 Jan 2026 — A vulnerability was found in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/editsite.php. The manipulation of the argument image results in unrestricted upload. The attack can be launched remotely. The exploit has been made public and could be used. • https://github.com/Asim-QAZi/RCE-Simplephpblog-biggiedroid • CWE-284: Improper Access Control; CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2020-36875 – AccessAlly < 3.3.2 Unauthenticated Arbitrary PHP Code Execution
https://notcve.org/view.php?id=CVE-2020-36875
09 Jan 2026 — The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote code execution. • https://accessally.com/software-release/accessally-3-3-2 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 10.0 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2025-69426 – Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded SSH Credentials RCE
https://notcve.org/view.php?id=CVE-2025-69426
09 Jan 2026 — The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the con... • https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-ssh-credentials-rce • CWE-732: Incorrect Permission Assignment for Critical Resource; CWE-798: Use of Hard-coded Credentials
CVSS: 10.0 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2025-69425 – Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded Tokens RCE
https://notcve.org/view.php?id=CVE-2025-69425
09 Jan 2026 — The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise. The Ruck... • https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-tokens-rce • CWE-306: Missing Authentication for Critical Function; CWE-798: Use of Hard-coded Credentials
CVSS: 10.0 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2025-64093 – Unauthenticated Remote Code Execution via the device hostname
https://notcve.org/view.php?id=CVE-2025-64093
09 Jan 2026 — Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device. • https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVSS: 8.0 | EPSS: 0% | CPEs: 2 | EXPL: 1 | CVE-2025-13761 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2025-13761
09 Jan 2026 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1, that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage. • https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 8.6 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2025-64091 – Authenticated Remote Code Execution in the NTP configuration
https://notcve.org/view.php?id=CVE-2025-64091
09 Jan 2026 — This vulnerability allows authenticated attackers to execute commands via the NTP configuration of the device. • https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 10.0 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2025-64090 – Authenticated Remote Code Execution in device hostname
https://notcve.org/view.php?id=CVE-2025-64090
09 Jan 2026 — This vulnerability allows authenticated attackers to execute commands via the hostname of the device. • https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-70974
https://notcve.org/view.php?id=CVE-2025-70974
09 Jan 2026 — Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered... • https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce • CWE-829: Inclusion of Functionality from Untrusted Control Sphere
