CVSS: 6.8 | EPSS: % | CPEs: 1 | EXPL: 0
CVE-2026-23946 – Tendenci has Authenticated Remote Code Execution via Pickle Deserialization
https://notcve.org/view.php?id=CVE-2026-23946
22 Jan 2026 — This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python's pickle module in helpdesk /reports/.
• https://docs.python.org/3/library/pickle.html#restricting-globals
• CWE-94: Improper Control of Generation of Code ('Code Injection')
• CWE-502: Deserialization of Untrusted Data
CVSS: 5.2 | EPSS: % | CPEs: 1 | EXPL: 0
CVE-2026-23873 – HUSTOJ is Vulnerable to Stored CSV Injection (Formula Injection) in Contest Rank Export
https://notcve.org/view.php?id=CVE-2026-23873
21 Jan 2026 — This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration.
• https://github.com/zhblue/hustoj/security/advisories/GHSA-gqwv-v7vx-2qjw
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File
CVSS: 7.5 | EPSS: % | CPEs: 1 | EXPL: 0
CVE-2026-23737 – seroval Affected by Remote Code Execution via JSON Deserialization
https://notcve.org/view.php?id=CVE-2026-23737
21 Jan 2026 — seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding a constant value and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the seri...
• https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060
• CWE-502: Deserialization of Untrusted Data
CVSS: 9.8 | EPSS: % | CPEs: 1 | EXPL: 0
CVE-2026-23524 – Laravel Redis Horizontal Scaling Insecure Deserialization
https://notcve.org/view.php?id=CVE-2026-23524
21 Jan 2026 — In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution.
• https://cwe.mitre.org/data/definitions/502.html
• CWE-502: Deserialization of Untrusted Data
CVSS: 8.8 | EPSS: % | CPEs: 1 | EXPL: 0
CVE-2026-22807 – vLLM affected by RCE via auto_map dynamic module loading during model initialization
https://notcve.org/view.php?id=CVE-2026-22807
21 Jan 2026 — vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This ha...
• https://github.com/vllm-project/vllm/commit/78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 9.6 | EPSS: % | CPEs: 1 | EXPL: 0
CVE-2026-22793 – 5ire vulnerable to Remote Code Execution (RCE) via ECharts
https://notcve.org/view.php?id=CVE-2026-22793
21 Jan 2026 — This can lead to Remote Code Execution (RCE) in environments where privileged APIs (such as Electron’s electron.mcp) are exposed, resulting in full compromise of the host system.
• https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 9.6 | EPSS: % | CPEs: 1 | EXPL: 0
CVE-2026-22792 – 5ire vulnerable to Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2026-22792
21 Jan 2026 — 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an `` payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as `window.bridge.mcpServersManager.createServer`. This enables unauthorized creation of MCP servers and leads to remote command e...
• https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3
• CWE-116: Improper Encoding or Escaping of Output
CVSS: 8.5 | EPSS: % | CPEs: 1 | EXPL: 3
CVE-2021-47860 – GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE
https://notcve.org/view.php?id=CVE-2021-47860
21 Jan 2026 — GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote code on the hosting server when an authenticated administrator visits the page.
• https://www.vulncheck.com/advisories/getsimple-cms-custom-js-csrf-to-xss-to-rce
• CWE-352: Cross-Site Request Forgery (CSRF)
CVSS: 8.6 | EPSS: % | CPEs: 1 | EXPL: 2
CVE-2021-47778 – GetSimple CMS My SMTP Contact Plugin 1.1.2 - PHP Code Injection
https://notcve.org/view.php?id=CVE-2021-47778
21 Jan 2026 — An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server.
• http://get-simple.info
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 8.5 | EPSS: % | CPEs: 1 | EXPL: 1
CVE-2021-47887 – Print Job Accounting 4.4.10 - 'OkiJaSvc' Unquoted Service Path
https://notcve.org/view.php?id=CVE-2021-47887
21 Jan 2026 — OKI Print Job Accounting 4.4.10 contains an unquoted service path vulnerability in the OkiJaSvc service that allows local attackers to potentially execute arbitrary code.
• https://web.archive.org/web/20211207181409/https://www.oki.com/me/printing/services-and-solutions/smart-solutions/print-job-accounting/index.html
• CWE-428: Unquoted Search Path or Element
