CVSS: 8.2 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-0805 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller
https://notcve.org/view.php?id=CVE-2026-0805
30 Jan 2026 — An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal. • https://gitlab.com/crafty-controller/crafty-4/-/issues/650 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS: 9.9 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-0963 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller
https://notcve.org/view.php?id=CVE-2026-0963
30 Jan 2026 — An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal. • https://gitlab.com/crafty-controller/crafty-4/-/issues/660 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS: 9.0 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-25116 – Runtipi vulnerable to unauthenticated docker-compose.yml Overwrite via Path Traversal
https://notcve.org/view.php?id=CVE-2026-25116
29 Jan 2026 — Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the ope... • https://github.com/runtipi/runtipi/releases/tag/v4.7.2 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-306: Missing Authentication for Critical Function
CVSS: 9.8 • EPSS: % • CPEs: - • EXPL: 0 • CVE-2026-1340
https://notcve.org/view.php?id=CVE-2026-1340
29 Jan 2026 — A code injection vulnerability in Ivanti Endpoint Manager Mobile allows attackers to achieve unauthenticated remote code execution. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 9.8 • EPSS: % • CPEs: - • EXPL: 0 • CVE-2026-1281 – Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
https://notcve.org/view.php?id=CVE-2026-1281
29 Jan 2026 — A code injection vulnerability in Ivanti Endpoint Manager Mobile allows attackers to achieve unauthenticated remote code execution. Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 8.8 • EPSS: % • CPEs: - • EXPL: 0 • CVE-2026-1457 – Authenticated RCE Vulnerability Due to Buffer Overflow on TP-Link VIGI C385
https://notcve.org/view.php?id=CVE-2026-1457
29 Jan 2026 — An authenticated buffer handling flaw in the TP-Link VIGI C385 V1 Web API, which lacks input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger buffer overflow and potentially execute arbitrary code with elevated privileges. Authenticate... • https://www.tp-link.com/en/support/download/vigi-c385/v1/#Firmware • CWE-121: Stack-based Buffer Overflow
CVSS: 9.8 • EPSS: % • CPEs: 1 • EXPL: 0 • CVE-2026-24780 – AutoGPT is Vulnerable to RCE via Disabled Block Execution
https://notcve.org/view.php?id=CVE-2026-24780
29 Jan 2026 — Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. • https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/external/v1/routes.py#L79-L93 • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-276: Incorrect Default Permissions • CWE-863: Incorrect Authorization
CVSS: 8.5 • EPSS: % • CPEs: 1 • EXPL: 1 • CVE-2020-37017 – CodeMeter 6.60 - 'CodeMeter.exe' Unquoted Service Path
https://notcve.org/view.php?id=CVE-2020-37017
29 Jan 2026 — CodeMeter 6.60 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CodeMeter Runtime Server service to inject malicious code that would execute with LocalSystem permissions. • https://www.vulncheck.com/advisories/codemeter-codemeterexe-unquoted-service-path • CWE-428: Unquoted Search Path or Element
CVSS: 8.4 • EPSS: % • CPEs: 1 • EXPL: 2 • CVE-2020-37013 – Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH)
https://notcve.org/view.php?id=CVE-2020-37013
29 Jan 2026 — Audio Playback Recorder 3.2.2 contains a local buffer overflow vulnerability in the eject and registration parameters that allows attackers to execute arbitrary code. • https://archive.org/details/tucows_288670_Audio_Playback_Recorder • CWE-121: Stack-based Buffer Overflow
CVSS: 10.0 • EPSS: % • CPEs: 1 • EXPL: 1 • CVE-2020-37012 – Tea LaTex 1.0 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-37012
29 Jan 2026 — Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. • https://www.vulncheck.com/advisories/tea-latex-remote-code-execution • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
