CVSS: 4.5 • EPSS: % • CPEs: 1 • EXPL: 0

02 Feb 2026 — Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution). • https://docs.craftercms.org/current/security/advisory.html#cv-2026020201 • CWE-913: Improper Control of Dynamically-Managed Code Resources

CVSS: 8.6 • EPSS: % • CPEs: - • EXPL: 0

02 Feb 2026 — A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption. This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction. • https://access.redhat.com/security/cve/CVE-2026-1761 • CWE-121: Stack-based Buffer Overflow

CVSS: 9.1 • EPSS: 0% • CPEs: - • EXPL: 0

02 Feb 2026 — A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. ... The impact of this vulnerability includes the potential for remote code execution and complete access to the system running h2o-3, as attackers can overwrite critical files such as private SSH keys or script files. • https://huntr.com/bounties/64ff5319-6ac3-4447-87f7-b53495d4d5a3 • CWE-73: External Control of File Name or Path

CVSS: 9.6 • EPSS: 0% • CPEs: - • EXPL: 0

02 Feb 2026 — The server's handling of the `__init__.py` file in arbitrary locations, facilitated by `importlib.machinery.SourceFileLoader`, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to Remote Code Execution (RCE) when the application is exposed to an external endpoint or the UI, especially when bound to `0.0.0.0... • https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25 • CWE-29: Path Traversal: '\..\filename'

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

01 Feb 2026 — OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value. • https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys • CWE-669: Incorrect Resource Transfer Between Spheres

CVSS: 8.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Feb 2026 — EPSON EasyMP Network Projection 2.81 contains an unquoted service path vulnerability in the EMP_NSWLSV service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\ to inject malicious code that would execute with LocalSystem privileges. • https://epson.com/support/easymp-network-projection-v2-86-for-windows • CWE-428: Unquoted Search Path or Element

CVSS: 8.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Feb 2026 — TFTP Turbo 4.6.1273 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. • https://www.exploit-db.com/exploits/48085 • CWE-428: Unquoted Search Path or Element

CVSS: 8.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Feb 2026 — DHCP Turbo 4.61298 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. • https://www.exploit-db.com/exploits/48080 • CWE-428: Unquoted Search Path or Element

CVSS: 8.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Feb 2026 — BOOTP Turbo 2.0.1214 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted executable path to inject malicious code that will be executed when the service starts with LocalSystem permissions. • https://www.exploit-db.com/exploits/48078 • CWE-428: Unquoted Search Path or Element

CVSS: 8.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Feb 2026 — SpyHunter 4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. • https://www.enigmasoftware.com • CWE-428: Unquoted Search Path or Element