CVSS: 8.8 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2025-13062 – Supreme Modules Lite <= 2.5.62 - Authenticated (Author+) Arbitrary File Upload via JSON Upload Bypass
https://notcve.org/view.php?id=CVE-2025-13062
15 Jan 2026 — This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.2 | EPSS: % | CPEs: 2 | EXPL: 0 | CVE-2025-37181 – Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface
https://notcve.org/view.php?id=CVE-2025-37181
14 Jan 2026 — Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. • https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.5 | EPSS: % | CPEs: 2 | EXPL: 0 | CVE-2025-37185 – Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator Web Administration Interface
https://notcve.org/view.php?id=CVE-2025-37185
14 Jan 2026 — Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface and thereby make unauthorized arbitrary configuration changes to the host. • https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2 | EPSS: % | CPEs: 2 | EXPL: 0 | CVE-2025-37183 – Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface
https://notcve.org/view.php?id=CVE-2025-37183
14 Jan 2026 — Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. • https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2 | EPSS: % | CPEs: 2 | EXPL: 0 | CVE-2025-37182 – Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface
https://notcve.org/view.php?id=CVE-2025-37182
14 Jan 2026 — Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. • https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-22686 – Sandbox Escape via Host Error Prototype Chain in enclave-vm
https://notcve.org/view.php?id=CVE-2026-22686
13 Jan 2026 — Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. ... This breaks enclave-vm’s core security guarantee of isolating untrusted code. • https://github.com/agentfront/enclave/commit/ed8bc438b2cd6e6f0b5f2de321e5be6f0169b5a1 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-693: Protection Mechanism Failure •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2022-50893 – VIAVIWEB Wallpaper Admin 1.0 - Code Execution via Image Upload
https://notcve.org/view.php?id=CVE-2022-50893
13 Jan 2026 — VIAVIWEB Wallpaper Admin 1.0 contains an unauthenticated remote code execution vulnerability in the image upload functionality. Attackers can upload a malicious PHP file through the add_gallery_image.php endpoint to execute arbitrary code on the server. • https://www.vulncheck.com/advisories/viaviweb-wallpaper-admin-code-execution-via-image-upload • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2023-54339 – Webgrind 1.1 - Remote Command Execution (RCE) via dataFile Parameter
https://notcve.org/view.php?id=CVE-2023-54339
13 Jan 2026 — Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. Attackers can execute arbitrary system commands by manipulating the dataFile parameter, such as using payload '0%27%26calc.exe%26%27' to execute commands on the target system. • https://www.vulncheck.com/advisories/webgrind-remote-command-execution-rce-via-datafile-parameter • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.5 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2023-54338 – Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path
https://notcve.org/view.php?id=CVE-2023-54338
13 Jan 2026 — Tftpd32 SE 4.60 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. • https://pjo2.github.io/tftpd64 • CWE-428: Unquoted Search Path or Element •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2023-54335 – eXtplorer <= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2023-54335
13 Jan 2026 — Attackers can exploit this flaw to upload malicious PHP files and execute remote commands on the vulnerable file management system. • https://www.vulncheck.com/advisories/extplorer-authentication-bypass-remote-code-execution-rce • CWE-306: Missing Authentication for Critical Function •
