CVSS: 9.9 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-0963 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller
https://notcve.org/view.php?id=CVE-2026-0963
30 Jan 2026 — An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal. • https://gitlab.com/crafty-controller/crafty-4/-/issues/660 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2026-0797 – GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2026-0797
30 Jan 2026 — This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. ... An attacker can leverage this vulnerability to execute code in the context of the current process. •
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-25116 – Runtipi vulnerable to unauthenticated docker-compose.yml Overwrite via Path Traversal
https://notcve.org/view.php?id=CVE-2026-25116
29 Jan 2026 — By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. • https://github.com/runtipi/runtipi/releases/tag/v4.7.2 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-306: Missing Authentication for Critical Function •
CVSS: 9.7 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-25063 – gradle-completion has a Bash command injection issue
https://notcve.org/view.php?id=CVE-2026-25063
29 Jan 2026 — A command injection vulnerability was found in gradle-completion up to and including 9.3.0 that allows arbitrary code execution when a user triggers Bash tab completion in a project containing a malicious Gradle build file. ... While task execution is the core feature of Gradle, this inherent execution may lead to unexpected outcomes. • https://github.com/gradle/gradle-completion/commit/ecacc32bb882210e5d37cd79a74de1af0d0ccad7 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-157: Failure to Sanitize Paired Delimiters •
CVSS: 9.8 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2026-1340
https://notcve.org/view.php?id=CVE-2026-1340
29 Jan 2026 — A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0 | EPSS: 13% | CPEs: 2 | EXPL: 0 | CVE-2026-1281 – Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
https://notcve.org/view.php?id=CVE-2026-1281
29 Jan 2026 — A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2026-1457 – Authenticated RCE Vulnerability Due to Buffer Overflow on TP-Link VIGI C385
https://notcve.org/view.php?id=CVE-2026-1457
29 Jan 2026 — An authenticated buffer handling flaw in the TP-Link VIGI C385 V1 Web API, lacking input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger a buffer overflow and potentially execute arbitrary code with elevated privileges. Authenticate... • https://www.tp-link.com/en/support/download/vigi-c385/v1/#Firmware • CWE-121: Stack-based Buffer Overflow •
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-24780 – AutoGPT is Vulnerable to RCE via Disabled Block Execution
https://notcve.org/view.php?id=CVE-2026-24780
29 Jan 2026 — Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. • https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/external/v1/routes.py#L79-L93 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-276: Incorrect Default Permissions CWE-863: Incorrect Authorization •
CVSS: 5.1 | EPSS: 0% | CPEs: - | EXPL: 1 | CVE-2026-1598 – Bdtask Bhojon All-In-One Restaurant Management System User Information profile cross site scripting
https://notcve.org/view.php?id=CVE-2026-1598
29 Jan 2026 — A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Impacted is an unknown function of the file /dashboard/home/profile of the component User Information Module. Performing a manipulation of the argument fullname results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. • https://github.com/4m3rr0r/PoCVulDb/issues/12 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.5 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2020-37017 – CodeMeter 6.60 - 'CodeMeter.exe' Unquoted Service Path
https://notcve.org/view.php?id=CVE-2020-37017
29 Jan 2026 — CodeMeter 6.60 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CodeMeter Runtime Server service to inject malicious code that would execute with LocalSystem permissions. • https://www.vulncheck.com/advisories/codemeter-codemeterexe-unquoted-service-path • CWE-428: Unquoted Search Path or Element •
