CVSS: 9.8 • EPSS: % • CPEs: 1 • EXPL: 0
CVE-2026-1331 – HAMASTAR Technology|MeetingHub - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2026-1331
22 Jan 2026 — MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. • https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.8 • EPSS: % • CPEs: 1 • EXPL: 0
CVE-2026-23946 – Tendenci has Authenticated Remote Code Execution via Pickle Deserialization
https://notcve.org/view.php?id=CVE-2026-23946
22 Jan 2026 — This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python's pickle module in helpdesk /reports/. • https://docs.python.org/3/library/pickle.html#restricting-globals • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-502: Deserialization of Untrusted Data •
CVSS: 5.2 • EPSS: % • CPEs: 1 • EXPL: 0
CVE-2026-23873 – HUSTOJ is Vulnerable to Stored CSV Injection (Formula Injection) in Contest Rank Export
https://notcve.org/view.php?id=CVE-2026-23873
21 Jan 2026 — This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. • https://github.com/zhblue/hustoj/security/advisories/GHSA-gqwv-v7vx-2qjw • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 7.5 • EPSS: % • CPEs: 1 • EXPL: 0
CVE-2026-23737 – seroval Affected by Remote Code Execution via JSON Deserialization
https://notcve.org/view.php?id=CVE-2026-23737
21 Jan 2026 — In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. • https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8 • EPSS: % • CPEs: 1 • EXPL: 0
CVE-2026-23524 – Laravel Redis Horizontal Scaling Insecure Deserialization
https://notcve.org/view.php?id=CVE-2026-23524
21 Jan 2026 — In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. • https://cwe.mitre.org/data/definitions/502.html • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8 • EPSS: % • CPEs: 1 • EXPL: 0
CVE-2026-22807 – vLLM affected by RCE via auto_map dynamic module loading during model initialization
https://notcve.org/view.php?id=CVE-2026-22807
21 Jan 2026 — Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. • https://github.com/vllm-project/vllm/commit/78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.6 • EPSS: % • CPEs: 1 • EXPL: 0
CVE-2026-22793 – 5ire vulnerable to Remote Code Execution (RCE) via ECharts
https://notcve.org/view.php?id=CVE-2026-22793
21 Jan 2026 — Prior to version 0.15.3, an unsafe option parsing vulnerability in the ECharts Markdown plugin allows any user able to submit ECharts code blocks to execute arbitrary JavaScript code in the renderer context. This can lead to Remote Code Execution (RCE) in environments where privileged APIs (such as Electron’s electron.mcp) are exposed, resulting in full compromise of the host system. • https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.6 • EPSS: % • CPEs: 1 • EXPL: 0
CVE-2026-22792 – 5ire vulnerable to Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2026-22792
21 Jan 2026 — This enables unauthorized creation of MCP servers and leads to remote command execution. • https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3 • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 8.5 • EPSS: % • CPEs: 1 • EXPL: 3
CVE-2021-47860 – GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE
https://notcve.org/view.php?id=CVE-2021-47860
21 Jan 2026 — GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote code on the hosting server when an authenticated administrator visits the page. • https://www.vulncheck.com/advisories/getsimple-cms-custom-js-csrf-to-xss-to-rce • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.6 • EPSS: % • CPEs: 1 • EXPL: 2
CVE-2021-47778 – GetSimple CMS My SMTP Contact Plugin 1.1.2 - PHP Code Injection
https://notcve.org/view.php?id=CVE-2021-47778
21 Jan 2026 — GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server. • https://www.vulncheck.com/advisories/getsimple-cms-my-smtp-contact-plugin-php-code-injection • CWE-94: Improper Control of Generation of Code ('Code Injection') •
