CVSS: 10.0 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2025-52694 – Execution of arbitrary SQL commands
https://notcve.org/view.php?id=CVE-2025-52694
12 Jan 2026 — Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet. • https://www.csa.gov.sg/alerts-and-advisories/alerts/alerts-al-2026-001 •
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-22608 – Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection
https://notcve.org/view.php?id=CVE-2026-22608
10 Jan 2026 — Chaining these two together can achieve RCE while the scanner still reports the file as LIKELY_SAFE. • https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1 • CWE-184: Incomplete List of Disallowed Inputs CWE-502: Deserialization of Untrusted Data •
CVSS: 5.8 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2025-15495 – BiggiDroid Simple PHP CMS editsite.php unrestricted upload
https://notcve.org/view.php?id=CVE-2025-15495
09 Jan 2026 — A vulnerability was found in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/editsite.php. The manipulation of the argument image results in unrestricted upload. The attack can be launched remotely. The exploit has been made public and could be used. • https://github.com/Asim-QAZi/RCE-Simplephpblog-biggiedroid • CWE-284: Improper Access Control CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2020-36875 – AccessAlly < 3.3.2 Unauthenticated Arbitrary PHP Code Execution
https://notcve.org/view.php?id=CVE-2020-36875
09 Jan 2026 — AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote
CVSS: 10.0 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2025-69426 – Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded SSH Credentials RCE
https://notcve.org/view.php?id=CVE-2025-69426
09 Jan 2026 — By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise. • https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-ssh-credentials-rce • CWE-732: Incorrect Permission Assignment for Critical Resource CWE-798: Use of Hard-coded Credentials •
CVSS: 10.0 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2025-69425 – Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded Tokens RCE
https://notcve.org/view.php?id=CVE-2025-69425
09 Jan 2026 — An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise. • https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-tokens-rce • CWE-306: Missing Authentication for Critical Function CWE-798: Use of Hard-coded Credentials •
CVSS: 10.0 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2025-64093 – Unauthenticated Remote Code Execution via the device hostname
https://notcve.org/view.php?id=CVE-2025-64093
09 Jan 2026 — Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device. • https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.0 | EPSS: 0% | CPEs: 2 | EXPL: 1 | CVE-2025-13761 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2025-13761
09 Jan 2026 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage. • https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.6 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2025-64091 – Authenticated Remote Code Execution in the NTP-configuration
https://notcve.org/view.php?id=CVE-2025-64091
09 Jan 2026 — This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device. • https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2025-64090 – Authenticated Remote Code Execution in device hostname
https://notcve.org/view.php?id=CVE-2025-64090
09 Jan 2026 — This vulnerability allows authenticated attackers to execute commands via the hostname of the device. • https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
