ThreatScope by DIAMATIX: Active Exploitation Risks & Critical CVEs (26 January – 1 February 2026)
During the period 26 January – 1 February 2026, DIAMATIX analyzed a set of critical and high-severity vulnerabilities, several of which are zero-day or near-zero-day, affecting automation platforms, sandboxing technologies, endpoint software, archive utilities, enterprise tools, and network devices.
This week’s findings strongly cluster around sandbox escape, code injection, and remote code execution, highlighting how trusted execution environments continue to be a primary attack target.
Vulnerability Overview
| CVE ID | Product / Platform | Vulnerability Type | Impact |
|---|---|---|---|
| CVE-2026-1470 | n8n | Eval Injection | Remote Code Execution |
| CVE-2026-0863 | n8n | Eval Injection | OS Command Execution |
| CVE-2026-22709 | vm2 (Node.js) | Sandbox Escape | Arbitrary Code Execution |
| CVE-2025-8088 | WinRAR | Path Traversal (0-day) | Remote Code Execution |
| CVE-2026-21509 | Microsoft Office | Security Feature Bypass (0-day) | Local Privilege Abuse |
| CVE-2026-24002 | Grist-Core | Sandbox Escape | Server Compromise |
| CVE-2020-37033 | SourceCodester / Infor Storefront | SQL Injection | Database Compromise |
| CVE-2026-1723 | TOTOLINK X6000R | OS Command Injection | Full Device Compromise |
| CVE-2026-1281 | Ivanti EPM Mobile | Code Injection | Unauthenticated RCE |
1. Automation & Workflow Platforms: Eval Injection in n8n
Observed vulnerabilities:
CVE-2026-1470 – Eval injection allowing sandbox bypass and full RCE
CVE-2026-0863 – Python sandbox escape enabling arbitrary OS command execution
These vulnerabilities affect n8n, a widely used workflow automation platform, allowing authenticated users to escape expression and task sandboxes.
Why this matters:
Automation platforms operate at the intersection of systems, credentials, and data. When sandbox boundaries fail, attackers gain execution paths with high privilege and broad reach across environments.
2. Sandboxing & Runtime Isolation: Node.js vm2 Escape
Observed vulnerability:
CVE-2026-22709 – Critical sandbox escape in vm2 for Node.js
Improper sanitization of global Promise callbacks allows attackers to escape the sandbox and execute arbitrary code.
Why this matters:
Sandboxing is often treated as a hard security boundary. When isolation mechanisms fail, they invalidate trust assumptions across CI/CD pipelines, plugins, and embedded scripting environments.
3. Archive & Document Handling: WinRAR and Microsoft Office Zero-Days
Observed vulnerabilities:
CVE-2025-8088 – WinRAR path traversal (zero-day) enabling code execution via malicious archives
CVE-2026-21509 – Microsoft Office security feature bypass via untrusted input
Both vulnerabilities exploit user interaction workflows and bypass expected safety controls.
Why this matters:
Archive and document tools remain reliable initial access vectors. Zero-day flaws here allow attackers to bypass user trust with minimal technical complexity.
4. Enterprise & Data Platforms: Grist-Core Sandbox Escape
Observed vulnerability:
CVE-2026-24002 – Remote code execution in Grist-Core when using the pyodide sandbox flavor
Malicious spreadsheets can execute arbitrary processes on the server hosting Grist.
Why this matters:
Data platforms often execute untrusted user logic. When sandboxing assumptions fail, data processing becomes an execution vector.
5. Web Applications & Databases: SQL Injection
Observed vulnerability:
CVE-2020-37033 – SQL injection in SourceCodester / Infor Storefront B2B 1.0
Attackers can manipulate authentication queries and extract or modify database contents.
Why this matters:
Despite being a well-known class, SQL injection remains highly effective where input validation and parameterization are incomplete.
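As an added illustration of the point above (example code written for this bulletin, not code from the affected product or from DIAMATIX), the snippet below contrasts an authentication query built by string interpolation with the same query using bound parameters. The table, the user row and the injected input are constructed for the demo; the vendor's actual code is not known from this page.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Interpolates user input into the SQL text: the quote in the input
    terminates the string literal and the rest is parsed as SQL."""
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Binds the values separately from the SQL text: whatever the input
    contains, it is compared as data and never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0

# Constructed input that closes the password literal and appends an always-true clause.
INJECTED = "' OR '1'='1"

def demo() -> dict:
    """Runs both query styles against valid credentials and the injected input."""
    conn = build_db()
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "hash-of-alice-pw"),
        "vulnerable_injected": login_vulnerable(conn, "alice", INJECTED),
        "parameterized_valid": login_parameterized(conn, "alice", "hash-of-alice-pw"),
        "parameterized_injected": login_parameterized(conn, "alice", INJECTED),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'login accepted' if outcome else 'login rejected'}")
```

Only the interpolated variant accepts the injected value; the parameterized variant rejects it while still accepting the genuine credentials, which is the behaviour a review of authentication code should confirm for every query path, not only the login form.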
6. Network & IoT Devices: OS Command Injection
Observed vulnerability:
CVE-2026-1723 – OS command injection in TOTOLINK X6000R
Unauthenticated attackers can execute arbitrary commands remotely.
Why this matters:
Network and IoT devices often operate with high trust and low visibility, making them ideal persistence points once compromised.
7. Endpoint & Device Management: Ivanti EPM Mobile
Observed vulnerability:
CVE-2026-1281 – Code injection leading to unauthenticated remote code execution
This flaw allows attackers to fully compromise managed mobile environments.
Why this matters:
Endpoint management platforms are control planes. Compromise here enables large-scale lateral impact across managed devices.
Key Takeaways
Sandbox and isolation failures dominate this week’s risk landscape
Automation and workflow tools amplify the impact of code execution flaws
Zero-day vulnerabilities continue to target everyday user workflows
Device management and network hardware remain high-value targets
Trust boundaries are repeatedly crossed where execution is assumed safe
ThreatScope by DIAMATIX delivers expert-level visibility into real exploitation paths — focused on patterns, not panic.
Trusted · Innovative · Vigilant