1128 matches found

EUVD
added 2026/01/07 12:0 a.m., 2 views

EUVD-2026-1174

A command injection vulnerability in the executecommand function of terminal-controller-mcp 0.1.7 allows attackers to execute arbitrary commands via a crafted input...

CVSS 10, AI score 7.6, EPSS 0.00594
Exploits 1, References 4
EUVD
added 2026/01/07 12:0 a.m., 3 views

EUVD-2026-1209

A stored Cross-Site Scripting (XSS) vulnerability exists in Perch CMS version 3.2. An authenticated attacker with administrative privileges can inject malicious JavaScript code into the “Help button url” setting within the admin panel. The injected payload is stored and executed when any...

CVSS 6.1, AI score 5.2, EPSS 0.00028
Exploits 1, References 3
EUVD
added 2026/01/06 7:2 p.m., 3 views

EUVD-2026-0958

A security vulnerability has been detected in TOTOLINK WA300 5.2cu.7112B20190227. This vulnerability affects the function sub401510 of the file cstecgi.cgi. The manipulation of the argument UPLOADFILENAME leads to command injection. The attack may be initiated remotely. The exploit has been...

CVSS 6.5, AI score 6.3, EPSS 0.00759
Exploits 1, References 8
EUVD
added 2026/01/06 5:34 p.m., 4 views

EUVD-2026-0984

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Mojoomla WPCHURCH allows PHP Local File Inclusion. This issue affects WPCHURCH: from n/a through 2.7.0...

CVSS 8.1, AI score 8.5, EPSS 0.00104
Exploits 0, References 2
EUVD
added 2026/01/06 4:54 p.m., 1 views

EUVD-2026-1007

Missing Authorization vulnerability in Sfwebservice InWave Jobs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects InWave Jobs: from n/a through 3.5.8...

CVSS 9.8, AI score 6.4, EPSS 0.0005
Exploits 0, References 2
EUVD
added 2026/01/06 4:36 p.m., 3 views

EUVD-2026-0983

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in CodexThemes TheGem Theme Elements for Elementor thegem-elements-elementor allows Stored XSS. This issue affects TheGem Theme Elements for Elementor: from n/a through = 5.11.0...

CVSS 6.5, AI score 5.5, EPSS 0.00024
Exploits 0, References 2
EUVD
added 2026/01/06 4:36 p.m., 3 views

EUVD-2026-0991

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in CodexThemes TheGem Theme Elements for WPBakery thegem-elements allows DOM-Based XSS. This issue affects TheGem Theme Elements for WPBakery: from n/a through = 5.11.0...

CVSS 6.5, AI score 5.9, EPSS 0.00024
Exploits 0, References 2
EUVD
added 2026/01/06 4:36 p.m., 2 views

EUVD-2026-1013

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in VanKarWai Calafate calafate allows PHP Local File Inclusion. This issue affects Calafate: from n/a through = 1.7.7...

CVSS 7.5, AI score 6.6, EPSS 0.00103
Exploits 0, References 2
EUVD
added 2026/01/06 4:36 p.m., 2 views

EUVD-2026-0999

Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through = 0.19...

CVSS 4.3, AI score 6.4, EPSS 0.0003
Exploits 0, References 2
EUVD
added 2026/01/06 3:52 p.m., 1 views

EUVD-2026-1020

RED-V Super Digital Signage System 5.1.1 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive webserver log files. Attackers can visit multiple endpoints to retrieve system resources and debug log information without authentication...

CVSS 7.5, AI score 5.9, EPSS 0.00179
Exploits 1, References 8
EUVD
added 2026/01/06 3:52 p.m., 3 views

EUVD-2026-1018

iDS6 DSSPro Digital Signage System 6.2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft malicious web pages to trick logged-in administrators into adding unauthorized users by exploiting the...

CVSS 5.1, AI score 6.2, EPSS 0.00022
Exploits 1, References 9
EUVD
added 2026/01/06 3:52 p.m., 1 views

EUVD-2026-1031

FIBARO System Home Center 5.021 contains a remote file inclusion vulnerability in the undocumented proxy API that allows attackers to include arbitrary client-side scripts. Attackers can exploit the 'url' GET parameter to inject malicious JavaScript and potentially hijack user sessions or...

CVSS 7.5, AI score 6.5, EPSS 0.00061
Exploits 1, References 8
EUVD
added 2026/01/06 3:15 p.m., 3 views

EUVD-2026-1009

AirVPN Eddie on MacOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root. This issue affects Eddie: 2.24.6...

CVSS 8.5, AI score 6.6, EPSS 0.00015
Exploits 1, References 5
EUVD
added 2026/01/06 2:45 p.m., 4 views

EUVD-2026-1032

Forcepoint One DLP Client, version 23.04.5642 and possibly newer versions, includes a restricted version of Python 2.5.4 that prevents use of the ctypes library. ctypes is a foreign function interface (FFI) for Python, enabling calls to DLLs/shared libraries, memory allocation, and direct code...

CVSS 7.8, AI score 7, EPSS 0.00082
Exploits 0, References 4
EUVD
added 2026/01/06 6:36 a.m., 2 views

EUVD-2026-1072

The Phlox theme for WordPress is vulnerable to Stored Cross-Site Scripting via the data-caption HTML attribute in all versions up to, and including, 2.17.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...

CVSS 6.4, AI score 4.5, EPSS 0.00027
Exploits 0, References 4
EUVD
added 2026/01/06 6:31 a.m., 2 views

EUVD-2026-1083

Not used...

AI score 6.4
Exploits 0, References 1
EUVD
added 2026/01/06 6:31 a.m., 3 views

EUVD-2026-1089

Not used...

AI score 6.4
Exploits 0, References 1
EUVD
added 2026/01/06 4:31 a.m., 3 views

EUVD-2026-1075

The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE /subscribers REST API endpoint in all versions up to, and including, 2.2.0. This is due to the permissioncallback only validating wprest nonce without checking user...

CVSS 5.3, AI score 5.3, EPSS 0.00037
Exploits 0, References 6
EUVD
added 2026/01/06 3:21 a.m., 2 views

EUVD-2026-1091

The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the...

CVSS 5.3, AI score 5, EPSS 0.00108
Exploits 0, References 5
EUVD
added 2026/01/06 3:21 a.m., 2 views

EUVD-2026-1080

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dirpath' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers,...

CVSS 6.5, AI score 5.4, EPSS 0.0006
Exploits 0, References 5