EUVD-2026-3166

EUVD-2026-3166...

EUVD-2026-3165

EUVD-2026-3165...

EUVD-2026-2880

Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from 2.5.2 before 2.6.0...

EUVD-2026-2867

Omni Secure Files plugin versions prior to 0.1.14 contain an arbitrary file upload vulnerability in the bundled plupload example endpoint. The /wp-content/plugins/omni-secure-files/plupload/examples/upload.php handler allows unauthenticated uploads without enforcing safe file type restrictions,...

EUVD-2026-2868

Moeditor 0.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload specially crafted markdown files with embedded JavaScript that execute when opened, potentially enabling remote code execution on t...

EUVD-2026-2893

Sandboxie 5.49.7 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the container folder input field. Attackers can paste a large buffer of repeated characters into the Sandbox container folder setting to trigger an application crash...

EUVD-2026-2889

Acer Updater Service 1.2.3500.0 contains an unquoted service path vulnerability that allows local users to execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files\Acer\Acer Updater\ to inject malicious executables that will run with LocalSystem...

EUVD-2026-2907

Ubee EVW327 contains a cross-site request forgery vulnerability that allows attackers to enable remote access without user interaction. Attackers can craft a malicious webpage that automatically submits a form to change router remote access settings to port 8080 without the user's consent...

EUVD-2026-2930

A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data...

EUVD-2026-2900

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user's installed apps...

EUVD-2026-2898

This issue was addressed through improved state management. This issue is fixed in iOS 18.1 and iPadOS 18.1. A user may be able to view restricted content from the lock screen...

EUVD-2026-2939

The Librarian supervisord status page can be retrieved by the webfetch tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions...

EUVD-2026-2946

The Librarian contains a information leakage vulnerability through the webfetch tool, which can be used to retrieve arbitrary external content provided by an attacker, which can be used to proxy requests through The Librarian infrastructure. The vendor has fixed the vulnerability in all versions ...

EUVD-2026-2933

Remote command injection vulnerability in heap profiler builtin service in Apache bRPC all versions 1.15.0 on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap profiler built-in service /pprof/heap does not validate the user-provided extraoptions parameter and...

EUVD-2026-2966

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the completepayment AJAX action being registered via wpajaxnopriv,...

EUVD-2026-2955

The Related Posts by Taxonomy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'relatedpostsbytax' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

EUVD-2026-2934

lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension...

EUVD-2026-2968

The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the...

EUVD-2026-2985

Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attacker to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server...

EUVD-2026-2986

Police Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing Unauthenticated remote attacker to exploit Absolute Path Traversal to download arbitrary system files...