13 matches found
EUVD-2026-5004
Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common Node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with runIn: local, a malicious actor who...
CVE-2025-12892
The Survey Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivatepluginoption function in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to update the...
SQL Plugin Job Fails with Error: "Mandatory arguments not set" or "Starting retention policy task"
Challenge: After the upgrade or installation of the patch for Veeam Backup & Replication 12.3.2.4165, existing Veeam Plug-In for Microsoft SQL jobs fail with the following error: Failed to backup database. Error: Mandatory arguments not set Session failed: Mandatory arguments not set. Starting...
Arbitrary Command Injection
Overview: Affected versions of this package are vulnerable to Arbitrary Command Injection via improper sanitization of parameters in the smart.disk.get process. An attacker can inject arbitrary arguments into the smartctl command by supplying crafted input, potentially leading to the exposure of...
PT-2025-34243 · WordPress · Eslint-Ban-Moment
Name of the Vulnerable Software and Affected Versions: eslint-ban-moment versions 3.0.0 and earlier Description: The eslint-ban-moment plugin exposes a sensitive Supabase URI in the .env file. A valid Supabase URI containing a username and password grants an attacker complete unauthorized access...
Missing Authorization
Overview: Affected versions of this package are vulnerable to Missing Authorization via the GET autocomplete/GetChannelSubscriptions endpoint. An attacker can retrieve channel subscription details by making unauthorized API calls. Remediation: Upgrade...
Incorrect Authorization
Overview: Affected versions of this package are vulnerable to Incorrect Authorization through improper enforcement of channel member permissions for playbook run participants. An attacker without the 'Manage Channel Members' permission can add or remove users from public and private channels by...
PT-2024-16598 · WordPress · The Popup Box – Create Countdown
Name of the Vulnerable Software and Affected Versions: The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress versions up to, and including, 4.9.7 Description: The issue is related to a missing capability check on the deactivate plugin option function, which...
PT-2024-23858
Name of the Vulnerable Software and Affected Versions: Strapi versions prior to 4.22.0 Description: A denial-of-service issue is present in the media upload process, causing the server to crash without restarting. This affects both development and production environments. Usually, errors in the...
PT-2024-25435 · WordPress · All In One Seo
Name of the Vulnerable Software and Affected Versions: All in One SEO WordPress plugin versions prior to 4.6.1.1 Description: The issue allows users with the contributor role and above to perform Stored Cross-Site Scripting attacks due to the plugin not validating and escaping some of its Post...
WordPress VideoWhisper Video Presentation 3.31.17 - Remote File Upload
WordPress Kernel theme is prone to a remote file upload vulnerability. Because of this vulnerability, anyone can upload files, for example .zip, .rar, .mp3, .jpeg, .txt, .html, etc., to a WordPress site. Solution: Upgrade the plugin...
CVE-2008-4440
The to-upgrade plugin in feta 1.4.16 allows local users to overwrite arbitrary files via a symlink on the (1) /tmp/feta.install.$USER and (2) /tmp/feta.avail.$USER temporary files...
Code injection
The to-upgrade plugin in feta 1.4.16 allows local users to overwrite arbitrary files via a symlink on the (1) /tmp/feta.install.$USER and (2) /tmp/feta.avail.$USER temporary files...