EUVD-2026-29426

Affected devices do not properly validate and sanitize PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into the page. If a...

EUVD-2026-29422

The Motors – Car Dealership & Classified Listings plugin for WordPress is vulnerable to Payment Bypass via insecure user meta update in all versions up to, and including, 1.4.103 This is due to the stmsaveuserextrafields function updating sensitive user meta fields from POST data without verifyin...

EUVD-2026-29427

Affected devices do not properly validate and sanitize Technology Object TO name rendered on the "Motion Control Diagnostics" page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into the...

EUVD-2026-29428

Affected devices do not properly validate and sanitize filenames on the Firmware Update page. This could allow a remote attacker to social engineer the user into selecting the modified firmware file to be uploaded. This would result in malitcious JavaScript execution in the context of the...

EUVD-2025-209783

Improper neutralization of special elements used in an SQL command 'SQL injection' vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows SQL Injection. This issue affects E-Commerce Website: before 4.5.001...

EUVD-2026-29429

Affected devices do not properly restrict access to the web browser via the Control Panel when no corresponding security mechanisms are in place. This could allow an unauthenticated attacker to gain unauthorized access to the web browser, potentially enabling the discovery of backdoors, performin...

EUVD-2026-29430

A vulnerability has been identified in Teamcenter V2312 All versions V2312.0014, Teamcenter V2406 All versions V2406.0012, Teamcenter V2412 All versions V2412.0009, Teamcenter V2506 All versions V2506.0005, Teamcenter V2512 All versions. The affected application does not properly encode or filter...

EUVD-2026-29423

A vulnerability has been identified in SIMATIC CN 4100 All versions V5.0. The affected application does not properly restrict unauthenticated connections and is susceptible to resource exhaustion conditions. This could allow an attacker to disrupt normal operations or perform unauthorized actions...

EUVD-2025-209781

A vulnerability has been identified in RUGGEDCOM ROX MX5000 All versions V2.17.1, RUGGEDCOM ROX MX5000RE All versions V2.17.1, RUGGEDCOM ROX RX1400 All versions V2.17.1, RUGGEDCOM ROX RX1500 All versions V2.17.1, RUGGEDCOM ROX RX1501 All versions V2.17.1, RUGGEDCOM ROX RX1510 All versions V2.17.1...

EUVD-2025-209780

A vulnerability has been identified in RUGGEDCOM ROX MX5000 All versions V2.17.1, RUGGEDCOM ROX MX5000RE All versions V2.17.1, RUGGEDCOM ROX RX1400 All versions V2.17.1, RUGGEDCOM ROX RX1500 All versions V2.17.1, RUGGEDCOM ROX RX1501 All versions V2.17.1, RUGGEDCOM ROX RX1510 All versions V2.17.1...

EUVD-2024-55574

A vulnerability has been identified in SIPROTEC 5 6MD84 CP300 All versions = V7.80 = V7.80 = V7.80 = V7.80 = V7.80 = V7.80, SIPROTEC 5 7SA82 CP150 All versions = V7.80 = V7.80 = V7.80, SIPROTEC 5 7SD82 CP150 All versions = V7.80 = V7.80 = V7.80, SIPROTEC 5 7SJ81 CP150 All versions = V7.80, SIPROT...

EUVD-2025-209779

A vulnerability has been identified in blueplanet 100 NX3 M8 All versions, blueplanet 100 TL3 GEN2 All versions V6.1.4.9, blueplanet 105 TL3 All versions, blueplanet 105 TL3 GEN2 All versions V6.1.4.9, blueplanet 110 TL3 All versions, blueplanet 125 NX3 M11 All versions, blueplanet 125 TL3 All...

EUVD-2025-209778

The affected devices contain a null pointer dereference vulnerability while processing specially crafted IPv4 requests. This could allow an attacker to cause denial of service condition. A manual restart is required to recover the system...

EUVD-2025-209782

A vulnerability has been identified in RUGGEDCOM ROX MX5000 All versions V2.17.1, RUGGEDCOM ROX MX5000RE All versions V2.17.1, RUGGEDCOM ROX RX1400 All versions V2.17.1, RUGGEDCOM ROX RX1500 All versions V2.17.1, RUGGEDCOM ROX RX1501 All versions V2.17.1, RUGGEDCOM ROX RX1510 All versions V2.17.1...

EUVD-2026-29421

The Bootstrap Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the box shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

EUVD-2026-29420

The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the social shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

EUVD-2026-29414

The AzonPost plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the editposhidden parameter in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...

EUVD-2026-29412

The Woo Commerce Minimum Weight plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.0.1. This is due to missing nonce verification on the settings update handler in edit-weight.php. This makes it possible for unauthenticated attackers to modify t...

EUVD-2026-29408

The Coinbase Commerce for Contact Form 7 plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.1.2. This is due to a missing capability check and missing nonce verification in the savesettings function, which is registered on the adminpostcccf7savesettings...

EUVD-2026-29409

The Skysa Text Ticker App plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the SkysaAppsAdminAppPage function. This makes it possible for unauthenticated attackers to trick a site...

EUVD-2026-29403

The Credits Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the 'credits' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

EUVD-2026-29418

The Zawgyi Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the zawgyiadminpage function. This makes it possible for unauthenticated attackers to update the plugin's...

EUVD-2026-29406

The LifePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'n' parameter of the lpupdatemds AJAX action in all versions up to, and including, 2.2.2. This is due to the wpajaxnoprivlpupdatemds action being registered without nonce verification or capability checks,...

EUVD-2026-29417

The WP-Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.3. This is due to the absence of a nonce field in the admin settings form and the lack of any nonce verification via checkadminreferer or wpverifynonce in the...

EUVD-2026-29411

The Shortcodely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'widgetarea' parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level acces...

EUVD-2026-29410

The Pricing Tables for WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

EUVD-2026-29407

The HEL Online Classroom: AI-powered Online Classrooms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.3. This is due to a missing capability check on a REST API endpoint registered with a permissioncallback of 'returntrue', which bypasses all...

EUVD-2026-29415

The WP Google Maps Integration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the page parameter in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

EUVD-2026-29405

The GWD Connect plugin for WordPress is vulnerable to missing authorization to limited code execution in all versions up to, and including, 2.9. This is due to the plugin's standalone agent endpoints gwd-backup.php and gwd-logs.php not verifying authentication when the API key has not been...

EUVD-2026-29416

The Tm – WordPress Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicio...

EUVD-2026-29419

The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. This is due to the wsbhandleslekpaymentredirect function placing the merchant's slekkey and sleksecret API credentials directly into a client-side HTML form, and additionally embedding the...

EUVD-2026-29413

The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access a...

EUVD-2026-29400

The Voyage Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute of the 'post-content' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...

EUVD-2026-29396

The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

EUVD-2026-29397

The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the pp-get-articles AJAX action in all versions up to, and including, 1.2.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficie...

EUVD-2026-29402

The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

EUVD-2026-29394

The iPOSpays Gateways WC plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.3.7. This is due to the plugin exposing a REST API endpoint /wp-json/ipospays/v1/savesettings with 'permissioncallback' set to 'returntrue', which allows unauthenticated access...

EUVD-2026-29401

The Quick Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' attribute of the 'qtbl' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

EUVD-2026-29395

The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the wpsbdpostcarousel shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

EUVD-2026-29398

The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fancy-img-show shortcode in all versions up to, and including, 9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...

EUVD-2026-29393

The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. The vwrsrreview AJAX handler lacks both capability checks and nonce verification. The only access control is an isuserloggedin check...

EUVD-2026-29399

The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saabcancelbooking function in all versions up to, and including, 1.0.8. The nonce check uses && AND instead of || OR,...

EUVD-2026-29389

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.17 due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query in the getListForTbl function. This makes...

EUVD-2026-29388

The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the filterimages function in all versions up to, and including, 1.0.9. This is due to the use of regex-based HTML processing pregreplace that does not properly handle HTML attribute boundaries when replacing sr...

EUVD-2026-29391

The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kcseoativetab parameter in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

EUVD-2026-29390

An unauthenticated remote attacker may exhaust all available TCP connections in the CODESYS Modbus TCP Server stack if a race condition in connection handling is successfully exploited, preventing legitimate clients from establishing new connections...

EUVD-2026-29392

Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Timetics: from n/a through 1.0.53...

EUVD-2026-29386

A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to privilege escalation. This vulnerability can only be exploited if an attacker can log in to the Axis device using SSH...

EUVD-2026-29384

An ACAP configuration file lacked sufficient input validation, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker...

EUVD-2026-29382

ACAP applications can gain elevated privileges due to improper input validation during the installation process, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if a...