Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we make available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information in the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters announce, daily, the latest vulnerabilities added to the repository. The list below, updated daily, shows the most recent entries.

CVE-2026-3339

Publication date:
21/03/2026
The Keep Backup Daily plugin for WordPress is vulnerable to Limited Path Traversal in all versions up to, and including, 2.1.1 via the `kbd_open_upload_dir` AJAX action. This is due to insufficient validation of the `kbd_path` parameter, which is only sanitized with `sanitize_text_field()` - a function that does not strip path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to list the contents of arbitrary directories on the server outside of the intended uploads directory.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-3350

Publication date:
21/03/2026
The Image Alt Text Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.2. This is due to insufficient input sanitization and output escaping when dynamically generating image alt and title attributes using a DOM parser. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-32666

Publication date:
21/03/2026
WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic, so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2026

CVE-2026-33424

Publication date:
21/03/2026
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an attacker can grant access to a private message topic through invites even after they lose access to that PM. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2026

CVE-2026-33237

Publication date:
21/03/2026
WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet. Version 26.0 contains a patch for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026
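The distinction the AVideo entry draws between a format check (`isValidURL()`) and an address check (`isSSRFSafeURL()`) is the whole defence: a syntactically valid URL can still point at loopback, a private range or the cloud metadata address. The Go program below is an added example, not AVideo's code. It implements the address-side check that an admin-configurable callback URL should pass before anything fetches it. The `Resolver` type, the `fakeResolve` table and every hostname in it are constructed so the example runs offline; in production `net.LookupIP` is the resolver.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// blockedIP reports whether an address is one a server-side fetch must never
// reach: loopback, RFC 1918 / ULA private ranges, link-local (which covers the
// 169.254.169.254 cloud metadata endpoint), unspecified, or broadcast.
func blockedIP(ip net.IP) bool {
	return ip.IsLoopback() ||
		ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() ||
		ip.IsUnspecified() ||
		ip.Equal(net.IPv4bcast)
}

// Resolver abstracts DNS so the check can run offline; net.LookupIP
// satisfies it in production.
type Resolver func(host string) ([]net.IP, error)

// CheckOutboundURL validates a user- or admin-supplied callback URL before it
// is fetched. It rejects non-HTTP schemes, credentials in the URL, IP literals
// in blocked ranges (including IPv4-mapped IPv6 forms), and hostnames whose
// resolution contains any blocked address, so a mixed public+private answer
// is rejected too.
func CheckOutboundURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials in URL not allowed")
	}
	host := u.Hostname() // strips port and IPv6 brackets
	if host == "" {
		return errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		ips, err = resolve(host)
		if err != nil {
			return err
		}
		if len(ips) == 0 {
			return fmt.Errorf("host %q did not resolve", host)
		}
	}
	for _, ip := range ips {
		if blockedIP(ip) {
			return fmt.Errorf("host %q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// fakeResolve is a constructed, offline stand-in for DNS. The names and
// addresses are assumptions for the demonstration only.
func fakeResolve(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"callback.example.com": {net.ParseIP("203.0.113.10")},
		"rebind.example.com":   {net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")},
		"loop.example.net":     {net.ParseIP("127.0.0.1")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}

func main() {
	for _, raw := range []string{
		"https://callback.example.com/hook",
		"http://169.254.169.254/latest/meta-data/",
		"http://127.0.0.1:8080/admin",
		"http://[::ffff:127.0.0.1]/",
		"http://10.0.0.5/internal-api",
		"http://rebind.example.com/",
		"http://loop.example.net/",
		"ftp://callback.example.com/",
	} {
		fmt.Printf("%-45s %v\n", raw, CheckOutboundURL(raw, fakeResolve))
	}
}
```

Two caveats a reviewer would raise on any check of this shape: the address that was checked must be the address that is dialled (resolve once and connect to that IP, or re-run the check inside the HTTP client's dialer), otherwise a DNS answer that changes between check and connect bypasses it; and redirects must be re-checked at every hop, because an allowed public host can redirect to 169.254.169.254.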

CVE-2026-33238

Publication date:
21/03/2026
WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp4` filenames and their full absolute filesystem paths wherever they exist on the server — including locations outside the web root, such as private or premium media directories. Version 26.0 contains a patch for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2026-2430

Publication date:
21/03/2026
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the `add_lazyload` function that replaces all occurrences of `\ssrc=` in image tags without limiting to the actual attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by crafting an image tag where the `src` URL contains a space followed by `src=`, causing the regex to break the HTML structure and promote text inside attribute values into executable HTML attributes.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026
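The Autoptimize entry above describes a regex that matches `\ssrc=` anywhere inside an `<img>` tag instead of only at an attribute boundary, so a `src` value that itself contains a space followed by `src=` is rewritten as if it were a second attribute. The Go program below is an added example modelled on that description, not Autoptimize's code: the placeholder data URI and the replacement text (`src="placeholder" data-src=`) are assumptions about how a lazy-loader rewrites the tag, and the `crafted` tag is a constructed input. `NaiveLazyload` reproduces the bug class; `SafeLazyload` tracks quoted attribute values so only a real `src` attribute is rewritten.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// placeholder stands in for the tiny image a lazy-loader puts into src while
// the real URL moves to data-src. The exact value is an assumption.
const placeholder = `data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22/%3E`

// crafted is a constructed sample: the src value contains a space followed
// by "src=", which is the shape of input the advisory describes.
const crafted = `<img src="https://example.com/a.jpg src=x onerror=alert(1)//" alt="">`

var srcAttr = regexp.MustCompile(`\ssrc=`)

// NaiveLazyload rewrites every " src=" in the tag wherever it occurs, including
// inside a quoted attribute value. The second replacement closes the quote
// early and turns the rest of the value into real attributes.
func NaiveLazyload(imgTag string) string {
	return srcAttr.ReplaceAllString(imgTag, ` src="`+placeholder+`" data-src=`)
}

// SafeLazyload walks the tag byte by byte, tracking whether it is inside a
// quoted attribute value, and only rewrites a whitespace+"src=" that starts an
// attribute. Text inside quotes is copied verbatim.
func SafeLazyload(imgTag string) string {
	var out strings.Builder
	var quote byte // 0 when not inside a quoted value
	for i := 0; i < len(imgTag); {
		c := imgTag[i]
		switch {
		case quote != 0: // inside a value: copy until the matching quote
			if c == quote {
				quote = 0
			}
			out.WriteByte(c)
			i++
		case (c == '"' || c == '\'') && i > 0 && imgTag[i-1] == '=':
			quote = c // a quote directly after '=' opens a value
			out.WriteByte(c)
			i++
		case isSpace(c) && strings.HasPrefix(imgTag[i+1:], "src="):
			out.WriteString(` src="` + placeholder + `" data-src=`)
			i += 1 + len("src=")
		default:
			out.WriteByte(c)
			i++
		}
	}
	return out.String()
}

// isSpace mirrors the whitespace class the \s in the naive regex matches.
func isSpace(c byte) bool {
	return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\f'
}

func main() {
	benign := `<img src="/a.jpg" alt="x">`
	fmt.Println("benign, naive:", NaiveLazyload(benign))
	fmt.Println("benign, safe: ", SafeLazyload(benign))
	fmt.Println("crafted, naive:", NaiveLazyload(crafted))
	fmt.Println("crafted, safe: ", SafeLazyload(crafted))
}
```

On the crafted input the naive output contains `data-src="https://example.com/a.jpg src="` followed by a bare `data-src=x onerror=...`, so the browser sees an `onerror` attribute; the safe output keeps the whole original value inside one quoted `data-src`. Where a real HTML tokenizer is available, using it instead of a hand-written quote tracker is the better fix.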

CVE-2026-24060

Publication date:
21/03/2026
Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic using Wireshark's BACnet dissector filter. The proprietary format used by WebCTRL to receive updates from the PLC can also be sniffed and reverse engineered.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2026

CVE-2026-25086

Publication date:
21/03/2026
Under certain conditions, an attacker could bind to the same port used by WebCTRL. This could allow the attacker to craft and send malicious packets and impersonate the WebCTRL service without requiring code injection into the WebCTRL software.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2026

CVE-2026-2352

Publication date:
21/03/2026
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ao_post_preload' meta value in all versions up to, and including, 3.1.14. This is due to insufficient input sanitization in the `ao_metabox_save()` function and missing output escaping when the value is rendered into a `` tag in `autoptimizeImages.php`. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, provided the "Image optimization" or "Lazy-load images" setting is enabled in the plugin configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-33476

Publication date:
20/03/2026
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath`. Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2026

CVE-2026-3864

Publication date:
20/03/2026
A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the NFS export. This may lead to deletion or modification of directories on the NFS server.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2026
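Four entries on this list (CVE-2026-3339, CVE-2026-33238, CVE-2026-33476 and CVE-2026-3864) are the same defect: a path-like value taken from a request or from a stored identifier is joined onto a base directory without checking that the result stays under it. The Go program below is an added example, not code from any of those projects. `SafeJoin` is the containment check for a relative path supplied by a client (the `kbd_path`, `path` and `*filepath` cases); `ValidateSubDir` is the stricter rule for a value that is only ever meant to be a single directory name under an export root (the `subDir` case). The base path and sample inputs are constructed, and the code assumes POSIX path semantics.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideBase = errors.New("path escapes base directory")

// SafeJoin resolves a caller-supplied relative path against base and returns
// the result only if it still lies inside base. The check is lexical:
// filepath.Join cleans "." / ".." / repeated separators, and filepath.Rel then
// tells us whether the cleaned result is under base. Absolute input and NUL
// bytes are rejected outright rather than silently re-rooted or truncated.
func SafeJoin(base, userPath string) (string, error) {
	if strings.ContainsRune(userPath, 0) {
		return "", errors.New("NUL byte in path")
	}
	if filepath.IsAbs(userPath) {
		return "", fmt.Errorf("absolute path %q not allowed", userPath)
	}
	base = filepath.Clean(base)
	joined := filepath.Join(base, userPath)
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", err
	}
	// A cleaned relative path that escapes base is exactly ".." or starts
	// with "../". "..foo" is a legitimate name and must not be rejected.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideBase, userPath)
	}
	return joined, nil
}

// ValidateSubDir accepts a single directory name to be created under an
// export root (the kind of value a storage driver embeds in a volume ID) and
// rejects anything that could change which directory is operated on:
// empty, ".", "..", a path separator, or a NUL byte.
func ValidateSubDir(name string) error {
	switch {
	case name == "" || name == "." || name == "..":
		return fmt.Errorf("invalid subdir %q", name)
	case strings.ContainsAny(name, `/\`):
		return fmt.Errorf("subdir %q contains a path separator", name)
	case strings.ContainsRune(name, 0):
		return fmt.Errorf("subdir %q contains NUL", name)
	}
	return nil
}

func main() {
	const uploads = "/srv/app/uploads" // constructed base directory
	for _, p := range []string{
		"2026/03/photo.jpg",
		"a/b/../c",
		"..hidden/file",
		"../../etc/passwd",
		"2026/../../../etc",
		"/etc/passwd",
	} {
		out, err := SafeJoin(uploads, p)
		fmt.Printf("%-20q -> %q %v\n", p, out, err)
	}
	for _, s := range []string{"pvc-1234", "../pvc-1234", "a/b", ".."} {
		fmt.Printf("subdir %-14q %v\n", s, ValidateSubDir(s))
	}
}
```

`SafeJoin` is purely lexical. On a live filesystem a symlink under the base can still point outside it, so resolve both sides with `filepath.EvalSymlinks` and re-run the check, or on Go 1.24 and later open the base with `os.OpenRoot` and perform every file operation through the returned `*os.Root`, which enforces containment at the system-call level.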