Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-14372

Publication date:
09/07/2026
The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config).
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-12590

Publication date:
09/07/2026
Impact: In body-parser versions prior to 1.20.6 (1.x line) and 2.3.0 (2.x line), when the parser is configured with an invalid limit option value such as an unparseable string or NaN, bytes.parse returns null and the request body size check is silently skipped. Applications that rely on limit as their primary safeguard against oversized request bodies will accept arbitrarily large payloads, leading to excessive memory and CPU usage and denial of service. Patches: This issue is fixed in body-parser 1.20.6 and 2.3.0. After the fix, invalid limit values throw a clear error at parser construction time instead of silently disabling enforcement, while null and undefined continue to fall back to the default limit of 100kb. Workarounds: Validate the limit value before passing it to body-parser. For example, parse the value at startup and reject any configuration where the result is null or a non-finite number.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-5793

Publication date:
09/07/2026
Improper neutralization of input during web page generation (&amp;#39;cross-site scripting&amp;#39;) vulnerability in Inrove Software and Internet Services BiEticaret allows Reflected XSS.<br /> <br /> This issue affects BiEticaret: before v3.3.57.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-5955

Publication date:
09/07/2026
Improper neutralization of special elements used in an SQL command (&amp;#39;SQL injection&amp;#39;) vulnerability in Inrove Software and Internet Services BiEticaret allows SQL Injection.<br /> <br /> This issue affects BiEticaret: before v3.3.57.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-56459

Publication date:
09/07/2026
HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure.  The application stores potentially sensitive information in log files that could be read by a local user.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-56460

Publication date:
09/07/2026
HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.
Severity CVSS v4.0: Pending analysis
Last modification:
13/07/2026

CVE-2026-56458

Publication date:
09/07/2026
HCL DevOps Deploy uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-15158

Publication date:
09/07/2026
The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the save_attachments function. This is due to the Custom Fonts extension registering a wp_check_filetype_and_ext filter that approves any filename containing .woff2 or .ttf as a substring via strpos() rather than validating that those strings appear as the final extension via PATHINFO_EXTENSION — allowing double-extension filenames such as shell.woff2.php to pass MIME validation and be handled as permitted font files. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. This vulnerability is only exploitable when the premium version of the plugin (blocksy-companion-pro) is installed with both the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions active; the free blocksy-companion plugin does not contain the vulnerable code paths.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-1365

Publication date:
09/07/2026
Insertion of sensitive information into sent data vulnerability in Sayax Energy Technologies Inc. OSOS allows Authentication Bypass.<br /> <br /> This issue affects OSOS: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-1989

Publication date:
09/07/2026
Authorization bypass through User-Controlled key vulnerability in PAVO Financial Technology Solutions Inc. PAVO Pay allows Exploitation of Trusted Identifiers.<br /> <br /> This issue affects PAVO Pay: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-2342

Publication date:
09/07/2026
Improper neutralization of input during web page generation (&amp;#39;cross-site scripting&amp;#39;) vulnerability in OceanicSoft Informatics Systems Ltd. ValeApp allows Stored XSS.<br /> <br /> This issue affects ValeApp: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-12433

Publication date:
09/07/2026
The Hydra Booking – Appointment Scheduling &amp; Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/{id} REST endpoint. This is due to the getBookingDetails() callback only enforcing the tfhb_manage_options capability via tfhb_manage_options_permission(), without verifying that the requested booking belongs to the currently authenticated host (the lookup in getBookingDetailsData() filters solely on the booking id supplied in the URL). This makes it possible for authenticated attackers, with Hydra Host-level access and above (a role created by the plugin which grants tfhb_manage_options), to view sensitive booking records belonging to other hosts, including attendee names, emails, phone numbers, addresses, meeting details, payment method and status, transaction history, and internal notes by iterating booking IDs.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026