Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-1630

Publication date:
14/05/2026
WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the victim&amp;#39;s browser.<br /> <br /> This issue was fixed in versions 2026.1.3.109 and 2025.2.1.293.
Severity CVSS v4.0: MEDIUM
Last modification:
14/05/2026

CVE-2025-15025

Publication date:
14/05/2026
Authorization bypass through User-Controlled key vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploitation of Trusted Identifiers.<br /> <br /> This issue affects Library Automation System: from v.21.6 before v.22.1.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-5790

Publication date:
14/05/2026
Stored Cross-Site Scripting (XSS) in Stel Order v3.25.1 and earlier, located at the ‘/app/FrontController’ endpoint via the ‘legalName’ and ‘employeeID’ parameters. The lack of proper input sanitization allows an attacker to inject malicious code that is persistently stored in the database. When other users or administrators access the affected sections, the code executes in their browsers, enabling the theft of session cookies and account hijacking.
Severity CVSS v4.0: MEDIUM
Last modification:
14/05/2026

CVE-2026-5798

Publication date:
14/05/2026
Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server.
Severity CVSS v4.0: HIGH
Last modification:
14/05/2026

CVE-2026-6008

Publication date:
14/05/2026
Authorization bypass through User-Controlled key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Privilege Abuse.<br /> <br /> This issue affects DijiDemi: from v4.5.12.1 before v4.5.13.0.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-4029

Publication date:
14/05/2026
The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized database export in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check. This makes it possible for unauthenticated attackers to export database tables, leading to Sensitive Information Exposure. Note: This vulnerability is only exploitable in WordPress Multisite environments where the deprecated is_site_admin() function exists.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-4030

Publication date:
14/05/2026
The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized arbitrary file read and deletion in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check combined with a user-controlled backup directory parameter. This makes it possible for unauthenticated attackers to read and delete arbitrary files on the server, leading to Sensitive Information Exposure and potential site takeover. Note: This vulnerability is only exploitable in WordPress Multisite environments where the deprecated is_site_admin() function exists.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-4031

Publication date:
14/05/2026
The Database Backup for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.5.2. This is due to the plugin not restricting access to the wp_db_temp_dir parameter, which controls where database backups are written. This makes it possible for unauthenticated attackers to send a request to wp-cron.php with a poisoned wp_db_temp_dir value pointing to a publicly accessible directory (e.g., wp-content/uploads/), and if a scheduled backup is due, intercept the backup file before it is cleaned up. The backup file has a predictable name based on the database name, table prefix, date, and Swatch Internet Time, making interception reliable. Successful exploitation leads to Sensitive Information Exposure including database credentials, user password hashes, and personally identifiable information. This vulnerability requires that the site administrator has configured scheduled backups.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-43644

Publication date:
14/05/2026
podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin HTML pages with auto-submitting forms containing script payloads in the request body, which are served as text/html due to Go&amp;#39;s content type detection, allowing the reflected script to execute in the podinfo origin context when victims visit the attacker&amp;#39;s page.
Severity CVSS v4.0: MEDIUM
Last modification:
01/06/2026

CVE-2025-12008

Publication date:
14/05/2026
Authorization bypass through User-Controlled key vulnerability in APPYAP Technology and Information Inc. Yaay Social Media App allows Accessing Functionality Not Properly Constrained by ACLs.<br /> <br /> This issue affects Yaay Social Media App: from 3.8.0 through 24102025.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-45205

Publication date:
14/05/2026
Uncontrolled Recursion vulnerability in Apache Commons.<br /> <br /> When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.<br /> This issue affects Apache Commons: from 2.2 before 2.15.0.<br /> <br /> Users are recommended to upgrade to version 2.15.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2026

CVE-2026-8295

Publication date:
14/05/2026
An integer overflow vulnerability in the simdjson document-builder API allows incorrect buffer size calculations in "string_builder::escape_and_append()" when processing very large input strings on platforms with limited "size_t" width (e.g., 32-bit builds). The overflow can cause insufficient buffer allocation, leading to out-of-bounds memory reads in SIMD routines and potentially resulting in information disclosure, memory corruption, or malformed JSON output.<br /> This vulnerability has been fixed in 4.6.4 release
Severity CVSS v4.0: MEDIUM
Last modification:
19/05/2026