Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-6253

Publication date:
13/05/2026
curl might erroneously pass on credentials for a first proxy to a second<br /> proxy.<br /> <br /> This can happen when the following conditions are true:<br /> <br /> 1. curl is setup to use specific different proxies for different URL schemes<br /> 2. the first proxy needs credentials<br /> 3. the second proxy uses no credentials<br /> 4. while using the first proxy (using say `http://`), curl is asked to follow<br /> a redirect to a URL using another scheme (say `https://`), accessed using a<br /> second, different, proxy
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-6276

Publication date:
13/05/2026
Using libcurl, when a custom `Host:` header is first set for an HTTP request<br /> and a second request is subsequently done using the same *easy handle* but<br /> without the custom `Host:` header set, the second request would use stale<br /> information and pass on cookies meant for the first host in the second<br /> request. Leak them.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-4782

Publication date:
13/05/2026
The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the &amp;#39;fusion_get_svg_from_file&amp;#39; function with the &amp;#39;custom_svg&amp;#39; parameter of the &amp;#39;fusion_section_separator&amp;#39; shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability was partially patched in version 3.15.2 and fully patched in version 3.15.3.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-4798

Publication date:
13/05/2026
The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘product_order’ parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note: The vulnerability can only be exploited if WooCommerce was previously used and then deactivated.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-44931

Publication date:
13/05/2026
The newly introduced RecordUsage D-Bus method https://gitlab.freedesktop.org/pwithnall/malcontent/-/blob/0.14.0/libmalcontent-timer/child-timer-service.c in<br /> malcontent-timerd allows arbitrary users in the system to slowly fill up disk space<br /> in /var/lib/malcontent-timerd
Severity CVSS v4.0: MEDIUM
Last modification:
13/05/2026

CVE-2026-4873

Publication date:
13/05/2026
A vulnerability exists where a connection requiring TLS incorrectly reuses an<br /> existing unencrypted connection from the same connection pool. If an initial<br /> transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request<br /> to that same host bypasses the TLS requirement and instead transmit data<br /> unencrypted.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-41051

Publication date:
13/05/2026
csync2 uses insecure temporary directories when compiled with C99 or later, allowing for TOCTOU style attacks on the temporary directories.
Severity CVSS v4.0: MEDIUM
Last modification:
13/05/2026

CVE-2026-2515

Publication date:
13/05/2026
The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the &amp;#39;handle_ajax_action&amp;#39; function in all versions up to, and including, 1.3.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to use the &amp;#39;hostinger_reach_connection_notice_action&amp;#39; action to update the API key value stored in the database. This vulnerability can only be exploited when the plugin is not connected to a site and no API key value exists in the database.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-25710

Publication date:
13/05/2026
The new upstream added a privileged D-Bus<br /> helper called plasmaloginauthhelper, which suffers from multiple issues, e.g.aA compromised plasmalogin service account can chown() arbitrary files in the system.
Severity CVSS v4.0: HIGH
Last modification:
13/05/2026

CVE-2024-47091

Publication date:
13/05/2026
Privilege escalation in the mk_mysql agent plugin on Windows in Checkmk
Severity CVSS v4.0: MEDIUM
Last modification:
26/05/2026

CVE-2026-3004

Publication date:
13/05/2026
The Snow Monkey Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-slick&amp;#39; attribute in all versions up to, and including, 24.1.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-25705

Publication date:
13/05/2026
A vulnerability has been identified in [Rancher&amp;#39;s Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI extension could abuse that to: * Overwrite Rancher binaries or configuration to inject code.<br /> <br /> * Write to /var/lib/rancher/ to tamper with cluster state.<br /> <br /> * If hostPath volumes are mounted, write to the host node filesystem.<br /> <br /> * Use this issue to chain with other attack vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026