Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-1433

Publication date:
06/07/2026
uniFLOW Universal Login Manager (ULM) Standalone<br /> contains an information disclosure vulnerability that may allow an<br /> authenticated administrator to access sensitive configuration information<br /> through the ULM Remote User Interface (RUI). Exploitation requires<br /> administrative privileges and may disclose configuration data associated with<br /> SMTP or LDAP integrations. ULM deployments connected to uniFLOW Server or<br /> uniFLOW Online are not affected.
Severity CVSS v4.0: MEDIUM
Last modification:
06/07/2026

CVE-2026-6382

Publication date:
06/07/2026
The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026

CVE-2026-14807

Publication date:
06/07/2026
ERP App developed by PROG MIS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to view application code and obtain the database account and password.
Severity CVSS v4.0: CRITICAL
Last modification:
06/07/2026

CVE-2026-14808

Publication date:
06/07/2026
Prog<br /> Management System developed by PROG MIS has a Exposure of Sensitive<br /> Information vulnerability, allowing unauthenticated remote attackers to view<br /> a specific page and obtain the database account and password.
Severity CVSS v4.0: CRITICAL
Last modification:
06/07/2026

CVE-2026-14800

Publication date:
06/07/2026
A weakness has been identified in imhamzaazam ecommerceFlask up to cb7d9e24c30a99379651b7493b32048126ef402b. The affected element is an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: LOW
Last modification:
06/07/2026

CVE-2026-14801

Publication date:
06/07/2026
A security vulnerability has been detected in GPAC 26.03-DEV-rev342-g80071f700-master. The impacted element is the function txtin_probe_duration of the file src/filters/load_text.c of the component TeXML File Handler. Such manipulation of the argument txml_timescale leads to divide by zero. An attack has to be approached locally. The name of the patch is 86a5191f2e750c767253e27ed6cfd6d547afebc2. A patch should be applied to remediate this issue.
Severity CVSS v4.0: MEDIUM
Last modification:
06/07/2026

CVE-2026-14802

Publication date:
06/07/2026
A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: MEDIUM
Last modification:
06/07/2026

CVE-2026-11766

Publication date:
06/07/2026
The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026

CVE-2026-11855

Publication date:
06/07/2026
The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026

CVE-2026-11962

Publication date:
06/07/2026
The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and achieve remote code execution. This is an incomplete fix of CVE-2024-7985, which only added file-type validation to the upload operation.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026

CVE-2026-12083

Publication date:
06/07/2026
The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026

CVE-2024-6228

Publication date:
06/07/2026
The Notifications for Forms &amp; WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026