Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-4085
Publication date:
22/04/2026
The Easy Social Photos Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper_class' shortcode attribute of the 'my-instagram-feed' shortcode in all versions up to, and including, 3.1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. Specifically, the plugin uses sanitize_text_field() instead of esc_attr() when outputting the 'wrapper_class' attribute inside a double-quoted HTML class attribute. Since sanitize_text_field() does not encode double quotes, an attacker can break out of the class attribute and inject arbitrary HTML event handlers. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-4088
Publication date:
22/04/2026
The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppw_cta_box' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'cta_box_button_link', 'cta_box_button_id', 'cta_box_button_text', and 'cta_box_description'. The shortcode reads post meta from a user-specified post ID and echoes these values directly into HTML output without any escaping functions (no esc_attr(), esc_url(), or esc_html()). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-4089
Publication date:
22/04/2026
The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttt_twittee_tweeter() function uses extract() to pull shortcode attributes into local variables and then directly concatenates them into HTML output without any escaping. Specifically, the $id parameter is inserted into an HTML id attribute context without esc_attr(), allowing an attacker to break out of the attribute and inject arbitrary HTML event handlers. Additionally, the $tweet, $content, $balloon, and $theme attributes are similarly injected into inline JavaScript without escaping (lines 87, 93, 101, 117). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-4090
Publication date:
22/04/2026
The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rd_ic_settings_page function when processing settings form submissions. This makes it possible for unauthenticated attackers to update the plugin's settings, including injecting malicious scripts that will be stored and executed in the admin area, via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-31431
Publication date:
22/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: algif_aead - Revert to operating out-of-place<br /> <br /> This mostly reverts commit 72548b093ee3 except for the copying of<br /> the associated data.<br /> <br /> There is no benefit in operating in-place in algif_aead since the<br /> source and destination come from different mappings. Get rid of<br /> all the complexity added for in-place operation and just copy the<br /> AD directly.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-31432
Publication date:
22/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix OOB write in QUERY_INFO for compound requests<br /> <br /> When a compound request such as READ + QUERY_INFO(Security) is received,<br /> and the first command (READ) consumes most of the response buffer,<br /> ksmbd could write beyond the allocated buffer while building a security<br /> descriptor.<br /> <br /> The root cause was that smb2_get_info_sec() checked buffer space using<br /> ppntsd_size from xattr, while build_sec_desc() often synthesized a<br /> significantly larger descriptor from POSIX ACLs.<br /> <br /> This patch introduces smb_acl_sec_desc_scratch_len() to accurately<br /> compute the final descriptor size beforehand, performs proper buffer<br /> checking with smb2_calc_max_out_buf_len(), and uses exact-sized<br /> allocation + iov pinning.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-31433
Publication date:
22/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix potencial OOB in get_file_all_info() for compound requests<br /> <br /> When a compound request consists of QUERY_DIRECTORY + QUERY_INFO<br /> (FILE_ALL_INFORMATION) and the first command consumes nearly the entire<br /> max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16()<br /> with PATH_MAX, causing out-of-bounds write beyond the response buffer.<br /> In get_file_all_info(), there was a missing validation check for<br /> the client-provided OutputBufferLength before copying the filename into<br /> FileName field of the smb2_file_all_info structure.<br /> If the filename length exceeds the available buffer space, it could lead to<br /> potential buffer overflows or memory corruption during smbConvertToUTF16<br /> conversion. This calculating the actual free buffer size using<br /> smb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is<br /> insufficient and updating smbConvertToUTF16 to use the actual filename<br /> length (clamped by PATH_MAX) to ensure a safe copy operation.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-2719
Publication date:
22/04/2026
The Private WP suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;Exceptions&amp;#39; setting in all versions up to, and including, 0.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-3362
Publication date:
22/04/2026
The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;Minimum Count&amp;#39; settings field in all versions up to and including 2.2. This is due to insufficient input sanitization (no sanitize callback on register_setting) and missing output escaping (no esc_attr() on the echoed value in the input&amp;#39;s value attribute). The option value is stored via update_option() and rendered unescaped in an HTML attribute context. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses that page. This is particularly impactful in WordPress multisite installations or when DISALLOW_UNFILTERED_HTML is set, where administrators are not granted the unfiltered_html capability.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-4074
Publication date:
22/04/2026
The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;cheikh&amp;#39; and &amp;#39;lang&amp;#39; shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The quran_live_render() function of quran-live.php receives shortcode attributes and passes them directly through shortcode_atts() and extract() without any sanitization. These values are then passed to Render_Quran_Live::render_verse_quran_live() where they are echoed directly into inline blocks using PHP short tags ( and ) at lines 191, 216, 217, 245, and 246 of Class_QuranLive.php. Since the output occurs inside a JavaScript context within tags, an attacker can break out of the JavaScript string and inject arbitrary script code. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-1845
Publication date:
22/04/2026
The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-2714
Publication date:
22/04/2026
The Institute Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;Enquiry Form Title&amp;#39; setting in all versions up to, and including, 5.5. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026
Subscribe to Vulnerabilities