Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-15624
Publication date:
17/04/2026
Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. <br /> In a setup where OpenID is used as the primary method of authentication to authenticate to Sparx EA, Pro Cloud Server creates local passwords to the users and stores them in plaintext.
Severity CVSS v4.0: CRITICAL
Last modification:
17/04/2026

CVE-2025-15625
Publication date:
17/04/2026
Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.
Severity CVSS v4.0: CRITICAL
Last modification:
17/04/2026

CVE-2025-15622
Publication date:
17/04/2026
Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secretDesktop client decodes the secret and uses the plaintext secret to exchange it into an access and id tokens as part of the OpenID authentication flow.
Severity CVSS v4.0: MEDIUM
Last modification:
17/04/2026

CVE-2026-40002
Publication date:
17/04/2026
Red Magic 11 Pro (NX809J) contains a vulnerability that allows non-privileged applications to trigger sensitive operations. The vulnerability stems from the lack of validation for applications accessing the service interface. Exploiting this vulnerability, an attacker can write files to specific partitions and set writable system properties.
Severity CVSS v4.0: Pending analysis
Last modification:
17/04/2026

CVE-2026-6451
Publication date:
17/04/2026
The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0. This is due to missing nonce validation on all eight AJAX deletion handlers: vehicles_cfmw_d_vehicle, contacts_cfmw_d_contact, suppliers_cfmw_d_supplier, receipts_cfmw_d_receipt, positions_cfmw_d_position, catalogs_cfmw_d_article, stock_cfmw_d_item, and settings_cfmw_d_catalog. None of these handlers call check_ajax_referer() or wp_verify_nonce(), nor do they perform any capability checks via current_user_can(). This makes it possible for unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs via a forged request, provided they can trick a logged-in user into performing an action such as clicking a link to a malicious page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-33392
Publication date:
17/04/2026
In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2026

CVE-2026-23853
Publication date:
17/04/2026
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a use of weak credentials vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to the system.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2026

CVE-2026-6441
Publication date:
17/04/2026
The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. This is due to the absence of any capability check or nonce verification in the updateOptions() function, which is exposed via two AJAX hooks: wp_ajax_updateOptions (class-canto.php line 231) and wp_ajax_fbc_updateOptions (class-canto-settings.php line 76). Both hooks are registered exclusively under the wp_ajax_ prefix (requiring only a logged-in user), with no call to current_user_can() or check_ajax_referer(). This makes it possible for authenticated attackers with subscriber-level access and above to arbitrarily modify or delete plugin options controlling cron scheduling behavior (fbc_duplicates, fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, fbc_cron_start) and to manipulate or clear the plugin&amp;#39;s scheduled WordPress cron event (fbc_scheduled_update).
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-6443
Publication date:
17/04/2026
All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin&amp;#39;s they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-4659
Publication date:
17/04/2026
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and including, 2.0.6. This is due to insufficient path traversal sanitization in the URLtoRelative() and urlToPath() functions, combined with the ability to enable debug output in widget settings. The URLtoRelative() function only performs a simple string replacement to remove the site&amp;#39;s base URL without sanitizing path traversal sequences (../), and the cleanPath() function only normalizes directory separators without removing traversal components. This allows an attacker to provide a URL like http://site.com/../../../../etc/passwd which, after URLtoRelative() strips the domain, results in /../../../../etc/passwd being concatenated with the base path and ultimately resolved to /etc/passwd. This makes it possible for authenticated attackers with Author-level access and above to read arbitrary local files from the WordPress host, including sensitive files such as wp-config.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-5797
Publication date:
17/04/2026
The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Shortcode Execution in versions up to and including 11.1.0. This is due to insufficient input sanitization and the execution of do_shortcode() on user-submitted quiz answer text. User-submitted answers pass through sanitize_text_field() and htmlspecialchars(), which only strip HTML tags but do not encode or remove shortcode brackets [ and ]. When quiz results are displayed, the plugin calls do_shortcode() on the entire results page output (including user answers), causing any injected shortcodes to be executed. This makes it possible for unauthenticated attackers to inject arbitrary WordPress shortcodes such as [qsm_result id=X] to access other users&amp;#39; quiz submissions without authorization, as the qsm_result shortcode lacks any authorization checks.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-6482
Publication date:
17/04/2026
The Rapid7 Insight Agent (versions &gt; 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent’s SYSTEM level access.
Severity CVSS v4.0: HIGH
Last modification:
28/04/2026
Subscribe to Vulnerabilities