Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-1316
Publication date:
12/02/2026
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'media[].href' parameter in all versions up to, and including, 5.97.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers (if 'Enable for Guests' is enabled) to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2026-1671
Publication date:
12/02/2026
The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the winter_activity_log_action() function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view potentially sensitive information (e.g., the password of a higher level user, such as an administrator) contained in the exposed log files.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2026-2276
Publication date:
12/02/2026
Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint ' https://manage.wix.com/account/account-settings ', responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded JavaScript code, which is stored and subsequently executed when other users view the image. Exploiting this vulnerability allows arbitrary code to be executed in the context of the victim's browser, which could lead to the disclosure of sensitive information or the abuse of the affected user's session.
Severity CVSS v4.0: MEDIUM
Last modification:
12/02/2026

CVE-2025-15574
Publication date:
12/02/2026
When connecting to the Solax Cloud MQTT server the username is the "registration number", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the "registration number" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2025-15575
Publication date:
12/02/2026
The firmware update functionality does not verify the authenticity of the supplied firmware update files. This allows attackers to flash malicious firmware update files on the device. Initial analysis of the firmware update functionality does not show any cryptographic checks (e.g. digital signature checks) on the supplied firmware update files. Furthermore, ESP32 security features such as secure boot are not used.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2025-15573
Publication date:
12/02/2026
The affected devices do not validate the server certificate when connecting to the SolaX Cloud MQTTS server hosted in the Alibaba Cloud (mqtt001.solaxcloud.com, TCP 8883). This allows attackers in a man-in-the-middle position to act as the legitimate MQTT server and issue arbitrary commands to devices.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2026-1356
Publication date:
12/02/2026
The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.5.1 via the PassthruLoader::load_image_source function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2026-21722
Publication date:
12/02/2026
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.<br /> <br /> This did not leak any annotations that would not otherwise be visible on the public dashboard.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2025-41117
Publication date:
12/02/2026
Stack traces in Grafana&amp;#39;s Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.<br /> <br /> Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2025-15577
Publication date:
12/02/2026
An unauthenticated attacker can exploit this vulnerability by manipulating URL to achieve arbitrary file read access.This issue affects Valmet DNA Web Tools: C2022 and older.
Severity CVSS v4.0: HIGH
Last modification:
12/02/2026

CVE-2026-2327
Publication date:
12/02/2026
Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.
Severity CVSS v4.0: MEDIUM
Last modification:
12/02/2026

CVE-2025-14892
Publication date:
12/02/2026
The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026
Subscribe to Vulnerabilities