Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-5361

Publication date:
14/05/2026
The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the update_gallery_data() function and improper output escaping in the gallery_init() function. The sanitize_config_values() function only sanitizes the justified_gallery_theme and justified_row_height parameters, but does not sanitize the arrows parameter. When the arrows value is output in the inline JavaScript configuration, it uses esc_attr() which is designed for HTML attribute contexts, not JavaScript contexts, allowing JavaScript expression injection. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-46445

Publication date:
14/05/2026
SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-46446

Publication date:
14/05/2026
SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection. This is related to c_password = '%@' in changePasswordForLogin.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-5486

Publication date:
14/05/2026
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to SQL Injection via the 'data[filter_search]' parameter in the get_cat_addons AJAX action in versions up to and including 2.0.7. This is due to insufficient input sanitization and the use of deprecated escaping functions combined with direct string concatenation in SQL query construction. The vulnerability is exacerbated because the normalizeAjaxInputData() function calls stripslashes() on all user input, removing the protection provided by WordPress's wp_magic_quotes() function. Subsequently, the filter_search parameter is escaped using the deprecated wpdb->_escape() function and then directly concatenated into a LIKE clause without using prepared statements. This makes it possible for authenticated attackers, with Contributor-level access and above (who can obtain a valid nonce through the Elementor editor), to inject arbitrary SQL commands and extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-44919

Publication date:
14/05/2026
In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2026

CVE-2026-46419

Publication date:
14/05/2026
Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2.8.2 incorrectly checks a function's return value in the second factor flow, leading to impersonation.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-41281

Publication date:
14/05/2026
Android App "あんしんフィルター for au" provided by KDDI CORPORATION contains Cleartext Transmission of Sensitive Information (CWE-319) vulnerability. A man-in-the-middle attacker may access and modify communications transmitted in plaintext, potentially resulting in information disclosure or data tampering.
Severity CVSS v4.0: MEDIUM
Last modification:
14/05/2026

CVE-2026-32991

Publication date:
13/05/2026
Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-8500

Publication date:
13/05/2026
Web::Passwd versions through 0.03 for Perl is vulnerable to RCE.<br /> <br /> Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command.<br /> <br /> The user parameter is not validated or escaped, and is used as the last argument on the command line, allowing for command injection.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-29206

Publication date:
13/05/2026
Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-44478

Publication date:
13/05/2026
hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config still leaks all infrastructure secrets in plaintext to unauthenticated users when the ONBOARDING_RECOVERY_TOKEN stored in the database is an empty string. This vulnerability is fixed in 2026.4.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2026

CVE-2026-45158

Publication date:
13/05/2026
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell script, allowing remote code execution as root on the underlying operating system. This vulnerability is fixed in 26.1.8.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2026