Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-41054

Publication date:
20/05/2026
In `src/havegecmd.c`, the `socket_handler` function performs a credential check on the abstract UNIX socket (`\0/sys/entropy/haveged`). However, while it detects if the connecting user is not root (`cred.uid != 0`) and prepares a negative acknowledgement (`ASCII_NAK`), it **fails to stop execution**. The code proceeds to the `switch` statement, allowing any local unprivileged user to execute privileged commands such as `MAGIC_CHROOT`.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2026

CVE-2026-33278

Publication date:
20/05/2026
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.
Severity CVSS v4.0: CRITICAL
Last modification:
15/07/2026

CVE-2026-9059

Publication date:
20/05/2026
NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the &amp;#39;orderby&amp;#39; parameter on the REST API endpoints &amp;#39;/imagely/v1/galleries&amp;#39; and &amp;#39;/imagely/v1/albums&amp;#39;.<br /> <br /> <br /> <br /> The root cause is an insufficient sanitization function (&amp;#39;_clean_column()&amp;#39;) in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the &amp;#39;NextGEN Gallery overview&amp;#39; capability (assigned to the Administrator role by default) to inject arbitrary SQL into the &amp;#39;ORDER BY&amp;#39; clause.
Severity CVSS v4.0: CRITICAL
Last modification:
20/05/2026

CVE-2026-9065

Publication date:
20/05/2026
SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters (&amp;#39;model_name&amp;#39;, &amp;#39;model_id&amp;#39;, &amp;#39;integration_id&amp;#39;, &amp;#39;provider&amp;#39;) on the REST API endpoint &amp;#39;/surecart/v1/integrations/{id}&amp;#39;.<br /> <br /> The root cause is a flawed escaping bypass in the query builder (&amp;#39;wp-query-builder&amp;#39;). Values passed to the &amp;#39;where()&amp;#39; method are only sanitized via &amp;#39;$wpdb-&gt;prepare()&amp;#39; when they do **not** contain a dot (&amp;#39;.&amp;#39;) or the WordPress table prefix (&amp;#39;wp_&amp;#39;). By including a dot anywhere in the payload, an attacker completely bypasses the escaping logic and injects arbitrary SQL into the &amp;#39;WHERE&amp;#39; clause, allowing full UNION-based extraction of the database.
Severity CVSS v4.0: CRITICAL
Last modification:
20/05/2026

CVE-2026-6405

Publication date:
20/05/2026
The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output escaping in the admin_options.php template. The settings form includes no wp_nonce_field() and the handler performs no check_admin_referer() check, meaning any cross-origin POST can modify plugin settings. The API key field is sanitized only with sanitize_text_field(), which strips HTML tags but does not encode double-quote characters; the value is then rendered into an HTML attribute via bare echo without esc_attr(), allowing a double-quote attribute-escape payload to survive both sanitization and storage. This makes it possible for unauthenticated attackers to inject arbitrary web scripts by tricking a logged-in administrator into visiting a malicious page that submits a forged request, storing the payload in the database and causing it to execute in the administrator&amp;#39;s browser whenever the plugin settings page is visited.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2026

CVE-2026-5200

Publication date:
20/05/2026
The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify privileged AcyMailing configuration, export subscriber secret keys, and chain these actions into administrator account takeover when a target administrator email address is known.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2026

CVE-2026-6566

Publication date:
20/05/2026
The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks &amp;#39;NextGEN Manage gallery&amp;#39; permissions and does not enforce gallery ownership or &amp;#39;NextGEN Manage others gallery&amp;#39; permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and &amp;#39;NextGEN Manage gallery&amp;#39; capability, to delete gallery images belonging to other users as well as their associated image files from disk when deleteImg is enabled (default).
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2026

CVE-2026-7385

Publication date:
20/05/2026
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2026

CVE-2026-5776

Publication date:
20/05/2026
The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2026

CVE-2026-44392

Publication date:
20/05/2026
Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed.
Severity CVSS v4.0: MEDIUM
Last modification:
20/05/2026

CVE-2026-47784

Publication date:
20/05/2026
In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-47783

Publication date:
20/05/2026
In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026