Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-62110
Publication date:
23/04/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rescue Themes Rescue Shortcodes allows Stored XSS.This issue affects Rescue Shortcodes: from n/a through 3.3.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2026-28040
Publication date:
23/04/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Stored XSS.This issue affects Taxi Booking Manager for WooCommerce: from n/a through 2.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2026-31532
Publication date:
23/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: raw: fix ro-&gt;uniq use-after-free in raw_rcv()<br /> <br /> raw_release() unregisters raw CAN receive filters via can_rx_unregister(),<br /> but receiver deletion is deferred with call_rcu(). This leaves a window<br /> where raw_rcv() may still be running in an RCU read-side critical section<br /> after raw_release() frees ro-&gt;uniq, leading to a use-after-free of the<br /> percpu uniq storage.<br /> <br /> Move free_percpu(ro-&gt;uniq) out of raw_release() and into a raw-specific<br /> socket destructor. can_rx_unregister() takes an extra reference to the<br /> socket and only drops it from the RCU callback, so freeing uniq from<br /> sk_destruct ensures the percpu area is not released until the relevant<br /> callbacks have drained.<br /> <br /> [mkl: applied manually]
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2026

CVE-2026-5464
Publication date:
23/04/2026
The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the &amp;#39;onboarding_key&amp;#39; transient to any user with the &amp;#39;exactmetrics_view_dashboard&amp;#39; capability. This key is the sole authorization gate for the &amp;#39;/wp-json/exactmetrics/v1/onboarding/connect-url&amp;#39; REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the &amp;#39;exactmetrics_connect_process&amp;#39; AJAX endpoint — which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2026-6885
Publication date:
23/04/2026
Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
Severity CVSS v4.0: CRITICAL
Last modification:
24/04/2026

CVE-2026-6886
Publication date:
23/04/2026
Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a Authentication Bypass vulnerability, allowing unauthenticated remote attackers to log into the system as any user.
Severity CVSS v4.0: CRITICAL
Last modification:
24/04/2026

CVE-2026-6887
Publication date:
23/04/2026
Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Severity CVSS v4.0: CRITICAL
Last modification:
24/04/2026

CVE-2026-6903
Publication date:
23/04/2026
The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability to read arbitrary files on the host system that are accessible to the operating system user running the LabOne software.<br /> <br /> Additionally, the Web Server does not sufficiently restrict cross-origin requests, which could allow a remote attacker to trigger file access from a victim&amp;#39;s browser by directing the victim to a malicious website.<br /> <br /> The vulnerability is only exploitable when the LabOne Web Server is running. Installations using only the LabOne APIs without starting the Web Server are not exposed.
Severity CVSS v4.0: HIGH
Last modification:
24/04/2026

CVE-2026-3960
Publication date:
23/04/2026
A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and socketFactoryArg. This allows unauthenticated attackers to execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process. The issue is resolved in version 3.46.0.10.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-3259
Publication date:
23/04/2026
A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error during the refresh process.<br /> <br /> This vulnerability was patched on 29 January 2026, and no customer action is needed.
Severity CVSS v4.0: HIGH
Last modification:
24/04/2026

CVE-2026-41564
Publication date:
23/04/2026
CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking.<br /> <br /> The Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519 and Crypt::PK::X25519 modules seed a per-object PRNG state in their constructors and reuse it without fork detection. A Crypt::PK::* object created before `fork()` shares byte-identical PRNG state with every child process, and any randomized operation they perform can produce identical output, including key generation. Two ECDSA or DSA signatures from different processes are enough to recover the signing private key through nonce-reuse key recovery.<br /> <br /> This affects preforking services such as the Starman web server, where a Crypt::PK::* object loaded at startup is inherited by every worker process.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-41040
Publication date:
23/04/2026
GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of service (ReDoS) via a crafted input string.
Severity CVSS v4.0: HIGH
Last modification:
24/04/2026
Subscribe to Vulnerabilities