Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-8760
Publication date:
27/05/2026
The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid `wp_set_auth_cookie()` session, leading to full site compromise.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-7614
Publication date:
27/05/2026
The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the OPH_options function. This makes it possible for unauthenticated attackers to update the plugin's configuration settings without authorization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-8040
Publication date:
27/05/2026
The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-6268
Publication date:
27/05/2026
The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-9236
Publication date:
27/05/2026
The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the cmac_campaigns_action function. This makes it possible for unauthenticated attackers to permanently delete arbitrary advertising campaigns, including their associated banner records and uploaded files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-8450
Publication date:
27/05/2026
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().<br /> <br /> send_file() opens its string argument with Perl&amp;#39;s 2-arg open(). The 2-arg form interprets magic prefixes: &amp;#39;| cmd&amp;#39; and &amp;#39;cmd |&amp;#39; open a pipe to a subprocess, &amp;#39;&gt; path&amp;#39; and &amp;#39;&gt;&gt; path&amp;#39; open the path for write or append.<br /> <br /> Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form (&amp;#39;cmd |&amp;#39;) also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-49000
Publication date:
27/05/2026
An insecure password scheme refers to vulnerabilities arising from improper selection of encryption algorithms, inadequate key management, or flawed code implementation, which may lead to data leakage or tampering, such as hard-coded keys or the use of weak encryption algorithms.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-6287
Publication date:
27/05/2026
The ShopLentor - WooCommerce Builder for Elementor &amp; Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;blockUniqId&amp;#39; block attribute in multiple Product Gride blocks in versions up to, and including, 3.3.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2025-14481
Publication date:
27/05/2026
The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to read sensitive SEO metadata from any post on the site via the &amp;#39;post_id&amp;#39; parameter, including posts owned by other users, private posts, and draft posts.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-48999
Publication date:
27/05/2026
Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically loaded and executed in the victim&amp;#39;s browser.Attackers can thereby steal user cookies, hijack session privileges, and tamper with page content.Since the malicious code is stored within the system, the attack scope is broad and the concealment is strong, making it frequently employed for data theft attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-9022
Publication date:
27/05/2026
The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via &amp;#39;url&amp;#39; Block Attribute in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload must be published before it executes for site visitors, which requires an editor or administrator to approve and publish the contributor&amp;#39;s post.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-48959
Publication date:
27/05/2026
IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.<br /> <br /> fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.<br /> <br /> Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip-&gt;new($zip, Name =&gt; $target) drives a per-byte read loop scaling with the entry&amp;#39;s compressed size, up to the non-Zip64 4 GiB cap.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026
Subscribe to Vulnerabilities