Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-41351
Publication date:
28/01/2026
Vulnerability that allows a Padding Oracle Attack to be performed on the Funambol v30.0.0.20 cloud server. The thumbnail display URL allows an attacker to decrypt and encrypt the parameters used by the application to generate ‘self-signed’ access URLs.
Severity CVSS v4.0: MEDIUM
Last modification:
28/01/2026

CVE-2026-1381
Publication date:
28/01/2026
The Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2026-1400
Publication date:
28/01/2026
The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP file in the uploads directory.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2025-7740
Publication date:
28/01/2026
Default credentials vulnerability exists in SuprOS<br /> product. If exploited, this could allow an authenticated<br /> local attacker to use an admin account created during<br /> product deployment.
Severity CVSS v4.0: HIGH
Last modification:
28/01/2026

CVE-2026-0702
Publication date:
28/01/2026
The VidShop – Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the &amp;#39;fields&amp;#39; parameter in all versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2026-1053
Publication date:
28/01/2026
The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2026-0818
Publication date:
28/01/2026
CSS-based exfiltration of the content from partially encrypted emails when allowing remote content. This vulnerability affects Thunderbird
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2026-1054
Publication date:
28/01/2026
The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2026-1389
Publication date:
28/01/2026
The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the &amp;#39;bplde_save_document_library&amp;#39;, &amp;#39;bplde_get_single&amp;#39;, and &amp;#39;bplde_delete_document_library&amp;#39; AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the &amp;#39;id&amp;#39; parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2025-40537
Publication date:
28/01/2026
SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2025-40551
Publication date:
28/01/2026
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2025-40552
Publication date:
28/01/2026
SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026
Subscribe to Vulnerabilities