Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-12435

Publication date:
01/07/2026
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark or unmark any other user's car listing as sold by replaying a valid nonce harvested from their own listing against an arbitrary victim post ID, triggering a site-wide 'Sold' badge on the victim's listing and silently stripping its special_car featured post meta as a side effect. Exploitation requires the attacker to hold an active listing of their own (obtainable by a Subscriber via the plugin's add-listing form) in order to harvest a valid nonce for the 'stm_mark_as_sold_car' action, which can then be replayed against any other listing's post ID.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2026

CVE-2026-12575

Publication date:
01/07/2026
DVP80ES3 with Improper Resource Shutdown or Release vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2026

CVE-2026-12576

Publication date:
01/07/2026
DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2026

CVE-2026-12577

Publication date:
01/07/2026
DVP80ES3 with Improperly Implemented Security Check for Standard vulnerability.
Severity CVSS v4.0: HIGH
Last modification:
01/07/2026

CVE-2026-12732

Publication date:
01/07/2026
The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections() method at line 98, where the attacker-controlled attribute is inserted into an HTML class attribute via sprintf('', $class_wrapper_form) without esc_attr() escaping. The FilterCourseShortcode::render() handler does not apply shortcode_atts() filtering, so raw user attributes flow directly through do_action('learn-press/filter-courses/layout', $data) into the template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2026

CVE-2026-13733

Publication date:
01/07/2026
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'no_data_msg' shortcode attribute in all versions up to, and including, 3.3.60 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Although wp_kses_post is applied to post content on save, it only strips HTML tokens and does not neutralize C-style escape sequences embedded within shortcode attribute values, meaning contributors can craft a payload that survives the kses filter and is silently reconstructed into a raw script tag at render time.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2026

CVE-2026-50043

Publication date:
01/07/2026
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in SkyBridge MB-A100/MB-A110. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who can log in to the product with an administrative privilege.
Severity CVSS v4.0: HIGH
Last modification:
01/07/2026

CVE-2026-56016

Publication date:
01/07/2026
CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources.

The generate_id method builds the session id from an MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible.

An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2026

CVE-2026-10538

Publication date:
01/07/2026
Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.
Severity CVSS v4.0: HIGH
Last modification:
01/07/2026

CVE-2026-10539

Publication date:
01/07/2026
A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server.

This vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.
Severity CVSS v4.0: CRITICAL
Last modification:
01/07/2026

CVE-2026-10540

Publication date:
01/07/2026
The Control-M/Enterprise Manager uses weak protections for stored hashes of account passwords, potentially allowing offline password recovery attacks if credential data is obtained by an attacker. This vulnerability affects Control-M/Enterprise Manager unsupported versions 9.0.20.x and potentially earlier unsupported versions.
Severity CVSS v4.0: MEDIUM
Last modification:
01/07/2026

CVE-2026-11387

Publication date:
01/07/2026
The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updating their details, such as resetting the password of any user account, including administrators, to gain full access to those accounts. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account. This is only exploitable on sites with OTP verification for password resets enabled, and where the administrator (or other user) has set a phone number for OTP verification.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2026