Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-4126
Publication date:
22/04/2026
The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'table_manager' shortcode. The shortcode handler `tablemanager_render_table_shortcode()` takes a user-controlled `table` attribute, applies only `sanitize_key()` for sanitization, and concatenates the value with `$wpdb->prefix` to form a full database table name. It then executes `DESC` and `SELECT *` queries against this table and renders all rows and columns to the frontend. There is no allowlist check to ensure only plugin-created tables can be accessed — the `tablemanager_created_tables` option is only referenced in admin functions, never in the shortcode handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from arbitrary WordPress database tables.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-4128
Publication date:
22/04/2026
The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term() function, which handles the 'tpmcattt_delete_term' AJAX action, does not perform any capability check (e.g., current_user_can()) to verify the user has sufficient permissions. While it does verify a nonce via check_ajax_referer(), this nonce is generated for all authenticated users via the admin_enqueue_scripts hook and exposed on any wp-admin page (including profile.php, which subscribers can access). This makes it possible for authenticated attackers, with Subscriber-level access and above, to permanently delete taxonomy term records from the plugin's trash/backup tables by sending a crafted AJAX request with a valid nonce and an arbitrary term_id.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-4076
Publication date:
22/04/2026
The Slider Bootstrap Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'category' and 'template' shortcode attributes in all versions up to and including 1.0.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The plugin uses extract() on shortcode_atts() to parse attributes, then directly outputs the $category variable into multiple HTML attributes (id, data-target, href) on lines 38, 47, 109, and 113 without applying esc_attr(). Similarly, the $template attribute flows into a class attribute on line 93 without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-4082
Publication date:
22/04/2026
The ER Swiffy Insert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [swiffy] shortcode in all versions up to and including 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes ('n', 'w', 'h'). These attributes are extracted using extract() and directly interpolated into the HTML output without any escaping such as esc_attr(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-4085
Publication date:
22/04/2026
The Easy Social Photos Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper_class' shortcode attribute of the 'my-instagram-feed' shortcode in all versions up to, and including, 3.1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. Specifically, the plugin uses sanitize_text_field() instead of esc_attr() when outputting the 'wrapper_class' attribute inside a double-quoted HTML class attribute. Since sanitize_text_field() does not encode double quotes, an attacker can break out of the class attribute and inject arbitrary HTML event handlers. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-4088
Publication date:
22/04/2026
The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppw_cta_box' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'cta_box_button_link', 'cta_box_button_id', 'cta_box_button_text', and 'cta_box_description'. The shortcode reads post meta from a user-specified post ID and echoes these values directly into HTML output without any escaping functions (no esc_attr(), esc_url(), or esc_html()). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-4089
Publication date:
22/04/2026
The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttt_twittee_tweeter() function uses extract() to pull shortcode attributes into local variables and then directly concatenates them into HTML output without any escaping. Specifically, the $id parameter is inserted into an HTML id attribute context without esc_attr(), allowing an attacker to break out of the attribute and inject arbitrary HTML event handlers. Additionally, the $tweet, $content, $balloon, and $theme attributes are similarly injected into inline JavaScript without escaping (lines 87, 93, 101, 117). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-4090
Publication date:
22/04/2026
The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rd_ic_settings_page function when processing settings form submissions. This makes it possible for unauthenticated attackers to update the plugin's settings, including injecting malicious scripts that will be stored and executed in the admin area, via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-31431
Publication date:
22/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: algif_aead - Revert to operating out-of-place<br /> <br /> This mostly reverts commit 72548b093ee3 except for the copying of<br /> the associated data.<br /> <br /> There is no benefit in operating in-place in algif_aead since the<br /> source and destination come from different mappings. Get rid of<br /> all the complexity added for in-place operation and just copy the<br /> AD directly.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-31432
Publication date:
22/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix OOB write in QUERY_INFO for compound requests<br /> <br /> When a compound request such as READ + QUERY_INFO(Security) is received,<br /> and the first command (READ) consumes most of the response buffer,<br /> ksmbd could write beyond the allocated buffer while building a security<br /> descriptor.<br /> <br /> The root cause was that smb2_get_info_sec() checked buffer space using<br /> ppntsd_size from xattr, while build_sec_desc() often synthesized a<br /> significantly larger descriptor from POSIX ACLs.<br /> <br /> This patch introduces smb_acl_sec_desc_scratch_len() to accurately<br /> compute the final descriptor size beforehand, performs proper buffer<br /> checking with smb2_calc_max_out_buf_len(), and uses exact-sized<br /> allocation + iov pinning.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-31433
Publication date:
22/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix potencial OOB in get_file_all_info() for compound requests<br /> <br /> When a compound request consists of QUERY_DIRECTORY + QUERY_INFO<br /> (FILE_ALL_INFORMATION) and the first command consumes nearly the entire<br /> max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16()<br /> with PATH_MAX, causing out-of-bounds write beyond the response buffer.<br /> In get_file_all_info(), there was a missing validation check for<br /> the client-provided OutputBufferLength before copying the filename into<br /> FileName field of the smb2_file_all_info structure.<br /> If the filename length exceeds the available buffer space, it could lead to<br /> potential buffer overflows or memory corruption during smbConvertToUTF16<br /> conversion. This calculating the actual free buffer size using<br /> smb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is<br /> insufficient and updating smbConvertToUTF16 to use the actual filename<br /> length (clamped by PATH_MAX) to ensure a safe copy operation.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-2719
Publication date:
22/04/2026
The Private WP suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;Exceptions&amp;#39; setting in all versions up to, and including, 0.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026
Subscribe to Vulnerabilities