Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2016-20074
Publication date:
15/06/2026
WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into submitting POST requests to the plugin settings page via lzcs_admin.php to modify plugin configuration parameters like lzcs_color and lzcs_count.
Severity CVSS v4.0: MEDIUM
Last modification:
15/06/2026

CVE-2016-20075
Publication date:
15/06/2026
WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious files by exploiting the custom fields functionality. Attackers can upload PHP shells through the Products tab custom file field and access them via the upcp-product-file-uploads directory to execute arbitrary code on the server.
Severity CVSS v4.0: HIGH
Last modification:
15/06/2026

CVE-2016-20076
Publication date:
15/06/2026
WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the delete_backup_file and download_backup_file parameters in tools.php. Attackers can exploit insufficient input validation using directory traversal techniques to access wp-config.php, database dumps, and other sensitive files, or delete critical files .htaccess to expose backup directories.
Severity CVSS v4.0: HIGH
Last modification:
15/06/2026

CVE-2016-20067
Publication date:
15/06/2026
WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML pages that execute unwanted poll operations when administrators visit the page while logged in.
Severity CVSS v4.0: MEDIUM
Last modification:
15/06/2026

CVE-2016-20068
Publication date:
15/06/2026
WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint with the action parameter set to 'dex_bccf_calendar_ajaxevent' and supply crafted SQL commands in the 'id' parameter to extract sensitive database information.
Severity CVSS v4.0: HIGH
Last modification:
15/06/2026

CVE-2016-20069
Publication date:
15/06/2026
WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information.
Severity CVSS v4.0: HIGH
Last modification:
15/06/2026

CVE-2016-20066
Publication date:
15/06/2026
WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Attackers can upload files containing script payloads with event handlers like onerror attributes to execute arbitrary JavaScript in the browsers of users viewing the affected content.
Severity CVSS v4.0: MEDIUM
Last modification:
15/06/2026

CVE-2026-49757
Publication date:
15/06/2026
Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.<br /> <br /> AshAuthentication&amp;#39;s OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers.<br /> <br /> A provider login presenting a victim&amp;#39;s email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim&amp;#39;s existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim&amp;#39;s email (or who benefits from provider-side email reuse or reclamation) obtains the victim&amp;#39;s full local privileges.<br /> <br /> The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider&amp;#39;s email_verified claim is trusted (trust_email_verified?).<br /> <br /> This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.
Severity CVSS v4.0: CRITICAL
Last modification:
15/06/2026

CVE-2026-34026
Publication date:
15/06/2026
Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without sufficient validation, allowing an authenticated attacker with any role or permission level to traverse out of the intended document directory and download arbitrary files accessible to the application. This includes, but is not limited to, application log files containing sensitive information and application binaries.
Severity CVSS v4.0: HIGH
Last modification:
15/06/2026

CVE-2026-34027
Publication date:
15/06/2026
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains insufficient server-side file type validation in the /safe/contract/uploadcustomdocuments endpoint. The application validates uploaded files based on the user-controlled HTTP Content-Type value and accepts the upload if this value contains an allowed string such as pdf, jpeg, tiff, or png. An authenticated attacker with any role or permission level can spoof the Content-Type value and upload arbitrary file content.
Severity CVSS v4.0: MEDIUM
Last modification:
15/06/2026

CVE-2026-34028
Publication date:
15/06/2026
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/.
Severity CVSS v4.0: MEDIUM
Last modification:
15/06/2026

CVE-2026-34029
Publication date:
15/06/2026
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a hard-coded cryptographic key in the SafeSystem.Infrastructure.Security.dll component. An attacker with access to the application files can reverse engineer the DLL and recover the hard-coded cryptographic key. This key can be used to decrypt the licence.whs file, which contains sensitive information about the licensing party and a second key that can be used to decrypt other configuration files.
Severity CVSS v4.0: MEDIUM
Last modification:
15/06/2026
Subscribe to Vulnerabilities