Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-45212

Publication date:
12/05/2026
Missing Authorization vulnerability in Gabe Livan Asset CleanUp: Page Speed Booster wp-asset-clean-up allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Asset CleanUp: Page Speed Booster: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-45213

Publication date:
12/05/2026
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 BEAR woo-bulk-editor allows Blind SQL Injection. This issue affects BEAR: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-45214

Publication date:
12/05/2026
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Blind SQL Injection. This issue affects Xpro Elementor Addons: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-45215

Publication date:
12/05/2026
Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Retrieve Embedded Sensitive Data. This issue affects WP EasyPay: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-2465

Publication date:
12/05/2026
Incorrect Authorization vulnerability in E-Kalite Software Hardware Engineering Design and Internet Services Industry and Trade Ltd. Co. Turboard FOR-S allows Privilege Escalation. This issue affects Turboard FOR-S: from 7.01.2026 before 18.02.2026.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-41713

Publication date:
12/05/2026
A malicious user could craft input that is stored in conversation memory and later interpreted by the model in an unintended way. Applications using the affected advisor with user-controlled input may be susceptible to manipulation of model behavior across conversation turns.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-41712

Publication date:
12/05/2026
Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-32684

Publication date:
12/05/2026
The application does not impose strict enough restrictions on directory access permissions, posing a risk that other malicious applications could obtain sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-8162

Publication date:
12/05/2026
multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-7428

Publication date:
12/05/2026
Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.
Severity CVSS v4.0: CRITICAL
Last modification:
12/05/2026

CVE-2026-6001

Publication date:
12/05/2026
Authorization bypass through User-Controlled key vulnerability in ABIS Technology Ltd. Co. BAPSİS allows Exploitation of Trusted Identifiers. This issue affects BAPSİS: before v.202604152042.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-6800

Publication date:
12/05/2026
The FastBots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026