Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-49877

Publication date:
30/06/2026
Improper Authorization vulnerability in Apache ActiveMQ.<br /> <br /> An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins.<br /> This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.<br /> <br /> Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2026

CVE-2026-49434

Publication date:
30/06/2026
Improper Input Validation vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All.<br /> <br /> An attacker that has access to publish or modify entries in LDAP that match the configured searchBase and searchFilter can instantiate denied transports inside the broker JVM. This can be used to fetch an attacker URL and spawn a second BrokerService inside the same JVM.<br /> This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7.<br /> <br /> <br /> Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2026

CVE-2026-49432

Publication date:
30/06/2026
Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp.<br /> <br /> A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure.<br /> This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7.<br /> <br /> <br /> <br /> <br /> Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2026

CVE-2026-13316

Publication date:
30/06/2026
A flaw has been found in foreman when HTTP parameters are modified in http_proxies_controller and http_proxy files. Attackers can perform an SSRF attack and steal cloud metadata service on AWS/GCP/Azure environment through foreman component.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026

CVE-2026-8141

Publication date:
30/06/2026
The Ajax Load More - Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;taxonomy_include_children&amp;#39; parameter in all versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-9711

Publication date:
30/06/2026
The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress (full) is vulnerable to SQL Injection via the WordPress &amp;#39;search&amp;#39; parameter in versions up to, and including, 5.0.11 due to insufficient escaping on the user supplied parameter and lack of preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, granted the "Enable additional search queries" setting is enabled and at least one published event exists.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-6954

Publication date:
30/06/2026
Cross-Site Scripting (XSS) vulnerability in Intermark IT&amp;#39;s WebControl CMS v3.5. This vulnerability allows an attacker to execute JavaScript code or inject a dynamic iframe into the victim’s browser by sending a malicious URL via the &amp;#39;urlDestino&amp;#39; parameter in &amp;#39;/portal.do&amp;#39;. This vulnerability can be exploited to steal sensitive user data, such as session cookies, display phishing interfaces, or perform actions on the user’s behalf.
Severity CVSS v4.0: MEDIUM
Last modification:
30/06/2026

CVE-2026-6953

Publication date:
30/06/2026
HTML injection vulnerability in Intermark IT&amp;#39;s WebControl CMS v3.5. This vulnerability allows an attacker to send an email containing malicious HTML code to a victim via the contact form. To exploit this vulnerability, the attacker must send a request using the &amp;#39;nombreApellidos&amp;#39;, &amp;#39;dirección &amp;#39;, and &amp;#39;comentarios &amp;#39; parameters to &amp;#39;/processContact.do&amp;#39;.
Severity CVSS v4.0: MEDIUM
Last modification:
30/06/2026

CVE-2026-10763

Publication date:
30/06/2026
PROMOD V is using insecure HTTP communication instead of HTTPS. The vulnerability is due to the lack of HTTPS support from 3rd party Digipede server.
Severity CVSS v4.0: HIGH
Last modification:
30/06/2026

CVE-2026-12076

Publication date:
30/06/2026
Raytha CMS is vulnerable to SQL Injection within the OData filter parsing pipeline.  The vulnerability allows a remote, unauthenticated attacker to execute <br /> arbitrary SQL statements against the underlying PostgreSQL database, <br /> leading to full database compromise, including credential extraction.<br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 1.5.2 but may also affect other versions.
Severity CVSS v4.0: CRITICAL
Last modification:
30/06/2026

CVE-2026-12610

Publication date:
30/06/2026
A flaw was found in sssd. When authenticating with a YubiKey, the SSSD PAM responder can crash due to a use-after-free vulnerability, where a memory pointer is incorrectly handled. A local attacker could exploit this flaw by manipulating smartcard or YubiKey contents, leading to a denial of service that disrupts authentication. This vulnerability also presents a potential for privilege escalation, although it is difficult to exploit.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-13149

Publication date:
30/06/2026
brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding &amp;#39;{}&amp;#39; brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.
Severity CVSS v4.0: HIGH
Last modification:
08/07/2026