Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-24816

Publication date:
30/06/2026
Nokia MantaRay is subject to an Improper Access Control vulnerability due to insufficient authorization within the API. Successful exploitation could allow an authenticated attacker to retrieve confidential information beyond their assigned privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2025-7406

Publication date:
30/06/2026
Nokia MantaRay NM is vulnerable to a sudo privilege escalation vulnerability where a local attacker possessing administrative (local admin) privileges can escalate to full root privileges on the host. Successful exploitation results in root-level access to the filesystem and the ability to execute actions as root. The risk can be temporarily mitigated by restricting the set of commands permitted via sudo for the affected accounts.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2025-24815

Publication date:
30/06/2026
Nokia MantaRay NM is subject to an unrestricted file upload vulnerability due to insufficient file type validation. Successful exploitation could allow an authenticated attacker to upload malicious files onto the system.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-45822

Publication date:
30/06/2026
decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode() function splits input on '%' producing N tokens and calls decodeComponents(), exhibiting super-linear parsing time: 200 '%ab' tokens takes approximately 0.7s, 700 tokens approximately 6s, and 1400 tokens approximately 33s. An attacker can cause significant CPU consumption and event-loop blocking via crafted input.
Severity CVSS v4.0: MEDIUM
Last modification:
30/06/2026

CVE-2026-12578

Publication date:
30/06/2026
The affected product is vulnerable to a deserialization of untrusted data, which may allow an attacker to execute arbitrary code.
Severity CVSS v4.0: HIGH
Last modification:
30/06/2026

CVE-2026-56137

Publication date:
30/06/2026
RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed.
Severity CVSS v4.0: HIGH
Last modification:
30/06/2026

CVE-2026-56808

Publication date:
30/06/2026
DGM3103SCT provided by AVTECH Security Corporation contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who can log in to the web management console of the affected product.
Severity CVSS v4.0: HIGH
Last modification:
30/06/2026

CVE-2026-9576

Publication date:
30/06/2026
The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-12819

Publication date:
30/06/2026
Delta Electronics DVP12SE PLC exposes a Modbus TCP service over a specified port without authentication or access control, permitting unauthenticated interaction with security-sensitive PLC functions.
Severity CVSS v4.0: CRITICAL
Last modification:
30/06/2026

CVE-2026-14164

Publication date:
30/06/2026
A double free issue has been identified in libarchive's RAR5 reader. During parsing of a specially crafted RAR5 archive, the filtered_buf pointer may remain stale after being freed during unpacking state reinitialization. Subsequent processing of another archive entry can trigger a second free of the same memory region, resulting in a double-free condition. Successful exploitation may cause applications using the vulnerable libarchive API to terminate unexpectedly, leading to a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-56809

Publication date:
30/06/2026
Multiple laser printers and MFPs (multifunction printers) which implement Ricoh Web Image Monitor contain a reflected cross-site scripting vulnerability. An arbitrary script may be executed on the web browser of the user who accesses a crafted URL.
Severity CVSS v4.0: MEDIUM
Last modification:
09/07/2026

CVE-2026-11581

Publication date:
30/06/2026
The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that executes in an administrator's session. A missing capability check in the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13's post-duplication action additionally lets the Contributor publish the malicious form so an administrator renders it.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026