Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-57868

Publication date:
07/07/2026
MicroRealEstate is affected by broken object-level access controls in PDF generator functionality.<br /> <br /> This issue affects MicroRealEstate: through 1.0.0-alpha3.
Severity CVSS v4.0: HIGH
Last modification:
07/07/2026

CVE-2026-57869

Publication date:
07/07/2026
Broken object-level access controls and the use of a deterministic pattern during random ID generation in MicroRealEstate allows attackers to access documents uploaded by landlords or tenants without authorization.<br /> <br /> This issue affects MicroRealEstate: through 1.0.0-alpha3.
Severity CVSS v4.0: HIGH
Last modification:
07/07/2026

CVE-2026-57870

Publication date:
07/07/2026
Broken object-level access control on the Template API in MicroRealEstate allows attackers to retrieve document templates used by other organizations without authorization.<br /> <br /> This issue affects MicroRealEstate: through 1.0.0-alpha3.
Severity CVSS v4.0: MEDIUM
Last modification:
07/07/2026

CVE-2026-14345

Publication date:
07/07/2026
The WPFunnels – Funnel Builder for WooCommerce with Checkout &amp; One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.12.7 via the &amp;#39;postData&amp;#39; parameter parameter. This is due to unsanitized write of attacker-controlled postData values into a PHP-includeable .log file combined with the use of include_once to render that file in wpfnl_show_log. This makes it possible for unauthenticated attackers to execute code on the server. Exploitation requires that the Log Settings "Enable Logs" toggle is on and that an administrator subsequently opens the polluted log file via the plugin&amp;#39;s Log Settings View UI; however, the nonce required to reach the optin endpoint is publicly emitted on every funnel step page, so the injection step itself is fully unauthenticated.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2026

CVE-2026-12277

Publication date:
07/07/2026
The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server (such as wp-config.php) when guest upload mode is enabled. Deleting wp-config.php forces the site into its setup routine, which can be leveraged toward a full site takeover.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-10834

Publication date:
07/07/2026
The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their own profile-image path. This removes the targeted media from its original location and can break content across the site.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-42201

Publication date:
07/07/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, database credential fields (redis_password, keydb_password, dragonfly_password, clickhouse_admin_user, clickhouse_admin_password, postgres_user, mysql_user) are validated only as &amp;#39;string&amp;#39; at the API layer, with zero shell-safety checks. These values are then interpolated directly into Docker Compose YAML command: strings without any escaping. This issue is fixed in version 4.0.0-beta.474.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-26053

Publication date:
07/07/2026
An Incorrect Privilege Assignment (CWE-266) vulnerability in the Command Centre Server allows an authenticated operator with limited privileges to perform some operations that they would not normally be authorized to perform. Version of Command Centre affected: 9.50 prior to vEL9.50.1587(MR1), 9.40 prior to vEL9.40.3130(MR3), 9.30 prior to vEL9.30.3983(MR5), 9.20 prior to vEL9.20.4349(MR7), all versions of 9.10.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-27790

Publication date:
07/07/2026
Uncaught Exception (CWE-248) in the T20 Readers allows an authenticated and authorized operator to trigger a restart by sending specific requests, resulting in a temporary denial of service. Version of Command Centre affected:<br /> <br /> <br /> <br /> <br /> <br /> * 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1))<br /> * 9.40 prior to vCR9.40.260616a (distributed in 9.40.3130(MR3))<br /> * 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5))<br /> * 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7))<br /> * all versions of 9.10 and prior.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-27844

Publication date:
07/07/2026
Uncaught Exception (CWE-248) in the Controller 6000 and Controller 7000 diagnostic web interface allows an authenticated and authorized operator to trigger a Controller restart by sending specific requests, resulting in a temporary denial of service. <br /> Version of Command Centre affected:<br /> <br /> <br /> <br /> <br /> <br /> * 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1))<br /> * 9.40 prior to vCR9.40.260616a (distributed in 9.40.3130(MR3))<br /> * 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5))<br /> * 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7))<br /> * all versions of 9.10 and prior.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-34158

Publication date:
07/07/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, the executeInDocker() helper wraps user-controlled commands in single quotes without escaping embedded single quotes. Attackers who can edit application settings can inject a single quote into docker_compose_custom_build_command or docker_compose_custom_start_command to break out of the quoted context and execute arbitrary commands on the managed server host during deployments, escaping the intended Docker container confinement. This issue is fixed in version 4.0.0-beta.469.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-42200

Publication date:
07/07/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL initialization script (generate_init_scripts() method in app/Actions/Database/StartPostgresql.php) filename handling did not sufficiently restrict paths, allowing an authenticated user to write files outside the intended directory and achieve command execution through database initialization. This issue is fixed in version 4.0.0-beta.474.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026