Vulnerabilities

To inform and warn professionals about the latest security vulnerabilities in technology systems, we provide a Spanish-language database, open to anyone interested, that covers the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is built from the information in the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally the list shows vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. Entries are identified using the CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names, which supports the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-6272

Publication date:
24/04/2026
A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending a ProvideSignalRequest. The attack path:

1. Obtain any valid token with only read scope.
2. Connect to the normal production gRPC API (kuksa.val.v2).
3. Open OpenProviderStream.
4. Send ProvideSignalRequest for a target signal ID.
5. Wait for the broker to forward GetProviderValueRequest.
6. Reply with an attacker-controlled GetProviderValueResponse.
7. Other clients performing GetValue / GetValues for that signal receive forged data.
Severity CVSS v4.0: HIGH
Last modification:
24/04/2026
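The registration flow above, replayed in-process as an added example (not KUKSA databroker code): a toy broker accepts a ProvideSignalRequest from any valid token in the vulnerable configuration and demands a dedicated provide scope at stream open in the hardened one. The scope names 'read' and 'provide', the message classes, the broker internals and the sensor value are assumptions of this model, not the project's API.

```python
"""In-process model of the OpenProviderStream registration flow described in
the entry above. Added example, not KUKSA databroker code: the scope names
('read', 'provide'), the message classes and the broker internals are
simplified stand-ins chosen for this illustration."""
from dataclasses import dataclass


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class Token:
    subject: str
    scopes: frozenset  # e.g. frozenset({"read"}); scope names are assumed


@dataclass
class ProvideSignalRequest:
    signal_id: int


@dataclass
class GetProviderValueResponse:
    signal_id: int
    value: float


class Broker:
    """Each signal has at most one registered provider. GetValue asks that
    provider (via GetProviderValueRequest) for the current value, so whoever
    holds the provider slot decides what every reader sees."""

    def __init__(self, require_provide_scope: bool):
        self.require_provide_scope = require_provide_scope
        self.providers = {}  # signal_id -> (token, respond callback)
        self.source = {}     # signal_id -> value from the legitimate data source

    def open_provider_stream(self, token, req, respond):
        # Vulnerable behaviour: any valid token may register as a provider.
        # Hardened behaviour: registering requires the 'provide' scope, checked
        # at stream open, before any ProvideSignalRequest is honoured.
        if self.require_provide_scope and "provide" not in token.scopes:
            raise PermissionDenied(f"{token.subject}: provide scope required")
        self.providers[req.signal_id] = (token, respond)

    def get_value(self, token, signal_id):
        if "read" not in token.scopes:
            raise PermissionDenied(f"{token.subject}: read scope required")
        if signal_id in self.providers:
            _, respond = self.providers[signal_id]
            reply = respond(signal_id)  # broker forwards GetProviderValueRequest
            return reply.value
        return self.source.get(signal_id)


def run_scenario(require_provide_scope):
    """Returns whether the read-only client got the provider slot and what
    an honest reader then sees for the signal."""
    broker = Broker(require_provide_scope)
    broker.source[1] = 50.0  # constructed: the real sensor reports 50.0
    attacker = Token("attacker", frozenset({"read"}))
    dashboard = Token("dashboard", frozenset({"read"}))

    def forged_reply(signal_id):
        return GetProviderValueResponse(signal_id, 0.0)  # attacker-chosen value

    try:
        broker.open_provider_stream(attacker, ProvideSignalRequest(1), forged_reply)
        registered = True
    except PermissionDenied:
        registered = False
    return {"registered": registered, "reader_sees": broker.get_value(dashboard, 1)}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False))  # {'registered': True, 'reader_sees': 0.0}
    print("hardened: ", run_scenario(True))   # {'registered': False, 'reader_sees': 50.0}
```

The point of the model is where the check sits: the scope must be enforced when the provider stream is opened for a given signal, not only on the read path, because once the provider slot is taken every GetValue for that signal is answered by the holder.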

CVE-2026-21728

Publication date:
24/04/2026
Tempo queries with large limits can cause large memory allocations, which can impact the availability of the service depending on its deployment strategy. This can be mitigated by setting max_result_limit in the search config, e.g. to 262144 (2^18).
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-3565

Publication date:
24/04/2026
The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to a missing nonce verification in the taqnix_delete_my_account() function, where the check_ajax_referer() call is explicitly commented out on line 883. This makes it possible for unauthenticated attackers to trick a logged-in non-administrator user into deleting their own account via a forged request, provided the attacker can induce the user to perform an action such as clicking a link or visiting a malicious page.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-3569

Publication date:
24/04/2026
The Liaison Site Prober plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 1.2.1 via the /wp-json/site-prober/v1/logs REST API endpoint. The permissions_read() permission callback unconditionally returns true (via __return_true()) instead of checking for appropriate capabilities; a permission callback for audit data should gate on a capability check such as current_user_can(). This makes it possible for unauthenticated attackers to retrieve sensitive audit log data including IP addresses, user IDs, usernames, login/logout events, failed login attempts, and detailed activity descriptions.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-4078

Publication date:
24/04/2026
The ITERAS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes (iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice) in all versions up to and including 1.8.2. This is due to insufficient input sanitization and output escaping in the combine_attributes() function. The function concatenates shortcode attribute values directly into inline JavaScript code using double-quoted string interpolation (line 489: '"'.$key.'": "'.$value.'"') without any escaping. An attacker can break out of the JavaScript string context by including a double-quote character in a shortcode attribute value and inject arbitrary JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2025-11762

Publication date:
24/04/2026
The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-1951

Publication date:
24/04/2026
Delta Electronics AS320T does not check the length of the buffer holding the directory name.
Severity CVSS v4.0: Pending analysis
Last modification:
11/05/2026

CVE-2026-1952

Publication date:
24/04/2026
Delta Electronics AS320T is vulnerable to denial of service via an undocumented subfunction.
Severity CVSS v4.0: Pending analysis
Last modification:
11/05/2026

CVE-2026-1950

Publication date:
24/04/2026
Delta Electronics AS320T does not check the length of the buffer holding the file name.
Severity CVSS v4.0: Pending analysis
Last modification:
11/05/2026

CVE-2026-5364

Publication date:
24/04/2026
The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. The plugin extracts the file extension before sanitization, lets the file type parameter be controlled by the attacker rather than restricting it to administrator-configured values, validates the unsanitized extension, and then saves the file under a sanitized name. Because sanitization strips special characters such as '$', an extension that passes validation can become a different one on disk. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution; however, an .htaccess file and file name randomization are in place, which restricts real-world exploitability.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026
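The ordering problem above (validate the raw extension, then save under the sanitized name) as an added example, not the plugin's code: sanitize_file_name_stub() is a simplified stand-in for WordPress sanitize_file_name(), and the file name, the request-supplied type list and the administrator allow list are constructed for the demonstration.

```python
"""Model of the validate-then-sanitize ordering bug described in the entry
above. Added example, not the plugin's code: sanitize_file_name_stub()
approximates WordPress sanitize_file_name() (it drops characters such as
'$'); the request shape and the allow lists are constructed."""
from __future__ import annotations

import re

ADMIN_ALLOWED_TYPES = {"jpg", "png", "pdf"}  # what the site owner configured (constructed)
EXECUTABLE = {"php", "phtml", "phar"}        # extensions that must never be written


def sanitize_file_name_stub(name: str) -> str:
    # Simplified stand-in for WordPress sanitize_file_name(): keep only
    # letters, digits, dot, dash and underscore, so 'ph$p' becomes 'php'.
    return re.sub(r"[^A-Za-z0-9._-]", "", name)


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def vulnerable_upload(filename: str, request_types: list[str]) -> str | None:
    """Returns the name written to disk, or None if rejected.
    1. extension taken from the raw name; 2. the allow list comes from the
    request; 3. the file is saved under the sanitized name."""
    ext = extension(filename)
    if ext not in {t.lower() for t in request_types}:
        return None
    return sanitize_file_name_stub(filename)


def hardened_upload(filename: str, request_types: list[str]) -> str | None:
    """Sanitize first, then validate the extension that will actually be
    stored against the server-side allow list; request_types is ignored."""
    del request_types  # never trust a client-supplied allow list
    safe_name = sanitize_file_name_stub(filename)
    ext = extension(safe_name)
    if ext in EXECUTABLE or ext not in ADMIN_ALLOWED_TYPES:
        return None
    return safe_name


def demo() -> dict:
    # Constructed attack: upload 'shell.ph$p' and declare 'ph$p' as accepted.
    payload, attacker_types = "shell.ph$p", ["jpg", "ph$p"]
    return {
        "vulnerable": vulnerable_upload(payload, attacker_types),  # 'shell.php'
        "hardened": hardened_upload(payload, attacker_types),      # None
        "legit": hardened_upload("photo.png", attacker_types),     # 'photo.png'
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the order of operations, not a better blocklist: derive the extension from the exact name that will be written, and compare it against a list the client cannot influence.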

CVE-2026-5428

Publication date:
24/04/2026
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in versions up to and including 1.7.1056. This is due to insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for the alt attribute context. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the malicious image displayed in the media grid widget.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026
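Both the ITERAS entry above (an attribute value concatenated into a JavaScript string) and the Royal Elementor entry (a caption placed in an alt attribute after a content filter rather than attribute escaping) are the same mistake: output encoding chosen for the wrong context. The added example below is not code from either plugin; kses_like() is a simplified stand-in for a post-content filter that strips tags but leaves quotes, and the templates and payloads are constructed.

```python
"""Output encoding must match the context the value lands in. Added example,
not code from either plugin: kses_like() stands in for a post-content filter
(keeps text and quotes, drops tags); the templates and payloads are
constructed."""
import html
import json
import re


def kses_like(value: str) -> str:
    # Stand-in for a post-content filter: removes tags, leaves quotes alone.
    return re.sub(r"<[^>]*>", "", value)


# --- JavaScript string context (the combine_attributes() pattern) ---
def js_config_vulnerable(key: str, value: str) -> str:
    # Mirrors '"'.$key.'": "'.$value.'"' : raw concatenation into a JS string.
    return '{"' + key + '": "' + value + '"}'


def js_config_hardened(key: str, value: str) -> str:
    # A JSON encoder escapes quotes and backslashes, so the value cannot
    # terminate the string literal it is placed in.
    return "{" + json.dumps(key) + ": " + json.dumps(value) + "}"


# --- HTML attribute context (the alt="" pattern) ---
def img_tag_vulnerable(caption: str) -> str:
    # Content filtering is not attribute escaping: a '"' survives the filter.
    return '<img src="x.jpg" alt="' + kses_like(caption) + '">'


def img_tag_hardened(caption: str) -> str:
    # Attribute context needs attribute escaping (esc_attr() in WordPress).
    return '<img src="x.jpg" alt="' + html.escape(caption, quote=True) + '">'


def attribute_names(tag: str) -> list:
    """Attributes an HTML parser would see on the tag (name followed by =")."""
    return re.findall(r'\s([a-zA-Z-]+)="', tag)


def demo() -> dict:
    js_payload = 'x", "onload": alert(1), "y": "'   # constructed shortcode value
    attr_payload = 'cat" onerror="alert(1)'          # constructed image caption
    marker = '"onload": alert(1)'                    # unescaped key means breakout
    return {
        "js_vuln_breaks_out": marker in js_config_vulnerable("title", js_payload),
        "js_hard_breaks_out": marker in js_config_hardened("title", js_payload),
        "attr_vuln": attribute_names(img_tag_vulnerable(attr_payload)),
        "attr_hard": attribute_names(img_tag_hardened(attr_payload)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two hardened functions differ only in the encoder, which is the whole lesson: a value going into a script string gets JSON/JavaScript escaping, a value going into an attribute gets attribute escaping, and a filter designed for post body HTML does neither.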

CVE-2026-6810

Publication date:
24/04/2026
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to take over other users' calendars and view user data associated with the calendar.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026