Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-8157

Publication date:
22/06/2026
The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
22/06/2026

CVE-2026-7859

Publication date:
22/06/2026
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.
Severity CVSS v4.0: Pending analysis
Last modification:
22/06/2026

CVE-2026-4259

Publication date:
22/06/2026
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Severity CVSS v4.0: Pending analysis
Last modification:
22/06/2026

CVE-2026-6858

Publication date:
22/06/2026
The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator
Severity CVSS v4.0: Pending analysis
Last modification:
22/06/2026

CVE-2026-4110

Publication date:
22/06/2026
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Severity CVSS v4.0: Pending analysis
Last modification:
22/06/2026

CVE-2026-10530

Publication date:
22/06/2026
The Pie Register WordPress plugin before 3.8.4.10 does not use sufficiently random values when generating its account verification tokens, allowing unauthenticated attackers to predict a valid token and activate an account without access to the associated email inbox.
Severity CVSS v4.0: Pending analysis
Last modification:
22/06/2026

CVE-2026-6645

Publication date:
22/06/2026
An insecure process execution vulnerability exists in the pc-printer-updater.exe component of the PaperCut Print Deploy Client for Windows. The application, which typically operates with high-level system privileges, attempts to perform an internal validation check by invoking a secondary system utility using an unqualified file reference.<br /> <br /> <br /> <br /> Because the application does not specify an absolute path to this utility, it relies on the operating system&amp;#39;s default search order to locate the executable. Under specific conditions, a local attacker with the ability to modify directories within the system&amp;#39;s search path could plant a malicious binary that mimics the expected utility. This could result in the malicious code being executed with SYSTEM privileges, leading to a full compromise of the affected host.
Severity CVSS v4.0: HIGH
Last modification:
23/06/2026

CVE-2026-8918

Publication date:
22/06/2026
A permissive list of allowed inputs in ASUS Armoury Crate allows a local administrator to perform arbitrary memory read/write operations or cause a system crash (BSOD) by bypassing the validation mechanism.Refer to the &amp;#39;<br /> Security Update for Armoury Crate App &amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: HIGH
Last modification:
24/06/2026

CVE-2026-11745

Publication date:
22/06/2026
A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories.
Severity CVSS v4.0: HIGH
Last modification:
22/06/2026

CVE-2026-11746

Publication date:
22/06/2026
A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.
Severity CVSS v4.0: CRITICAL
Last modification:
22/06/2026

CVE-2026-11748

Publication date:
22/06/2026
A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure.
Severity CVSS v4.0: MEDIUM
Last modification:
22/06/2026

CVE-2026-12822

Publication date:
22/06/2026
A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The manipulation leads to code injection. The attack needs to be performed locally. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modification:
26/06/2026