Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-49774

Publication date:
16/06/2026
Improper Control of Generation of Code (&amp;#39;Code Injection&amp;#39;) vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion.<br /> <br /> This issue affects RD Station: from n/a through 5.6.0.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-52711

Publication date:
16/06/2026
Unauthenticated Broken Access Control in WooCommerce POS
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-52712

Publication date:
16/06/2026
Subscriber SQL Injection in Attendance Manager
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-39437

Publication date:
16/06/2026
Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-2381

Publication date:
16/06/2026
The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to "failed" via sequential order ID enumeration.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-10825

Publication date:
16/06/2026
A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot.
Severity CVSS v4.0: HIGH
Last modification:
16/06/2026

CVE-2025-68045

Publication date:
16/06/2026
Unauthenticated Broken Access Control in WP Event SOlution
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-8444

Publication date:
16/06/2026
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the &amp;#39;curselrevs[]&amp;#39; parameter of the wpfb_find_reviews AJAX action in versions up to, and including, 12.6.8. This is due to the handler reading $_POST[&amp;#39;curselrevs&amp;#39;] raw with no sanitization or type casting, then concatenating each array element directly into a `WHERE id IN ( ... )` clause without quoting and executing via $wpdb-&gt;get_results() without $wpdb-&gt;prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-10093

Publication date:
16/06/2026
The File Sharing &amp; Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;fldr_ttl&amp;#39; parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2025-9912

Publication date:
16/06/2026
Nokia SR Linux is vulnerable to a local privilege escalation vulnerability. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privilege.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-46331

Publication date:
16/06/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: fix pedit partial COW leading to page cache corruption<br /> <br /> tcf_pedit_act() computes the COW range for skb_ensure_writable()<br /> once before the key loop using tcfp_off_max_hint, but the hint does<br /> not account for the runtime header offset added by typed keys. This<br /> can leave part of the write region un-COW&amp;#39;d.<br /> <br /> Fix by moving skb_ensure_writable() inside the per-key loop where<br /> the actual write offset is known, and add overflow checking on the<br /> offset arithmetic. For negative offsets (e.g. Ethernet header edits<br /> at ingress), use skb_cow() to COW the headroom instead. Guard<br /> offset_valid() against INT_MIN, where negation is undefined.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-10780

Publication date:
16/06/2026
The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the static_block_content() shortcode handler retrieving a post via get_post() using an attacker-supplied &amp;#39;id&amp;#39; attribute and outputting its post_content without verifying the post&amp;#39;s status (private, draft, pending) or the requesting user&amp;#39;s capability to view it. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary posts, including private and draft static blocks (and any other post type) created by administrators, by embedding the [static_block_content id="X"] shortcode in their own content and previewing it.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026