Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-4609

Publication date:
13/05/2026
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the pm_invite_user function in all versions up to, and including, 5.9.8.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add themselves or any registered user to any ProfileGrid group, including closed and paid groups, bypassing all authorization and payment gates.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-39806

Publication date:
13/05/2026
Loop with Unreachable Exit Condition (&amp;#39;Infinite Loop&amp;#39;) vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.<br /> <br /> &amp;#39;Elixir.Bandit.HTTP1.Socket&amp;#39;:do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.<br /> <br /> A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.<br /> <br /> This issue affects bandit: from 1.6.1 before 1.11.1.
Severity CVSS v4.0: HIGH
Last modification:
21/05/2026

CVE-2026-39803

Publication date:
13/05/2026
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.<br /> <br /> The chunked clause of &amp;#39;Elixir.Bandit.HTTP1.Socket&amp;#39;:read_data/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length option when reading HTTP/1 chunked request bodies. Instead of capping the accumulated body at the configured limit (e.g. Plug.Parsers&amp;#39; default 8 MB), do_read_chunked_data!/5 buffers every received chunk into an iolist unconditionally and materializes the entire body as a single binary. The function always returns {:ok, body, ...}, so callers cannot interpose a 413 response.<br /> <br /> Because Plug.Parsers runs before routing and authentication in the standard Phoenix endpoint, an unauthenticated attacker needs no valid route or credentials. Sending a single Transfer-Encoding: chunked POST request with an arbitrarily large body to any path causes the BEAM process to exhaust available memory and be terminated by the OS OOM killer.<br /> <br /> The content-length path in the same function correctly enforces the limit and is not affected.<br /> <br /> This issue affects bandit: from 1.4.0 before 1.11.1.
Severity CVSS v4.0: HIGH
Last modification:
21/05/2026

CVE-2026-37429

Publication date:
13/05/2026
qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysUserMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users&amp;#39; Personally Identifiable Information (PII) via a crafted SQL statement.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-37430

Publication date:
13/05/2026
An arbitrary file upload vulnerability in the ShopOrderImportController.java component of qihang-wms commit 75c15a allows attackers to execute arbitrary code via uploading a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-37428

Publication date:
13/05/2026
qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users&amp;#39; Personally Identifiable Information (PII).
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-6177

Publication date:
13/05/2026
The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elements::get_post_text() function when rendering cached tweet text. The plugin&amp;#39;s ctf_get_more_posts AJAX action is available to unauthenticated users and directly outputs cached tweet data through nl2br() without HTML escaping. When an attacker can get malicious content into cached tweet data (either by tweeting content that gets cached by the site&amp;#39;s feed configuration, or through other vulnerabilities), the malicious HTML/JavaScript is executed when the unauthenticated endpoint is accessed. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the affected endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-42948

Publication date:
13/05/2026
Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be executed in another administrative user&amp;#39;s web browser.
Severity CVSS v4.0: MEDIUM
Last modification:
13/05/2026

CVE-2026-42950

Publication date:
13/05/2026
ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user&amp;#39;s web browser may become broken.
Severity CVSS v4.0: MEDIUM
Last modification:
13/05/2026

CVE-2026-42961

Publication date:
13/05/2026
ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while logged in, the user may be tricked to do unintended operations.
Severity CVSS v4.0: MEDIUM
Last modification:
13/05/2026

CVE-2026-42062

Publication date:
13/05/2026
ELECOM wireless LAN access point devices contain an OS command injection in processing of username parameter. If processing a crafted request, an arbitrary OS command may be executed. No authentication is required.
Severity CVSS v4.0: CRITICAL
Last modification:
13/05/2026

CVE-2026-40621

Publication date:
13/05/2026
ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication.
Severity CVSS v4.0: CRITICAL
Last modification:
13/05/2026