Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-45838

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: fix end-of-list detection in cgroup_storage_get_next_key()<br /> <br /> list_next_entry() never returns NULL -- when the current element is the<br /> last entry it wraps to the list head via container_of(). The subsequent<br /> NULL check is therefore dead code and get_next_key() never returns<br /> -ENOENT for the last element, instead reading storage-&gt;key from a bogus<br /> pointer that aliases internal map fields and copying the result to<br /> userspace.<br /> <br /> Replace it with list_entry_is_head() so the function correctly returns<br /> -ENOENT when there are no more entries.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2026

CVE-2026-45837

Publication date:
27/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix use-after-free in arena_vm_close on fork<br /> <br /> arena_vm_open() only bumps vml-&gt;mmap_count but never registers the<br /> child VMA in arena-&gt;vma_list. The vml-&gt;vma always points at the<br /> parent VMA, so after parent munmap the pointer dangles. If the child<br /> then calls bpf_arena_free_pages(), zap_pages() reads the stale<br /> vml-&gt;vma triggering use-after-free.<br /> <br /> Fix this by preventing the arena VMA from being inherited across<br /> fork with VM_DONTCOPY, and preventing VMA splits via the may_split<br /> callback.<br /> <br /> Also reject mremap with a .mremap callback returning -EINVAL. A<br /> same-size mremap(MREMAP_FIXED) on the full arena VMA reaches<br /> copy_vma() through the following path:<br /> <br /> check_prep_vma() - returns 0 early: new_len == old_len<br /> skips VM_DONTEXPAND check<br /> prep_move_vma() - vm_start == old_addr and<br /> vm_end == old_addr + old_len<br /> so may_split is never called<br /> move_vma()<br /> copy_vma_and_data()<br /> copy_vma()<br /> vm_area_dup() - copies vm_private_data (vml pointer)<br /> vm_ops-&gt;open() - bumps vml-&gt;mmap_count<br /> vm_ops-&gt;mremap() - returns -EINVAL, rollback unmaps new VMA<br /> <br /> The refcount ensures the rollback&amp;#39;s arena_vm_close does not free<br /> the vml shared with the original VMA.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2026

CVE-2026-42756

Publication date:
27/05/2026
Improper Limitation of a Pathname to a Restricted Directory (&amp;#39;Path Traversal&amp;#39;) vulnerability in Ludwig You QuickWebP &amp;#8211; Compress / Optimize Images &amp;amp; Convert WebP | SEO Friendly quickwebp allows Path Traversal.This issue affects QuickWebP &amp;#8211; Compress / Optimize Images &amp;amp; Convert WebP | SEO Friendly: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-42757

Publication date:
27/05/2026
Improper Limitation of a Pathname to a Restricted Directory (&amp;#39;Path Traversal&amp;#39;) vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Path Traversal.This issue affects WebinarIgnition: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-42758

Publication date:
27/05/2026
Incorrect Privilege Assignment vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Privilege Escalation.This issue affects WebinarIgnition: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-42759

Publication date:
27/05/2026
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Timo Affiliate Super Assistent amazonsimpleadmin allows Stored XSS.This issue affects Affiliate Super Assistent: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-42760

Publication date:
27/05/2026
Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and Staging by WP Time Capsule wp-time-capsule allows Password Recovery Exploitation.This issue affects Backup and Staging by WP Time Capsule: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-42761

Publication date:
27/05/2026
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows Blind SQL Injection.This issue affects Active Products Tables for WooCommerce: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-42762

Publication date:
27/05/2026
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in e4jvikwp VikBooking Hotel Booking Engine &amp; PMS vikbooking allows DOM-Based XSS.This issue affects VikBooking Hotel Booking Engine &amp; PMS: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-42746

Publication date:
27/05/2026
Insertion of Sensitive Information Into Sent Data vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Retrieve Embedded Sensitive Data.This issue affects Smart Online Order for Clover: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-42747

Publication date:
27/05/2026
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Blind SQL Injection.This issue affects Easy Form Builder: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2026-42748

Publication date:
27/05/2026
Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server.This issue affects WPify Woo Czech: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026