Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-42677

Publication date:
01/06/2026
Missing Authorization vulnerability in Ben Balter WP Document Revisions allows Exploiting Incorrectly Configured Access Control Security Levels.<br /> <br /> This issue affects WP Document Revisions: from n/a before 4.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-42678

Publication date:
01/06/2026
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Liquid Web / StellarWP GiveWP allows DOM-Based XSS.<br /> <br /> This issue affects GiveWP: from n/a through 4.14.5.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-42679

Publication date:
01/06/2026
Improper Limitation of a Pathname to a Restricted Directory (&amp;#39;Path Traversal&amp;#39;) vulnerability in Mamunur Rashid Classified Listing allows Path Traversal.<br /> <br /> This issue affects Classified Listing: from n/a through 5.3.8.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-38950

Publication date:
01/06/2026
An issue in ESA AnomalyMatch before 1.3.1 allow attackers to execute arbitrary code via crafted model checkpoint files. The affected components load model files from session directories using torch.load() with unrestricted deserialization.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-42671

Publication date:
01/06/2026
Missing Authorization vulnerability in Paolo GeoDirectory allows Exploiting Incorrectly Configured Access Control Security Levels.<br /> <br /> This issue affects GeoDirectory: from n/a through 2.8.157.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-42672

Publication date:
01/06/2026
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection.<br /> <br /> This issue affects WP Directory Kit: from n/a through 1.5.1.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-42673

Publication date:
01/06/2026
Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity allows Retrieve Embedded Sensitive Data.<br /> <br /> This issue affects Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity: from n/a through 3.3.6.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-42674

Publication date:
01/06/2026
Authentication Bypass by Spoofing vulnerability in AAM Plugin Advanced Access Manager allows URL Encoding.<br /> <br /> This issue affects Advanced Access Manager: from n/a through 7.1.0.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-37223

Publication date:
01/06/2026
FlexRIC v2.0.0 contains a reachable assertion in the iApp message dispatcher. The dispatcher validates incoming E2AP messages against a 9-entry whitelist using assert(). A remote unauthenticated attacker can send any decodable E2AP PDU with a message type not in the whitelist to crash the iApp process (port 36422) via SIGABRT. Since iApp and the near-RT RIC share one process, this terminates the entire RIC service and disconnects all E2 Nodes and xApps.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-37224

Publication date:
01/06/2026
FlexRIC v2.0.0 crashes when receiving a duplicate E2_SETUP_REQUEST from the same or spoofed E2 Node. The iApp registry enforces node ID uniqueness via assert() rather than graceful rejection. A remote unauthenticated attacker can crash the iApp process (port 36421) by sending two E2_SETUP_REQUESTs with the same E2 node configuration, triggering SIGABRT.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-37225

Publication date:
01/06/2026
FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash the iApp process (port 36422) via SIGABRT by exploiting this cross-layer validation mismatch.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-37227

Publication date:
01/06/2026
FlexRIC v2.0.0 contains reachable assert(0) calls in stub message handlers for whitelisted but unimplemented E2AP message types in the near-RT RIC. A remote unauthenticated attacker can send a decodable E2AP PDU of such a type (e.g., E2nodeConfigurationUpdate) to crash the near-RT RIC process (port 36421) via SIGABRT. The message passes whitelist validation but triggers an unconditional assertion in the handler.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026