Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-56054

Publication date:
25/06/2026
Subscriber Arbitrary File Deletion in JS Help Desk
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-56006

Publication date:
25/06/2026
Unauthenticated Cross Site Scripting (XSS) in H5P
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-56049

Publication date:
25/06/2026
Contributor Remote Code Execution (RCE) in Post Snippets
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-56050

Publication date:
25/06/2026
Improper Access Control vulnerability in Themeisle PPOM for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PPOM for WooCommerce: from n/a through 33.0.18.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-54848

Publication date:
25/06/2026
Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal APIExperts Square for WooCommerce allows Retrieve Embedded Sensitive Data. This issue affects APIExperts Square for WooCommerce: from n/a through 4.7.3.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-56005

Publication date:
25/06/2026
Subscriber Cross Site Scripting (XSS) in WP Activity Log
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-54842

Publication date:
25/06/2026
Missing Authorization vulnerability in Royal Plugins Royal MCP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal MCP: from n/a through 1.4.25.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-54843

Publication date:
25/06/2026
Unauthenticated SQL Injection in MDTF
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-54829

Publication date:
25/06/2026
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jacob N. Breetvelt WP Photo Album Plus allows Blind SQL Injection. This issue affects WP Photo Album Plus: from n/a through 9.1.13.005.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-54828

Publication date:
25/06/2026
Unauthenticated Broken Access Control in Motors
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2026

CVE-2026-2815

Publication date:
25/06/2026
Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys
Severity CVSS v4.0: HIGH
Last modification:
25/06/2026

CVE-2026-56091

Publication date:
25/06/2026
When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to https://www.cve.org/CVERecord?id=CVE-2020-1957, except that it affects the `shiro-guice` module instead of the `shiro-spring` module. This issue affects all Apache Shiro versions through 2.x, and 3.0.0-alpha-1 only when using `shiro-guice` module in a web servlet context. Upgrade to version 3.0.0 or later, which fixes the issue.
Severity CVSS v4.0: HIGH
Last modification:
25/06/2026