Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-39574

Publication date:
16/06/2026
Unauthenticated SQL Injection in InPost Gallery
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-39581

Publication date:
16/06/2026
Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-40809

Publication date:
16/06/2026
Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.4.1.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-49772

Publication date:
16/06/2026
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection. This issue affects The Events Calendar: from 6.15.12 through 6.16.2.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-49774

Publication date:
16/06/2026
Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion. This issue affects RD Station: from n/a through 5.6.0.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-52711

Publication date:
16/06/2026
Unauthenticated Broken Access Control in WooCommerce POS
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-52712

Publication date:
16/06/2026
Subscriber SQL Injection in Attendance Manager
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-39437

Publication date:
16/06/2026
Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-2381

Publication date:
16/06/2026
The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0. This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to "failed" via sequential order ID enumeration.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-10825

Publication date:
16/06/2026
A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot.
Severity CVSS v4.0: HIGH
Last modification:
16/06/2026

CVE-2025-68045

Publication date:
16/06/2026
Unauthenticated Broken Access Control in WP Event Solution
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-8444

Publication date:
16/06/2026
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to, and including, 12.6.8. This is due to the handler reading $_POST['curselrevs'] raw with no sanitization or type casting, then concatenating each array element directly into a `WHERE id IN ( ... )` clause without quoting and executing via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026