Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-41123

Publication date:
03/07/2026
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper access control vulnerability in the RBAC. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to information tampering.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-41124

Publication date:
03/07/2026
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper limitation of a pathname to a restricted directory ('path traversal') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to information exposure.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-26355

Publication date:
03/07/2026
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutralization of special elements used in an OS command ('OS command injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to command execution.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-10055

Publication date:
03/07/2026
In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller.
Because the destination URL is neither validated nor allowlisted, a remote attacker with access to the Theia service connection can issue server-side HTTP requests to localhost or other backend-reachable hosts and read their responses, exposing internal administrative endpoints, cloud instance metadata services, and other resources that are intentionally outside the browser network boundary.
The vulnerability affects deployments where the Theia service connection is reachable by untrusted users (for example, multi-tenant or publicly-reachable Theia deployments).
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-13341

Publication date:
03/07/2026
A vulnerability exists in the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0, which could allow a remote attacker to perform an indirect prompt injection attack and execute unintended API requests.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-50238

Publication date:
03/07/2026
Rejected reason: Red Hat Product Security has concluded that this CVE is not required. The reported issue has been classified as a regular bug and will be addressed through the standard bug-fixing process.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-10054

Publication date:
03/07/2026
In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication.
WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit.
As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication.
A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-5137

Publication date:
03/07/2026
The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7. This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute files on the server ending in _templates.php, allowing the execution of any PHP code in those files.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-4321

Publication date:
03/07/2026
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Raera - Ankara Web Design and Digital Advertising Agency Destekz allows SQL Injection.
This issue affects Destekz: through 02062026. NOTE: The vendor was contacted and it was learned that the product is not supported.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-4322

Publication date:
03/07/2026
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Raera - Ankara Web Design and Digital Advertising Agency Destekz allows Reflected XSS.
This issue affects Destekz: through 02062026. NOTE: The vendor was contacted and it was learned that the product is not supported.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-4804

Publication date:
03/07/2026
The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, and zakra_menu_item_active_color) with 'show_in_rest' => true and 'auth_callback' => '__return_true', but without any sanitize_callback parameter in the register_post_meta() calls. While the classic editor save path applies sanitize_hex_color() sanitization, the REST API path completely bypasses this protection. The unsanitized meta values are then retrieved via get_post_meta() and concatenated directly into CSS strings that are output through wp_add_inline_style() without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-9756

Publication date:
03/07/2026
The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Headline Block 'linkMetaFieldType' Dynamic Link Attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A contributor-level attacker can store a JavaScript payload in their own profile description (allowlisted by get_safe_user_meta_keys()) and prepend 'javascript:' via the linkMetaFieldType attribute, creating a fully attacker-controlled href that executes when any user, including an administrator, clicks the rendered headline link.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026