Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-11579

Publication date:
15/07/2026
The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not verify that a file upload is made against an existing form configured with a file-upload field, accepting uploads regardless of whether any such form exists, which allows unauthenticated users to upload files to the WordPress Media Library; the uploads are limited to WordPress's default-allowed MIME types, so this does not lead to code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-8919

Publication date:
15/07/2026
Permissive Cross-domain Security Policy with Untrusted Domains in ASUS GameSDK allows a remote user to obtain a local user’s NTLM hash by convincing the user to visit a crafted web page that sends a request containing a UNC path to the application’s local service endpoint. This can result in information disclosure or data tampering, may cause GameSDK to become unavailable, and may also enable access to the victim’s information on other services.<br /> Refer to the &amp;#39; Security Update for ASUS GameSDK  &amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-8920

Publication date:
15/07/2026
Improper Restriction of Communication Channel to Intended Endpoints and External Control of File Name or Path in Aura Wallpaper Service allow a local user to perform file operations by sending crafted commands containing an arbitrary file path and bypassing the service’s path restrictions . On specific models , this can also cause a single feature to become unavailable .<br /> Refer to the &amp;#39; Security Update for Aura Wallpaper Service &amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-15029

Publication date:
15/07/2026
Untrusted Pointer Dereference in ASUS System Control Interface v3, ASUS System Control Interface, and ASUS Business Manager allows a local administrator to perform arbitrary physical memory read and write operations via crafted IOCTL requests to the driver, bypassing OS-enforced memory protections.<br /> Refer to the &amp;#39; <br /> Security Update for ASUS System Control Interface  &amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-15030

Publication date:
15/07/2026
Out-of-bounds Read in ASUS System Control Interface v3, ASUS System Control Interface, and ASUS Business Manager allows a local administrator to read memory regions beyond the intended firmware boundary by supplying a crafted IOCTL request that bypasses the validation.<br /> Refer to the &amp;#39; Security Update for ASUS System Control Interface  &amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: MEDIUM
Last modification:
15/07/2026

CVE-2026-13385

Publication date:
15/07/2026
An Improper Validation of Integrity Check Value and Improper Certificate Validation in certain ASUS router models allows a remote man-in-the-middle(MITM) user to make the router download and execute arbitrary command via a spoofed server.<br /> Refer to the &amp;#39; <br /> Security Update for ASUS Router Firmware  &amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: CRITICAL
Last modification:
15/07/2026

CVE-2026-13585

Publication date:
15/07/2026
Allocation of Resources Without Limits and Throttling and Sensitive Information in Resource Not Removed Before Reuse in the ASUS System Control Interface driver and ASUS Business Manager allow a local administrator to disclose sensitive information via crafted IOCTL requests, which, in severe cases, may lead to a Denial of Service (DoS) on the system.<br /> Refer to the &amp;#39; <br /> Security Update for ASUS System Control Interface  &amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-11851

Publication date:
15/07/2026
Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") in the web management interface of certain ASUS router models allows a remote authenticated user to disclose confidential information via a crafted request that bypasses existing input validation<br /> Refer to the &amp;#39; <br /> Security Update for ASUS Router Firmware &amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: MEDIUM
Last modification:
15/07/2026

CVE-2026-9770

Publication date:
15/07/2026
Kasa EC71 v4 and EC70 v4 firmware contains a static cryptographic private key stored in a read-only filesystem<br /> that is shared across devices.  An<br /> attacker with access to the firmware image can extract the embedded key.  <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> Successful<br /> exploitation may allow an unauthenticated attacker on the same network to use<br /> this key in the web management service, compromising the confidentiality of<br /> encrypted communications. This may enable passive decryption of traffic or<br /> active man-in-the-middle (MITM) attacks
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-13230

Publication date:
15/07/2026
An information disclosure vulnerability was identified in TP-Link Kasa EC70 v4 and EC71 v4 in the local discovery mechanism, which exposes<br /> sensitive geolocation information without requiring authentication. This issue<br /> allows an attacker on the same local network to retrieve geolocation-related<br /> data through crafted responses.<br /> <br /> The<br /> vulnerability impacts confidentiality only, with no evidence of integrity of<br /> availability impact.
Severity CVSS v4.0: MEDIUM
Last modification:
15/07/2026

CVE-2026-5269

Publication date:
14/07/2026
In Ciena&amp;#39;s Navigator Network Control Suite (NCS) and Manage Control Plan (MCP), there are hidden system accounts used for internal software operations. Some of these accounts have default passwords that may be predictable. While these accounts have very limited permissions on their own, an attacker could combine an attack using one of these accounts with other potential weaknesses to launch a more significant attack, possibly leading to escalation of privilege on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-5270

Publication date:
14/07/2026
An authentication bypass vulnerability exists in certain releases of Ciena Navigator Network Control Suite (NCS), Manage Control Plan (MCP), and Blue Planet products. The issue is caused by improper handling of HTTP request paths and headers, which allows an unauthenticated attacker to manipulate requests in a manner that bypasses authentication and associated audit logging controls.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026