Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-22095

Publication date:
13/07/2026
The network diagnosis endpoint on the web server at port 8090 is vulnerable to command injection.
Severity CVSS v4.0: CRITICAL
Last modification:
13/07/2026

CVE-2026-22096

Publication date:
13/07/2026
The webserver running on port 8090 does not require authentication. This allows for sensitive information leakage such as configured passwords, or uploading files through different endpoints.
Severity CVSS v4.0: CRITICAL
Last modification:
13/07/2026

CVE-2026-22097

Publication date:
13/07/2026
The firmware update mechanism does not include cryptographic signature validation. This allows anyone with access to the firmware update capability to upload arbitrary files which can then lead to arbitrary code execution.
Severity CVSS v4.0: CRITICAL
Last modification:
13/07/2026

CVE-2026-22098

Publication date:
13/07/2026
Various sensitive information such as passwords and charging card UIDs are written to log files.
Severity CVSS v4.0: CRITICAL
Last modification:
13/07/2026

CVE-2026-22099

Publication date:
13/07/2026
The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a firmware update URL.
Severity CVSS v4.0: HIGH
Last modification:
13/07/2026

CVE-2026-22100

Publication date:
13/07/2026
The OCPP DataTransfer message `ReserveLogin` is vulnerable to command injection. By manipulating the data value, arbitrary OS commands can be executed as root.
Severity CVSS v4.0: HIGH
Last modification:
13/07/2026

CVE-2026-22102

Publication date:
13/07/2026
A POST request sent to a specific webserver endpoint can be used to write to arbitrary file locations. The endpoint accepts the filename parameter in the Content-Disposition header without verification.<br /> This can be used to cause a denial of service by overwriting system files, or remote-code-execution by overwriting shell-scripts which execution can be triggered through other means.
Severity CVSS v4.0: CRITICAL
Last modification:
13/07/2026

CVE-2026-22103

Publication date:
13/07/2026
The NPC start endpoint on the web server at port 8090 is vulnerable to command injection.
Severity CVSS v4.0: CRITICAL
Last modification:
13/07/2026

CVE-2026-15548

Publication date:
13/07/2026
A security vulnerability has been detected in Shibby Tomato up to 1.28.0000. This vulnerability affects the function sub_407220 of the file /usr/sbin/httpd of the component DNS List Rendering. The manipulation leads to stack-based buffer overflow. The attack is possible to be carried out remotely. This project is superseded by FreshTomato.
Severity CVSS v4.0: HIGH
Last modification:
13/07/2026

CVE-2026-22093

Publication date:
13/07/2026
The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations.<br /> <br /> <br /> <br /> <br /> <br /> This issue affects EVbee Service: v1.4.101.00.
Severity CVSS v4.0: CRITICAL
Last modification:
13/07/2026

CVE-2026-14846

Publication date:
13/07/2026
In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the ‘Get my data in CSV’ tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victim’s personal data.
Severity CVSS v4.0: MEDIUM
Last modification:
13/07/2026

CVE-2026-15557

Publication date:
13/07/2026
A weakness has been identified in waooAI waoowaoo up to 0.4.1. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAuthLight in the library src/lib/api-auth.ts of the component Internal Task Header Handler. This manipulation of the argument x-internal-user-id request causes improper authentication. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: MEDIUM
Last modification:
13/07/2026