Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-22035
Publication date:
08/01/2026
Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below arvulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2026-21859
Publication date:
08/01/2026
Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2026-21869
Publication date:
08/01/2026
llama.cpp is an inference of several LLM models in C/C++. In commits 55d4206c8 and prior, the n_discard parameter is parsed directly from JSON input in the llama.cpp server's completion endpoints without validation to ensure it's non-negative. When a negative value is supplied and the context fills up, llama_memory_seq_rm/add receives a reversed range and negative offset, causing out-of-bounds memory writes in the token evaluation loop. This deterministic memory corruption can crash the process or enable remote code execution (RCE). There is no fix at the time of publication.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2026-21875
Publication date:
08/01/2026
ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a channel. When adding a comment within a channel, there is a POST request to the /actions/ajax.php endpoint. The obj_id parameter within the POST request to /actions/ajax.php is then used within the user_exists function of the upload/includes/classes/user.class. php file as the $id parameter. It is then used within the count function of the upload/includes/classes/db.class. php file. The $id parameter is concatenated into the query without validation or sanitization, and a user-supplied input like 1' or 1=1-- - can be used to trigger the injection. This issue does not have a fix at the time of publication.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2019-25291
Publication date:
08/01/2026
INIM Electronics Smartliving SmartLAN/G/SI
Severity CVSS v4.0: CRITICAL
Last modification:
08/01/2026

CVE-2025-15346
Publication date:
08/01/2026
A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced. <br /> <br /> Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided. <br /> <br /> This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake. <br /> <br /> The issue affects versions up to and including 5.8.2.
Severity CVSS v4.0: CRITICAL
Last modification:
08/01/2026

CVE-2026-21694
Publication date:
08/01/2026
Titra is open source project time tracking software. Versions 0.99.49 and below have Improper Access Control, allowing users to view and edit other users&amp;#39; time entries in private projects they have not been granted access to. This issue is fixed in version 0.99.50.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2026-21695
Publication date:
08/01/2026
Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint uses the JavaScript spread operator (...customfields) to merge user-controlled input directly into the database document. While customfields is validated as an Object type, there is no validation of which keys are permitted inside that object. This allows attackers to overwrite protected fields such as userId, hours, and state. The issue is fixed in version 0.99.50.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2026-21858
Publication date:
08/01/2026
n8n is an open source workflow automation platform. Versions below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2019-25279
Publication date:
08/01/2026
FaceSentry Access Control System 6.4.8 contains a cleartext password storage vulnerability that allows attackers to access unencrypted credentials in the device&amp;#39;s SQLite database. Attackers can directly read sensitive login information stored in /faceGuard/database/FaceSentryWeb.sqlite without additional authentication.
Severity CVSS v4.0: MEDIUM
Last modification:
08/01/2026

CVE-2019-25280
Publication date:
08/01/2026
Yahei-PHP Prober 0.4.7 contains a remote HTML injection vulnerability that allows attackers to execute arbitrary HTML code through the &amp;#39;speed&amp;#39; GET parameter. Attackers can inject malicious HTML code in the &amp;#39;speed&amp;#39; parameter of prober.php to trigger cross-site scripting in user browser sessions.
Severity CVSS v4.0: MEDIUM
Last modification:
08/01/2026

CVE-2019-25282
Publication date:
08/01/2026
V-SOL GPON/EPON OLT Platform v2.03 contains an open redirect vulnerability in the script that allows attackers to manipulate the &amp;#39;parent&amp;#39; GET parameter. Attackers can craft malicious links that redirect logged-in users to arbitrary websites by exploiting improper input validation in the redirect mechanism.
Severity CVSS v4.0: MEDIUM
Last modification:
08/01/2026
Subscribe to Vulnerabilities