Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can find the latest vulnerabilities.

CVE-2026-30530

Publication date:
27/03/2026
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_customer action). The application fails to properly sanitize user input supplied to the "username" parameter. This allows an attacker to inject malicious SQL commands.
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026

CVE-2023-7340

Publication date:
27/03/2026
Wazuh authd contains a heap-buffer overflow vulnerability that allows attackers to cause memory corruption and malformed heap data by sending specially crafted input. Attackers can exploit this vulnerability to trigger a denial of service condition, resulting in low availability impact to the authentication daemon.
Severity CVSS v4.0: MEDIUM
Last modification:
31/03/2026

CVE-2026-5010

Publication date:
27/03/2026
A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser by sending them a malicious URL using the endpoint “/user.php/”. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on the user’s behalf.
Severity CVSS v4.0: MEDIUM
Last modification:
19/05/2026

CVE-2026-5022

Publication date:
27/03/2026
The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing (or guessing) the flow ID and file name.
Severity CVSS v4.0: MEDIUM
Last modification:
20/04/2026

CVE-2026-5025

Publication date:
27/03/2026
The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic authentication ('get_current_active_user') without any privilege checks (e.g., 'is_superuser').
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2026

CVE-2026-5026

Publication date:
27/03/2026
The '/api/v1/files/images/{flow_id}/{file_name}' endpoint serves SVG files with the 'image/svg+xml' content type without sanitizing their content.

Since SVG files can contain embedded JavaScript, an attacker can upload a malicious SVG that executes arbitrary JavaScript when viewed by other users, leading to stored cross-site scripting (XSS). This allows stealing authentication tokens stored in cookies, including JWT access and refresh tokens.
Severity CVSS v4.0: HIGH
Last modification:
20/04/2026

CVE-2026-5027

Publication date:
27/03/2026
The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026

CVE-2026-4955

Publication date:
27/03/2026
A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. This impacts an unknown function of the file /OperateStatistic.do. The manipulation of the argument VehicleID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026

CVE-2026-4956

Publication date:
27/03/2026
A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. The affected element is an unknown function of the file /DevicePrint.do?Action=ReadTask of the component Parameter Handler. The manipulation of the argument State results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026

CVE-2026-4957

Publication date:
27/03/2026
A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.handle_tool_call of the file XAgent/function_handler.py of the component API Key Handler. This manipulation of the argument api_key causes sensitive information in log files. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-4984

Publication date:
27/03/2026
The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'.

When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization' header.

An attacker can forge a webhook payload pointing to their own server and receive the victim's 'accountSID' and 'authToken' in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account.
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2026

CVE-2026-4980

Publication date:
27/03/2026
A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2026