Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-42100

Publication date:
19/05/2026
Improper Handling of Syntactically Invalid Structure in Sparx Pro Cloud Server allows Denial of Service (DoS) attack to be executed by sending an specially crafted SQL query. This causes the Pro Cloud Server service to terminate unexpectedly. <br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity CVSS v4.0: HIGH
Last modification:
02/06/2026

CVE-2026-43633

Publication date:
19/05/2026
HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled.
Severity CVSS v4.0: CRITICAL
Last modification:
14/07/2026

CVE-2026-42098

Publication date:
19/05/2026
Sparx Enterprise Architect software has a security feature that limits user&amp;#39;s actions to those specified in the role. An authenticated attacker can modify the Enterprise Architect client behavior (e.g. using a debugger) and log in as any other user or administrator - then it is possible to do every possible change to the repository.<br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only version 17.1 and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity CVSS v4.0: HIGH
Last modification:
19/05/2026

CVE-2026-42096

Publication date:
19/05/2026
Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database. Due to lack of permission checks, any low privileged user can run arbitrary SQL queries within database user context.<br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity CVSS v4.0: HIGH
Last modification:
02/06/2026

CVE-2026-42097

Publication date:
19/05/2026
Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST request allowing SQL query execution without authentication.<br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity CVSS v4.0: CRITICAL
Last modification:
02/06/2026

CVE-2026-42099

Publication date:
19/05/2026
Sparx Pro Cloud Server is vulnerable to a Race Condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed by guid parameter and saves loaded content in current location (__DIR__) under the specified name. An attacker with repository access can control both the filename and file contents, allowing the creation of a malicious PHP file in a current directory. Although the file is deleted after processing, a race condition exists: if the response transmission is delayed (e.g., via a large file or slow client connection), the file remains accessible. During this window, the attacker can issue a second request to execute the malicious PHP file, resulting in remote code execution.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity CVSS v4.0: HIGH
Last modification:
02/06/2026

CVE-2026-23558

Publication date:
19/05/2026
The adjustments made for XSA-379 as well as those subsequently becoming<br /> XSA-387 still left a race window, when a HVM or PVH guest does a grant<br /> table version change from v2 to v1 in parallel with mapping the status<br /> page(s) via XENMEM_add_to_physmap. Some of the status pages may then be<br /> freed while mappings of them would still be inserted into the guest&amp;#39;s<br /> secondary (P2M) page tables.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2026

CVE-2026-23557

Publication date:
19/05/2026
Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES<br /> command within a transaction due to an assert() triggering.<br /> <br /> In case xenstored was built with NDEBUG #defined nothing bad will<br /> happen, as assert() is doing nothing in this case. Note that the<br /> default is not to define NDEBUG for xenstored builds even in release<br /> builds of Xen.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2026

CVE-2025-40903

Publication date:
19/05/2026
A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious restore schedule containing HTML tags. When a victim views the affected schedule, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Severity CVSS v4.0: MEDIUM
Last modification:
09/06/2026

CVE-2025-40904

Publication date:
19/05/2026
A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views the affected remote strategy in the Smart Polling functionality, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Severity CVSS v4.0: MEDIUM
Last modification:
09/06/2026

CVE-2025-14575

Publication date:
19/05/2026
An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS backend of Qt Network (qtbase) in Qt Qt Framework (Unix) allows a local attacker to load a rogue CA certificate as a trusted system authority via a crafted certificate file placed in the application&amp;#39;s working directory.
Severity CVSS v4.0: LOW
Last modification:
19/05/2026

CVE-2025-40900

Publication date:
19/05/2026
An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Severity CVSS v4.0: MEDIUM
Last modification:
09/06/2026