Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-24851
Publication date:
06/02/2026
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22
Severity CVSS v4.0: MEDIUM
Last modification:
06/02/2026

CVE-2026-24903
Publication date:
06/02/2026
OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaScript code in victims' browsers through malicious research topic inputs.
Severity CVSS v4.0: MEDIUM
Last modification:
06/02/2026

CVE-2026-24419
Publication date:
06/02/2026
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from the id_documenti GET parameter are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.
Severity CVSS v4.0: HIGH
Last modification:
06/02/2026

CVE-2026-24135
Publication date:
06/02/2026
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Severity CVSS v4.0: HIGH
Last modification:
06/02/2026

CVE-2026-1769
Publication date:
06/02/2026
Improper Neutralization of Input During Web Page Generation (XSS or &amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Xerox CentreWare on Windows allows Stored XSS.This issue affects CentreWare: through 7.0.6. <br /> <br /> Consider <br /> upgrading Xerox® CentreWare Web® to v7.2.2.25 via the software available on Xerox.com
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2026

CVE-2026-23632
Publication date:
06/02/2026
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2026

CVE-2026-23633
Publication date:
06/02/2026
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2026

CVE-2026-22592
Publication date:
06/02/2026
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2026

CVE-2025-64175
Publication date:
06/02/2026
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it&amp;#39;s enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Severity CVSS v4.0: HIGH
Last modification:
06/02/2026

CVE-2025-70963
Publication date:
06/02/2026
Gophish
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2026

CVE-2026-2059
Publication date:
06/02/2026
A vulnerability has been found in SourceCodester Medical Center Portal Management System 1.0. Affected is an unknown function of the file /emp_edit1.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
06/02/2026

CVE-2026-2103
Publication date:
06/02/2026
Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with access to the application binary and database can decrypt all stored credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2026
Subscribe to Vulnerabilities