Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-57267

Publication date:
02/07/2026
GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.<br /> <br /> The Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.<br /> <br /> <br /> <br /> #### snapshot command index-out-of-bound
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2026

CVE-2026-57268

Publication date:
02/07/2026
GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.<br /> <br /> The Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.<br /> <br /> <br /> ### saveVideo command index-out-of-bound<br /> <br /> When sending the `saveVideo` command, the `index` field is extracted from the websocket message [1]. Then without checking the range of the index, it is used to trigger a CriticalSection ([2]) and releases it [3]. The release function call ([3]) is executed using a function pointer which will be read out of bounds potentially leading to code execution:<br /> <br /> <br /> <br /> <br /> <br /> v6 = get_entry(a2, "index");<br /> <br /> result = json_is_value_int(v6);<br /> <br /> if ( (_BYTE)result )<br /> <br /> {<br /> <br /> v8 = get_entry(a2, "index");<br /> <br /> index = json_value_to_int(&amp;v8-&gt;value); // [1]<br /> <br /> result = CCriticalSection::EnterCritSection(&amp;this-&gt;crit_sections[index]); //[2]<br /> <br /> if ( result )<br /> <br /> {<br /> <br /> if ( this-&gt;array_of_IPCams[index] )<br /> <br /> {<br /> <br /> if ( this-&gt;array_of_IPCams[index]-&gt;field_20 )<br /> <br /> do_PostMessageA((CViewer *)this-&gt;array_of_IPCams[index], 0x111u, 0x139Fu, v11);<br /> <br /> }<br /> <br /> return (*(int (__thiscall **)(CCriticalSection *))(this-&gt;crit_sections[index].vtbl + 20))(&amp;this-&gt;crit_sections[index]); //[3]<br /> <br /> }<br /> <br /> }
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2026

CVE-2026-57269

Publication date:
02/07/2026
GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.<br /> <br /> The Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.<br /> <br /> <br /> <br /> #### disconnect command index-out-of-bound
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2026

CVE-2026-13131

Publication date:
02/07/2026
GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.<br /> <br /> The Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.<br /> <br /> <br /> #### connectInfo command index-out-of-bound
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2026

CVE-2026-13132

Publication date:
02/07/2026
GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.<br /> <br /> The Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.<br /> <br /> <br /> <br /> #### setStream command index-out-of-bound
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2026

CVE-2026-57264

Publication date:
02/07/2026
GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.<br /> <br /> The Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.<br /> <br /> <br /> <br /> #### setPIP command index-out-of-bound
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2026

CVE-2026-57265

Publication date:
02/07/2026
GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.<br /> <br /> The Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.<br /> <br /> <br /> #### audio command index-out-of-bound
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2026

CVE-2026-13125

Publication date:
02/07/2026
GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.<br /> <br /> In order to access the websocket server, no authentication is required. As such, any malicious website can attempt to open a connection to the server and potentially access sensitive APIs. In particular, it&amp;#39;s possible to call a combination of the `create` method and `getScreenCapture` to retrieve the content of the user&amp;#39;s screen.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2026

CVE-2026-55794

Publication date:
02/07/2026
Craft CMS is a content management system (CMS). In versions 5.9.0 and above prior to 5.10.0, control panel users with the ability to edit entries can execute unsandboxed Twig code via the HTTP Referrer header, potentially leading to authenticated RCE. The issue happens when a user is saving entries. Strings for a signed redirect URL are being compiled as a Twig template via renderObjectTemplate(), and while a sandboxed alternative already exists (renderSandboxedObjectTemplate()), it is not used in this case. This signed URL can be specified by users, as it is reflected in the “Referer” HTTP request header, which is under attacker control. This issue has been fixed in version 5.10.0.
Severity CVSS v4.0: HIGH
Last modification:
02/07/2026

CVE-2026-50279

Publication date:
02/07/2026
Craft CMS is a content management system (CMS). IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current user is one of the old authors. Because the controller does not re-run authorization after mutating the author list, a low-privileged user can reassign an entry’s authorship to another user without holding the dedicated peer-author-change permission. This issue has been fixed in version 5.9.21.
Severity CVSS v4.0: HIGH
Last modification:
02/07/2026

CVE-2026-55792

Publication date:
02/07/2026
Craft CMS is a content management system (CMS). In versions starting from 4.0.0-RC1 and prior to 4.18.0, and 5.0.0-RC1 and above, prior to 5.10.0, the dataUrl() Twig function is included in Craft’s Twig sandbox allowlist, allowing any control panel user granted the utility:system-messages permission to embed a file-reading payload into system email templates. When those emails are sent, the server reads the target file and returns its contents as a base64-encoded data URL embedded in the email body. The .env file, which typically contains the database password, CRAFT_SECURITY_KEY, and third-party API keys, passes all of Craft’s existing dataUrl() protection checks and is fully exfiltrated. Obtaining CRAFT_SECURITY_KEY enables an attacker to forge session tokens and escalate to full admin account takeover. This issue has been fixed in versions 4.18.0 and 5.10.0.
Severity CVSS v4.0: MEDIUM
Last modification:
02/07/2026

CVE-2026-50280

Publication date:
02/07/2026
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section-&gt;uid rather than requiring saveEntries permission (the source entry is separately checked via Entry::canMove()). As a result, a low-privileged authenticated control-panel user who can move an entry out of its current section can call moveEntryToSection() to rewrite the entry&amp;#39;s sectionId and save it into a section where they have read access but no write access. This breaks the section-level authorization model, letting a user with limited permissions inject content into a protected section and interfere with editorial boundaries, approval workflows, and section-specific business logic. This issue has been fixed in version 5.9.21.
Severity CVSS v4.0: MEDIUM
Last modification:
02/07/2026