Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – under which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-14031

Publication date:
31/03/2026
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 that could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2024-14030

Publication date:
31/03/2026
Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard library. Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 that could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2026-4400

Publication date:
31/03/2026
Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users to be viewed by simply changing the conversation ID. The vulnerability is present in the endpoint 'api.1millionbot.com/api/public/conversations/' and, if exploited, could allow a remote attacker to access other users' private chatbot conversations, revealing sensitive or confidential data without requiring credentials or impersonating users. In order for the vulnerability to be exploited, the attacker must have the user's conversation ID.
Severity CVSS v4.0: HIGH
Last modification:
14/04/2026

CVE-2026-4399

Publication date:
31/03/2026
Prompt injection vulnerability in 1millionbot Millie chatbot that occurs when a user manages to evade chat restrictions using Boolean prompt injection techniques (formulating a question in such a way that, upon receiving an affirmative response ('true'), the model executes the injected instruction), causing it to return prohibited information and information outside its intended context. Successful exploitation of this vulnerability could allow a malicious remote attacker to abuse the service for purposes other than those originally intended, or even execute out-of-context tasks using 1millionbot's resources and/or OpenAI's API key. This allows the attacker to evade the containment mechanisms implemented during LLM model training and obtain responses or chat behaviors that were originally restricted.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026

CVE-2026-34887

Publication date:
31/03/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Kubio AI Page Builder allows Stored XSS. This issue affects Kubio AI Page Builder: from n/a through 2.7.0.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2025-15618

Publication date:
31/03/2026
Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl use an insecure secret key. Business::OnlinePayment::StoredTransaction generates a secret key by using an MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use. This key is intended for encrypting credit card transaction data.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2026-5197

Publication date:
31/03/2026
A vulnerability was found in code-projects Student Membership System 1.0. The affected element is an unknown function of the file /delete_user.php. The manipulation of the argument ID results in SQL injection. The attack may be launched remotely. The exploit has been made public and could be used.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-4317

Publication date:
31/03/2026
SQL injection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database. Specifically, they could manipulate the value of the 'timezone' request parameter by including malicious characters and SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as 'prisma.rawQuery', 'prisma.$queryRawUnsafe' or raw queries with 'ClickHouse'). The successful exploitation of this vulnerability could allow an authenticated attacker to compromise the data of the database and execute dangerous functions.
Severity CVSS v4.0: CRITICAL
Last modification:
19/05/2026

CVE-2026-5195

Publication date:
31/03/2026
A flaw has been found in code-projects Student Membership System 1.0. This issue affects some unknown processing of the component User Registration Handler. Executing a manipulation can lead to SQL injection. The attack can be launched remotely.
Severity CVSS v4.0: MEDIUM
Last modification:
24/04/2026

CVE-2026-5196

Publication date:
31/03/2026
A vulnerability has been found in code-projects Student Membership System 1.0. Impacted is an unknown function of the file /delete_member.php. The manipulation of the argument ID leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-5201

Publication date:
31/03/2026
A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a specially crafted JPEG image. A remote attacker can exploit this flaw without user interaction, for example, via thumbnail generation. Successful exploitation leads to application crashes and denial of service (DoS) conditions.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2025-41355

Publication date:
31/03/2026
Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. It affects 'port' and 'proxyPort' parameters in '/anon.php' endpoint.
Severity CVSS v4.0: MEDIUM
Last modification:
07/04/2026