Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-8063
Publication date:
07/05/2026
An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view.<br /> <br /> When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage’s input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server.<br /> <br /> This issue affects MongoDB Server 8.2 versions prior to 8.2.7.
Severity CVSS v4.0: HIGH
Last modification:
07/05/2026

CVE-2026-41641
Publication date:
07/05/2026
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2026-41143
Publication date:
07/05/2026
YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data[&amp;#39;id_fiche&amp;#39;] value (sourced from $_POST[&amp;#39;id_fiche&amp;#39;]) is concatenated directly into a raw SQL query without any sanitization or parameterization. This issue has been patched in version 4.6.1.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2026-41586
Publication date:
07/05/2026
Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.
Severity CVSS v4.0: CRITICAL
Last modification:
07/05/2026

CVE-2026-41413
Publication date:
07/05/2026
Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhost or link local ips. This can result in sensitive data being distributed to Envoy proxies via xDS configuration. This issue has been patched in versions 1.28.6 and 1.29.2.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2026

CVE-2026-41139
Publication date:
07/05/2026
Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2026

CVE-2026-6214
Publication date:
07/05/2026
The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_export_schedule() function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration, unlike the parallel listen_for_csv_export() function which correctly verifies user permissions. This makes it possible for authenticated attackers with subscriber-level access to configure a scheduled export job that emails all form submissions to an attacker-controlled email address, resulting in sensitive data exfiltration.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2026-44603
Publication date:
07/05/2026
Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2026-44602
Publication date:
07/05/2026
Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2026

CVE-2026-44601
Publication date:
07/05/2026
Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2026

CVE-2026-42194
Publication date:
07/05/2026
Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio&amp;#39;s fetch_metadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init(), leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs. This issue has been patched in version 5.0.9.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2026-42216
Publication date:
07/05/2026
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
Severity CVSS v4.0: HIGH
Last modification:
08/05/2026
Subscribe to Vulnerabilities