Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-41250

Publication date:
11/05/2026
Taiga is a project management platform for startups and agile developers. Prior to 6.9.1, Taiga front is vulnerable to stored XSS. This vulnerability is fixed in 6.9.1.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-38569

Publication date:
11/05/2026
HireFlow v1.2 is vulnerable to Cross Site Scripting (XSS) in candidate_detail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-41256

Publication date:
11/05/2026
jq is a command-line JSON processor. In 1.8.1 and earlier, top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and an arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.
Severity CVSS v4.0: Pending analysis
Last modification:
11/05/2026

CVE-2026-3048

Publication date:
11/05/2026
An authenticated administrator who configures or tests LDAP connectivity in Sonatype Nexus Repository Manager versions 3.0.0 through 3.91.1 may be able to initiate unintended server-side connections when interacting with a malicious LDAP server.
Severity CVSS v4.0: MEDIUM
Last modification:
11/05/2026

CVE-2026-40612

Publication date:
11/05/2026
jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.
Severity CVSS v4.0: MEDIUM
Last modification:
11/05/2026

CVE-2026-3609

Publication date:
11/05/2026
Wellbia's XIGNCODE3 xhunter1.sys kernel driver Privilege Escalation Vulnerability provides access to IRP_MJ_REITS command interface, which allows any user process to request a PROCESS_ALL_ACCESS. Cross reference to KVE 2023-5589 (https://krcert.or.kr)
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-34095

Publication date:
11/05/2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Severity CVSS v4.0: NONE
Last modification:
12/05/2026

CVE-2026-38568

Publication date:
11/05/2026
HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/ and /interview/ endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authorized role. Any authenticated user can access any other user's candidate profiles and interview notes by iterating the integer ID in the URL path, constituting a horizontal privilege escalation and full data breach of all records in the system.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-38566

Publication date:
11/05/2026
HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms (password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add) are vulnerable to CSRF. An attacker who can trick an authenticated user into visiting a malicious page can silently change the victim's password, delete records, or inject arbitrary data on their behalf. The SESSION_COOKIE_SAMESITE attribute is also not configured, removing the browser-level CSRF defense.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-38567

Publication date:
11/05/2026
HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker can bypass authentication by supplying a crafted username (e.g. admin'--) or extract the full contents of the database including user credentials via UNION-based injection at the /search endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-34094

Publication date:
11/05/2026
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Page/Article.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Severity CVSS v4.0: LOW
Last modification:
12/05/2026

CVE-2026-36983

Publication date:
11/05/2026
D-Link DCS-932L v2.18.01 is vulnerable to Command Injection in the function sub_42EF14 of the file /bin/alphapd. The manipulation of the argument LightSensorControl leads to command injection.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026