Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-2332
Publication date:
14/04/2026
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:<br /> * https://w4ke.info/2025/06/18/funky-chunks.html<br /> <br /> * https://w4ke.info/2025/10/29/funky-chunks-2.html<br /> <br /> <br /> Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.<br /> <br /> <br /> POST / HTTP/1.1<br /> Host: localhost<br /> Transfer-Encoding: chunked<br /> <br /> 1;ext="val<br /> X<br /> 0<br /> <br /> GET /smuggled HTTP/1.1<br /> ...<br /> <br /> <br /> <br /> <br /> <br /> Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-2449
Publication date:
14/04/2026
Improper neutralization of argument delimiters in a command (&amp;#39;argument injection&amp;#39;) vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution.This issue affects upKeeper Instant Privilege Access: through 1.5.0.
Severity CVSS v4.0: CRITICAL
Last modification:
14/04/2026

CVE-2026-24069
Publication date:
14/04/2026
Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509.4.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2025-13822
Publication date:
14/04/2026
MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges.
Severity CVSS v4.0: MEDIUM
Last modification:
14/04/2026

CVE-2026-33892
Publication date:
14/04/2026
A vulnerability has been identified in Industrial Edge Management Pro V1 (All versions &gt;= V1.7.6 = V2.0.0 = V2.2.0
Severity CVSS v4.0: MEDIUM
Last modification:
14/04/2026

CVE-2026-33929
Publication date:
14/04/2026
Improper Limitation of a Pathname to a Restricted Directory (&amp;#39;Path Traversal&amp;#39;) vulnerability in Apache PDFBox Examples.<br /> <br /> This issue affects the <br /> ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.<br /> <br /> <br /> Users are recommended to update to version 2.0.37 or 3.0.8 once <br /> available. Until then, they should apply the fix provided in GitHub PR <br /> 427.<br /> <br /> The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn&amp;#39;t consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF".<br /> <br /> Users who have copied this example into their production code should apply the mentioned change. The example <br /> has been changed accordingly and is available in the project repository.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-4109
Publication date:
14/04/2026
The Eventin – Events Calendar, Event Booking, Ticket &amp; Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-25654
Publication date:
14/04/2026
A vulnerability has been identified in SINEC NMS (All versions
Severity CVSS v4.0: HIGH
Last modification:
14/04/2026

CVE-2026-27668
Publication date:
14/04/2026
A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) (All versions
Severity CVSS v4.0: HIGH
Last modification:
14/04/2026

CVE-2026-31908
Publication date:
14/04/2026
Header injection vulnerability in Apache APISIX.<br /> <br /> The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers.<br /> This issue affects Apache APISIX: from 2.12.0 through 3.15.0.<br /> <br /> Users are recommended to upgrade to version 3.16.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-31924
Publication date:
14/04/2026
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.<br /> <br /> tencent-cloud-cls log export uses plaintext HTTP<br /> This issue affects Apache APISIX: from 2.99.0 through 3.15.0.<br /> <br /> Users are recommended to upgrade to version 3.16.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-31923
Publication date:
14/04/2026
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.<br /> <br /> This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default.<br /> This issue affects Apache APISIX: from 0.7 through 3.15.0.<br /> <br /> Users are recommended to upgrade to version 3.16.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026
Subscribe to Vulnerabilities