Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-39941
Publication date:
09/04/2026
ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via a the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript execution in victims' browsers. This vulnerability is fixed in 7.1.0.
Severity CVSS v4.0: MEDIUM
Last modification:
14/04/2026

CVE-2026-39398
Publication date:
09/04/2026
Rejected reason: The affected product and advisory are not public.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026

CVE-2026-35041
Publication date:
09/04/2026
fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-35040
Publication date:
09/04/2026
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2026-35204
Publication date:
09/04/2026
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators ie. "/../". This vulnerability is fixed in 4.1.4.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026

CVE-2026-35205
Publication date:
09/04/2026
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026

CVE-2026-34020
Publication date:
09/04/2026
Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.<br /> <br /> The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact<br /> <br /> <br /> This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.<br /> <br /> Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-33266
Publication date:
09/04/2026
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.<br /> <br /> The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn&amp;#39;t changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.<br /> <br /> <br /> This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.<br /> <br /> Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-33005
Publication date:
09/04/2026
Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings.<br /> <br /> Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID (metadata only NOT contents). Metadata includes id, type, name and some other field. Full list of fields get be checked at FileItemDTO object.<br /> <br /> This issue affects Apache OpenMeetings: from 3.10 before 9.0.0.<br /> <br /> Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-15480
Publication date:
09/04/2026
In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user&amp;#39;s password hash in the attached logs.
Severity CVSS v4.0: LOW
Last modification:
13/04/2026

CVE-2025-70365
Publication date:
09/04/2026
A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2025-70364
Publication date:
09/04/2026
An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026
Subscribe to Vulnerabilities