Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we provide a database, in Spanish, that includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 entries, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. Vulnerabilities are identified with the CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names, which supports the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-43290

Publication date:
26/05/2026
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to modify protected parts of the file system.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2026

CVE-2025-43306

Publication date:
26/05/2026
A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. A malicious app may be able to gain root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2026

CVE-2026-9580

Publication date:
26/05/2026
A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. Manipulation of this function results in improper access controls. Remote exploitation is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.9.2 is sufficient to fix this issue. It is suggested to upgrade the affected component.
Severity CVSS v4.0: MEDIUM
Last modification:
26/05/2026

CVE-2026-9581

Publication date:
26/05/2026
A vulnerability was identified in JeecgBoot up to 3.9.1. The impacted element is an unknown function of the file /sys/comment/add. Its manipulation leads to improper access controls. The attack can be executed remotely. The exploit is publicly available and might be used. Upgrading to version 3.9.2 is sufficient to resolve this issue. Upgrading the affected component is recommended.
Severity CVSS v4.0: LOW
Last modification:
26/05/2026

CVE-2026-9582

Publication date:
26/05/2026
A security flaw has been discovered in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. It affects an unknown function. Manipulation results in cross-site request forgery. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks.
Severity CVSS v4.0: LOW
Last modification:
26/05/2026

CVE-2026-9583

Publication date:
26/05/2026
A weakness has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. It impacts an unknown function of the file /index.php of the component SQL Handler. Manipulation can lead to information exposure through an error message. The attack may be performed remotely. The exploit has been made available to the public and could be used for attacks.
Severity CVSS v4.0: LOW
Last modification:
26/05/2026

CVE-2026-9642

Publication date:
26/05/2026
There is a mitigation bypass (incomplete fix) for CVE-2025-62582 (Unauthenticated Remote Database Access). An unauthenticated remote attacker can access configured databases in a DIAView project.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2026

CVE-2026-8676

Publication date:
26/05/2026
An attacker is able to downgrade the security of a Bluetooth LE connection by deleting an existing bond, spoofing the bonded device and creating a new bond.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2026

CVE-2026-9579

Publication date:
26/05/2026
A vulnerability was found in JeecgBoot up to 3.9.1. Impacted is the function user.getUsername of the file /sys/user/login/setting/userEdit of the component SysUser. The manipulation of the argument userIdentity results in improper access controls. The attack may be launched remotely. The exploit has been made public and could be used. Upgrading to version 3.9.2 is recommended to address this issue. The affected component should be upgraded.
Severity CVSS v4.0: LOW
Last modification:
26/05/2026

CVE-2026-47672

Publication date:
26/05/2026
epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. In 1.2.4 and earlier, any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured deployment (e.g., following the production Docker example in the README), this is exploitable from the local network without credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2026

CVE-2026-48592

Publication date:
26/05/2026
Missing Authorization vulnerability in oban-bg oban_web ('Elixir.Oban.Web.Jobs.DetailComponent' modules) allows unauthorized job worker substitution.
The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers, which all verify the caller's privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job's worker field with any other existing Oban.Worker module in the application. On the job's next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one.
This issue affects oban_web: from 2.12.0 before 2.12.5.
Severity CVSS v4.0: MEDIUM
Last modification:
26/05/2026
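The pattern behind CVE-2026-48592 is one mutating handler that skipped the privilege check its siblings perform. The added example below (Python, not oban_web's own code) puts a constructed VulnerableDashboard, which checks privileges inside cancel, delete and retry but not inside save-job, beside a HardenedDashboard that decides once at dispatch with a default-deny rule: any event not explicitly listed as read-only requires full access before its body runs. Job, User, can(), KNOWN_WORKERS, the worker names and the "read_only"/"all" strings are assumptions made for this illustration.

```python
"""Authorization at the dispatch boundary rather than inside each handler.

Added example (Python), not oban_web's own code. VulnerableDashboard copies the
shape described in CVE-2026-48592: cancel, delete and retry each call can()
themselves, while save-job forgot to. HardenedDashboard makes the decision
once, before any handler runs. Job, User, can(), KNOWN_WORKERS and the worker
names are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Job:
    id: int
    worker: str            # module that will run on the next execution attempt
    state: str = "available"


@dataclass
class User:
    name: str
    access: str            # "read_only" or "all" (stand-in for Oban.Web access levels)


class Forbidden(PermissionError):
    pass


# Workers registered in the application (constructed names).
KNOWN_WORKERS = {"MyApp.MailWorker", "MyApp.BillingWorker"}


def can(user: User, _action: str) -> bool:
    """Stand-in for a can?/2-style privilege check: only full access may mutate."""
    return user.access == "all"


class VulnerableDashboard:
    def __init__(self, jobs):
        self.jobs = {j.id: j for j in jobs}

    def handle_event(self, event: str, params: dict, user: User) -> Job:
        job = self.jobs[params["id"]]
        if event == "cancel":
            if not can(user, event):
                raise Forbidden(event)
            job.state = "cancelled"
        elif event == "delete":
            if not can(user, event):
                raise Forbidden(event)
            job.state = "deleted"
        elif event == "retry":
            if not can(user, event):
                raise Forbidden(event)
            job.state = "available"
        elif event == "save-job":
            # No privilege check here: the one handler that forgot is the whole bug.
            # Checking that the worker exists does not help; the attacker picks any
            # registered worker and it is invoked on the next execution attempt.
            worker = params["worker"]
            if worker not in KNOWN_WORKERS:
                raise ValueError(f"unknown worker {worker!r}")
            job.worker = worker
        elif event == "show-job":
            pass                                   # read-only view of the job
        else:
            raise KeyError(event)
        return job


class HardenedDashboard(VulnerableDashboard):
    # Allowlist of events that change nothing. Everything else, including
    # handlers added later, needs full access before its body is reached.
    READ_ONLY_EVENTS = frozenset({"show-job"})

    def handle_event(self, event: str, params: dict, user: User) -> Job:
        if event not in self.READ_ONLY_EVENTS and not can(user, event):
            raise Forbidden(event)
        return super().handle_event(event, params, user)


def attempt(dashboard, event: str, params: dict, user: User) -> str:
    """Run one event and report the outcome as 'ok', 'forbidden' or 'error'."""
    try:
        dashboard.handle_event(event, params, user)
        return "ok"
    except Forbidden:
        return "forbidden"
    except (KeyError, ValueError):
        return "error"


if __name__ == "__main__":
    viewer = User("viewer", "read_only")
    swap = {"id": 1, "worker": "MyApp.BillingWorker"}
    v = VulnerableDashboard([Job(1, "MyApp.MailWorker")])
    h = HardenedDashboard([Job(1, "MyApp.MailWorker")])
    print("vulnerable:", attempt(v, "save-job", swap, viewer), v.jobs[1].worker)
    print("hardened:  ", attempt(h, "save-job", swap, viewer), h.jobs[1].worker)
```

The per-handler checks are kept in the hardened class as defence in depth, but the dispatch-level rule is what closes the gap: a new mutating event that omits its own check is still denied to a read-only user, because the allowlist names the harmless events rather than the dangerous ones.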

CVE-2026-48593

Publication date:
26/05/2026
Uncontrolled Resource Consumption vulnerability in oban-bg oban_web ('Elixir.Oban.Web.CronExpr' modules) allows memory exhaustion via unbounded cron range expansion.
An attacker with access to schedule cron jobs can submit a malicious cron expression such as "0 0 1-100000000 * *". When a user with dashboard access views the cron job list, 'Elixir.Oban.Web.CronExpr':describe/1 is called to render the expression. parse_range/1 parses both range endpoints via Integer.parse/1 with no bounds check, and the downstream helpers expand_dom_parts/1 and expand_dow_parts/1 materialise the range eagerly via Enum.to_list/1, causing allocation of ~2.4 GB and stalling or crashing the BEAM node. A sibling helper extract_dom_values already validates range bounds, but the expansion helpers do not.
This issue affects oban_web: from 2.12.0 before 2.12.5.
Severity CVSS v4.0: MEDIUM
Last modification:
26/05/2026
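CVE-2026-48593 is a parse-then-expand bug: the endpoints of a cron range were accepted as integers and the whole range was materialised before anyone compared them with what a day-of-month field may contain. The added example below (Python, not oban_web's own code) is a small five-field cron parser that validates every endpoint against the field's domain before calling range(), so "0 0 1-100000000 * *" is rejected with a comparison rather than a hundred-million-element list. FIELD_DOMAINS, parse_field, parse_cron, accepts and naive_range_size are names chosen for this example; the supported syntax (*, N, N-M, lists, /step) is a common subset and is an assumption, not a description of Oban's cron dialect.

```python
"""Bounds-checked cron field expansion.

Added example (Python), not oban_web's own code. Illustrates the failure mode
in CVE-2026-48593: range endpoints parsed as integers and then materialised
eagerly. Here each endpoint is validated against the field's domain before
anything is expanded. All names below are chosen for this example.
"""
import re

# Allowed (min, max) for each position of a five-field cron expression.
FIELD_DOMAINS = {
    "minute": (0, 59),
    "hour": (0, 23),
    "dom": (1, 31),
    "month": (1, 12),
    "dow": (0, 6),
}
FIELD_ORDER = ("minute", "hour", "dom", "month", "dow")

# One comma-separated part: "*", "N" or "N-M", optionally followed by "/step".
_PART = re.compile(r"^(\*|\d+(?:-\d+)?)(?:/(\d+))?$")


def parse_field(expr: str, lo: int, hi: int) -> set[int]:
    """Expand one cron field into concrete values, refusing anything outside lo..hi.

    The bounds check runs before range() is called, so a hostile endpoint costs a
    comparison. An unchecked implementation pays for the whole list first.
    """
    values: set[int] = set()
    for part in expr.split(","):
        m = _PART.match(part)
        if not m:
            raise ValueError(f"malformed cron part {part!r}")
        base, step = m.group(1), m.group(2)
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            start, end = (int(x) for x in base.split("-"))
        else:
            start = end = int(base)
        # Validate BEFORE expanding: this is the check the expansion helpers lacked.
        if not (lo <= start <= hi and lo <= end <= hi):
            raise ValueError(f"{part!r} outside allowed range {lo}-{hi}")
        if start > end:
            raise ValueError(f"{part!r} has start greater than end")
        step_n = int(step) if step is not None else 1
        if step_n < 1:
            raise ValueError(f"{part!r} has a zero step")
        values.update(range(start, end + 1, step_n))
    return values


def parse_cron(expr: str) -> dict[str, set[int]]:
    """Parse a five-field cron expression into per-field value sets."""
    fields = expr.split()
    if len(fields) != len(FIELD_ORDER):
        raise ValueError(f"expected {len(FIELD_ORDER)} fields, got {len(fields)}")
    return {name: parse_field(f, *FIELD_DOMAINS[name])
            for name, f in zip(FIELD_ORDER, fields)}


def accepts(expr: str) -> bool:
    """True if the expression is well formed and within bounds, False if rejected."""
    try:
        parse_cron(expr)
        return True
    except ValueError:
        return False


def naive_range_size(part: str) -> int:
    """Element count an unchecked eager expansion of "N-M" would build (computed, not allocated)."""
    start, end = (int(x) for x in part.split("-"))
    return max(0, end - start + 1)


if __name__ == "__main__":
    hostile = "0 0 1-100000000 * *"          # the expression quoted in the advisory
    print("accepted:", accepts(hostile))
    print("elements an unchecked expansion would allocate:",
          naive_range_size(hostile.split()[2]))
    print("dom of '0 0 1-5,10 * *':", sorted(parse_cron("0 0 1-5,10 * *")["dom"]))
```

Because the check is a property of the parser rather than of the dashboard page, it also protects any other consumer of the stored expression; validating at submission time is still worthwhile, but an expression already in the database must not be able to take down whoever renders it.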