Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-40010
Publication date:
06/05/2026
Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket.<br /> <br /> This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.<br /> <br /> Users are recommended to upgrade to version 10.9.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2026-42509
Publication date:
06/05/2026
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Apache Wicket.<br /> <br /> This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.<br /> <br /> Users are recommended to upgrade to version 10.9.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2026-43074
Publication date:
06/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> eventpoll: defer struct eventpoll free to RCU grace period<br /> <br /> In certain situations, ep_free() in eventpoll.c will kfree the epi-&gt;ep<br /> eventpoll struct while it still being used by another concurrent thread.<br /> Defer the kfree() to an RCU callback to prevent UAF.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2026

CVE-2026-43075
Publication date:
06/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: fix out-of-bounds write in ocfs2_write_end_inline<br /> <br /> KASAN reports a use-after-free write of 4086 bytes in<br /> ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a<br /> copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on<br /> a loop device. The actual bug is an out-of-bounds write past the inode<br /> block buffer, not a true use-after-free. The write overflows into an<br /> adjacent freed page, which KASAN reports as UAF.<br /> <br /> The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk<br /> id_count field to determine whether a write fits in inline data. On a<br /> corrupted filesystem, id_count can exceed the physical maximum inline data<br /> capacity, causing writes to overflow the inode block buffer.<br /> <br /> Call trace (crash path):<br /> <br /> vfs_copy_file_range (fs/read_write.c:1634)<br /> do_splice_direct<br /> splice_direct_to_actor<br /> iter_file_splice_write<br /> ocfs2_file_write_iter<br /> generic_perform_write<br /> ocfs2_write_end<br /> ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)<br /> ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)<br /> memcpy_from_folio
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2026

CVE-2026-43076
Publication date:
06/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: validate inline data i_size during inode read<br /> <br /> When reading an inode from disk, ocfs2_validate_inode_block() performs<br /> various sanity checks but does not validate the size of inline data. If<br /> the filesystem is corrupted, an inode&amp;#39;s i_size can exceed the actual<br /> inline data capacity (id_count).<br /> <br /> This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data<br /> buffer, triggering a use-after-free when accessing directory entries from<br /> freed memory.<br /> <br /> In the syzbot report:<br /> - i_size was 1099511627576 bytes (~1TB)<br /> - Actual inline data capacity (id_count) is typically pos to jump out of bounds<br /> - This triggered a UAF in ocfs2_check_dir_entry()<br /> <br /> Fix by adding a validation check in ocfs2_validate_inode_block() to ensure<br /> inodes with inline data have i_size
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2026

CVE-2026-43078
Publication date:
06/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl<br /> <br /> When page reassignment was added to af_alg_pull_tsgl the original<br /> loop wasn&amp;#39;t updated so it may try to reassign one more page than<br /> necessary.<br /> <br /> Add the check to the reassignment so that this does not happen.<br /> <br /> Also update the comment which still refers to the obsolete offset<br /> argument.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2026

CVE-2026-35255
Publication date:
06/05/2026
Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported versions that is affected is v2.3.2. Easily exploitable vulnerability allows unauthenticated attacker to compromise Oracle Cloud Native Environment Command Line Interface product via a malicious environment variable. Successful attacks of this vulnerability can result in Oracle Cloud Native Environment Command Line Interface allowing users to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-40001
Publication date:
06/05/2026
There is a local privilege escalation vulnerability in the ZTE PROCESS Guard service of the cloud computer client, which may allow local arbitrary code execution, privilege escalation and path traversal bypass.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2026-1719
Publication date:
06/05/2026
The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-7332
Publication date:
06/05/2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;booking_form_page_url&amp;#39; parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-7457
Publication date:
06/05/2026
The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database — combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator&amp;#39;s or agent&amp;#39;s browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-7841
Publication date:
06/05/2026
A remote code execution vulnerability<br /> exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated<br /> user with System Setting permissions can execute arbitrary commands on the<br /> server by sending a crafted HTTP POST request to the ASWebCommon.srf backend<br /> endpoint to bypass the frontend restrictions.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026
Subscribe to Vulnerabilities