Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-1695

Publication date:
26/02/2026
An XSS vulnerability affects the OAuth web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to trick a legitimate user into loading content from another site upon unsuccessful user authentication on an unknown application (unknown client_id). This vulnerability only affects the error page of the OAuth server.
Severity CVSS v4.0: MEDIUM
Last modification:
27/02/2026

CVE-2026-1696

Publication date:
26/02/2026
Some HTTP security headers are not properly set by the web server when sending responses to the client application.
Severity CVSS v4.0: LOW
Last modification:
27/02/2026

CVE-2026-1697

Publication date:
26/02/2026
The Secure and SameSite attributes are missing in the GraphicalData web services and WebClient web app of PcVue in version 12.0.0 through 16.3.3 included.
Severity CVSS v4.0: MEDIUM
Last modification:
27/02/2026

CVE-2026-1698

Publication date:
26/02/2026
An HTTP Host header attack vulnerability affects WebClient and the WebScheduler web apps of PcVue in version 15.0.0 through 16.3.3 included, allowing a remote attacker to inject harmful payloads that manipulate server-side behavior. This vulnerability only affects the endpoints /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback and /Authentication/Logout of the WebClient and WebScheduler web apps.
Severity CVSS v4.0: MEDIUM
Last modification:
27/02/2026

CVE-2026-1692

Publication date:
26/02/2026
A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to lure a successfully authenticated user to a malicious website. This vulnerability only affects the following two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.
Severity CVSS v4.0: MEDIUM
Last modification:
27/02/2026

CVE-2026-1693

Publication date:
26/02/2026
The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the webservices used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user credentials.
Severity CVSS v4.0: MEDIUM
Last modification:
27/02/2026

CVE-2026-1694

Publication date:
26/02/2026
HTTP headers are added by the default configuration of IIS and ASP.net, and are not removed at the deployment phase of the webservices used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It unnecessarily exposes sensitive information about the server configuration.
Severity CVSS v4.0: LOW
Last modification:
27/02/2026

CVE-2026-25191

Publication date:
26/02/2026
The installer of FinalCode Client provided by Digital Arts Inc. contains an issue with the DLL search path. If a user is directed to place a malicious DLL file and the installer to the same directory and execute the installer, arbitrary code may be executed with the installer's execution privilege.
Severity CVSS v4.0: HIGH
Last modification:
27/02/2026

CVE-2026-23703

Publication date:
26/02/2026
The installer of FinalCode Client provided by Digital Arts Inc. contains an incorrect default permissions vulnerability. A non-administrative user may execute arbitrary code with SYSTEM privilege.
Severity CVSS v4.0: HIGH
Last modification:
27/02/2026

CVE-2026-1311

Publication date:
26/02/2026
The Worry Proof Backup plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.2.4 via the backup upload functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload a malicious ZIP archive with path traversal sequences to write arbitrary files anywhere on the server, including executable PHP files. This can lead to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2026

CVE-2026-27975

Publication date:
26/02/2026
Ajenti is a Linux and BSD modular server admin panel. Prior to version 2.2.13, an unauthenticated user could gain access to a server to execute arbitrary code on this server. This is fixed in the version 2.2.13.
Severity CVSS v4.0: HIGH
Last modification:
27/02/2026

CVE-2026-2356

Publication date:
26/02/2026
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'register_member' function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that are newly registered on the site and have the 'urm_user_just_created' user meta set.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2026