Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-24781
Publication date:
04/05/2026
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2026

CVE-2026-24120
Publication date:
04/05/2026
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2026

CVE-2026-24118
Publication date:
04/05/2026
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2026

CVE-2026-24082
Publication date:
04/05/2026
Memory Corruption when copying data from a freed source while executing performance counter deselect operation.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2025-47406
Publication date:
04/05/2026
Information Disclosure while processing IOCTL handler callbacks without verifying buffer size.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2025-47405
Publication date:
04/05/2026
Memory corruption when processing camera sensor input/output control codes with invalid output buffers.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2025-47404
Publication date:
04/05/2026
Memory corruption when dynamically changing the size of a previously allocated buffer while its contents are being modified.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2025-47403
Publication date:
04/05/2026
Transient DOS when processing a malformed Fast Transition response frame with an invalid header structure during wireless roaming.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2025-47401
Publication date:
04/05/2026
Transient DOS when processing target power rate tables during channel configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-40563
Publication date:
04/05/2026
Description:<br /> Improper Control of Generation of Code (&amp;#39;Code Injection&amp;#39;) vulnerability in Apache Atlas<br /> Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data<br /> <br /> <br /> <br /> <br /> Affect Version:<br /> This issue affects Apache Atlas: from 0.8 through 2.4.0.<br /> <br /> <br /> <br /> For the affect version &gt;= 2.0, vulnerability is only when Atlas is deployed with below non-default configuration.<br /> <br /> <br /> atlas.dsl.executor.traversal=false<br /> <br /> <br /> <br /> Mitigation:<br /> Users are recommended to upgrade to version 2.5.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-36365
Publication date:
04/05/2026
An issue in Lymphatus caesium-image-compressor All versions up to and including commit 02da2c6 allows a local attacker to execute arbitrary code via the shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2026-37458
Publication date:
04/05/2026
Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying a crafted UPDATE message.
Severity CVSS v4.0: Pending analysis
Last modification:
11/05/2026
Subscribe to Vulnerabilities