Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-31680
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ipv6: flowlabel: defer exclusive option free until RCU teardown<br /> <br /> `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file<br /> RCU read-side lock and prints `fl-&gt;opt-&gt;opt_nflen` when an option block<br /> is present.<br /> <br /> Exclusive flowlabels currently free `fl-&gt;opt` as soon as `fl-&gt;users`<br /> drops to zero in `fl_release()`. However, the surrounding<br /> `struct ip6_flowlabel` remains visible in the global hash table until<br /> later garbage collection removes it and `fl_free_rcu()` finally tears it<br /> down.<br /> <br /> A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that<br /> early `kfree()` and dereference freed option state, triggering a crash<br /> in `ip6fl_seq_show()`.<br /> <br /> Fix this by keeping `fl-&gt;opt` alive until `fl_free_rcu()`. That matches<br /> the lifetime already required for the enclosing flowlabel while readers<br /> can still reach it under RCU.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2026

CVE-2026-31681
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: xt_multiport: validate range encoding in checkentry<br /> <br /> ports_match_v1() treats any non-zero pflags entry as the start of a<br /> port range and unconditionally consumes the next ports[] element as<br /> the range end.<br /> <br /> The checkentry path currently validates protocol, flags and count, but<br /> it does not validate the range encoding itself. As a result, malformed<br /> rules can mark the last slot as a range start or place two range starts<br /> back to back, leaving ports_match_v1() to step past the last valid<br /> ports[] element while interpreting the rule.<br /> <br /> Reject malformed multiport v1 rules in checkentry by validating that<br /> each range start has a following element and that the following element<br /> is not itself marked as another range start.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2026

CVE-2026-31682
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bridge: br_nd_send: linearize skb before parsing ND options<br /> <br /> br_nd_send() parses neighbour discovery options from ns-&gt;opt[] and<br /> assumes that these options are in the linear part of request.<br /> <br /> Its callers only guarantee that the ICMPv6 header and target address<br /> are available, so the option area can still be non-linear. Parsing<br /> ns-&gt;opt[] in that case can access data past the linear buffer.<br /> <br /> Linearize request before option parsing and derive ns from the linear<br /> network header.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2026

CVE-2026-31673
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> af_unix: read UNIX_DIAG_VFS data under unix_state_lock<br /> <br /> Exact UNIX diag lookups hold a reference to the socket, but not to<br /> u-&gt;path. Meanwhile, unix_release_sock() clears u-&gt;path under<br /> unix_state_lock() and drops the path reference after unlocking.<br /> <br /> Read the inode and device numbers for UNIX_DIAG_VFS while holding<br /> unix_state_lock(), then emit the netlink attribute after dropping the<br /> lock.<br /> <br /> This keeps the VFS data stable while the reply is being built.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2026

CVE-2026-31674
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()<br /> <br /> Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS.<br /> <br /> rt_mt6() expects addrnr to stay within the bounds of rtinfo-&gt;addrs[].<br /> Validate addrnr during rule installation so malformed rules are rejected<br /> before the match logic can use an out-of-range value.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2026

CVE-2026-6951
Publication date:
25/04/2026
Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.
Severity CVSS v4.0: CRITICAL
Last modification:
25/04/2026

CVE-2026-6175
Publication date:
24/04/2026
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-42171
Publication date:
24/04/2026
NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-41473
Publication date:
24/04/2026
CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary data to the database by sending requests to the /api/ai-scanner/status-webhook and /api/ai-scanner/callback endpoints. Attackers can exploit the lack of authentication checks to cause denial of service through storage exhaustion, corrupt scan history records, and pollute database fields with malicious data.
Severity CVSS v4.0: HIGH
Last modification:
24/04/2026

CVE-2026-41478
Publication date:
24/04/2026
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-41481
Publication date:
24/04/2026
LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters<br /> 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects enabled (the default). Because redirect targets were not revalidated, a URL pointing to an attacker-controlled server could redirect to internal, localhost, or cloud metadata endpoints, bypassing SSRF protections. The response body is parsed and returned as Document objects to the calling application code. Whether this constitutes a data exfiltration path depends on the application: if it exposes Document contents (or derivatives) back to the requester who supplied the URL, sensitive data from internal endpoints could be leaked. Applications that store or process Documents internally without returning raw content to the requester are not directly exposed to data exfiltration through this issue. This vulnerability is fixed in 1.1.2.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-41488
Publication date:
24/04/2026
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai&amp;#39;s _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026
Subscribe to Vulnerabilities