Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-49386
Publication date:
29/05/2026
In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49372
Publication date:
29/05/2026
In JetBrains TeamCity before 2026.1,<br /> 2025.11.5 unauthenticated SSRF via build status was possible
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49373
Publication date:
29/05/2026
In JetBrains TeamCity before 2026.1 remote code execution was possible via Perforce connection settings
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49374
Publication date:
29/05/2026
In JetBrains TeamCity before 2026.1 improper permission checks exposed build configuration parameters
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49375
Publication date:
29/05/2026
In JetBrains TeamCity before 2026.1, <br /> 2025.11.5 reflected XSS was possible on the repository download page
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49376
Publication date:
29/05/2026
In JetBrains TeamCity before 2026.1 insufficient username validation in the SAML plugin
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49377
Publication date:
29/05/2026
In JetBrains TeamCity before 2025.11.2 exposure of sensitive data via default agent parameters
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49378
Publication date:
29/05/2026
In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49379
Publication date:
29/05/2026
In JetBrains TeamCity before 2026.1 credentials could be exposed in thread names
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49380
Publication date:
29/05/2026
In JetBrains TeamCity before 2026.1 open redirect in the SAML plugin was possible
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-47744
Publication date:
29/05/2026
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization. Any authenticated user could load the page and use its public actions to create new roles and delete other users, including administrators. Settings/Team/RolePermission gated its write actions on the read-only view_users permission. Any user holding view_users could grant themselves or any other user arbitrary permissions, including manage_users and edit_orders, effectively escalating to full panel administrator from a read-only account. Combined, these two defects allow a low-privilege authenticated user to obtain administrator privileges and remove the legitimate administrators from the panel. This vulnerability is fixed in 2.8.0.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-47745
Publication date:
29/05/2026
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could disable every payment method on the store, disable or alter the default currency, or disable carriers. The impact is a full denial of checkout and pricing integrity loss, reachable by any authenticated user. This vulnerability is fixed in 2.8.0.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026
Subscribe to Vulnerabilities