Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-14576
Publication date:
30/04/2026
Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.
Severity CVSS v4.0: HIGH
Last modification:
05/05/2026

CVE-2024-13971
Publication date:
30/04/2026
Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.
Severity CVSS v4.0: HIGH
Last modification:
06/05/2026

CVE-2026-41882
Publication date:
30/04/2026
In JetBrains IntelliJ IDEA before 2024.3.7.1, <br /> 2025.1.7.1,<br /> 2025.2.6.2, <br /> 2025.3.4.1, <br /> 2026.1.1 reading arbitrary local files was possible via built-in web server
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2026

CVE-2026-5080
Publication date:
30/04/2026
Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely.<br /> <br /> The session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999-billion, and concatenating that result three times.<br /> <br /> The path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations.<br /> <br /> The epoch time can be guessed by an attacker, and may be leaked in the HTTP header.<br /> <br /> The process id comes from a small set of numbers, and workers may have sequential process ids.<br /> <br /> The built-in rand() function is seeded with 32-bits and is considered unsuitable for security applications.<br /> <br /> Predictable session ids could allow an attacker to gain access to systems.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2026

CVE-2026-31693
Publication date:
30/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: some missing initializations on replay<br /> <br /> In several places in the code, we have a label to signify<br /> the start of the code where a request can be replayed if<br /> necessary. However, some of these places were missing the<br /> necessary reinitializations of certain local variables<br /> before replay.<br /> <br /> This change makes sure that these variables get initialized<br /> after the label.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2026-1493
Publication date:
30/04/2026
LEX Baza Dokumentów is vulnerable to DOM-based XSS in "em" cookie parameter. The application unsafely<br /> processes the parameter on the client side, allowing an attacker to execute arbitrary<br /> JavaScript in the context of the victim&amp;#39;s browser.<br /> An attacker with ability to set a cookie can perform a more severe attack, so we evaluate the impact and risk of exploitation as minimal. However, the vendor considered this a vulnerability and released a security patch.<br /> <br /> This issue was fixed in version 1.3.4.
Severity CVSS v4.0: MEDIUM
Last modification:
05/05/2026

CVE-2026-31787
Publication date:
30/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xen/privcmd: fix double free via VMA splitting<br /> <br /> privcmd_vm_ops defines .close (privcmd_close), but neither .may_split<br /> nor .open. When userspace does a partial munmap() on a privcmd mapping,<br /> the kernel splits the VMA via __split_vma(). Since may_split is NULL,<br /> the split is allowed. vm_area_dup() copies vm_private_data (a pages<br /> array allocated in alloc_empty_pages()) into the new VMA without any<br /> fixup, because there is no .open callback.<br /> <br /> Both VMAs now point to the same pages array. When the unmapped portion<br /> is closed, privcmd_close() calls:<br /> - xen_unmap_domain_gfn_range()<br /> - xen_free_unpopulated_pages()<br /> - kvfree(pages)<br /> <br /> The surviving VMA still holds the dangling pointer. When it is later<br /> destroyed, the same sequence runs again, which leads to a double free.<br /> <br /> Fix this issue by adding a .may_split callback denying the VMA split.<br /> <br /> This is XSA-487 / CVE-2026-31787
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-31786
Publication date:
30/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Buffer overflow in drivers/xen/sys-hypervisor.c<br /> <br /> The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is<br /> neither NUL terminated nor a string.<br /> <br /> The first causes a buffer overflow as sprintf in buildid_show will<br /> read and copy till it finds a NUL.<br /> <br /> 00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|<br /> 00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|<br /> 00000017<br /> <br /> So use a memcpy instead of sprintf to have the correct value:<br /> <br /> 00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|<br /> 00000010 b9 a8 01 42 |...B|<br /> 00000014<br /> <br /> (the above have a hack to embed a zero inside and check it&amp;#39;s<br /> returned correctly).<br /> <br /> This is XSA-485 / CVE-2026-31786
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-31692
Publication date:
30/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rtnetlink: add missing netlink_ns_capable() check for peer netns<br /> <br /> rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer<br /> network namespace when creating paired devices (veth, vxcan,<br /> netkit). This allows an unprivileged user with a user namespace<br /> to create interfaces in arbitrary network namespaces, including<br /> init_net.<br /> <br /> Add a netlink_ns_capable() check for CAP_NET_ADMIN in the peer<br /> namespace before allowing device creation to proceed.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-42800
Publication date:
30/04/2026
NULL pointer dereference vulnerability in ASR1903 in ASR Lapwing_Linux on Linux (ims_client modules) allows Pointer Manipulation.<br /> <br /> This vulnerability is associated with program files sip/utils/src/sipuri.c.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2026

CVE-2026-41016
Publication date:
30/04/2026
Apache Airflow&amp;#39;s SMTP provider `SmtpHook` called Python&amp;#39;s `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS upgrade, and capture the SMTP credentials sent during the subsequent `login()` call. Users are advised to upgrade to the `apache-airflow-providers-smtp` version that contains the fix.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2026

CVE-2026-39457
Publication date:
30/04/2026
When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)&amp;#39;s file descriptor set size limit of FD_SETSIZE (1024).<br /> <br /> An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2026
Subscribe to Vulnerabilities