Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-22745
Publication date:
29/04/2026
Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.<br /> <br /> <br /> More precisely, an application can be vulnerable when all the following are true:<br /> <br /> * the application is using Spring MVC or Spring WebFlux<br /> * the application is serving static resources from the file system<br /> * the application is running on a Windows platform<br /> <br /> <br /> When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2026

CVE-2026-22741
Publication date:
29/04/2026
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.<br /> <br /> <br /> More precisely, an application can be vulnerable when all the following are true:<br /> <br /> * the application is using Spring MVC or Spring WebFlux<br /> * the application is configuring the  resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with caching enabled<br /> * the application adds support for encoded resources resolution<br /> * the resource cache must be empty when the attacker has access to the application<br /> <br /> <br /> When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2026

CVE-2026-22740
Publication date:
29/04/2026
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.<br /> <br /> Older, unsupported versions are also affected.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2026

CVE-2026-42518
Publication date:
29/04/2026
This vulnerability exists in e-Sushrut due to disclosure of sensitive information and hardcoded AES encryption keys in client-side JavaScript. An unauthenticated remote attacker could exploit this vulnerability by accessing the client-side code to extract sensitive information and cryptographic keys.<br /> <br /> Successful exploitation of this vulnerability could lead to exposure of sensitive data and compromise of cryptographic protections on the targeted system.
Severity CVSS v4.0: HIGH
Last modification:
29/04/2026

CVE-2026-4019
Publication date:
29/04/2026
The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5 This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/{post_id}/{block_id} using __return_true as the permission_callback, allowing any unauthenticated user to access it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz/consent-area block found in it, without checking if the post is published or if the user has permission to read it. This makes it possible for unauthenticated attackers to read the consent area block content from private, draft, or unpublished posts.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2026

CVE-2026-42513
Publication date:
29/04/2026
This vulnerability exists in e-Sushrut due to improper authentication logic that relies on client-side response parameters to determine authentication status. A remote attacker could exploit this vulnerability by intercepting and modifying the server response. <br /> <br /> Successful exploitation of this vulnerability could allow the attacker to bypass authentication and gain unauthorized access to user accounts on the targeted system.
Severity CVSS v4.0: HIGH
Last modification:
29/04/2026

CVE-2026-42514
Publication date:
29/04/2026
This vulnerability exists in e-Sushrut due to exposure of OTPs in plaintext within API responses. A remote attacker could exploit this vulnerability by intercepting API responses containing valid OTPs.<br /> <br /> Successful exploitation of this vulnerability could allow an attacker to impersonate the target user and gain unauthorized access to user accounts on the targeted system.
Severity CVSS v4.0: HIGH
Last modification:
29/04/2026

CVE-2026-42515
Publication date:
29/04/2026
This vulnerability exists in e-Sushrut due to improper access control in resource access validation. An authenticated attacker could exploit this vulnerability by manipulating parameter in the API request URL to gain unauthorized access to sensitive information of patients on the targeted system.
Severity CVSS v4.0: HIGH
Last modification:
29/04/2026

CVE-2026-42516
Publication date:
29/04/2026
This vulnerability exists in e-Sushrut due to improper authorization checks during resource access. An authenticated attacker could exploit this vulnerability by manipulating encoded parameters in the request URL to gain unauthorized access to patient accounts on the targeted system.
Severity CVSS v4.0: HIGH
Last modification:
29/04/2026

CVE-2026-42517
Publication date:
29/04/2026
This vulnerability exists in e-Sushrut due to the use of reversible Base64 encoding for protecting sensitive data. An authenticated attacker could exploit this vulnerability by decoding and manipulating Base64-encoded parameters in the request URL to gain unauthorized access to sensitive information on the targeted system.
Severity CVSS v4.0: HIGH
Last modification:
29/04/2026

CVE-2026-42412
Publication date:
29/04/2026
Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels.<br /> <br /> This issue affects WP User Frontend: from n/a through 4.3.1.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2026

CVE-2025-10503
Publication date:
29/04/2026
The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting.<br /> <br /> An attacker can leverage this vulnerability to redirect the user&amp;#39;s browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2026
Subscribe to Vulnerabilities