Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-6985
Publication date:
25/04/2026
A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file /src/net_builtin.c of the component TCP Option Handler. This manipulation of the argument optlen causes infinite loop. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 7.21 is able to resolve this issue. Upgrading the affected component is advised. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026

CVE-2026-6984
Publication date:
25/04/2026
A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function create_template of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a template engine. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-6983
Publication date:
25/04/2026
A vulnerability was identified in pagekit up to 1.0.18. Affected by this issue is some unknown functionality of the file /index.php/admin/system/update/download. The manipulation of the argument url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-6982
Publication date:
25/04/2026
A vulnerability was determined in star7th ShowDoc up to 2.10.10/3.6.2/3.8.0. Affected by this vulnerability is an unknown functionality of the file server/Application/Api/Controller/PageController.class.PHP of the component API Page Sort Endpoint. Executing a manipulation of the argument pages can lead to sql injection. The attack may be launched remotely. Upgrading to version 3.8.1 addresses this issue. It is suggested to upgrade the affected component. According to the researcher, "[t]he vendor explicitly stated they will not backport patches to the older affected versions."
Severity CVSS v4.0: MEDIUM
Last modification:
27/04/2026

CVE-2026-6981
Publication date:
25/04/2026
A vulnerability was found in IhateCreatingUserNames2 AiraHub2 up to 3e4b77fd7d48ed811ffe5b8d222068c17c76495e. Affected is the function connect_stream_endpoint/sync_agents of the file AiraHub.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. Multiple endpoints are affected. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-6980
Publication date:
25/04/2026
A vulnerability has been found in Divyanshu-hash GitPilot-MCP up to 9ed9f153ba4158a2ad230ee4871b25130da29ffd. This impacts the function repo_path of the file main.py. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026

CVE-2026-6978
Publication date:
25/04/2026
A vulnerability was detected in JiZhiCMS up to 2.5.6. The impacted element is the function htmlspecialchars_decode of the file /index.php/admins/Sys/addcache.html. The manipulation of the argument sqls results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-6979
Publication date:
25/04/2026
A flaw has been found in devlikeapro WAHA up to 2026.3.4. This affects an unknown function of the file src/api/media.controller.ts of the component API Request Handler. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-6977
Publication date:
25/04/2026
A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026

CVE-2026-31685
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: ip6t_eui64: reject invalid MAC header for all packets<br /> <br /> `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address<br /> and compares it with the low 64 bits of the IPv6 source address.<br /> <br /> The existing guard only rejects an invalid MAC header when<br /> `par-&gt;fragoff != 0`. For packets with `par-&gt;fragoff == 0`, `eui64_mt6()`<br /> can still reach `eth_hdr(skb)` even when the MAC header is not valid.<br /> <br /> Fix this by removing the `par-&gt;fragoff != 0` condition so that packets<br /> with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-31684
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: sched: act_csum: validate nested VLAN headers<br /> <br /> tcf_csum_act() walks nested VLAN headers directly from skb-&gt;data when an<br /> skb still carries in-payload VLAN tags. The current code reads<br /> vlan-&gt;h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without<br /> first ensuring that the full VLAN header is present in the linear area.<br /> <br /> If only part of an inner VLAN header is linearized, accessing<br /> h_vlan_encapsulated_proto reads past the linear area, and the following<br /> skb_pull(VLAN_HLEN) may violate skb invariants.<br /> <br /> Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and<br /> pulling each nested VLAN header. If the header still is not fully<br /> available, drop the packet through the existing error path.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-31683
Publication date:
25/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> batman-adv: avoid OGM aggregation when skb tailroom is insufficient<br /> <br /> When OGM aggregation state is toggled at runtime, an existing forwarded<br /> packet may have been allocated with only packet_len bytes, while a later<br /> packet can still be selected for aggregation. Appending in this case can<br /> hit skb_put overflow conditions.<br /> <br /> Reject aggregation when the target skb tailroom cannot accommodate the new<br /> packet. The caller then falls back to creating a new forward packet<br /> instead of appending.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026
Subscribe to Vulnerabilities