Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, as there is the option to select different criteria to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-41011

Publication date:
21/04/2026
HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validation of user input by sending a request to '/reports/generate/specific_customer', using the 'start_date_formatted' and 'end_date_formatted' parameters.
Severity CVSS v4.0: MEDIUM
Last modification:
06/05/2026

CVE-2017-20230

Publication date:
21/04/2026
Storable versions before 3.05 for Perl have a stack overflow. The retrieve_hook function stored the length of the class name into a signed integer but in read operations treated the length as unsigned. This allowed an attacker to craft data that could trigger the overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-5789

Publication date:
21/04/2026
Vulnerability related to an unquoted search path in CivetWeb v1.16. This vulnerability allows a local attacker to execute arbitrary code with elevated privileges by placing a malicious executable in a directory that is scanned before the intended application path (C:\Program Files\CivetWeb\CivetWeb.exe --), due to the absence of quotes in the service configuration.
Severity CVSS v4.0: HIGH
Last modification:
22/04/2026

CVE-2026-3298

Publication date:
21/04/2026
The method "sock_recvfrom_into()" of "asyncio.ProactorEventLoop" (Windows only) was missing a boundary check for the data buffer when using the nbytes parameter. This allowed an out-of-bounds buffer write if the data was larger than the buffer size. Non-Windows platforms are not affected.
Severity CVSS v4.0: HIGH
Last modification:
21/04/2026

CVE-2026-29644

Publication date:
21/04/2026
XiangShan (open-source high-performance RISC-V processor) commit edb1dfaf7d290ae99724594507dc46c2c2125384 (2024-11-28) has improper gating of its distributed CSR write-enable path, allowing illegal CSR write attempts to alter custom PMA (Physical Memory Attribute) CSR state. Though the RISC-V privileged specification requires an illegal-instruction exception for non-existent/illegal CSR accesses, affected XiangShan versions may still propagate such writes to replicated PMA configuration state. Local attackers able to execute code on the core (privilege context depends on system integration) can exploit this to tamper with memory-attribute enforcement, potentially leading to privilege escalation, information disclosure, or denial of service depending on how PMA enforces platform security and isolation boundaries.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-31019

Publication date:
21/04/2026
In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2026-31018

Publication date:
21/04/2026
In Dolibarr ERP & CRM
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2026-31014

Publication date:
21/04/2026
Dovestones Softwares AD Self Update
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2026-31013

Publication date:
21/04/2026
Dovestones Softwares ADPhonebook
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2025-31958

Publication date:
21/04/2026
HCL BigFix Service Management is susceptible to HTTP Request Smuggling. HTTP request smuggling vulnerabilities arise when websites route HTTP requests through web servers with inconsistent HTTP parsing. HTTP Smuggling exploits inconsistencies in request parsing between front-end and back-end servers, allowing attackers to bypass security controls and perform attacks like cache poisoning or request hijacking.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2025-31981

Publication date:
21/04/2026
HCL BigFix Service Management (SM) Discovery is vulnerable to unenforced encryption due to port 80 (HTTP) being open, allowing unencrypted access. An attacker with access to the network traffic can sniff packets from the connection and uncover the data.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-1089

Publication date:
21/04/2026
User-Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Information Disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026