Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-40980
Publication date:
28/04/2026
In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`.<br /> <br /> Affected versions:<br /> Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2026

CVE-2026-40979
Publication date:
28/04/2026
In Spring AI, having access to a shared environment can expose the ONNX model used by the application.<br /> <br /> Affected versions:<br /> Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2026

CVE-2026-40978
Publication date:
28/04/2026
SQL injection vulnerability in Spring AI&amp;#39;s `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via crafted document IDs.<br /> <br /> Affected versions:<br /> Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2026

CVE-2025-10539
Publication date:
28/04/2026
Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.
Severity CVSS v4.0: Pending analysis
Last modification:
18/05/2026

CVE-2026-7240
Publication date:
28/04/2026
A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument User leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: HIGH
Last modification:
28/04/2026

CVE-2026-7235
Publication date:
28/04/2026
A security vulnerability has been detected in ErlichLiu claude-agent-sdk-master up to b185aa7ff0d864581257008077b4010fca1747bf. Affected by this vulnerability is an unknown functionality of the file app/api/agent-output/route.ts. The manipulation of the argument outputFile leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: MEDIUM
Last modification:
28/04/2026

CVE-2026-7237
Publication date:
28/04/2026
A vulnerability was detected in AgiFlow scaffold-mcp up to 1.0.27. Affected by this issue is some unknown functionality of the file packages/scaffold-mcp/src/server/index.ts of the component write-to-file Tool. The manipulation of the argument file_path results in path traversal. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 1.1.0 can resolve this issue. The patch is identified as c4d23592ae5fb59cfeefc4641e6826f8ac89b9c6. You should upgrade the affected component.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026

CVE-2026-7238
Publication date:
28/04/2026
A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminUpdateAlbum.php. This manipulation of the argument txtimage causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-4805
Publication date:
28/04/2026
The Woostify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0 This is due to insufficient input sanitization and output escaping in the bundled Lity.js lightbox library, where user-controlled input from the href attribute is concatenated directly into a jQuery HTML string without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2026

CVE-2026-4911
Publication date:
28/04/2026
The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06 This is due to the intentForStripe() function passing user-controlled $_POST[&amp;#39;amount&amp;#39;] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignoring the server-calculated amount when confirming the payment. While the server correctly calculates the booking cost via getAmount() based on services, guests, taxes, and coupons, this calculated amount is never validated against or used to update the PaymentIntent because the critical code in CreditCard.php that would include the calculated amount in the PaymentIntent update is commented out. This makes it possible for unauthenticated attackers to book services at arbitrary prices (e.g., $0.01 instead of $500.00) by manipulating the amount parameter during PaymentIntent creation and completing the booking with the fraudulent payment.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2026

CVE-2024-54012
Publication date:
28/04/2026
Penetration Testing engineers at Amazon discovered a vulnerability where the camera system failed to properly validate input, allowing specially crafted requests containing malicious commands to be executed on the device. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer&amp;#39;s report for details and workarounds.
Severity CVSS v4.0: HIGH
Last modification:
28/04/2026

CVE-2024-54013
Publication date:
28/04/2026
Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to protected functions. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer&amp;#39;s report for details and workarounds
Severity CVSS v4.0: HIGH
Last modification:
28/04/2026
Subscribe to Vulnerabilities