Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available to interested users a database, in Spanish, that includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: criteria such as vulnerability type, manufacturer and impact level, among others, can be selected to narrow down the results.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-35903

Publication date:
27/04/2026
MERCURY MIPC252W IP camera 1.0.5 Build 230306 Rel.79931n contains an improper authentication vulnerability in the RTSP service. After successful Digest authentication in an initial DESCRIBE request, the device does not verify the Digest response parameter in subsequent RTSP requests within the same session. As a result, RTSP methods such as SETUP, PLAY, and TEARDOWN can be processed even when the Authorization header contains an empty or invalid response value, as long as the nonce and session identifier correspond to a previously authenticated session. This allows an attacker with network access to reuse session parameters and issue unauthorized RTSP control commands without computing a valid Digest response.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2026
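
The check the camera is described as skipping, shown as an added example (this is not the device firmware, nor INCIBE or NVD code): a Python RTSP Digest verifier that recomputes the RFC 2617 response for every request and method, next to a weak variant that only checks that the nonce belongs to a previously authenticated session. The realm, credentials, nonce and stream URI are constructed for the demonstration.

```python
import hashlib
import re
import secrets

# Constructed demo realm and credentials (not taken from any real device).
REALM = "demo-camera"
USERS = {"admin": "constructed-demo-password"}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted or bare values)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def expected_response(username: str, password: str, realm: str,
                      method: str, uri: str, nonce: str) -> str:
    """RFC 2617 Digest without qop, as RTSP uses it: MD5(HA1:nonce:HA2).
    HA2 binds the response to the method, so a DESCRIBE response is useless for PLAY."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def verify_digest(method: str, uri: str, header: str, issued_nonces: set) -> bool:
    """Strict check run on EVERY request: nonce must be one we issued and the
    response must match for this method and URI. Empty or malformed response fails."""
    try:
        p = parse_digest_header(header)
    except ValueError:
        return False
    nonce, user, resp = p.get("nonce", ""), p.get("username", ""), p.get("response", "")
    if nonce not in issued_nonces or user not in USERS or p.get("realm") != REALM:
        return False
    if len(resp) != 32:           # empty or truncated response value
        return False
    want = expected_response(user, USERS[user], REALM, method, uri, nonce)
    return secrets.compare_digest(resp.lower(), want)


def weak_verify(method: str, uri: str, header: str, issued_nonces: set) -> bool:
    """Reproduces the flaw pattern from the advisory: after the first successful
    DESCRIBE, only nonce/session continuity is checked, never the response."""
    try:
        p = parse_digest_header(header)
    except ValueError:
        return False
    return p.get("nonce", "") in issued_nonces


def build_header(username: str, password: str, method: str, uri: str,
                 nonce: str, response: str = None) -> str:
    """Client side: build the Authorization header, optionally with a forced response."""
    if response is None:
        response = expected_response(username, password, REALM, method, uri, nonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def demo() -> dict:
    nonce = secrets.token_hex(16)         # nonce the server issued in its 401 challenge
    issued = {nonce}
    uri = "rtsp://192.0.2.10:554/stream1"  # constructed stream URI
    good = build_header("admin", USERS["admin"], "DESCRIBE", uri, nonce)
    # Attacker reuses the session nonce but sends an empty response for PLAY.
    forged = build_header("admin", USERS["admin"], "PLAY", uri, nonce, response="")
    return {
        "describe_ok": verify_digest("DESCRIBE", uri, good, issued),
        "play_forged_strict": verify_digest("PLAY", uri, forged, issued),
        "play_forged_weak": weak_verify("PLAY", uri, forged, issued),
        # Replaying the valid DESCRIBE header against PLAY also fails under the strict check.
        "play_replayed_strict": verify_digest("PLAY", uri, good, issued),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A real server would additionally expire nonces and tie them to the TCP connection; the point here is that `weak_verify` accepts the forged PLAY because the nonce is known, while `verify_digest` rejects both the empty response and a replayed DESCRIBE response, since HA2 includes the method name.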

CVE-2026-40970

Publication date:
27/04/2026
When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server.
Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-35902

Publication date:
27/04/2026
The RTSP service of MERCURY IP camera MIPC252W 1.0.5 Build 230306 has an issue handling failed Digest authentication attempts. By repeatedly sending RTSP requests with invalid authentication parameters, an unauthenticated attacker can cause the RTSP service to enter a persistent authentication failure state, preventing legitimate clients from authenticating and leading to a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2026

CVE-2026-31255

Publication date:
27/04/2026
A command injection vulnerability exists in Tenda AC18 V15.03.05.05_multi. The vulnerability is located in the /goform/SetSambaCfg interface, where improper handling of the guestuser parameter allows attackers to execute arbitrary system commands.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2026

CVE-2026-32655

Publication date:
27/04/2026
Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain a Least Privilege Violation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2026

CVE-2026-35901

Publication date:
27/04/2026
A handling issue in the RTSP service of the Mercury MIPC252W 1.0.5 Build 230306 Rel.79931n allows an authenticated attacker to trigger session termination by repeatedly sending SETUP requests for the same media track within a single RTSP session. This causes the server to reset the RTSP connection, leading to a denial-of-service condition.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2026

CVE-2026-31256

Publication date:
27/04/2026
A null pointer dereference vulnerability exists in the RTSP service of the MERCURY MIPC252W 1.0.5 Build 230306 Rel.79931n. During the processing of a SETUP request for the path rtsp://:554/stream1/track2, the device fails to properly validate the Transport header field. When this header is improperly constructed, the RTSP service can dereference a NULL pointer during request parsing. Successful exploitation causes the device to crash and automatically reboot.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2026

CVE-2025-69428

Publication date:
27/04/2026
An issue in Pro-Bit before v1.77.4 allows unauthenticated attackers to directly access sensitive directory and its subdirectories.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2026

CVE-2021-36438

Publication date:
27/04/2026
SQL Injection vulnerability exists in Sourcecodester Online Job Portal phppdo 1.0 via the category parameter in /jobportal/index.php.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2026

CVE-2026-7145

Publication date:
27/04/2026
A weakness has been identified in mettle sendportal up to 3.0.1. Affected is the function destroy of the file app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php of the component Invitation Handler. This manipulation of the argument invitation causes authorization bypass. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: MEDIUM
Last modification:
27/04/2026

CVE-2026-7143

Publication date:
27/04/2026
A vulnerability was identified in 1000 Projects Portfolio Management System MCA up to 1.0. This affects an unknown function of the file /admin/block_status.php. The manipulation of the argument q leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-7144

Publication date:
27/04/2026
A security flaw has been discovered in 1000 Projects Portfolio Management System MCA 1.0. This impacts an unknown function of the file update_passwd_process.php. The manipulation of the argument temp_user results in authorization bypass. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026