Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible, since different criteria can be selected to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-6912

Publication date:
24/04/2026
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute.

To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
Severity CVSS v4.0: HIGH
Last modification:
24/04/2026

CVE-2026-41411

Publication date:
24/04/2026
Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-41079

Publication date:
24/04/2026
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to 2.4.17, a network-adjacent attacker can send a crafted SNMP response to the CUPS SNMP backend that causes an out-of-bounds read of up to 176 bytes past a stack buffer. The leaked memory is converted from UTF-16 to UTF-8 and stored as printer supply description strings, which are subsequently visible to authenticated users via IPP Get-Printer-Attributes responses and the CUPS web interface. This vulnerability is fixed in 2.4.17.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-41067

Publication date:
24/04/2026
Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace or / before the closing >, allowing an attacker to bypass the sanitization with payloads like , , or and inject arbitrary HTML/JavaScript. This vulnerability is fixed in 6.1.6.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-40897

Publication date:
24/04/2026
Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. This vulnerability is fixed in 15.2.0.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-41066

Publication date:
24/04/2026
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-39920

Publication date:
24/04/2026
BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.
Severity CVSS v4.0: CRITICAL
Last modification:
24/04/2026

CVE-2026-40609

Publication date:
24/04/2026
Rejected reason: This CVE is a duplicate of another CVE.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-30368

Publication date:
24/04/2026
A client-side authorization flaw in Lightspeed Classroom v5.1.2.1763770643 allows unauthenticated attackers to impersonate users by bypassing integrity checks and abusing client-generated authorization tokens, leading to unauthorized control and monitoring of student devices.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2025-59308

Publication date:
24/04/2026
In Mahara before 24.04.10 and 25 before 25.04.1, an institution administrator or institution support administrator on a multi-tenanted site can masquerade as an institution member in an institution for which they are not an administrator, if they also have the 'Site staff' role.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2025-67259

Publication date:
24/04/2026
A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students' details, tutor/admin profiles, and internal course metadata.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-42095

Publication date:
24/04/2026
bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026