Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-44594

Publication date:
28/05/2026
esm.sh is a no-build content delivery network (CDN) for web development. In version 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-44358

Publication date:
28/05/2026
Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path for both binary resolution and Node.js module resolution. A fork pull request processed by a pull_request_target workflow could therefore cause fork-supplied code to execute inside the action container in place of the action's own code. This vulnerability is fixed in 1.0.1.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2026

CVE-2026-44672

Publication date:
28/05/2026
mapfish-print is a component of MapFish for printing templated cartographic maps. From 3.23.0 to before 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3, an unauthenticated attacker can execute arbitrary code through the Dynamic table functionality. This vulnerability is fixed in 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3.
Severity CVSS v4.0: CRITICAL
Last modification:
28/05/2026

CVE-2026-41565

Publication date:
28/05/2026
CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers. The gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify and eax_decrypt_verify XS routines copied the caller-supplied authentication tag into a fixed 144-byte stack buffer (MAXBLOCKSIZE) without checking the supplied length. A longer tag overwrites the stack past the buffer. Version 0.088 added the clamp to gcm_decrypt_verify, and 0.088_001 added it to the other three. Any caller of an affected helper that forwards an attacker-controlled tag longer than the buffer can trigger the overflow.
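The copy-without-a-bound pattern described above, as an added illustration that is not the CryptX or libtomcrypt source: a routine that copies a caller-supplied tag into a fixed 144-byte stack buffer with no length check, beside a hardened version that bounds the length before touching the buffer. The function names, result codes and the 16-byte "recomputed" tag are constructed for this example; MAXBLOCKSIZE is used only for the 144-byte size the advisory names.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the 144-byte MAXBLOCKSIZE stack buffer the advisory describes. */
#define MAXBLOCKSIZE 144

/* Hypothetical result codes for this example; not CryptX's API. */
enum { TAG_OK = 0, TAG_MISMATCH = -1, TAG_TOO_LONG = -2 };

/* Constant-time comparison so the verify step does not leak how many
 * leading tag bytes matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* VULNERABLE shape (illustrative): the caller's tag is copied into a fixed
 * stack buffer with no length check, so tag_len > MAXBLOCKSIZE overwrites
 * whatever sits past buf on the stack. Only ever called here with an
 * in-bounds tag, which is exactly why the defect went unnoticed in normal use. */
static int decrypt_verify_unchecked(const uint8_t *tag, size_t tag_len,
                                    const uint8_t *computed, size_t computed_len)
{
    uint8_t buf[MAXBLOCKSIZE];
    memcpy(buf, tag, tag_len);               /* no bound: stack overflow if tag_len > 144 */
    if (tag_len != computed_len || !ct_equal(buf, computed, computed_len))
        return TAG_MISMATCH;
    return TAG_OK;
}

/* HARDENED shape: bound the caller's length before the copy. Rejecting an
 * oversized tag is safe because no GCM, CCM, ChaCha20-Poly1305 or EAX tag
 * exceeds 16 bytes, far below MAXBLOCKSIZE. */
static int decrypt_verify_clamped(const uint8_t *tag, size_t tag_len,
                                  const uint8_t *computed, size_t computed_len)
{
    uint8_t buf[MAXBLOCKSIZE];
    if (tag_len > sizeof buf || computed_len > sizeof buf)
        return TAG_TOO_LONG;
    memcpy(buf, tag, tag_len);
    if (tag_len != computed_len || !ct_equal(buf, computed, computed_len))
        return TAG_MISMATCH;
    return TAG_OK;
}

/* Constructed 16-byte tag standing in for the value the AEAD mode recomputes
 * from the ciphertext during decrypt_verify. */
static const uint8_t k_computed[16] = {
    0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
    0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff };

int check_unchecked_in_bounds(void)
{
    return decrypt_verify_unchecked(k_computed, sizeof k_computed,
                                    k_computed, sizeof k_computed);
}

int check_correct_tag(void)
{
    return decrypt_verify_clamped(k_computed, sizeof k_computed,
                                  k_computed, sizeof k_computed);
}

int check_wrong_tag(void)
{
    uint8_t wrong[16];
    memcpy(wrong, k_computed, sizeof wrong);
    wrong[15] ^= 0x01;                      /* flip one bit of the tag */
    return decrypt_verify_clamped(wrong, sizeof wrong, k_computed, sizeof k_computed);
}

/* The attacker case: a 200-byte tag. The hardened routine refuses it; the
 * unchecked routine would have written 56 bytes past buf. */
int check_oversized_tag(void)
{
    uint8_t oversized[200];
    memset(oversized, 0x41, sizeof oversized);
    return decrypt_verify_clamped(oversized, sizeof oversized,
                                  k_computed, sizeof k_computed);
}

int main(void)
{
    printf("unchecked, in-bounds tag: %d\n", check_unchecked_in_bounds()); /* 0  */
    printf("hardened, correct tag:    %d\n", check_correct_tag());         /* 0  */
    printf("hardened, wrong tag:      %d\n", check_wrong_tag());           /* -1 */
    printf("hardened, oversized tag:  %d\n", check_oversized_tag());       /* -2 */
    return 0;
}
```

The advisory describes the fix as a clamp; whether the length is clamped to MAXBLOCKSIZE or rejected outright, the point is that the bound is enforced before the memcpy, and an over-long tag can then only fail verification rather than corrupt the stack.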
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-35675

Publication date:
28/05/2026
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via email, and achieve complete account takeover including administrative access.
Severity CVSS v4.0: HIGH
Last modification:
29/05/2026

CVE-2026-35671

Publication date:
28/05/2026
phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request.
Severity CVSS v4.0: HIGH
Last modification:
30/05/2026

CVE-2026-35672

Publication date:
28/05/2026
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question.
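The empty-default-token failure described above, as an added illustration that is not phpMyFAQ's code (written in C as a language-neutral sketch of the check): a naive comparison that accepts an empty header whenever the configured token is also empty, beside a hardened check that fails closed when no token has been configured. The function names, result codes and the sample token value are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical result codes for this example. */
enum { AUTH_OK = 0, AUTH_DENIED = -1, AUTH_UNCONFIGURED = -2 };

/* VULNERABLE shape: the request header is compared to the configured token.
 * If the token was never set and defaults to "", an absent or empty header
 * compares equal and the write endpoint is open to everyone. */
int token_check_naive(const char *configured, const char *supplied)
{
    if (configured == NULL) configured = "";   /* unset config value */
    if (supplied == NULL) supplied = "";       /* header absent */
    return strcmp(configured, supplied) == 0 ? AUTH_OK : AUTH_DENIED;
}

/* HARDENED shape: refuse to authenticate anyone while no token is configured,
 * require a non-empty header, and compare without an early exit on the first
 * differing byte. Length is still compared directly; for a fixed-length
 * random token that leaks nothing useful. */
int token_check_hardened(const char *configured, const char *supplied)
{
    if (configured == NULL || configured[0] == '\0')
        return AUTH_UNCONFIGURED;              /* fail closed: endpoint stays off */
    if (supplied == NULL || supplied[0] == '\0')
        return AUTH_DENIED;
    size_t n = strlen(configured);
    if (strlen(supplied) != n)
        return AUTH_DENIED;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(configured[i] ^ supplied[i]);
    return diff == 0 ? AUTH_OK : AUTH_DENIED;
}

/* Constructed sample token; a real deployment would generate a long random value. */
static const char *k_token = "example-client-token-0123456789";

/* The bypass: empty default configuration, empty x-pmf-token header. */
int demo_empty_default_naive(void)    { return token_check_naive("", ""); }
int demo_empty_default_hardened(void) { return token_check_hardened("", ""); }

/* Normal operation once a token is configured. */
int demo_valid_token_hardened(void)   { return token_check_hardened(k_token, k_token); }
int demo_wrong_token_hardened(void)   { return token_check_hardened(k_token, "example-client-token-9876543210"); }
int demo_missing_header_hardened(void){ return token_check_hardened(k_token, NULL); }

int main(void)
{
    printf("naive, empty config + empty header:    %d\n", demo_empty_default_naive());    /* 0  */
    printf("hardened, empty config + empty header: %d\n", demo_empty_default_hardened()); /* -2 */
    printf("hardened, correct token:               %d\n", demo_valid_token_hardened());   /* 0  */
    printf("hardened, wrong token:                 %d\n", demo_wrong_token_hardened());   /* -1 */
    printf("hardened, header missing:              %d\n", demo_missing_header_hardened());/* -1 */
    return 0;
}
```

The distinguishing decision is the first branch of the hardened check: an unconfigured secret is treated as "nobody may authenticate", not as "the secret is the empty string", so a fresh install cannot be written to until an operator has actually set a token.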
Severity CVSS v4.0: HIGH
Last modification:
28/05/2026

CVE-2026-35676

Publication date:
28/05/2026
phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sending PUT requests to the /api/index.php/user/password/update endpoint, causing account disruption and invalidating legitimate user credentials.
Severity CVSS v4.0: HIGH
Last modification:
28/05/2026

CVE-2026-9828

Publication date:
28/05/2026
Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection, albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from classes in the java.lang and java.util packages that are not explicitly blocked. Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions. This issue affects logback: through 1.5.32 inclusive.
Severity CVSS v4.0: LOW
Last modification:
29/05/2026

CVE-2026-8980

Publication date:
28/05/2026
The Mennekes Amtron series (firmware versions ≤ 5.22.3) is vulnerable to privilege escalation. An authenticated low-privileged user can change the passwords of the admin (operator) and manufacturer accounts via crafted POST requests.
Severity CVSS v4.0: CRITICAL
Last modification:
28/05/2026

CVE-2026-8990

Publication date:
28/05/2026
A user with physical access to a smartphone can bypass the authentication mechanism of the Kidsview mobile application and grant themselves full access to the device owner's account by interacting with the application's push notifications. This issue was fixed in version 4.4.3.
Severity CVSS v4.0: MEDIUM
Last modification:
28/05/2026

CVE-2026-8979

Publication date:
28/05/2026
The Mennekes Amtron series (firmware versions ≤ 5.22.3) is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST request to the /operator/operator endpoint.
Severity CVSS v4.0: CRITICAL
Last modification:
28/05/2026