Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources, as well as to any patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-49237

Publication date:
28/05/2026
An issue was discovered in Canonical Multipass for macOS before version 1.16.3 due to an incomplete fix for CVE-2025-5199. While the patch in version 1.16.0 updated the ownership of the multipassd daemon binary to root:wheel, five co-located binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, and sshfs_server) in /Library/Application Support/com.canonical.multipass/bin/ retain ownership by the installing user and remain writable. Because the root LaunchDaemon (com.canonical.multipassd.plist) configures a PATH environment variable that prioritizes this user-writable directory and invokes these auxiliary binaries by their bare names, a local attacker can replace an auxiliary binary (such as qemu-img) with a malicious wrapper. When the root daemon subsequently triggers the binary during routine execution (e.g., via multipass launch), the malicious code executes with root privileges, leading to local privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2026

CVE-2026-49238

Publication date:
28/05/2026
An issue was discovered in Canonical Multipass before version 1.16.3. The host-side SFTP server component (sshfs_server), which executes with root privileges on the host, contains a path containment bypass vulnerability within its validate_path function in src/sshfs_mount/sftp_server.cpp. The function performs a plain string prefix comparison on requested paths without path separator validation or dot-dot (..) normalization. A local attacker with root privileges inside a guest virtual machine can bypass the FUSE layer by injecting raw SFTP frames (such as an SSH_FXP_OPEN request) directly into the sshfs_server process stdin/stdout pipes via procfs. By supplying a path containing directory traversal sequences that match the allowed mount prefix, the attacker can force the host-side root process to resolve the traversal and open files outside the designated mount boundary. This allows a guest-side user to read arbitrary files on the host filesystem, resulting in a virtual machine escape.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2026

CVE-2026-37266

Publication date:
28/05/2026
An issue in Responsive File Manager Responsive FileManager Version 9.14.0 allows a remote attacker to execute arbitrary code via the force_download.php component.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-42250

Publication date:
28/05/2026
bzip2 contains an off-by-one error in the bzip2recover utility. When processing a specially crafted file, the application performs an out-of-bounds write to a global buffer, resulting in memory corruption and a crash (denial of service).

This issue was fixed in bzip2 patch 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67
Severity CVSS v4.0: MEDIUM
Last modification:
28/05/2026

CVE-2026-37579

Publication date:
28/05/2026
An issue in SMSGate sms-core
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-9658

Publication date:
28/05/2026
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.

The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,

GET /path\r\nHTTP/1.1\r\nHost: secret.example.com

Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-9818

Publication date:
28/05/2026
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2026

CVE-2026-40914

Publication date:
28/05/2026
A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. A user could successfully send a message to an address or consume a message from a queue with a routing-type not supported by the corresponding address when that operation should actually be rejected on the basis that the user doesn't have permission to change the routing-type of the address. Even though the user was already granted permission to send and/or consume messages, they should not be able to augment the routing-type of the address without the createAddress permission.

This issue affects Apache Artemis: from 2.50.0 through 2.53.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.

Users are recommended to upgrade to version 2.54.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-9813

Publication date:
28/05/2026
FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specified destination. Due to insufficient validation of the URL scheme and resolved destination address, affected versions may allow requests to loopback, link-local, private, reserved, or other restricted network resources, potentially enabling interaction with internal services or cloud metadata endpoints from the server's network context.
Severity CVSS v4.0: MEDIUM
Last modification:
29/05/2026

CVE-2026-47074

Publication date:
28/05/2026
Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (ExAws.SNS, ExAws.SNS.PublicKeyCache modules) allows Signature Spoofing by Improper Validation.

This vulnerability is associated with program files lib/ex_aws/sns.ex, lib/ex_aws/sns/public_key_cache.ex and program routines 'Elixir.ExAws.SNS':verify_message/1, 'Elixir.ExAws.SNS.PublicKeyCache':get/1.

'Elixir.ExAws.SNS':verify_message/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that the host matches an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to an endpoint that calls verify_message/1 can supply an attacker-controlled SigningCertURL, sign a forged SNS message with their own key, and cause the function to return :ok, completely bypassing SNS signature verification.

This issue affects ex_aws_sns: from 2.0.1 before 2.3.5.
Severity CVSS v4.0: HIGH
Last modification:
29/05/2026

CVE-2026-46234

Publication date:
28/05/2026
In the Linux kernel, the following vulnerability has been resolved:

vsock: fix buffer size clamping order

In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.

This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.

Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2026

CVE-2026-46235

Publication date:
28/05/2026
In the Linux kernel, the following vulnerability has been resolved:

media: saa7164: add ioremap return checks and cleanups

Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.

This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2026