Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-33689
Publication date:
17/04/2026
xrdp is an open source RDP server. Versions through 0.10.5 have an out-of-bounds read vulnerability in the pre-authentication RDP message parsing logic. A remote, unauthenticated attacker can trigger this flaw by sending a specially crafted sequence of packets during the initial connection phase. This vulnerability results from insufficient validation of input buffer lengths before processing dynamic channel communication. Successful exploitation can lead to a denial-of-service (DoS) condition via a process crash or potential disclosure of sensitive information from the service's memory space. This issue has been fixed in version 0.10.6.
Severity CVSS v4.0: HIGH
Last modification:
27/04/2026

CVE-2026-33436
Publication date:
17/04/2026
Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames directly into HTML using unsafe methods like innerHTML without sanitization. An attacker can craft a file with a malicious filename containing JavaScript that executes in the uploading user's browser context, resulting in reflected XSS. The issue affects numerous upload endpoints across the application. The issue has been fixed in version 2.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-23500
Publication date:
17/04/2026
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0 , the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0.
Severity CVSS v4.0: CRITICAL
Last modification:
01/05/2026

CVE-2026-40461
Publication date:
17/04/2026
Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug <br /> settings (e.g., enabling SSH), allowing unauthorized state changes that <br /> can facilitate later compromise.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2026

CVE-2026-40434
Publication date:
17/04/2026
Anviz CrossChex Standard<br /> lacks source verification in the client/server channel, enabling TCP <br /> packet injection by an attacker on the same network to alter or disrupt <br /> application traffic.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2026

CVE-2026-40342
Publication date:
17/04/2026
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library&amp;#39;s initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server&amp;#39;s OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-35215
Publication date:
17/04/2026
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function does not validate the length of a decoded SDL descriptor from a slice packet. A zero-length descriptor is later used to calculate the number of slice items, causing a division by zero. An unauthenticated attacker can exploit this by sending a crafted slice packet to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-40283
Publication date:
17/04/2026
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the "Nome" field in the "Informações Pacientes" page. The payload is stored and executed when the patient information is viewed. Version 3.6.10 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-40066
Publication date:
17/04/2026
Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The <br /> device unpacks and executes a script resulting in unauthenticated remote<br /> code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2026

CVE-2026-35682
Publication date:
17/04/2026
Anviz CX2 Lite is vulnerable to an authenticated command injection via a <br /> filename parameter that enables arbitrary command execution (e.g., <br /> starting telnetd), resulting in root‑level access.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2026

CVE-2026-35546
Publication date:
17/04/2026
Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted <br /> archives to be accepted, enabling attackers to plant and execute code <br /> and obtain a reverse shell.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2026

CVE-2026-35061
Publication date:
17/04/2026
Anviz CX7 Firmware is vulnerable to the most recently captured test photo that can be <br /> retrieved without authentication, revealing sensitive operational <br /> imagery.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2026
Subscribe to Vulnerabilities