Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-36236
Publication date:
10/04/2026
SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-36232
Publication date:
10/04/2026
A SQL injection vulnerability was found in the instructorClasses.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'classId' parameter from $_GET['classId'] is directly concatenated into the SQL query without any sanitization or validation.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-36233
Publication date:
10/04/2026
A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that attackers can inject malicious code via the parameter "subjcode" and use it directly in SQL queries without the need for appropriate cleaning or validation.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-36234
Publication date:
10/04/2026
itsourcecode Online Student Enrollment System v1.0 is vulnerable to SQL Injection in newCourse.php via the 'coursename' parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-31262
Publication date:
10/04/2026
Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2026

CVE-2026-23782
Publication date:
10/04/2026
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its corresponding secret value. With these exposed secrets, an attacker could invoke privileged API operations, potentially leading to unauthorized access.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-23780
Publication date:
10/04/2026
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-29861
Publication date:
10/04/2026
PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2025-44560
Publication date:
10/04/2026
owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-6069
Publication date:
10/04/2026
NASM’s disasm() function contains a stack based buffer overflow when formatting disassembly output, allowing an attacker triggered out-of-bounds write when `slen` exceeds the buffer capacity.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2026

CVE-2026-6067
Publication date:
10/04/2026
A heap buffer overflow vulnerability exists in the Netwide Assembler (NASM) due to a lack of bounds checking in the obj_directive() function. This vulnerability can be exploited by a user assembling a malicious .asm file, potentially leading to heap memory corruption, denial of service (crash), and arbitrary code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2026-6068
Publication date:
10/04/2026
NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the global depend_file and later dereferenced, as the response-file buffer is freed before the pointer is used, allowing for data corruption or remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2026
Subscribe to Vulnerabilities