Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-23780
Publication date:
10/04/2026
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-29861
Publication date:
10/04/2026
PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2025-44560
Publication date:
10/04/2026
owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-6069
Publication date:
10/04/2026
NASM’s disasm() function contains a stack based buffer overflow when formatting disassembly output, allowing an attacker triggered out-of-bounds write when `slen` exceeds the buffer capacity.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2026

CVE-2026-6067
Publication date:
10/04/2026
A heap buffer overflow vulnerability exists in the Netwide Assembler (NASM) due to a lack of bounds checking in the obj_directive() function. This vulnerability can be exploited by a user assembling a malicious .asm file, potentially leading to heap memory corruption, denial of service (crash), and arbitrary code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2026-6068
Publication date:
10/04/2026
NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the global depend_file and later dereferenced, as the response-file buffer is freed before the pointer is used, allowing for data corruption or remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2026

CVE-2026-40217
Publication date:
10/04/2026
LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-33092
Publication date:
10/04/2026
Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM (macOS) before build 42571, Acronis True Image (macOS) before build 42902.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2026

CVE-2025-58913
Publication date:
10/04/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro videopro allows PHP Local File Inclusion.This issue affects VideoPro: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2025-58920
Publication date:
10/04/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zootemplate Cerato cerato allows Reflected XSS.This issue affects Cerato: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2025-5804
Publication date:
10/04/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User case-theme-user allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-5774
Publication date:
10/04/2026
Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.
Severity CVSS v4.0: MEDIUM
Last modification:
22/04/2026
Subscribe to Vulnerabilities