Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-28387

Publication date:
07/04/2026
Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side.

Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code.

However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0)/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage.

By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable.

The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records.

No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-28388

Publication date:
07/04/2026
Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing.

Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application.

When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference.

Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it.

The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-39401

Publication date:
07/04/2026
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, job child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privilege user who can create and run events can modify any event property, including webhook URLs and notification emails. This vulnerability is fixed in 0.9.111.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2026-39400

Publication date:
07/04/2026
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The server stores this data without sanitization, and the client renders it via innerHTML on the Job Details page. This vulnerability is fixed in 0.9.111.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2026-39397

Publication date:
07/04/2026
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-35533

Publication date:
07/04/2026
mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted and then reach dangerous directives such as [env] _.source, templates, hooks, or tasks.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-34045

Publication date:
07/04/2026
Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limits and timeouts, an attacker can exhaust file descriptors and kernel memory, leading to application crash or full host freeze. Additionally, verbose error responses disclose internal paths and system details (including usernames on Windows), aiding further exploitation. The issue requires no authentication or user interaction and is exploitable over the network. This vulnerability is fixed in 1.26.2.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-33439

Publication date:
07/04/2026
Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.
Severity CVSS v4.0: CRITICAL
Last modification:
15/04/2026

CVE-2026-34080

Publication date:
07/04/2026
xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7.
Severity CVSS v4.0: MEDIUM
Last modification:
21/04/2026

CVE-2026-29181

Publication date:
07/04/2026
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-32712

Publication date:
07/04/2026
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-27949

Publication date:
07/04/2026
Plane is an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting personally identifiable information (PII) via GET request query strings is classified as an insecure design practice. The affected code path is located in the authentication utility module (packages/utils/src/auth.ts). This vulnerability is fixed in 1.3.0.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026