Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-31408
Publication date:
06/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold<br /> <br /> sco_recv_frame() reads conn-&gt;sk under sco_conn_lock() but immediately<br /> releases the lock without holding a reference to the socket. A concurrent<br /> close() can free the socket between the lock release and the subsequent<br /> sk-&gt;sk_state access, resulting in a use-after-free.<br /> <br /> Other functions in the same file (sco_sock_timeout(), sco_conn_del())<br /> correctly use sco_sock_hold() to safely hold a reference under the lock.<br /> <br /> Fix by using sco_sock_hold() to take a reference before releasing the<br /> lock, and adding sock_put() on all exit paths.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-31409
Publication date:
06/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: unset conn-&gt;binding on failed binding request<br /> <br /> When a multichannel SMB2_SESSION_SETUP request with<br /> SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn-&gt;binding = true<br /> but never clears it on the error path. This leaves the connection in<br /> a binding state where all subsequent ksmbd_session_lookup_all() calls<br /> fall back to the global sessions table. This fix it by clearing<br /> conn-&gt;binding = false in the error path.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-5632
Publication date:
06/04/2026
A vulnerability was found in assafelovic gpt-researcher up to 3.4.3. This impacts an unknown function of the component HTTP REST API Endpoint. Performing a manipulation results in missing authentication. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026

CVE-2026-5630
Publication date:
06/04/2026
A flaw has been found in assafelovic gpt-researcher up to 3.4.3. The impacted element is an unknown function of the file backend/server/app.py of the component Report API. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-5631
Publication date:
06/04/2026
A vulnerability has been found in assafelovic gpt-researcher up to 3.4.3. This affects the function extract_command_data of the file backend/server/server_utils.py of the component ws Endpoint. Such manipulation of the argument args leads to code injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026

CVE-2026-5628
Publication date:
06/04/2026
A security vulnerability has been detected in Belkin F9K1015 1.00.10. Impacted is the function formSetSystemSettings of the file /goform/formSetSystemSettings of the component Setting Handler. The manipulation of the argument webpage leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: HIGH
Last modification:
07/04/2026

CVE-2026-5629
Publication date:
06/04/2026
A vulnerability was detected in Belkin F9K1015 1.00.10. The affected element is the function formSetFirewall of the file /goform/formSetFirewall. The manipulation of the argument webpage results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: HIGH
Last modification:
07/04/2026

CVE-2026-5624
Publication date:
06/04/2026
A security flaw has been discovered in ProjectSend r2002. This vulnerability affects unknown code of the file upload.php. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version r2029 is able to resolve this issue. The patch is named 2c0d25824ab571b6c219ac1a188ad9350149661b. You should upgrade the affected component.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-5625
Publication date:
06/04/2026
A weakness has been identified in assafelovic gpt-researcher up to 3.4.3. This issue affects some unknown processing of the file gpt_researcher/skills/researcher.py of the component WebSocket Interface. Executing a manipulation of the argument task can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-5623
Publication date:
06/04/2026
A vulnerability was identified in hcengineering Huly Platform 0.7.382. This affects an unknown part of the file server/front/src/index.ts of the component Import Endpoint. Such manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-5620
Publication date:
06/04/2026
A vulnerability has been found in itsourcecode Construction Management System 1.0. Affected is an unknown function of the file /borrowed_equip_report.php of the component Parameter Handler. The manipulation of the argument Home leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-5621
Publication date:
06/04/2026
A vulnerability was found in ChrisChinchilla Vale-MCP up to 0.1.0. Affected by this vulnerability is an unknown functionality of the file src/index.ts of the component HTTP Interface. The manipulation of the argument config_path results in os command injection. Attacking locally is a requirement. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026
Subscribe to Vulnerabilities