Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-2737
Publication date:
02/04/2026
A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session.
Severity CVSS v4.0: HIGH
Last modification:
21/04/2026

CVE-2026-29782
Publication date:
02/04/2026
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2026

CVE-2026-2699
Publication date:
02/04/2026
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-2701
Publication date:
02/04/2026
Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-28805
Publication date:
02/04/2026
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2026

CVE-2026-26928
Publication date:
02/04/2026
SzafirHost downloads necessary files in the context of the initiating web page. When called, SzafirHost updates its dynamic library. JAR files are correctly verified based on a list of trusted file hashes, and if a file was not on that list, it was checked to see if it had been digitally signed by the vendor. The application doesn&amp;#39;t verify hash or vendor&amp;#39;s digital signature of uploaded DLL, SO, JNILIB or DYLIB file. The attacker can provide malicious file which will be saved in users /temp folder and executed by the application.<br /> <br /> This issue was fixed in version 1.1.0.
Severity CVSS v4.0: HIGH
Last modification:
27/04/2026

CVE-2026-26927
Publication date:
02/04/2026
Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched.<br /> In Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via Szafir SDK Web browser addon. No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker&amp;#39;s website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the "remember" option before, the prompt won&amp;#39;t be shown and the application will be called in the context of URL provided by the attacker without any interaction.<br /> <br /> This issue was fixed in version 0.0.17.4.
Severity CVSS v4.0: MEDIUM
Last modification:
27/04/2026

CVE-2026-4636
Publication date:
02/04/2026
A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2026

CVE-2026-4634
Publication date:
02/04/2026
A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2026

CVE-2026-5328
Publication date:
02/04/2026
A weakness has been identified in shsuishang modulithshop up to 829bac71f507e84684c782b9b062b8bf3b5585d6. The impacted element is the function listItem of the file src/main/java/com/suisung/shopsuite/pt/service/impl/ProductIndexServiceImpl.java of the component ProductItemDao Interface. Executing a manipulation of the argument sidx/sort can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. This patch is called 42bcb9463425d1be906c3b290cf29885eb5a2324. A patch should be applied to remediate this issue.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-5330
Publication date:
02/04/2026
A vulnerability was found in SourceCodester/mayuri_k Best Courier Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=delete_user of the component User Delete Handler. Performing a manipulation of the argument ID results in improper access controls. The attack may be initiated remotely. The exploit has been made public and could be used.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026

CVE-2026-5331
Publication date:
02/04/2026
A vulnerability was determined in OpenCart 4.1.0.3. This affects an unknown part of the file installer.php of the component Extension Installer Page. Executing a manipulation can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026
Subscribe to Vulnerabilities