Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-35094
Publication date:
01/04/2026
A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2026

CVE-2026-35093
Publication date:
01/04/2026
A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2026

CVE-2026-35092
Publication date:
01/04/2026
A flaw was found in Corosync. An integer overflow vulnerability in Corosync's join message sanity validation allows a remote, unauthenticated attacker to send crafted User Datagram Protocol (UDP) packets. This can cause the service to crash, leading to a denial of service. This vulnerability specifically affects Corosync deployments configured to use totemudp/totemudpu mode.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-35091
Publication date:
01/04/2026
A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-34999
Publication date:
01/04/2026
OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints. Attackers can bypass authentication checks and interact directly with the upstream bot backend through the OpenViking proxy without providing valid credentials.
Severity CVSS v4.0: MEDIUM
Last modification:
07/04/2026

CVE-2026-34430
Publication date:
01/04/2026
ByteDance DeerFlow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in bash tool handling that allows attackers to execute arbitrary commands on the host system by bypassing regex-based validation using shell features such as directory changes and relative paths. Attackers can exploit the incomplete shell semantics modeling to read and modify files outside the sandbox boundary and achieve arbitrary command execution through subprocess invocation with shell interpretation enabled.
Severity CVSS v4.0: HIGH
Last modification:
12/05/2026

CVE-2026-30522
Publication date:
01/04/2026
A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific penalty rates for overdue payments. While the frontend interface prevents users from entering negative numbers in the "Monthly Overdue Penalty" field, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the penalty_rate.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2026-30287
Publication date:
01/04/2026
An arbitrary file overwrite vulnerability in Deep Thought Industries ACE Scanner PDF Scanner v1.4.5 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-30289
Publication date:
01/04/2026
An arbitrary file overwrite vulnerability in Tinybeans Private Family Album App v5.9.5-prod allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-0522
Publication date:
01/04/2026
A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file&amp;#39;s path during its upload. When the file is subsequently downloaded, the file in the attacker controlled path is returned. Due to the application&amp;#39;s ASP.NET architecture, this could potentially lead to remote code execution when the "web.config" file is obtained. Furthermore, the application resolves UNC paths which may enable NTLM-relaying attacks.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> This issue affects VertiGIS FM: 10.5.00119 (0d29d428).
Severity CVSS v4.0: HIGH
Last modification:
07/04/2026

CVE-2026-29014
Publication date:
01/04/2026
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.
Severity CVSS v4.0: CRITICAL
Last modification:
07/04/2026

CVE-2026-22768
Publication date:
01/04/2026
Dell AppSync, version(s) 4.6.0, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026
Subscribe to Vulnerabilities