Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters, you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-34079

Publication date:
07/04/2026
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.
Severity CVSS v4.0: HIGH
Last modification:
10/04/2026

CVE-2026-31789

Publication date:
07/04/2026
Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms.

Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior.

If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow.

Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-31790

Publication date:
07/04/2026
Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer.

Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker.

RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced.

If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext.

As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-28389

Publication date:
07/04/2026
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.

When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.

Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2026

CVE-2026-28390

Publication date:
07/04/2026
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.

When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.

Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2026

CVE-2026-34078

Publication date:
07/04/2026
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.
Severity CVSS v4.0: CRITICAL
Last modification:
11/04/2026

CVE-2026-28387

Publication date:
07/04/2026
Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side.

Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code.

However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0)/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage.

By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable.

The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records.

No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-28386

Publication date:
07/04/2026
Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks.

Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not written to output.

The vulnerable code path is only reached when processing partial blocks (when a previous call left an incomplete block and the current call provides fewer bytes than needed to complete it). Additionally, the input buffer must be positioned at a page boundary with the following page unmapped. CFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or ChaCha20-Poly1305 instead. For these reasons the issue was assessed as Low severity according to our Security Policy.

Only x86-64 systems with AVX-512 and VAES instruction support are affected. Other architectures and systems without VAES support use different code paths that are not affected.

OpenSSL FIPS module in 3.6 version is affected by this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2026

CVE-2026-28388

Publication date:
07/04/2026
Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing.

Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application.

When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference.

Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it.

The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2026

CVE-2026-39397

Publication date:
07/04/2026
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-39400

Publication date:
07/04/2026
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The server stores this data without sanitization, and the client renders it via innerHTML on the Job Details page. This vulnerability is fixed in 0.9.111.
Severity CVSS v4.0: MEDIUM
Last modification:
08/04/2026

CVE-2026-39401

Publication date:
07/04/2026
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, job child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privilege user who can create and run events can modify any event property, including webhook URLs and notification emails. This vulnerability is fixed in 0.9.111.
Severity CVSS v4.0: MEDIUM
Last modification:
08/04/2026