Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we maintain a database, in Spanish, of the latest documented and recognised vulnerabilities, available to anyone interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for naming information-security vulnerabilities is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to further information sources and to any patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level.

RSS feeds and newsletters provide daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recent vulnerabilities.

CVE-2026-39847

Publication date:
07/04/2026
Emmett is a full-stack Python web framework designed with simplicity in mind. From 2.5.0 up to but not including 2.8.1, the RSGI static handler for Emmett's internal assets (/__emmett__ paths) is vulnerable to path traversal. An attacker can use ../ sequences (e.g. /__emmett__/../rsgi/handlers.py) to read arbitrary files outside the assets directory. This vulnerability is fixed in 2.8.1.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-34781

Publication date:
07/04/2026
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-35406

Publication date:
07/04/2026
Aardvark-dns is an authoritative DNS server for A/AAAA container records. From 1.16.0 to 1.17.0, a truncated TCP DNS query followed by a connection reset causes aardvark-dns to enter an unrecoverable infinite error loop at 100% CPU. This vulnerability is fixed in 1.17.1.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026
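
The failure mode above is a TCP reader that keeps retrying a connection that can never deliver another byte. The following is an added example, not aardvark-dns's code, of length-prefixed TCP DNS reading where a short read, EOF or reset ends the connection instead of feeding an error loop. The stream objects, the 12-byte stand-in query and the handler are constructed for the demo.

```python
# Added example, not aardvark-dns's code: reading length-prefixed DNS messages
# from a TCP stream so that a truncated message or a reset simply ends the
# connection instead of being retried forever.
import io
import struct


def _read_exact(stream, n):
    """Read exactly n bytes from a binary stream (e.g. sock.makefile('rb')).

    Returns None if the peer closes the connection first. A short read is
    how a truncated message shows up; it is a signal to stop, not to retry.
    """
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:            # EOF: peer went away mid-message
            return None
        buf += chunk
    return bytes(buf)


def read_tcp_dns_message(stream):
    """Read one TCP DNS message (RFC 1035 4.2.2: 2-byte big-endian length
    prefix, then the DNS message). Returns the message bytes, or None if the
    connection ended or was reset before a complete message arrived."""
    try:
        header = _read_exact(stream, 2)
        if header is None:
            return None
        (length,) = struct.unpack("!H", header)
        if length < 12:          # shorter than a DNS header: malformed
            return None
        return _read_exact(stream, length)
    except (ConnectionError, OSError):
        # ECONNRESET and friends: the connection is dead, nothing to retry.
        return None


def serve_connection(stream, handler):
    """Process queries on one TCP connection until it ends.

    Every path out of read_tcp_dns_message that is not a complete message
    returns None, and None terminates the loop. The bug class in the
    advisory is a loop that instead logs the error and goes round again.
    """
    handled = 0
    while True:
        msg = read_tcp_dns_message(stream)
        if msg is None:
            break
        handler(msg)
        handled += 1
    return handled


class ResettingStream:
    """Constructed peer: delivers some bytes, then resets the connection."""

    def __init__(self, data):
        self._buf = io.BytesIO(data)

    def read(self, n):
        chunk = self._buf.read(n)
        if not chunk:
            raise ConnectionResetError("peer reset")
        return chunk


def frame(dns_message):
    """Prefix a DNS message with its 2-byte length, as TCP DNS requires."""
    return struct.pack("!H", len(dns_message)) + dns_message


# Constructed 12-byte DNS header (ID 0x1234, flags 0, zero counts) standing in
# for a query; its contents are irrelevant to the framing logic shown here.
QUERY = b"\x12\x34" + b"\x00" * 10


def demo():
    results = {}
    # Two complete queries, then a clean close: both are handled.
    results["two_then_eof"] = serve_connection(io.BytesIO(frame(QUERY) * 2), lambda m: None)
    # A query whose announced length exceeds what the peer sends, then EOF.
    results["truncated"] = read_tcp_dns_message(io.BytesIO(frame(QUERY)[:8]))
    # Truncated query followed by a connection reset: the advisory's trigger.
    results["truncated_then_reset"] = serve_connection(ResettingStream(frame(QUERY)[:8]), lambda m: None)
    return results
```

On a real socket the same logic applies with recv(); the important property is that the loop has exactly one way to continue (a complete message) and every other outcome closes the connection.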

CVE-2026-35568

Publication date:
07/04/2026
MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to 1.0.0, the java-sdk contains a DNS rebinding vulnerability. It allows an attacker to reach a local or network-private java-sdk MCP server through the browser of a victim who is either local or network-adjacent, and then to make any tool call to the server as if they were a locally running MCP-connected AI agent. This vulnerability is fixed in 1.0.0.
Severity CVSS v4.0: HIGH
Last modification:
08/04/2026
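
DNS rebinding works because the victim's browser happily sends requests to 127.0.0.1 once the attacker's name resolves there, but those requests still carry the attacker's hostname in Host and the attacker's page in Origin. The following is an added example, not the MCP Java SDK's code, of the usual server-side gate: accept only Host values that name this service and only Origins from it (or none, as a non-browser client sends). The allow-list and header dictionaries are constructed for the demo.

```python
# Added example, not the MCP Java SDK's code: Host and Origin validation for
# a loopback-bound HTTP service, the standard mitigation for DNS rebinding.
from urllib.parse import urlsplit

# Names this service answers to. For a network-private server its own
# hostname/IP would be added here (assumed deployment detail).
LOOPBACK_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


def _split_host_port(value):
    """Split an HTTP Host value into (hostname, port-or-None).

    Handles bracketed IPv6 literals ("[::1]:8080"). Raises ValueError on
    anything that is not syntactically host[:port].
    """
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    if rest == "":
        return host.lower(), None
    if rest.startswith(":") and rest[1:].isdigit():
        return host.lower(), int(rest[1:])
    raise ValueError("bad host:port")


def host_allowed(host_header, allowed_hosts=LOOPBACK_HOSTS, expected_port=None):
    """True only if Host names this service (and, if given, its exact port).

    A rebound attacker name arrives as e.g. "attacker.example:8080" and is
    rejected here even though the TCP connection came to 127.0.0.1.
    """
    if not host_header:
        return False
    try:
        host, port = _split_host_port(host_header)
    except ValueError:
        return False
    if host not in allowed_hosts:
        return False
    return expected_port is None or port == expected_port


def origin_allowed(origin_header, allowed_hosts=LOOPBACK_HOSTS):
    """Browsers send Origin on cross-site requests; a non-browser MCP client
    normally sends none, which is allowed. 'null' and foreign origins are not."""
    if origin_header is None:
        return True
    parts = urlsplit(origin_header)       # hostname is lowercased, brackets stripped
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname in allowed_hosts


def request_allowed(headers, allowed_hosts=LOOPBACK_HOSTS, expected_port=None):
    """Gate an incoming request before any MCP tool call is dispatched."""
    h = {k.lower(): v for k, v in headers.items()}
    return (host_allowed(h.get("host"), allowed_hosts, expected_port)
            and origin_allowed(h.get("origin"), allowed_hosts))
```

This check does not replace binding to 127.0.0.1 or requiring an authentication token; it closes the specific gap where a browser on the same machine or LAN is used as the attacker's proxy.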

CVE-2026-39933

Publication date:
07/04/2026
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in the Wikimedia Foundation's MediaWiki GlobalWatchlist extension allows cross-site scripting (XSS). The issue has been remediated on the `master` branch and in the release branches for MediaWiki versions 1.43, 1.44 and 1.45.
Severity CVSS v4.0: MEDIUM
Last modification:
08/04/2026

CVE-2026-34371

Publication date:
07/04/2026
LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger execute_code an arbitrary file write primitive as the LibreChat server user. This vulnerability is fixed in 0.8.4.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-34580

Publication date:
07/04/2026
Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name: it returned true if any certificate in the store had a DN (and subject key identifier, if set) matching that of the argument, without checking that the certificate it found and the certificate it was passed were actually the same certificate. Also in 3.11.0, an extension of the path validation logic was made which assumed that certificate_known only returned true if the certificates were in fact identical. The impact is that if an end entity certificate is presented whose DN (and subject key identifier, if set) match those of any trusted root, the end entity certificate is accepted immediately as if it itself were a trusted root. This vulnerability is fixed in 3.11.1.
Severity CVSS v4.0: CRITICAL
Last modification:
08/04/2026
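
The DN and Subject Key Identifier are plain fields in the certificate body, so anyone issuing their own certificate can copy a trusted root's values into it. The following is an added example, not Botan's code, showing why a "known" check used as a trust shortcut must compare certificate identity (the encoded certificate) rather than those name fields. The Cert class, the store and the byte strings standing in for DER encodings are constructed; no real X.509 parsing is involved.

```python
# Added example, not Botan's code: a trust-store lookup must decide "is this
# certificate in the store?" by certificate identity, not by name fields an
# attacker can copy into a certificate of their own. Constructed data only.
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject_dn: str           # Distinguished Name, chosen by whoever issues the cert
    skid: Optional[bytes]     # Subject Key Identifier extension, if present
    der: bytes                # encoded certificate (stand-in bytes here)

    def fingerprint(self):
        return hashlib.sha256(self.der).hexdigest()


class CertificateStore:
    def __init__(self, trusted_roots):
        self._by_fingerprint = {c.fingerprint(): c for c in trusted_roots}
        # SKID is modelled as part of the lookup key when present, matching
        # the advisory's "and subject key identifier, if set".
        self._by_name = {(c.subject_dn, c.skid) for c in trusted_roots}

    def certificate_known_by_name(self, cert):
        """The misleading behaviour described in the advisory: true if ANY
        stored certificate has the same DN (and SKID). Two different
        certificates can trivially share both."""
        return (cert.subject_dn, cert.skid) in self._by_name

    def certificate_known(self, cert):
        """Identity check: true only if this exact encoded certificate is
        one of the trusted roots."""
        return cert.fingerprint() in self._by_fingerprint


def accepted_as_trusted_root(store, end_entity, known):
    """Model of the path-validation shortcut that assumed `known` meant
    "identical to a trusted root": if it answers yes, the presented
    certificate is accepted immediately, with no signature check at all."""
    return known(end_entity)


def demo():
    root = Cert("CN=Example Root CA", b"\x01" * 20, b"constructed-root-der")
    store = CertificateStore([root])

    # Attacker's self-issued end-entity cert: copies the root's DN and SKID
    # but is a different certificate under a key the attacker controls.
    forged = Cert("CN=Example Root CA", b"\x01" * 20, b"constructed-attacker-der")
    # The genuine root, re-presented.
    genuine = Cert(root.subject_dn, root.skid, root.der)

    return {
        "forged_by_name": accepted_as_trusted_root(store, forged, store.certificate_known_by_name),
        "forged_by_identity": accepted_as_trusted_root(store, forged, store.certificate_known),
        "genuine_by_identity": accepted_as_trusted_root(store, genuine, store.certificate_known),
    }
```

A name-keyed lookup is still useful for finding candidate issuers during path building; what it must never be used for is deciding that the presented certificate is itself an anchor.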

CVE-2026-34582

Publication date:
07/04/2026
Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed before the Finished message was received. A server attempting to enforce client authentication via certificates can be bypassed by a client that entirely omits the Certificate, CertificateVerify and Finished messages and instead sends application data records. This vulnerability is fixed in 3.11.1.
Severity CVSS v4.0: HIGH
Last modification:
08/04/2026
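
The fix for this class of bug is an ordering rule in the record layer: application data is only meaningful once the peer's Finished has been verified. The following is an added example, not Botan's TLS code, of a server-side gate expressed as a small state machine. Handshake message names follow RFC 8446, but the records are plain strings and bytes rather than real TLS encodings, and signature and MAC verification are out of scope, so only the ordering is shown. The `gate_app_data=False` switch reproduces the flawed behaviour for comparison.

```python
# Added example, not Botan's TLS code: the server-side handshake gate that
# the advisory describes as missing. Message names follow RFC 8446; the
# records are constructed strings/bytes, not real TLS encodings.
from enum import Enum, auto


class State(Enum):
    WAIT_CERT = auto()       # client authentication requested
    WAIT_CV = auto()         # CertificateVerify expected
    WAIT_FINISHED = auto()
    CONNECTED = auto()       # client Finished verified; app data may flow


class UnexpectedMessage(Exception):
    """Would be sent to the peer as an unexpected_message alert."""


class ServerHandshake:
    _TRANSITIONS = {
        (State.WAIT_CERT, "Certificate"): State.WAIT_CV,
        (State.WAIT_CV, "CertificateVerify"): State.WAIT_FINISHED,
        (State.WAIT_FINISHED, "Finished"): State.CONNECTED,
    }

    def __init__(self, require_client_auth, gate_app_data=True):
        # gate_app_data=False reproduces the flaw: application data is
        # accepted in any state, so a client can skip straight past auth.
        self.state = State.WAIT_CERT if require_client_auth else State.WAIT_FINISHED
        self.gate_app_data = gate_app_data
        self.app_data = []

    def handle_record(self, content_type, body):
        if content_type == "application_data":
            if self.gate_app_data and self.state is not State.CONNECTED:
                raise UnexpectedMessage("application_data before client Finished")
            self.app_data.append(body)
            return
        if content_type != "handshake":
            raise UnexpectedMessage(f"unsupported content type {content_type}")
        nxt = self._TRANSITIONS.get((self.state, body))
        if nxt is None:
            raise UnexpectedMessage(f"{body} not allowed in {self.state.name}")
        self.state = nxt


def run(records, require_client_auth=True, gate_app_data=True):
    """Feed (content_type, body) records; returns what the server ends up
    with: (state name, [app data]) or ('alert', reason)."""
    hs = ServerHandshake(require_client_auth, gate_app_data)
    try:
        for ct, body in records:
            hs.handle_record(ct, body)
    except UnexpectedMessage as e:
        return ("alert", str(e))
    return (hs.state.name.lower(), hs.app_data)


# Constructed flows. Honest client presenting a certificate:
HONEST = [("handshake", "Certificate"), ("handshake", "CertificateVerify"),
          ("handshake", "Finished"), ("application_data", b"GET / HTTP/1.1")]
# The advisory's bypass: no Certificate, CertificateVerify or Finished at all.
BYPASS = [("application_data", b"GET / HTTP/1.1")]
```

A real stack has to carve out the explicitly negotiated 0-RTT early-data case, which is keyed and accounted for separately; nothing else from the application layer belongs before the client's Finished, and an empty Certificate message is a policy decision the server must take before it ever reaches CONNECTED.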

CVE-2026-34765

Publication date:
07/04/2026
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions. Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected. Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-34079

Publication date:
07/04/2026
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the ld.so cache handling removes outdated cache files without properly checking that the app-controlled path to the outdated cache lies within the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.
Severity CVSS v4.0: HIGH
Last modification:
10/04/2026
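
Three entries on this page (the Emmett asset read, the LibreChat artifact write and the Flatpak cache delete) share one root cause: a caller-controlled path is joined onto a base directory and then used without checking that the result stays inside it. The following is an added example, not code from Emmett, LibreChat or Flatpak, of the containment check that applies to all three operations. The temporary directory layout, file names and symlink are constructed for the demo.

```python
# Added example, not code from Emmett, LibreChat or Flatpak: containing a
# caller-controlled path inside a base directory before reading, writing or
# deleting it.
import os
import tempfile
from pathlib import Path


class PathEscape(ValueError):
    """The requested path resolves outside the permitted base directory."""


def safe_join(base, untrusted):
    """Return base/untrusted only if the fully resolved result is inside base.

    Resolving first collapses '..' segments and follows symlinks, so the
    check is made on the path the OS would really open, not on the string.
    A leading separator is stripped so an absolute value cannot replace the
    base the way os.path.join would let it.
    """
    base_real = Path(base).resolve()
    candidate = (base_real / untrusted.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base_real)      # component-wise, so /base2 != /base
    except ValueError as exc:
        raise PathEscape(f"{untrusted!r} escapes {base_real}") from exc
    return candidate


def unchecked_join(base, untrusted):
    """The pattern in the advisories: concatenate and trust the result."""
    return Path(os.path.join(base, untrusted))


def demo():
    """Constructed layout: an assets dir with one file and a secret beside it."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        assets = root / "assets"
        assets.mkdir()
        (assets / "app.css").write_text("body{}")
        (root / "secret.txt").write_text("top secret")

        results["ok"] = safe_join(assets, "app.css").read_text()

        attempts = {
            "traversal": "../secret.txt",                    # Emmett-style read
            "deep_traversal": "../../../../../secret.txt",   # LibreChat-style write target
            "absolute": str(root / "secret.txt"),
        }
        try:
            (assets / "link").symlink_to(root / "secret.txt")  # symlink inside base
            attempts["symlink"] = "link"
        except OSError:
            pass                                               # platform forbids symlinks
        for name, req in attempts.items():
            try:
                p = safe_join(assets, req)
                # Contained: under assets and not the real secret.
                results[name] = "contained" if p != (root / "secret.txt").resolve() else "escaped"
            except PathEscape:
                results[name] = "rejected"

        # The unchecked join really does reach the secret:
        results["unchecked"] = unchecked_join(assets, "../secret.txt").read_text()
    return results
```

The same function guards a delete as well as a read or write: resolve, check containment, and only then unlink. The symlink case matters for the delete and write variants in particular, since a link planted inside the base can point anywhere on the host.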

CVE-2026-31789

Publication date:
07/04/2026
Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms.

Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior.

If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow.

Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-31790

Publication date:
07/04/2026
Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer.

Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker.

RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced.

If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext.

As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026