Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-35040
Publication date:
09/04/2026
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2026-35204
Publication date:
09/04/2026
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators ie. "/../". This vulnerability is fixed in 4.1.4.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026

CVE-2026-35205
Publication date:
09/04/2026
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026

CVE-2026-35041
Publication date:
09/04/2026
fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-33005
Publication date:
09/04/2026
Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings.<br /> <br /> Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID (metadata only NOT contents). Metadata includes id, type, name and some other field. Full list of fields get be checked at FileItemDTO object.<br /> <br /> This issue affects Apache OpenMeetings: from 3.10 before 9.0.0.<br /> <br /> Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2026-33266
Publication date:
09/04/2026
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.<br /> <br /> The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn&amp;#39;t changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.<br /> <br /> <br /> This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.<br /> <br /> Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2025-15480
Publication date:
09/04/2026
In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user&amp;#39;s password hash in the attached logs.
Severity CVSS v4.0: LOW
Last modification:
13/04/2026

CVE-2025-70365
Publication date:
09/04/2026
A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2025-70364
Publication date:
09/04/2026
An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2025-14551
Publication date:
09/04/2026
In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user&amp;#39;s plaintext Wi-Fi password, in the attached logs.
Severity CVSS v4.0: LOW
Last modification:
13/04/2026

CVE-2026-5959
Publication date:
09/04/2026
A security flaw has been discovered in GL.iNet GL-RM1, GL-RM10, GL-RM10RC and GL-RM1PE 1.8.1. Affected by this issue is some unknown functionality of the component Factory Reset Handler. Performing a manipulation results in improper authentication. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. Upgrading to version 1.8.2 can resolve this issue. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026

CVE-2026-5445
Publication date:
09/04/2026
An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026
Subscribe to Vulnerabilities