Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we maintain a database, in Spanish, of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are available, with criteria such as vulnerability type, manufacturer and impact level to narrow down the results.

You can be informed daily, through RSS feeds or newsletters, about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-8644

Publication date: 01/06/2026
IBM WebSphere Application Server 9.0 and 8.5 is vulnerable to identity spoofing.
Severity CVSS v4.0: Pending analysis
Last modification: 01/06/2026

CVE-2026-9311

Publication date: 01/06/2026
IBM WebSphere Application Server 9.0 and 8.5 is vulnerable to remote code execution caused by the bypass of security controls.
Severity CVSS v4.0: Pending analysis
Last modification: 01/06/2026

CVE-2026-9319

Publication date: 01/06/2026
IBM WebSphere Application Server 9.0 and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security.
Severity CVSS v4.0: Pending analysis
Last modification: 01/06/2026

CVE-2026-9330

Publication date: 01/06/2026
IBM WebSphere Application Server 9.0 and 8.5 is affected by an improper validation of user-supplied data during deserialization using the SAML Web Single Sign-On component. This could result in remote code execution via a crafted HTTP request when combined with a suitable gadget chain.
Severity CVSS v4.0: Pending analysis
Last modification: 01/06/2026

CVE-2026-9614

Publication date: 01/06/2026
An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access.
Severity CVSS v4.0: Pending analysis
Last modification: 01/06/2026

CVE-2026-49121

Publication date: 01/06/2026
AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py that allows unauthenticated remote attackers to execute arbitrary code by sending a malicious pickle payload to a ZMQ SUB socket with no authentication, HMAC, or format validation. Attackers who can reach the writer XPUB endpoint on the cluster network or supply a forged Handle with an attacker-controlled remote_subscribe_addr can deliver a crafted pickle payload that executes arbitrary code simultaneously as the inference worker process on every remote reader worker.
Severity CVSS v4.0: CRITICAL
Last modification: 01/06/2026

CVE-2026-7770

Publication date: 01/06/2026
IBM i Access Family 1.1.5.0 through 1.1.9.12 IBM i Access Client Solutions (ACS) is vulnerable to remote code execution when configured to listen for requests from IBM i Navigator.
Severity CVSS v4.0: Pending analysis
Last modification: 01/06/2026

CVE-2026-45727

Publication date: 01/06/2026
CloakBrowser is a tool to bypass bot detection tests. Prior to version 0.3.28, the cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal sequences to resolve user_data_dir outside the configured data_dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, resulting in arbitrary directory deletion. Additionally, cloakserve bound to 0.0.0.0 by default, making it network-exposed. This issue has been patched in version 0.3.28.
Severity CVSS v4.0: HIGH
Last modification: 01/06/2026

CVE-2026-45729

Publication date: 01/06/2026
Thor Vector Graphics (ThorVG) is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run() allows any caller that passes untrusted SVG data to Picture::load() to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5.
Severity CVSS v4.0: Pending analysis
Last modification: 01/06/2026

CVE-2026-45810

Publication date: 01/06/2026
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment to read the content of all comments. It is recommended that the Nextcloud Server is upgraded to 31.0.12 or 32.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12 or 32.0.3.
Severity CVSS v4.0: Pending analysis
Last modification: 01/06/2026

CVE-2026-47294

Publication date: 01/06/2026
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Severity CVSS v4.0: Pending analysis
Last modification: 01/06/2026

CVE-2026-45545

Publication date: 01/06/2026
Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary SQL queries up to 20 bytes long, through a stored injection. With carefully crafted input it is possible to break out of the length limitation. The attacker could use this to extract information from the database, or modify data. This issue has been patched in versions 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0.
Severity CVSS v4.0: Pending analysis
Last modification: 01/06/2026