Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-11362

Publication date:
05/06/2026
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags.
DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.
The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2026

CVE-2026-48101

Publication date:
05/06/2026
7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an uninitialized memory disclosure vulnerability in the UEFI capsule (.scap) parser. The OpenCapsule function allocates a heap buffer of attacker-declared CapsuleImageSize (up to 1 GiB) without zero-initialization, then reads the file contents into it with ReadStream_FALSE, whose return value is silently discarded. If the file is truncated, the unread tail of the buffer retains uninitialized heap memory, which is then exposed as extracted file content via GetStream. Version 26.0.1 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2026

CVE-2026-48102

Publication date:
05/06/2026
7-Zip is a file archiver with a high compression ratio. Versions 9.11 through 26.00 contain a heap out-of-bounds read of up to 3 bytes in the UDF disc image handler's File Identifier Descriptor parser. In CFileId::Parse (CPP/7zip/Archive/Udf/UdfIn.cpp), after validating size
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2026

CVE-2026-9270

Publication date:
05/06/2026
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections.
DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.
The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix.
The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram.
The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections.
Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2026

CVE-2026-11336

Publication date:
05/06/2026
A vulnerability has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected is an unknown function of the file dashboard_page/admin_page.php of the component Admin Interface. The manipulation of the argument UserAuthData leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: LOW
Last modification:
05/06/2026

CVE-2026-6207

Publication date:
05/06/2026
Observable response discrepancy vulnerability in HAVELSAN Inc. Geographic Tracking System allows System Footprinting.
This issue affects Geographic Tracking System: before v0.0.2.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2026

CVE-2026-6208

Publication date:
05/06/2026
Authorization bypass through User-Controlled key vulnerability in HAVELSAN Inc. Geographic Tracking System allows Exploitation of Trusted Identifiers.
This issue affects Geographic Tracking System: before v0.0.2.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2026

CVE-2026-6209

Publication date:
05/06/2026
Improper Access Control, Missing Authorization vulnerability in HAVELSAN Inc. Geographic Tracking System allows Accessing Functionality Not Properly Constrained by ACLs.
This issue affects Geographic Tracking System: before v0.0.2.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2026

CVE-2026-48092

Publication date:
05/06/2026
7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain a heap memory disclosure via SquashFS fragment offset integer overflow on 32-bit builds. 32-bit integer overflow in the SquashFS ReadBlock function allows an attacker-controlled node.Offset value to bypass the fragment bounds check, causing memcpy to read heap memory preceding the cache buffer into the extracted file. The vulnerability is exploitable only on 32-bit builds of 7-Zip where size_t is 32 bits, allowing the addition offsetInBlock + blockSize to wrap modulo 2³². On 64-bit builds the addition is promoted to 64 bits and the check correctly rejects the input. Version 26.01 patches the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2026

CVE-2026-48095

Publication date:
05/06/2026
7-Zip is a file archiver with a high compression ratio. Versions 26.00 and prior contain a heap buffer overflow vulnerability caused by an under-allocation in the NTFS compressed stream buffer (GetCuSize shift UB), potentially allowing attackers to cause arbitrary code execution or application crashes. CInStream::GetCuSize() in the NTFS handler computes the compression-unit buffer size as (UInt32)1
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2026

CVE-2026-38579

Publication date:
05/06/2026
Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in damasac thaipalliative_lte through version 3.0 allow remote attackers to inject arbitrary web script or HTML via the idFormMain parameter (line 24), the id parameter (lines 25, 75), and the ptid_key parameter (lines 26, 42) in /substudy/ezform.php. User input is echoed into HTML attributes and JavaScript contexts without encoding.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2026

CVE-2026-11333

Publication date:
05/06/2026
A security vulnerability has been detected in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. The impacted element is an unknown function of the file dashboard_page/forms/upload_student_data.php of the component Student Data Upload Endpoint. Such manipulation of the argument Student-Data-CSV leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: LOW
Last modification:
05/06/2026