Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-6866
Publication date:
12/05/2026
CWE-1188 Initialization of a Resource with an Insecure Default vulnerability exists that could cause unauthorized disclosure of sensitive information when credentials revert to initial settings in rare circumstances, enabling unauthorized authentication using known credentials.
Severity CVSS v4.0: HIGH
Last modification:
12/05/2026

CVE-2026-7431
Publication date:
12/05/2026
An incorrect permission assignment for critical resource of Ivanti Secure Access Client   before 22.8R6 allows a local authenticated user to read or modify sensitive log data via write access to a shared memory section.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-5061
Publication date:
12/05/2026
The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-43937
Publication date:
12/05/2026
YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5, Any admin OnPost… handler executes its side effects before the ResultFilterAttribute rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor from the POST body and passes it straight to IDbAccess.RunSql with no caller check, yielding arbitrary SQL execution for any low-privileged user. This vulnerability is fixed in 4.0.5.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-43938
Publication date:
12/05/2026
YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger (YAFNET.Core/Logger/DbLogger.cs) captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the EventLog.Description column whenever an event (e.g., an unhandled exception) is logged. The admin event-log page (YetAnotherForum.NET/Pages/Admin/EventLog.cshtml.cs) later deserializes that JSON in FormatStackTrace() and interpolates the UserAgent value directly into an HTML string with no encoding, and the Razor view EventLog.cshtml emits the result through @Html.Raw. This vulnerability is fixed in 4.0.5 and 3.2.12.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-43939
Publication date:
12/05/2026
YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the thread posting and reply feature accepts user-supplied content via a a post or reply that is stored server-side and later rendered back into the thread page without adequate HTML sanitization or contextual output encoding. This vulnerability is fixed in 4.0.5 and 3.2.12.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-43983
Publication date:
12/05/2026
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function (oidc_service.go) validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state before issuing new tokens. This allows (1) the client to refresh the token indefinitely after authorization revocation, (2) the refresh token to continue to work after the account is disabled, and (3) the token to work after the client is removed from the group. This vulnerability is fixed in 2.6.0.
Severity CVSS v4.0: HIGH
Last modification:
13/05/2026

CVE-2026-42260
Publication date:
12/05/2026
Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHttpUrl in src/utils/urlSafety.ts do not recognize bracketed IPv6 literals and do not resolve DNS, which combine to allow non-blind SSRF with the response body returned to the caller. This vulnerability is fixed in 2.1.7.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2025-70842
Publication date:
12/05/2026
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the File Management module of FluentCMS 1.2.3. The flaw allows an authenticated administrator to upload crafted SVG files containing malicious JavaScript code. Once uploaded, the script executes in the browser of any user who accesses the direct URL of the image, including unauthenticated visitors.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-32687
Publication date:
12/05/2026
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in elixir-ecto postgrex (&amp;#39;Elixir.Postgrex.Notifications&amp;#39; module) allows SQL Injection.<br /> <br /> The channel argument passed to &amp;#39;Elixir.Postgrex.Notifications&amp;#39;:listen/3 and &amp;#39;Elixir.Postgrex.Notifications&amp;#39;:unlisten/3 is interpolated directly into LISTEN "..." / UNLISTEN "..." SQL statements without escaping the " character. An attacker who can influence the channel name can inject a " to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. ; DROP TABLE ...; --). The same unsanitized interpolation also occurs in handle_connect/1 when replaying LISTEN commands after a reconnect.<br /> <br /> This vulnerability is associated with program file lib/postgrex/notifications.ex and program routines &amp;#39;Elixir.Postgrex.Notifications&amp;#39;:listen/3, &amp;#39;Elixir.Postgrex.Notifications&amp;#39;:unlisten/3, &amp;#39;Elixir.Postgrex.Notifications&amp;#39;:handle_connect/1.<br /> <br /> This issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2.
Severity CVSS v4.0: HIGH
Last modification:
13/05/2026

CVE-2026-8391
Publication date:
12/05/2026
Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150.0.3.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-8390
Publication date:
12/05/2026
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150.0.3.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026
Subscribe to Vulnerabilities