Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-34258
Publication date:
12/05/2026
SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low impact on confidentiality with no effect on the integrity and availability of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-34259
Publication date:
12/05/2026
Due to an OS Command Execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the attacker to read or modify any system data or shut down the system, resulting in a complete compromise of confidentiality, integrity, and availability.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-34260
Publication date:
12/05/2026
SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-40129
Publication date:
12/05/2026
Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-40131
Publication date:
12/05/2026
SQL injection vulnerability exists in @sap/hdi-deploy package, where SQL queries are dynamically constructed using user input without proper parameterization or prepared statements. Successful exploitation could allow the high privileged users to alter the SELECT statements impacting confidentiality and availability of the application. There is no impact on integrity.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-34263
Publication date:
12/05/2026
Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2026

CVE-2026-0502
Publication date:
12/05/2026
Due to insufficient CSRF protection in SAP BusinessObjects Business Intelligence Platform ,an authenticated user could be tricked by an attacker to send unintended requests to the web server. This has low impact on integrity and availability of the application. There is no impact on confidentiality of the data.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-45391
Publication date:
12/05/2026
Reserved. Details will be published at disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2026

CVE-2026-45392
Publication date:
12/05/2026
Reserved. Details will be published at disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2026

CVE-2026-45393
Publication date:
12/05/2026
Reserved. Details will be published at disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2026

CVE-2026-45362
Publication date:
12/05/2026
Sangoma Switchvox before 8.4 places cleartext SIP authentication credentials in a backup file.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-45321
Publication date:
12/05/2026
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026
Subscribe to Vulnerabilities