Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-44287
Publication date:
29/05/2026
FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\bimport\s*\(/.test(code). JavaScript syntax accepts a block comment between import and (; the regex matches only ASCII whitespace, and the bytes /, *, *, / are not in the \s character class. The payload import/**/("child_process") parses as a syntactically valid dynamic import that the regex does not detect. Because import() is not wrapped by the safeRequire Proxy (which only proxies require), the attacker loads child_process and calls execSync - arbitrary command execution as uid=100(sandbox) inside the sandbox container. This vulnerability is fixed in 4.15.0-beta1.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-44640
Publication date:
29/05/2026
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to 0.24.14, aio->prov_data is stored as nni_quic_conn* during dialing, but read as ex_quic_conn* during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This vulnerability is fixed in 0.24.14.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-42500
Publication date:
29/05/2026
Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-34127
Publication date:
29/05/2026
A stored<br /> cross-site scripting (XSS) vulnerability has been identified in the web<br /> management interface of TP-Link&amp;#39;s TL-SG108PE v5 switch due to improper sanitation of the SYSNAM<br /> configuration parameter during configuration file import. An attacker with<br /> administrator access can inject malicious script into the device configuration,<br /> which may be stored and executed in the administrator’s browser when the<br /> affected interface is viewed.    <br /> <br /> <br /> <br /> <br /> <br /> Successful<br /> exploitation may allow session cookie theft, unauthorized configuration<br /> changes, or access to sensitive information exposed through the management<br /> interface.
Severity CVSS v4.0: MEDIUM
Last modification:
29/05/2026

CVE-2026-9051
Publication date:
29/05/2026
There is an authentication bypass vulnerability in the NI SystemLink Enterprise Dashboard application that may allow an unauthenticated remote attacker to bypass authentication controls leading to privilege escalation or information disclosure.  Successful exploitation requires an attacker to send a specially crafted HTTP request.  This vulnerability affects NI SystemLink Enterprise 2026-04 and prior versions.
Severity CVSS v4.0: CRITICAL
Last modification:
29/05/2026

CVE-2026-49381
Publication date:
29/05/2026
In JetBrains TeamCity before 2026.1 stored XSS on the SAML login page was possible
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49382
Publication date:
29/05/2026
In JetBrains IntelliJ IDEA before 2026.1 code execution was possible via template injection in the Copyright plugin
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49383
Publication date:
29/05/2026
In JetBrains IntelliJ IDEA before 2026.1 xXE in the UI Designer form parser was possible
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49384
Publication date:
29/05/2026
In JetBrains PyCharm before 2025.3.4 stored XSS in Jupyter notebook Markdown cells was possible
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49385
Publication date:
29/05/2026
In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49386
Publication date:
29/05/2026
In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49372
Publication date:
29/05/2026
In JetBrains TeamCity before 2026.1,<br /> 2025.11.5 unauthenticated SSRF via build status was possible
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026
Subscribe to Vulnerabilities