Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-52718
Publication date:
15/06/2026
A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-52719
Publication date:
15/06/2026
An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input buffer, leading to a crash or potential information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-52720
Publication date:
15/06/2026
A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a malicious VNC server and trick a user into connecting, resulting in an out-of-bounds heap write that could lead to code execution or a crash.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-52721
Publication date:
15/06/2026
Multiple out-of-bounds read vulnerabilities were found in GStreamer's pcapparse element. Malformed PCAP records can trigger reads beyond buffer boundaries during IPv4/TCP header parsing. This element is primarily used in debugging pipelines, limiting real-world exposure. A local attacker could trick a user into processing a specially crafted PCAP file, potentially leading to a crash or information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-52722
Publication date:
15/06/2026
A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-50890
Publication date:
15/06/2026
Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-50891
Publication date:
15/06/2026
Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-50892
Publication date:
15/06/2026
Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-50882
Publication date:
15/06/2026
An issue in the /api/v0/pastes endpoint of anna-is-cute paste v0.1.1 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-50883
Publication date:
15/06/2026
An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-50885
Publication date:
15/06/2026
Incorrect access control in the share-based read endpoints of Sismics Docs (Teedy) v1.11 allow unauthorized attackers to access sensitive endpoints via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-50886
Publication date:
15/06/2026
Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026
Subscribe to Vulnerabilities