Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, to users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-49294

Publication date:
15/06/2026
Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, the value is reflected directly into the HTTP response body with Content-Type: application/javascript, without any validation, output encoding, or allowlist filtering. An attacker can craft a URL containing arbitrary JavaScript in the callback parameter; if a victim is induced to load that URL via a tag, the injected script executes in the context of the serving origin, potentially leading to session token theft, credential disclosure, or actions performed on behalf of the victim. This issue was not fixed at time of publication.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-20262

Publication date:
15/06/2026
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.
This vulnerability exists because the affected software does not properly validate user-supplied input during a file upload process. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root. To exploit this vulnerability, the attacker must have valid credentials with at least a lower-privileged, single-task user account.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-9862

Publication date:
15/06/2026
Fortra's Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during the autoregistration processing.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-9863

Publication date:
15/06/2026
Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be executed on the BoKS Master during client version handling.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-9595

Publication date:
15/06/2026
Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).
Patches: Fixed in webpack-dev-server@5.2.5.
Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-5038

Publication date:
15/06/2026
Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.
Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.
Workarounds: None.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-8683

Publication date:
15/06/2026
Mattermost Desktop App versions
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2025-15659

Publication date:
15/06/2026
Contributor Cross Site Scripting (XSS) in Elizaibots
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-10634

Publication date:
15/06/2026
Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock while invoking the per-connection callback and re-acquired it afterwards. During that window a concurrent tcp_conn_release(), running on the dedicated TCP work-queue thread when a connection's reference count drops to zero (e.g. a remote peer closing or resetting the connection), can remove and k_mem_slab_free() the cached next connection. When the iterator advances it dereferences the freed (and possibly reallocated) slab memory — a use-after-free that can crash the system (denial of service) and, if the slot has been reused, cause the callback to operate on an attacker-influenced object (potential information disclosure or further fault). net_tcp_foreach() is reached in production via the 'net conn' network shell command and via net_tcp_close_all_for_iface() on interface-down; the freeing side is driven by ordinary TCP traffic. The fix moves the connection/context teardown in tcp_conn_release() inside the tcp_lock critical section and keeps tcp_lock held across the callback in net_tcp_foreach(). The defect was introduced with the modern (TCP2) stack in 2020 and affects releases up to and including v4.4.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2025-15658

Publication date:
15/06/2026
Administrator Cross Site Scripting (XSS) in WP Emmet
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-5230

Publication date:
15/06/2026
Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-5233

Publication date:
15/06/2026
Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding.
This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026