Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-32687
Publication date:
12/05/2026
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in elixir-ecto postgrex (&amp;#39;Elixir.Postgrex.Notifications&amp;#39; module) allows SQL Injection.<br /> <br /> The channel argument passed to &amp;#39;Elixir.Postgrex.Notifications&amp;#39;:listen/3 and &amp;#39;Elixir.Postgrex.Notifications&amp;#39;:unlisten/3 is interpolated directly into LISTEN "..." / UNLISTEN "..." SQL statements without escaping the " character. An attacker who can influence the channel name can inject a " to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. ; DROP TABLE ...; --). The same unsanitized interpolation also occurs in handle_connect/1 when replaying LISTEN commands after a reconnect.<br /> <br /> This vulnerability is associated with program file lib/postgrex/notifications.ex and program routines &amp;#39;Elixir.Postgrex.Notifications&amp;#39;:listen/3, &amp;#39;Elixir.Postgrex.Notifications&amp;#39;:unlisten/3, &amp;#39;Elixir.Postgrex.Notifications&amp;#39;:handle_connect/1.<br /> <br /> This issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2.
Severity CVSS v4.0: HIGH
Last modification:
13/05/2026

CVE-2025-70842
Publication date:
12/05/2026
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the File Management module of FluentCMS 1.2.3. The flaw allows an authenticated administrator to upload crafted SVG files containing malicious JavaScript code. Once uploaded, the script executes in the browser of any user who accesses the direct URL of the image, including unauthenticated visitors.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-8391
Publication date:
12/05/2026
Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150.0.3.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-8390
Publication date:
12/05/2026
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150.0.3.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-8388
Publication date:
12/05/2026
Incorrect boundary conditions in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-8389
Publication date:
12/05/2026
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-6865
Publication date:
12/05/2026
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) vulnerability that could cause unauthorized access to sensitive files when user-supplied input is improperly handled during server-side file path processing.
Severity CVSS v4.0: HIGH
Last modification:
12/05/2026

CVE-2026-43930
Publication date:
12/05/2026
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim&amp;#39;s password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.
Severity CVSS v4.0: LOW
Last modification:
13/05/2026

CVE-2026-43916
Publication date:
12/05/2026
pam_authnft is a PAM session module binding nftables firewall rules to authenticated sessions via cgroupv2 inodes. Prior to 0.2.0-alpha, a heap buffer over-read in peer_lookup_tcp (src/peer_lookup.c:134, prior to the fix) allowed a crafted NETLINK_SOCK_DIAG reply to slip past the message-size check, then dereference past the end of the allocation. This vulnerability is fixed in 0.2.0-alpha.
Severity CVSS v4.0: HIGH
Last modification:
13/05/2026

CVE-2026-45091
Publication date:
12/05/2026
sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator&amp;#39;s literal TOTP secret in the JWS payload of every minted unseal token. JWS payload is base64-encoded JSON, NOT encrypted. Any party who could observe a minted token (CI build logs, container env dumps, kubectl describe pod, Sentry/Rollbar stack traces, log aggregators) could decode the payload and extract the TOTP secret in plaintext. This vulnerability is fixed in 0.1.0-alpha.4.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-42006
Publication date:
12/05/2026
An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-40638
Publication date:
12/05/2026
Dell PowerScale InsightIQ, versions 5.0.0 through 6.2.0, contains an execution with unnecessary privileges vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026
Subscribe to Vulnerabilities