Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-45171

Publication date:
11/06/2026
Due to incomplete input validation and improperly configured folder permissions within Idira Privileged Session Manager (PSM) versions prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5, an authenticated, low-privileged user could potentially execute arbitrary code. CyberArk Security Bulletins: CA26-17 and CA26-18
Severity CVSS v4.0: CRITICAL
Last modification:
11/06/2026

CVE-2026-45172

Publication date:
11/06/2026
Due to incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6, an authenticated, low-privileged user could potentially execute arbitrary commands on the PSMP host. CyberArk Security Bulletins: CA26-17 and CA26-18
Severity CVSS v4.0: HIGH
Last modification:
11/06/2026

CVE-2026-45173

Publication date:
11/06/2026
Idira Identity Browser Extension (Chrome, Firefox, and Edge builds) versions prior to 26.8.1 exhibit an origin validation flaw within its internal web-page verification routines. If an authenticated user navigates to a specially crafted webpage, this interaction could potentially allow a remote attacker to trigger unauthorized application interaction or execution parameters within the context of that authenticated browser session. CyberArk Security Bulletin: CA26-21
Severity CVSS v4.0: HIGH
Last modification:
11/06/2026

CVE-2026-45174

Publication date:
11/06/2026
Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allow a local attacker to potentially compromise the agent daemon initialization. CyberArk Security Bulletin: CA26-19
Severity CVSS v4.0: HIGH
Last modification:
11/06/2026

CVE-2026-49060

Publication date:
11/06/2026
Incorrect Privilege Assignment vulnerability in Hippoo Mobile App for WooCommerce allows Privilege Escalation. This issue affects Hippoo Mobile App for WooCommerce: from n/a through 1.9.4.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-6250

Publication date:
11/06/2026
An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input. Externally controlled data is interpreted as a format string, which can be used to manipulate stack memory, including control flow data such as return addresses. A remote authenticated attacker may redirect execution flow to existing internal functions, triggering an unauthorized factory reset, leading to loss of configuration, deletion of stored credentials and service disruption.
Severity CVSS v4.0: HIGH
Last modification:
11/06/2026

CVE-2026-12035

Publication date:
11/06/2026
Use after free in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-39494

Publication date:
11/06/2026
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection. This issue affects Product Filter by WBW: from n/a through 3.1.2.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-42647

Publication date:
11/06/2026
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection. This issue affects JoomSport: from n/a through 5.7.7.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-42653

Publication date:
11/06/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iova.Mihai SliceWP allows Stored XSS. This issue affects SliceWP: from n/a through 1.2.6.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-44249

Publication date:
11/06/2026
Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-44250

Publication date:
11/06/2026
Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026