Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-45566

Publication date:
10/06/2026
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://{request.host}{next_url} and the JS client redirects via window.location.replace(). The block does not consider the userinfo@host syntax. next=@evil.example/path produces https://victim.example@evil.example/path, which all modern browsers route to evil.example. At time of publication, there are no publicly available patches.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-45567

Publication date:
10/06/2026
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, there is an authentication bypass vulnerability via 'api' substring in URL + unauthenticated /api/gpt. At time of publication, there are no publicly available patches.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-25700

Publication date:
10/06/2026
Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2026

CVE-2026-9045

Publication date:
10/06/2026
During an internal security assessment, a potential vulnerability was discovered in Lenovo Accessories and Display Manager for Enterprise for Windows that could allow a local authenticated user to execute arbitrary code with elevated privileges.
Severity CVSS v4.0: HIGH
Last modification:
10/06/2026

CVE-2026-6090

Publication date:
10/06/2026
A potential authentication bypass was reported in Lenovo Smart Connect for Windows that could allow a local authenticated user to execute arbitrary code with elevated privileges.
Severity CVSS v4.0: HIGH
Last modification:
10/06/2026

CVE-2026-7516

Publication date:
10/06/2026
A vulnerability was identified in the Lenovo Android Application, distributed exclusively on tablets in the Chinese market, that could allow a website visited by the built-in browser to overwrite system clipboard contents.
Severity CVSS v4.0: MEDIUM
Last modification:
10/06/2026

CVE-2026-8637

Publication date:
10/06/2026
A potential uncontrolled search path vulnerability was reported in the LanSchool Classic client application that could allow a local authenticated user to execute arbitrary code with elevated privileges.
Severity CVSS v4.0: HIGH
Last modification:
10/06/2026

CVE-2026-8335

Publication date:
10/06/2026
A missing authentication check on the Aix‑DB "/llm/process_llm_out" endpoint allows unauthenticated clients to execute arbitrary "SELECT" SQL queries and retrieve database data, as the endpoint lacks the token validation enforced on all other application endpoints. All releases up to 1.2.4 are considered vulnerable. Status of next releases is unknown as the vulnerability has not been addressed by any patch.
Severity CVSS v4.0: HIGH
Last modification:
10/06/2026

CVE-2026-53689

Publication date:
10/06/2026
libnfs through 6.0.2 before 55c18ea does not validate a string size, leading to an integer overflow during a connection to a crafted NFS server. This occurs in libnfs_zdr_string in lib/libnfs-zdr.c.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-53475

Publication date:
10/06/2026
A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security (TLS) connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle (MITM) attacker to intercept and harvest vCenter administrator credentials. This can lead to unauthorized access to vCenter.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-53476

Publication date:
10/06/2026
A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. This could ultimately lead to the execution of unauthorized code on the appliance.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-53469

Publication date:
10/06/2026
A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments, leading to a critical loss of availability and integrity across the entire SaaS platform.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026