Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, of all the latest documented and recognised vulnerabilities for users interested in this information.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-44206

Publication date:
12/06/2026
Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4.
Severity CVSS v4.0: MEDIUM
Last modification:
12/06/2026

CVE-2026-44207

Publication date:
12/06/2026
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users' email configuration details. This issue has been patched in versions 15.107.0 and 16.17.0.
Severity CVSS v4.0: MEDIUM
Last modification:
12/06/2026

CVE-2026-44208

Publication date:
12/06/2026
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
Severity CVSS v4.0: MEDIUM
Last modification:
12/06/2026

CVE-2026-40677

Publication date:
12/06/2026
The use of insecure HTTP transport within AMD optional tools could allow an attacker to conduct a man-in-the-middle attack, potentially leading to arbitrary code execution.
Severity CVSS v4.0: HIGH
Last modification:
12/06/2026

CVE-2026-44967

Publication date:
12/06/2026
OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-6211

Publication date:
12/06/2026
Unrestricted upload of file with dangerous type vulnerability in Global IT Informatics Services Inc. WEOLL allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WEOLL: from 2.0.9 before 3.2.45.33.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2026

CVE-2026-6853

Publication date:
12/06/2026
Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. Pause+ Mobile App allows Authentication Bypass. This issue affects Pause+ Mobile App: from v1.0.6 before v1.5.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2026

CVE-2026-7368

Publication date:
12/06/2026
The Yarbo cloud does not enforce per-device or per-user authorization. Any client possessing valid credentials, whether the shared hard-coded credentials or legitimate per-user credentials, can subscribe to wildcard topics covering all robots globally, and can publish to any robot's command topic using only the robot's serial number (disclosed in the telemetry stream). Even after removal of hard-coded credentials from the app, a single compromised credential could still provide fleet-wide access without per-device access controls.
Severity CVSS v4.0: HIGH
Last modification:
12/06/2026

CVE-2026-8694

Publication date:
12/06/2026
Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-53787

Publication date:
12/06/2026
Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of any type or name to the upload endpoint without authentication, session validation, or cart context. Attackers can upload PHP files to achieve remote code execution on servers where the media directory permits PHP execution, or alternatively enable malware hosting, stored cross-site scripting via HTML or SVG uploads, and path traversal to write files outside the intended upload directory.
Severity CVSS v4.0: CRITICAL
Last modification:
12/06/2026

CVE-2026-53722

Publication date:
12/06/2026
Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application's origin but enables a same-tab phishing surface anchored to a legitimate application link. The same value was exposed to consumers of the component's custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically. This issue has been patched in versions 3.21.7 and 4.4.7.
Severity CVSS v4.0: MEDIUM
Last modification:
15/06/2026

CVE-2026-53721

Publication date:
12/06/2026
Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versions 3.21.7 and 4.4.7.
Severity CVSS v4.0: HIGH
Last modification:
15/06/2026