Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-26096
Publication date:
20/02/2026
Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.
Severity CVSS v4.0: HIGH
Last modification:
27/02/2026

CVE-2026-26095
Publication date:
20/02/2026
Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.
Severity CVSS v4.0: HIGH
Last modification:
27/02/2026

CVE-2026-26093
Publication date:
20/02/2026
Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.
Severity CVSS v4.0: HIGH
Last modification:
27/02/2026

CVE-2026-25715
Publication date:
20/02/2026
The web management interface of the device allows the administrator <br /> username and password to be set to blank values. Once applied, the <br /> device permits authentication with empty credentials over the web <br /> management interface and Telnet service. This effectively disables <br /> authentication across all critical management channels, allowing any <br /> network-adjacent attacker to gain full administrative control without <br /> credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-26048
Publication date:
20/02/2026
The Wi-Fi router is vulnerable to de-authentication attacks due to the <br /> absence of management frame protection, allowing forged deauthentication<br /> and disassociation frames to be broadcast without authentication or <br /> encryption. An attacker can use this to cause unauthorized disruptions <br /> and create a denial-of-service condition.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-26049
Publication date:
20/02/2026
The web management interface of the device renders the passwords in a <br /> plaintext input field. The current password is directly visible to <br /> anyone with access to the UI, potentially exposing administrator <br /> credentials to unauthorized observation via shoulder surfing, <br /> screenshots, or browser form caching.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-24455
Publication date:
20/02/2026
The embedded web interface of the device does not support HTTPS/TLS for <br /> authentication and uses HTTP Basic Authentication. Traffic is encoded <br /> but not encrypted, exposing user credentials to passive interception by <br /> attackers on the same network.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2026-24790
Publication date:
20/02/2026
The underlying PLC of the device can be remotely influenced, without proper safeguards or authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-70833
Publication date:
20/02/2026
An Authentication Bypass vulnerability in Smanga 3.2.7 allows an unauthenticated attacker to reset the password of any user (including the administrator) and fully takeover the account by manipulating POST parameters. The issue stems from insecure permission validation in check-power.php.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2026

CVE-2026-1842
Publication date:
20/02/2026
HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-15582
Publication date:
20/02/2026
A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacted element is the function Delete/Update of the component Product Management Module. Performing a manipulation of the argument ID results in authorization bypass. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2025-15583
Publication date:
20/02/2026
A weakness has been identified in detronetdip E-commerce 1.0.0. This affects the function get_safe_value of the file utility/function.php. Executing a manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026
Subscribe to Vulnerabilities