Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-36962
Publication date:
11/05/2026
SQL Injection in MuuCMF T6 v1.9.4.20260115 allows an unauthenticated attacker to compromise the entire database, achieve unauthorized administrative access, and potentially gain remote code execution by writing malicious files to the server's file system via the keyword parameter in the /index/controller/Search.php endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-38568
Publication date:
11/05/2026
HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/ and /interview/ endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authorized role. Any authenticated user can access any other user's candidate profiles and interview notes by iterating the integer ID in the URL path, constituting a horizontal privilege escalation and full data breach of all records in the system.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-38566
Publication date:
11/05/2026
HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms (password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add) are vulnerable to CSRF. An attacker who can trick an authenticated user into visiting a malicious page can silently change the victim's password, delete records, or inject arbitrary data on their behalf. The SESSION_COOKIE_SAMESITE attribute is also not configured, removing the browser-level CSRF defense.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-38567
Publication date:
11/05/2026
HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker can bypass authentication by supplying a crafted username (e.g. admin'--) or extract the full contents of the database including user credentials via UNION-based injection at the /search endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-36983
Publication date:
11/05/2026
D-Link DCS-932L v2.18.01 is vulnerable to Command Injection in the function sub_42EF14 of the file /bin/alphapd. The manipulation of the argument LightSensorControl leads to command injection.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-34095
Publication date:
11/05/2026
Vulnerability in Wikimedia Foundation MediaWiki.<br /> <br /> This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php.<br /> <br /> <br /> <br /> This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Severity CVSS v4.0: NONE
Last modification:
13/05/2026

CVE-2026-34093
Publication date:
11/05/2026
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.<br /> <br /> This vulnerability is associated with program files includes/Specials/SpecialUserRights.Php.<br /> <br /> <br /> <br /> This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Severity CVSS v4.0: LOW
Last modification:
12/05/2026

CVE-2026-2291
Publication date:
11/05/2026
dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-30635
Publication date:
11/05/2026
Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the view_task (aka view) in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGE_BASE_URL.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-2393
Publication date:
11/05/2026
A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The `_create_webhook()` function in `mlflow/server/handlers.py` accepts a user-controlled `url` parameter without validation, and the `_send_webhook_request()` function in `mlflow/webhooks/delivery.py` sends HTTP POST requests to this attacker-controlled URL. This allows an authenticated attacker to force the MLflow backend to send HTTP requests to internal services, cloud metadata endpoints, or arbitrary external servers. The lack of input sanitization, URL scheme filtering, or allowlist validation on the webhook URL enables exploitation, potentially leading to cloud credential theft, internal network access, and data exfiltration.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2026-42845
Publication date:
11/05/2026
The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0 , there is an unauthenticated page-content overwrite via file upload (GHSA-w4rc-p66m-x6qq). Public form uploads now strip path components from the POST-supplied filename and hard-block page-content extensions (`md`, `yaml`, `yml`, `json`, `twig`, `ini`) regardless of the configurable dangerous-extensions list. A permissive `accept` policy combined with the default `destination: self@` could otherwise let an attacker overwrite the page&amp;#39;s own `.md` and pivot to super-admin via a `process: save` action. This vulnerability is fixed in 9.1.0.
Severity CVSS v4.0: HIGH
Last modification:
12/05/2026

CVE-2026-42843
Publication date:
11/05/2026
Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site&amp;#39;s content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026
Subscribe to Vulnerabilities