Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are available: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-42396

Publication date:
21/05/2026
Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-39461

Publication date:
21/05/2026
libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024).

An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-28764

Publication date:
21/05/2026
MediaArea MediaInfoLib LXF element parsing heap-based buffer overflow vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-7837

Publication date:
21/05/2026
A time-of-check time-of-use (TOCTOU) condition in the ad_flush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited data modification under specific race conditions.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-9157

Publication date:
21/05/2026
Improper input validation, Unrestricted upload of file with dangerous type vulnerability in Gmission Web Fax allows Remote Code Inclusion.

This issue affects Web Fax: from 3.0 before 3.1.
Severity CVSS v4.0: HIGH
Last modification:
21/05/2026

CVE-2026-5433

Publication date:
21/05/2026
Honeywell Control Network Module (CNM) contains command injection vulnerability in the web interface. An attacker could exploit this vulnerability via command delimiters, potentially resulting in Remote Code Execution (RCE).
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-5434

Publication date:
21/05/2026
Honeywell Control Network Module (CNM) contains insertion of sensitive information into an unintended directory. An attacker could exploit this vulnerability through probing system files, potentially resulting in unintended access to protected data.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-4858

Publication date:
21/05/2026
Mattermost versions 11.6.x
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-45250

Publication date:
21/05/2026
The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs.

Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2026

CVE-2026-44071

Publication date:
21/05/2026
Netatalk 3.1.2 through 4.4.2 is compiled without FORTIFY_SOURCE, which disables built-in buffer overflow detection at runtime, potentially allowing a remote attacker to cause a minor denial of service via memory errors that would otherwise be caught and safely terminated by runtime protection.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-44074

Publication date:
21/05/2026
Netatalk 2.1.0 through 4.4.2 combines multiple errno values using bitwise OR, resulting in incorrect error codes when multiple error conditions occur simultaneously, which may allow a remote attacker to cause a minor service disruption via conditions that trigger incorrect error-handling paths.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-44075

Publication date:
21/05/2026
A missing break statement in DSI OpenSession processing in Netatalk 1.5.0 through 4.4.2 causes a DSIOPT_ATTNQUANT switch case to fall through into DSIOPT_SERVQUANT, resulting in unintended session option handling that may allow a remote attacker to cause a minor service disruption via crafted DSI session options.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026