Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-42612
Publication date:
11/05/2026
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss() function when handling unquoted HTML event attributes. This vulnerability is fixed in 2.0.0-beta.2.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-42611
Publication date:
11/05/2026
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE). This vulnerability is fixed in 2.0.0-beta.2.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-42610
Publication date:
11/05/2026
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This vulnerability is fixed in 2.0.0-beta.2.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-42608
Publication date:
11/05/2026
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data. This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments. This vulnerability is fixed in 2.0.0-beta.2.
Severity CVSS v4.0: HIGH
Last modification:
13/05/2026

CVE-2026-42609
Publication date:
11/05/2026
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. This vulnerability is fixed in 2.0.0-beta.2.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-42607
Publication date:
11/05/2026
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives. Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server. This vulnerability is fixed in 2.0.0-beta.2.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-3320
Publication date:
11/05/2026
Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /product/. Exploitation of this vulnerability would allow an attacker to execute arbitrary JavaScript code.
Severity CVSS v4.0: MEDIUM
Last modification:
13/05/2026

CVE-2026-34089
Publication date:
11/05/2026
Vulnerability in Wikimedia Foundation Scribunto.<br /> <br /> This issue affects Scribunto: from 1.45.0 before 1.45.2.
Severity CVSS v4.0: LOW
Last modification:
12/05/2026

CVE-2026-3319
Publication date:
11/05/2026
Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /collection/. Exploitation of this vulnerability would allow an attacker to execute arbitrary JavaScript code.
Severity CVSS v4.0: MEDIUM
Last modification:
13/05/2026

CVE-2026-34092
Publication date:
11/05/2026
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.<br /> <br /> This vulnerability is associated with program files includes/Skin/Skin.Php.<br /> <br /> <br /> <br /> This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Severity CVSS v4.0: LOW
Last modification:
14/05/2026

CVE-2026-34091
Publication date:
11/05/2026
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.<br /> <br /> This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Severity CVSS v4.0: MEDIUM
Last modification:
14/05/2026

CVE-2026-34090
Publication date:
11/05/2026
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation CheckUser.<br /> <br /> This issue affects CheckUser: from 1.45.0 before 1.45.2.
Severity CVSS v4.0: MEDIUM
Last modification:
14/05/2026
Subscribe to Vulnerabilities