Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-34088

Publication date:

11/05/2026

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.

Severity CVSS v4.0: LOW

Last modification:

14/05/2026

CVE-2026-34087

Publication date:

11/05/2026

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation OATHAuth. This issue affects OATHAuth: from * before 1.43.7, 1.44.4, 1.45.2.

Severity CVSS v4.0: MEDIUM

Last modification:

14/05/2026

CVE-2026-34086

Publication date:

11/05/2026

Vulnerability in Wikimedia Foundation AbuseFilter. This issue affects AbuseFilter: from * before 1.43.7, 1.44.4, 1.45.2.

Severity CVSS v4.0: LOW

Last modification:

12/05/2026

CVE-2025-65416

Publication date:

11/05/2026

docuFORM Managed Print Service Client 11.11c is vulnerable to arbitrary file upload via pmupdate.php.

Severity CVSS v4.0: Pending analysis

Last modification:

12/05/2026

CVE-2025-65417

Publication date:

11/05/2026

docuFORM Managed Print Service Client 11.11c is vulnerable to a reflected cross site scripting attack via the login page of the application.

Severity CVSS v4.0: Pending analysis

Last modification:

12/05/2026

CVE-2025-65418

Publication date:

11/05/2026

docuFORM Managed Print Service Client 11.11c is vulnerable to a directory traversal allowing attackers to read arbitrary files via crafted url.

Severity CVSS v4.0: Pending analysis

Last modification:

12/05/2026

CVE-2026-31246

Publication date:

11/05/2026

GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (CWE-78) in the Executor.run() method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper validation. The user-supplied input is directly passed to asyncio.create_subprocess_shell() for execution. This allows an attacker to replace the intended command with arbitrary shell commands, leading to remote code execution with the privileges of the GPT-Pilot process.

Severity CVSS v4.0: Pending analysis

Last modification:

13/05/2026

CVE-2026-31247

Publication date:

11/05/2026

Docling&#39;s JATS XML backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend uses etree.parse() to parse XML files without disabling entity resolution. An attacker can craft a malicious XML file containing a nested entity expansion payload (XML Bomb). When processed by Docling, the exponential expansion of entities leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.

Severity CVSS v4.0: Pending analysis

Last modification:

13/05/2026

CVE-2025-63750

Publication date:

11/05/2026

Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2026-21709. Reason: This record is a duplicate of CVE-2026-21709. Notes: All CVE users should reference CVE-2026-21709 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

Severity CVSS v4.0: Pending analysis

Last modification:

11/05/2026

CVE-2025-61308

Publication date:

11/05/2026

A reflected cross-site scripted (XSS) vulnerability in the dfm-menu_maintenance.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary Javascript in the context of a user&#39;s browser via injecting a crafted payload into an unfiltered variable value.

Severity CVSS v4.0: Pending analysis

Last modification:

12/05/2026

CVE-2025-61309

Publication date:

11/05/2026

A reflected cross-site scripted (XSS) vulnerability in the dfm-menu_departments.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary Javascript in the context of a user&#39;s browser via injecting a crafted payload into an unfiltered variable value.

Severity CVSS v4.0: Pending analysis

Last modification:

12/05/2026

CVE-2025-61310

Publication date:

11/05/2026

A reflected cross-site scripted (XSS) vulnerability in the acc-menu_billings.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary Javascript in the context of a user&#39;s browser via injecting a crafted payload into an unfiltered variable value.

Severity CVSS v4.0: Pending analysis

Last modification:

12/05/2026

Subscribe to Vulnerabilities