Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-8095
Publication date:
14/04/2026
The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform.  It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications.  OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption.
Severity CVSS v4.0: CRITICAL
Last modification:
14/04/2026

CVE-2025-7389
Publication date:
14/04/2026
A vulnerability in the AdminServer component of OpenEdge on all supported platforms grants its authenticated users OS-level access to the server<br /> through the adopted authority of the AdminServer process itself.  The delegated authority of the AdminServer could allow its users the ability to read arbitrary files on the host system through the misuse of the setFile() and openFile()<br /> methods exposed through the RMI interface.  Misuse was limited only by OS-level authority of the AdminServer&amp;#39;s elevated <br /> privileges granted and the user&amp;#39;s access to these methods enabled through RMI.  The exploitable methods have been removed thus eliminating their access through RMI or downstream of the RMI registry.
Severity CVSS v4.0: HIGH
Last modification:
14/04/2026

CVE-2026-2450
Publication date:
14/04/2026
.NET misconfiguration: use of impersonation vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution.This issue affects upKeeper Instant Privilege Access: through 1.5.0.
Severity CVSS v4.0: HIGH
Last modification:
14/04/2026

CVE-2026-5307
Publication date:
14/04/2026
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2024-9168
Publication date:
14/04/2026
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-2332
Publication date:
14/04/2026
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:<br /> * https://w4ke.info/2025/06/18/funky-chunks.html<br /> <br /> * https://w4ke.info/2025/10/29/funky-chunks-2.html<br /> <br /> <br /> Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.<br /> <br /> <br /> POST / HTTP/1.1<br /> Host: localhost<br /> Transfer-Encoding: chunked<br /> <br /> 1;ext="val<br /> X<br /> 0<br /> <br /> GET /smuggled HTTP/1.1<br /> ...<br /> <br /> <br /> <br /> <br /> <br /> Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-2449
Publication date:
14/04/2026
Improper neutralization of argument delimiters in a command (&amp;#39;argument injection&amp;#39;) vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution.This issue affects upKeeper Instant Privilege Access: through 1.5.0.
Severity CVSS v4.0: CRITICAL
Last modification:
14/04/2026

CVE-2026-24069
Publication date:
14/04/2026
Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509.4.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2025-13822
Publication date:
14/04/2026
MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges.
Severity CVSS v4.0: MEDIUM
Last modification:
14/04/2026

CVE-2026-33892
Publication date:
14/04/2026
A vulnerability has been identified in Industrial Edge Management Pro V1 (All versions &gt;= V1.7.6 = V2.0.0 = V2.2.0
Severity CVSS v4.0: MEDIUM
Last modification:
14/04/2026

CVE-2026-4109
Publication date:
14/04/2026
The Eventin – Events Calendar, Event Booking, Ticket &amp; Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-33929
Publication date:
14/04/2026
Improper Limitation of a Pathname to a Restricted Directory (&amp;#39;Path Traversal&amp;#39;) vulnerability in Apache PDFBox Examples.<br /> <br /> This issue affects the <br /> ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.<br /> <br /> <br /> Users are recommended to update to version 2.0.37 or 3.0.8 once <br /> available. Until then, they should apply the fix provided in GitHub PR <br /> 427.<br /> <br /> The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn&amp;#39;t consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF".<br /> <br /> Users who have copied this example into their production code should apply the mentioned change. The example <br /> has been changed accordingly and is available in the project repository.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026
Subscribe to Vulnerabilities