Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-31984
Publication date:
06/05/2026
HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2025-31976
Publication date:
06/05/2026
HCL BigFix Service Management (SM) is vulnerable to insufficiently protected credentials for a short duration while communicating with a backend, internal application which could allow an attacker to potentially misuse them, if exfiltrated. .
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2025-31978
Publication date:
06/05/2026
HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2025-31982
Publication date:
06/05/2026
HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directly. This could allow an increased risk of information disclosure or misuse of sensitive functionality.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2025-31957
Publication date:
06/05/2026
HHCL BigFix Service Management (SM) is affected by a Cross‑Site Request Forgery (CSRF) vulnerability. This could lead to unauthorized changes or exposure of sensitive data.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2025-31959
Publication date:
06/05/2026
HCL BigFix Service Management (SM) application fails to strip EXIF metadata from uploaded images. This could lead to confidentiality and privacy risks if sensitive location information is unintentionally shared. .
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2025-31975
Publication date:
06/05/2026
HCL BigFix Service Management (SM) is affected by an Information Disclosure – Server Banner issue was identified. Exposed server banners may reveal software versions and system details, potentially aiding attackers in targeting known vulnerabilities.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2026-36358
Publication date:
06/05/2026
Cross Site Scripting vulnerability in Juzaweb CMS v.5.0.0 allows a remote attacker via execute arbitrary code via a crafted script to the Add Banner Ads function
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2026-8026
Publication date:
06/05/2026
A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is told to be difficult. You should upgrade the affected component.
Severity CVSS v4.0: MEDIUM
Last modification:
07/05/2026

CVE-2026-40562
Publication date:
06/05/2026
Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence.<br /> <br /> Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.<br /> <br /> An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
Severity CVSS v4.0: Pending analysis
Last modification:
11/05/2026

CVE-2026-5081
Publication date:
06/05/2026
Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure.<br /> <br /> Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which generates unique ids for the request. The id is based on the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation.<br /> <br /> The server IP is often available to the public, and if not available, can be guessed from previous session ids being issued. The process ids may also be guessed from previous session ids. The timestamp is easily guessed (and leaked in the HTTP Date response header).<br /> <br /> The purpose of mod_unique_id is to assign a unique id to requests so that events can be correlated in different logs. The id is not designed, nor is it suitable for security purposes.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2026-6210
Publication date:
06/05/2026
A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image.<br /> <br /> <br /> <br /> When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker,<br /> followed by an endless recursion that bypasses the marker recursion <br /> guard through incorrect virtual dispatch. The result is an application <br /> crash (denial of service).<br /> <br /> <br /> <br /> This issue affects Qt SVG: <br /> from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.
Severity CVSS v4.0: HIGH
Last modification:
07/05/2026
Subscribe to Vulnerabilities