Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); by virtue of a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-38743

Publication date:
24/04/2026
The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts (including their request parameters) and full TaskInstance details for DAGs outside their authorized scope. Because HITL prompts and TaskInstance fields routinely carry operator parameters and free-form context attached to a task, the leak widens visibility of DAG-run data beyond the intended per-DAG RBAC boundary for every authenticated user.

Users are recommended to upgrade to version 3.2.1, which fixes this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-40690

Publication date:
24/04/2026
The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.

Users are recommended to upgrade to version 3.2.1, which fixes this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-5367

Publication date:
24/04/2026
A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2026

CVE-2026-5265

Publication date:
24/04/2026
When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2026

CVE-2026-21515

Publication date:
24/04/2026
Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-6043

Publication date:
24/04/2026
P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in 'remote' user. These default settings, taken together, can lead to unauthorized access to source code repositories and other managed assets. The 2026.1 release, expected in May 2026, enforces secure-by-default configurations on upgrade and new installations.
Severity CVSS v4.0: HIGH
Last modification:
28/04/2026

CVE-2026-4313

Publication date:
24/04/2026
AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. An authenticated attacker can replace the value of the text field in the HTTP POST request. Improper parameter validation by the server results in arbitrary JavaScript execution in the victim's browser.
Critically, this may allow the attacker to obtain the administrator authentication token and perform arbitrary actions with administrative privileges, which could lead to further compromise.

This issue occurs in versions released before December 2025.
Severity CVSS v4.0: LOW
Last modification:
27/04/2026

CVE-2026-23902

Publication date:
24/04/2026
Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login permissions to use tenants that are not defined on the platform during workflow execution.

This issue affects Apache DolphinScheduler versions prior to 3.4.1.

Users are recommended to upgrade to version 3.4.1, which fixes this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-40466

Publication date:
24/04/2026
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.

An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via BrokerView.addNetworkConnector or BrokerView.addConnector through Jolokia if the activemq-http module is on the classpath.
A malicious HTTP endpoint can return a VM transport through the HTTP URI which will bypass the validation added in CVE-2026-34197. The attacker can then use the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext.
Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().

This issue affects Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5.

Users are recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-41044

Publication date:
24/04/2026
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All.

An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application.
The attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name, which can lead to loading the malicious Spring XML context file.

Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().

This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5.

Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-41043

Publication date:
24/04/2026
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.

An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field.

This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5.

Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2025-62233

Publication date:
24/04/2026
Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.

This issue affects Apache DolphinScheduler:

Version >= 3.2.0 and
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026