Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-26067

Publication date:
21/04/2026
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-24176

Publication date:
21/04/2026
NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-24177

Publication date:
21/04/2026
NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-24189

Publication date:
21/04/2026
NVIDIA CUDA-Q contains a vulnerability in an endpoint, where an unauthenticated attacker could cause an out-of-bounds read by sending a maliciously crafted request. A successful exploit of this vulnerability might lead to denial of service and information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-21571

Publication date:
21/04/2026
This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H allows an authenticated attacker to execute commands on the remote system, which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

Atlassian recommends that Bamboo Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Bamboo Data Center 9.6.0: Upgrade to a release greater than or equal to 9.6.25
Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.18
Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.6

See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center from the download center (https://www.atlassian.com/software/bamboo/download-archives).
Severity CVSS v4.0: CRITICAL
Last modification:
22/04/2026

CVE-2019-25714

Publication date:
21/04/2026
Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write JSP webshells to the web root and execute them through the web server to achieve arbitrary OS command execution with web server privileges. Exploitation evidence was first observed by the Shadowserver Foundation on 2021-03-26 (UTC).
Severity CVSS v4.0: CRITICAL
Last modification:
22/04/2026

CVE-2026-37748

Publication date:
21/04/2026
Visitor Management System 1.0 by sanjay1313 is vulnerable to Unrestricted File Upload in vms/php/admin_user_insert.php and vms/php/update_1.php. The move_uploaded_file() function is called without any MIME type, extension, or content validation, allowing an authenticated admin to upload a PHP webshell and achieve Remote Code Execution on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-40565

Publication date:
21/04/2026
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify() function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters (") in the URL. HTMLPurifier (called first via getCleanBody()) preserves literal " characters in text nodes. linkify() then wraps URLs including those " chars inside an unescaped href="..." attribute, breaking out of the href and injecting arbitrary HTML attributes. Version 1.8.213 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-40498

Publication date:
21/04/2026
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can access diagnostic and system tools that should be restricted to administrators. The /system/cron endpoint relies on a static MD5 hash derived from the APP_KEY, which is exposed in the response and logs. Accessing these endpoints reveals sensitive server information (Full Path Disclosure), process IDs, and allows for Resource Exhaustion (DoS) by triggering heavy background tasks repeatedly without any rate limiting. The cron hash is generated using md5(APP_KEY . 'web_cron_hash'). Since this hash is often transmitted via GET requests, it is susceptible to exposure in server logs, browser history, and proxy logs. Furthermore, the lack of rate limiting on these endpoints allows for automated resource exhaustion (DoS) and brute-force attempts. Version 1.8.213 fixes the issue.
Severity CVSS v4.0: HIGH
Last modification:
22/04/2026

CVE-2025-15638

Publication date:
21/04/2026
Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt.

Net::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2025-41011

Publication date:
21/04/2026
HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validation of user input by sending a request to '/reports/generate/specific_customer', using the 'start_date_formatted' and 'end_date_formatted' parameters.
Severity CVSS v4.0: MEDIUM
Last modification:
21/04/2026

CVE-2025-41029

Publication date:
21/04/2026
SQL injection vulnerability in Zeon Academy Pro by Zeon Global Tech. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameter 'phonenumber' in '/private/continue-upload.php'.
Severity CVSS v4.0: CRITICAL
Last modification:
21/04/2026