Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-12806

Publication date:
21/06/2026
A vulnerability has been found in Edimax BR-6478AC V2 1.23. The impacted element is the function formWlSiteSurvey of the file /goform/formWlSiteSurvey of the component POST Request Handler. The manipulation of the argument selSSID leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: HIGH
Last modification:
23/06/2026

CVE-2026-12804

Publication date:
21/06/2026
A vulnerability was detected in lemonldap-ng up to 2.23.0. Impacted is an unknown function in the library lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm of the component SAML Common Domain Cookie Endpoint. Performing a manipulation of the argument url results in open redirect. The attack is possible to be carried out remotely. The exploit is now public and may be used. Applying a patch is the recommended action to fix this issue. The vendor confirms, that "it has been fixed some days ago and will be available in 2.23.1. CDC is quite never used, so the impact is very low."
Severity CVSS v4.0: LOW
Last modification:
22/06/2026

CVE-2026-56411

Publication date:
21/06/2026
xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2026

CVE-2026-56412

Publication date:
21/06/2026
libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2026

CVE-2026-56410

Publication date:
21/06/2026
xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2026

CVE-2026-56409

Publication date:
21/06/2026
xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2026

CVE-2026-56408

Publication date:
21/06/2026
libexpat before 2.8.2 has an integer overflow in copyString.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2026

CVE-2026-56407

Publication date:
21/06/2026
libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2026

CVE-2026-56406

Publication date:
21/06/2026
libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2026

CVE-2026-56405

Publication date:
21/06/2026
libexpat before 2.8.2 has an integer overflow in getAttributeId.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2026

CVE-2026-56404

Publication date:
21/06/2026
libexpat before 2.8.2 has an integer overflow in addBinding.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2026

CVE-2026-56403

Publication date:
21/06/2026
libexpat before 2.8.2 has an integer overflow in storeAtts.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2026