Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-6068
Publication date:
10/04/2026
NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the global depend_file and later dereferenced, as the response-file buffer is freed before the pointer is used, allowing for data corruption or unexpected behavior.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2026

CVE-2026-6067
Publication date:
10/04/2026
A heap buffer overflow vulnerability exists in the Netwide Assembler (NASM) due to a lack of bounds checking in the obj_directive() function. This vulnerability can be exploited by a user assembling a malicious .asm file, potentially leading to heap memory corruption, denial of service (crash), and arbitrary code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2026-40217
Publication date:
10/04/2026
LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-33092
Publication date:
10/04/2026
Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM (macOS) before build 42571, Acronis True Image (macOS) before build 42902.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2025-58913
Publication date:
10/04/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro videopro allows PHP Local File Inclusion.This issue affects VideoPro: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2025-58920
Publication date:
10/04/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zootemplate Cerato cerato allows Reflected XSS.This issue affects Cerato: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2025-5804
Publication date:
10/04/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User case-theme-user allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2026

CVE-2026-5774
Publication date:
10/04/2026
Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.
Severity CVSS v4.0: MEDIUM
Last modification:
22/04/2026

CVE-2026-5412
Publication date:
10/04/2026
In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2026-5777
Publication date:
10/04/2026
This vulnerability exists in the Atom 3x Projector due to improper exposure of the Android Debug Bridge (ADB) service over the local network without authentication or access controls. An unauthenticated attacker on the same network can exploit this vulnerability to obtain root-level access, leading to complete compromise of the targeted device.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026

CVE-2026-39304
Publication date:
10/04/2026
Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.<br /> <br /> ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.<br /> <br /> Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.<br /> This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.<br /> <br /> Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2026

CVE-2026-31412
Publication date:
10/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()<br /> <br /> The `check_command_size_in_blocks()` function calculates the data size<br /> in bytes by left shifting `common-&gt;data_size_from_cmnd` by the block<br /> size (`common-&gt;curlun-&gt;blkbits`). However, it does not validate whether<br /> this shift operation will cause an integer overflow.<br /> <br /> Initially, the block size is set up in `fsg_lun_open()` , and the<br /> `common-&gt;data_size_from_cmnd` is set up in `do_scsi_command()`. During<br /> initialization, there is no integer overflow check for the interaction<br /> between two variables.<br /> <br /> So if a malicious USB host sends a SCSI READ or WRITE command<br /> requesting a large amount of data (`common-&gt;data_size_from_cmnd`), the<br /> left shift operation can wrap around. This results in a truncated data<br /> size, which can bypass boundary checks and potentially lead to memory<br /> corruption or out-of-bounds accesses.<br /> <br /> Fix this by using the check_shl_overflow() macro to safely perform the<br /> shift and catch any overflows.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026
Subscribe to Vulnerabilities