Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-46440

Publication date:
08/06/2026
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-46441

Publication date:
08/06/2026
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign assistants to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2.
Severity CVSS v4.0: HIGH
Last modification:
11/06/2026

CVE-2026-46442

Publication date:
08/06/2026
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When E2B_APIKEY is not configured — the common deployment case — Flowise executes this code inside a NodeVM sandbox. This sandbox can be escaped, allowing an attacker to reach the host process object and execute system commands via child_process. The result is authenticated remote code execution on the Flowise server host. This issue has been patched in version 3.1.2.
Severity CVSS v4.0: CRITICAL
Last modification:
11/06/2026

CVE-2026-46443

Publication date:
08/06/2026
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, when credentials are fetched with a credentialName filter parameter, the encryptedData field is not stripped from the response. The code properly omits encryptedData when no filter is used but fails to do so when a filter is used. This issue has been patched in version 3.1.2.
Severity CVSS v4.0: HIGH
Last modification:
11/06/2026

CVE-2026-46444

Publication date:
08/06/2026
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, all CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware and the route path /api/v1/openai-assistants-vector-store is not in WHITELIST_URLS. However, it is also not protected by the main auth middleware when accessed via API key — the route requires API key auth (not whitelisted), but no permission checks exist on any operation. This issue has been patched in version 3.1.2.
Severity CVSS v4.0: HIGH
Last modification:
11/06/2026

CVE-2026-46475

Publication date:
08/06/2026
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover. This issue has been patched in version 3.1.2.
Severity CVSS v4.0: HIGH
Last modification:
12/06/2026

CVE-2026-46476

Publication date:
08/06/2026
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in version 3.1.2.
Severity CVSS v4.0: HIGH
Last modification:
15/06/2026

CVE-2026-43951

Publication date:
08/06/2026
Out-of-bounds Read vulnerability in Apache HTTP Server with mod_headers and mod_mime and multiple response languages.<br /> <br /> This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-44119

Publication date:
08/06/2026
Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.<br /> <br /> This issue affects Apache HTTP Server: from through 2.4.67.<br /> <br /> Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-44186

Publication date:
08/06/2026
Loop with Unreachable Exit Condition (&amp;#39;Infinite Loop&amp;#39;) vulnerability in the mod_proxy_ftp module in Apache HTTP Server with an attacker controlled backend FTP server.<br /> <br /> This issue affects undefined: from 2.4.0 through 2.4.67.<br /> <br /> Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-44631

Publication date:
08/06/2026
Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.<br /> <br /> This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.<br /> <br /> Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-44185

Publication date:
08/06/2026
Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker controlled OCSP server<br /> <br /> This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.<br /> <br /> Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2026