Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-53982
Publication date:
12/06/2026
Cap-go Console
Severity CVSS v4.0: HIGH
Last modification:
15/06/2026

CVE-2026-6046
Publication date:
12/06/2026
Mattermost versions 11.6.x
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-47222
Publication date:
12/06/2026
NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). An unsigned integer underflow in a bounds check allows an attacker-controlled value_num_bytes field to pass validation, causing AddNameToString to read up to ~4 GiB past the end of a 64 KiB heap buffer. This causes a deterministic crash (denial of service) when opening a crafted .avb or .img file. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-47224
Publication date:
12/06/2026
NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap buffer-overflow read exists in the LVM2 physical-volume metadata parser in NanaZip (via the upstream 7-Zip LvmHandler). The vulnerability is triggered when opening a crafted LVM disk image. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-3433
Publication date:
12/06/2026
Mattermost versions 11.6.x
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-3840
Publication date:
12/06/2026
A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The `_get_versioned_path()` method in `kedro/io/core.py` directly interpolates user-supplied version strings into filesystem paths without sanitization. This enables an attacker to escape the intended versioned dataset directory and access files outside the expected path. The issue is also reachable through the CLI via the `--load-versions` parameter, as `_split_load_versions()` in `kedro/framework/cli/utils.py` does not validate the version string. This vulnerability can lead to unauthorized file reads, data poisoning, cross-project or cross-tenant data access, and broader downstream impacts in environments where Kedro is used with automation or orchestration layers.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-9641
Publication date:
12/06/2026
Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations.<br /> <br /> The default algorithm is HMAC-SHA1, which should only be used for legacy systems.<br /> <br /> These versions default to using 1000 iterations.<br /> <br /> Depending on the chosen algorithm, 220,000 to 1,400,000 iterations should be used.
Severity CVSS v4.0: Pending analysis
Last modification:
14/06/2026

CVE-2026-5792
Publication date:
12/06/2026
Authentication bypass by spoofing vulnerability in Hedef Media Promotion Interactive Media Marketing Inc. Related Marketing Cloud (RMC) allows Brute Force.<br /> <br /> This issue affects Related Marketing Cloud (RMC): through 12052026.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2026

CVE-2026-8828
Publication date:
12/06/2026
A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant&amp;#39;s collection regardless of which tenant they belong to.
Severity CVSS v4.0: HIGH
Last modification:
12/06/2026

CVE-2026-9638
Publication date:
12/06/2026
Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts.<br /> <br /> These versions use the built-in rand function, which is predictable and unsuitable for cryptography.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2026

CVE-2026-53568
Publication date:
12/06/2026
Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, there is a stored XSS vulnerablity in Frappe Report/List View. This issue has been patched in versions 15.107.2 and 16.17.4.
Severity CVSS v4.0: MEDIUM
Last modification:
12/06/2026

CVE-2026-50085
Publication date:
12/06/2026
The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom&amp;#39;s HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2026
Subscribe to Vulnerabilities