Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-52611

Publication date:
04/06/2026
HCL iControl v4.0.0 was affected by Unhandled Exception - Stack Trace Disclosure vulnerability. The error occurs due to an undefined property being accessed in the application's JavaScript code. Specifically, the code attempts to read the property dashboard key from an object that is undefined. This issue likely stems from one of the following: A missing or improperly initialized object.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2026

CVE-2026-10843

Publication date:
04/06/2026
A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-10840

Publication date:
04/06/2026
A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2026

CVE-2025-52609

Publication date:
04/06/2026
HCL iControl was affected by Missing Security Headers vulnerability. which lead to cross-site scripting (XSS) attacks by enabling the built-in XSS filtering mechanisms of modern web browsers.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2026

CVE-2025-52608

Publication date:
04/06/2026
HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2026

CVE-2025-52606

Publication date:
04/06/2026
HCL iControl was affected by Weak Input Validation vulnerability. This weakness is caused during implementation of an architectural security tactic. Received input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2026

CVE-2025-12694

Publication date:
04/06/2026
A local privilege escalation vulnerability exists in Forcepoint VPN Client that allows a local non-administrative user to escalate privileges to SYSTEM. This issue affects VPN Client for Windows: versions 6.11.3 and prior.
Severity CVSS v4.0: HIGH
Last modification:
30/06/2026

CVE-2026-49077

Publication date:
04/06/2026
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Tips and Tricks HQ WP eMember allows Retrieve Embedded Sensitive Data.<br /> <br /> This issue affects WP eMember: from n/a through v10.2.2.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2026

CVE-2026-10801

Publication date:
04/06/2026
A security vulnerability has been detected in modelscope ms-swift up to 4.2.0. This affects the function Template._save_pil_image of the file swift/template/base.py of the component PIL Image Cache Key Handler. The manipulation leads to use of weak hash. An attack has to be approached locally. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.
Severity CVSS v4.0: LOW
Last modification:
04/06/2026

CVE-2026-50226

Publication date:
04/06/2026
Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers. This allows unauthorized actors to list catalog items and extract protected binaries from pre-signed cloud links.
Severity CVSS v4.0: MEDIUM
Last modification:
08/06/2026

CVE-2026-50225

Publication date:
04/06/2026
The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database.
Severity CVSS v4.0: HIGH
Last modification:
08/06/2026

CVE-2026-50224

Publication date:
04/06/2026
The web administration panel binds broadly to the public IPv6 address space on port [::]:8080 without default firewall limits, making internal API endpoints reachable over the WAN.
Severity CVSS v4.0: MEDIUM
Last modification:
08/06/2026