Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-10268

Publication date:
01/06/2026
A weakness has been identified in janet-lang janet up to 1.41.0. This vulnerability affects the function unmarshal_one_fiber of the file src/core/marsh.c. Executing a manipulation can lead to integer overflow. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. This patch is called d9b1d711ea1fde52ac73a82088b512a3e17bad0d. A patch should be applied to remediate this issue.
Severity CVSS v4.0: LOW
Last modification:
01/06/2026

CVE-2026-10118

Publication date:
01/06/2026
A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2022-4991

Publication date:
01/06/2026
Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2026

CVE-2026-8931

Publication date:
01/06/2026
A critical Remote Code Execution (RCE) vulnerability exists in Disig Web Signer versions 2.0.3 through 2.5.3.
Severity CVSS v4.0: CRITICAL
Last modification:
01/06/2026

CVE-2026-48839

Publication date:
01/06/2026
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in VeronaLabs WP Statistics allows DOM-Based XSS.<br /> <br /> This issue affects WP Statistics: from n/a through 14.16.6.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-48865

Publication date:
01/06/2026
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in ThimPress LearnPress allows Reflected XSS.<br /> <br /> This issue affects LearnPress: from n/a through 4.3.6.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-48866

Publication date:
01/06/2026
Improper Limitation of a Pathname to a Restricted Directory (&amp;#39;Path Traversal&amp;#39;) vulnerability in Rocketgenius Inc. Gravity Forms allows Path Traversal.<br /> <br /> This issue affects Gravity Forms: from n/a through 2.10.0.1.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-48879

Publication date:
01/06/2026
Incorrect Privilege Assignment vulnerability in Sergey AIWU allows Privilege Escalation.<br /> <br /> This issue affects AIWU: from n/a through 1.4.17.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-48559

Publication date:
01/06/2026
Lightweight Music Server (LMS) though 3.76.0 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript by embedding malicious HTML in media file metadata tags such as GENRE, ARTIST, or ALBUM. Attackers can introduce a crafted media file into the victim&amp;#39;s library, causing the payload to be saved during library scanning and executed automatically in the web interface due to tag content being rendered using Wt::TextFormat::UnsafeXHTML without sanitization in src/lms/ui/Utils.cpp.
Severity CVSS v4.0: MEDIUM
Last modification:
01/06/2026

CVE-2026-42682

Publication date:
01/06/2026
Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels.<br /> <br /> This issue affects wpForo Forum: from n/a through 3.0.6.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-42683

Publication date:
01/06/2026
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in e4jvikwp VikBooking Hotel Booking Engine &amp; PMS allows DOM-Based XSS.<br /> <br /> This issue affects VikBooking Hotel Booking Engine &amp; PMS: from n/a through 1.8.8.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-42251

Publication date:
01/06/2026
Use of hard-coded credentials in KS-SOMED allowed an unauthorized attacker access to FTP server that hosted the application&amp;#39;s update packages. The attacker with these credentials could upload a malicious update file, which then may have been distributed and installed on client machines as a legitimate update.<br /> <br /> This issue affects KS-SOMED with modules: KSPLUPDFTP.exe up to 30.00.00.056 and ANEKSKLIENT.EXE up to 29.00.02.026<br /> <br /> Beside removing the hard-coded credentials from the code and changing the update process, access granted by previously exposed credentials was limited to read-only.
Severity CVSS v4.0: HIGH
Last modification:
01/06/2026