Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-10250

Publication date:
01/06/2026
A security flaw has been discovered in itsourcecode Online Blood Bank Management System 1.0. The affected element is an unknown function of the file /admin/campsdetails.php. Performing a manipulation of the argument hospital results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.
Severity CVSS v4.0: MEDIUM
Last modification:
01/06/2026

CVE-2026-25599

Publication date:
01/06/2026
Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices communicating with the Orca server over an <br /> unencrypted and unauthenticated HTTP connection on a non-secure port specifically enable an<br /> attacker to impersonate a legitimate device and inject malicious <br /> payloads. This enables the insertion of harmful code directly<br /> into the Orca user portal, potentially compromising user accounts, <br /> exposing sensitive information, and allowing further unauthorized <br /> actions within the portal.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-25600

Publication date:
01/06/2026
The PDBM application relies on a static, hard‑coded secret embedded <br /> in the PDBM.exe executable. This secret is used by the application’s <br /> encryption routines, including the function responsible for decrypting <br /> credentials stored in the product’s configuration file. Because the <br /> secret is constant across installations, any attacker with sufficient <br /> local privileges can extract it from the binary. Once obtained, the secret allows the attacker to decrypt the stored <br /> password and authenticate as the user defined in the configuration file.<br /> In the affected version, this user account is configured with <br /> administrative privileges, granting full access to PDBM’s management <br /> interface and its underlying operational functions.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-10244

Publication date:
01/06/2026
A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is the function create_medicine_name of the file /ShowForm/create_medicine_name/main. Performing a manipulation of the argument medicine_name results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used.
Severity CVSS v4.0: LOW
Last modification:
01/06/2026

CVE-2026-10245

Publication date:
01/06/2026
A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is the function create_supplier of the file /ShowForm/create_supplier/main. Executing a manipulation of the argument company_name can lead to cross site scripting. The attack can be launched remotely. The exploit has been published and may be used.
Severity CVSS v4.0: LOW
Last modification:
01/06/2026

CVE-2026-10246

Publication date:
01/06/2026
A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function create_medicine_presentation of the file /ShowForm/create_medicine_presentation/main. The manipulation of the argument medicine_presentation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: LOW
Last modification:
01/06/2026

CVE-2026-10247

Publication date:
01/06/2026
A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. This vulnerability affects the function create_generic_name of the file /ShowForm/create_generic_name/main. The manipulation of the argument generic_name results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used.
Severity CVSS v4.0: LOW
Last modification:
01/06/2026

CVE-2026-8474

Publication date:
01/06/2026
A vulnerability was discovered on Stormshield Network Security <br /> <br /> <br /> <br /> <br /> <br /> * 4.3.0 to 4.3.41, <br /> * 4.8.0 to 4.8.15, <br /> * 5.0.0 to 5.0.5<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> It is possible to execute a reflected XSS attack on the login API available on Stormshield SNS appliance by executing a script on the victim&amp;#39;s machine. The risks include the theft of cookies or other sensitive data, as well as the modification of page behavior, for example, by redirecting the victim to malicious websites.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-9024

Publication date:
01/06/2026
A Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x could allow an attacker to execute arbitrary script code in user&amp;#39;s browser session.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-48827

Publication date:
01/06/2026
Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH access to git repositories outside the configured git server root directory.<br /> <br /> <br /> <br /> <br /> Applications are affected if they use org.apache.sshd:sshd-git. Applications not using sshd-git are not affected.<br /> <br /> <br /> <br /> <br /> Users are advised to upgrade affected applications to Apche MINA SSHD 2.18.0, which fixes the issue.<br /> <br /> <br /> <br /> <br /> The issue also is present in the pre-release milestones 3.0.0-M1 to 3.0.0-M3 for a new upcoming new major version 3.0.0. Again, applications are affected only if they use sshd-git. Upgrade affected applications to 3.0.0-M4.<br /> <br /> <br /> <br /> <br /> We would like to point out that a professional git server should not rely solely on file system layout and permissions, but should implement additional security controls to govern access to git repositories and operations allowed on particular git repositories.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-49270

Publication date:
01/06/2026
Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All.<br /> <br /> Brokers that are configured with a network connector with syncDurableSubs set to true, are vulnerable to an unauthenticated attacker who can receive a list of all durable topic subscriptions in the broker, including client identifiers, subscription names, topic destinations, and JMS selector expressions, by sending a BrokerInfo command. The broker incorrectly responds without first ensuring the connection is authenticated.<br /> This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6.<br /> <br /> Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-49157

Publication date:
01/06/2026
Incorrect Default Permissions vulnerability in Apache ActiveMQ.<br /> <br /> This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.<br /> <br /> The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue.<br /> <br /> Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026