Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-45151

Publication date:
29/05/2026
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In 0.24.8 and earlier, quic_stream_recv can dereference a null substream pointer when a substream is in reopen state. The code finishes the AIO with error but does not return before locking c->mtx.
Severity CVSS v4.0: LOW
Last modification:
01/06/2026

CVE-2026-45294

Publication date:
29/05/2026
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2026

CVE-2026-44640

Publication date:
29/05/2026
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to 0.24.14, aio->prov_data is stored as nni_quic_conn* during dialing, but read as ex_quic_conn* during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This vulnerability is fixed in 0.24.14.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-44287

Publication date:
29/05/2026
FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\bimport\s*\(/.test(code). JavaScript syntax accepts a block comment between import and (; the regex matches only ASCII whitespace, and the bytes /, *, *, / are not in the \s character class. The payload import/**/("child_process") parses as a syntactically valid dynamic import that the regex does not detect. Because import() is not wrapped by the safeRequire Proxy (which only proxies require), the attacker loads child_process and calls execSync - arbitrary command execution as uid=100(sandbox) inside the sandbox container. This vulnerability is fixed in 4.15.0-beta1.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-44285

Publication date:
29/05/2026
FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, a Server-Side Request Forgery (SSRF) vulnerability allows an authenticated attacker to bypass the global isInternalAddress network protection and make arbitrary HTTP GET requests to internal network services. This is achieved by exploiting an incomplete fix in the dataset preview endpoint /api/core/dataset/file/getPreviewChunks when utilizing the externalFile data import type. This vulnerability is fixed in 4.15.0-beta1.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-44420

Publication date:
29/05/2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's server-side clipboard (cliprdr) channel by sending a CB_CLIP_CAPS PDU with a too-small capabilitySetLength. This can crash the server process (remote DoS) and may be exploitable for code execution because it corrupts heap memory. This vulnerability is fixed in 3.26.0.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-44421

Publication date:
29/05/2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs. The bug is in gdi_CacheToSurface: it validates a destination rectangle that is clamped to UINT16_MAX, but then performs the copy using the original cacheEntry->width/height. This can cause a large out-of-bounds heap write and may lead to client crashes or code execution. This bug is reachable from a malicious RDP server, but only when the client has RDPGFX enabled. This vulnerability is fixed in 3.26.0.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-44422

Publication date:
29/05/2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-42500

Publication date:
29/05/2026
Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-34127

Publication date:
29/05/2026
A stored<br /> cross-site scripting (XSS) vulnerability has been identified in the web<br /> management interface of TP-Link&amp;#39;s TL-SG108PE v5 switch due to improper sanitation of the SYSNAM<br /> configuration parameter during configuration file import. An attacker with<br /> administrator access can inject malicious script into the device configuration,<br /> which may be stored and executed in the administrator’s browser when the<br /> affected interface is viewed.    <br /> <br /> <br /> <br /> <br /> <br /> Successful<br /> exploitation may allow session cookie theft, unauthorized configuration<br /> changes, or access to sensitive information exposed through the management<br /> interface.
Severity CVSS v4.0: MEDIUM
Last modification:
01/06/2026

CVE-2026-49386

Publication date:
29/05/2026
In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-49385

Publication date:
29/05/2026
In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026