Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, for users interested in this information. It includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-44975

Publication date:
12/06/2026
Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4.
Severity CVSS v4.0: MEDIUM
Last modification:
12/06/2026

CVE-2026-44976

Publication date:
12/06/2026
Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.
Severity CVSS v4.0: MEDIUM
Last modification:
12/06/2026

CVE-2026-45832

Publication date:
12/06/2026
All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.
Severity CVSS v4.0: HIGH
Last modification:
16/06/2026

CVE-2026-45831

Publication date:
12/06/2026
The SimpleRBACAuthorizationProvider authorization provider in versions 0.5.0 or later of the ChromaDB Python project evaluates whether a user holds a given permission but never checks which tenant, database, or collection that permission applies to, allowing users to perform cross-tenant actions.
Severity CVSS v4.0: HIGH
Last modification:
16/06/2026

CVE-2026-45830

Publication date:
12/06/2026
A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant's collection, regardless of which tenant they belong to.
Severity CVSS v4.0: HIGH
Last modification:
16/06/2026
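
The three ChromaDB entries above share one root cause: the authorization layer asks whether a user holds a permission, but not for which tenant or database, and some endpoints hand it a scope of None. The following Python illustration, added here and not ChromaDB's own code, places that weak check beside a scoped one that fails closed on a missing scope. The names Principal, Resource, authorize_weak and authorize_scoped, and the grant semantics (a grant with database None covers a whole tenant), are assumptions for the example.

```python
"""Tenant-scoped authorization: the weak check beside the corrected one.

Added illustration for the three ChromaDB entries above, not ChromaDB's
own code. Principal, Resource, authorize_weak and authorize_scoped are
invented names; the grant semantics are an assumption for the example.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# A grant is (action, tenant, database); database None means every
# database of that tenant (assumed semantics for this example).
Grant = Tuple[str, str, Optional[str]]


@dataclass(frozen=True)
class Resource:
    # tenant/database may arrive as None when an endpoint never fills
    # them in, the pattern the V1 endpoint entry above describes.
    tenant: Optional[str]
    database: Optional[str]
    collection: Optional[str] = None


@dataclass
class Principal:
    name: str
    grants: Set[Grant] = field(default_factory=set)


def authorize_weak(user: Principal, action: str, resource: Resource) -> bool:
    """Vulnerable pattern: asks only whether the user holds the action at all.

    The resource is ignored, so a grant in tenant A also authorizes the
    same action in tenant B, and a None scope is never noticed.
    """
    return any(a == action for a, _, _ in user.grants)


def authorize_scoped(user: Principal, action: str, resource: Resource) -> bool:
    """Hardened: fail closed on a missing scope, then match tenant and database."""
    if resource.tenant is None or resource.database is None:
        return False  # an unscoped request must never fall through to allow
    for a, tenant, db in user.grants:
        if a == action and tenant == resource.tenant and db in (None, resource.database):
            return True
    return False


def demo() -> dict:
    """Exercise both checks with constructed principals and resources."""
    alice = Principal("alice", {("collection:read", "tenant-a", "db-a")})
    bob = Principal("bob", {("collection:read", "tenant-b", None)})  # whole tenant
    own = Resource("tenant-a", "db-a", "docs")
    foreign = Resource("tenant-b", "db-b", "docs")
    unscoped = Resource(None, None, "docs")  # what a scope-less endpoint would pass
    return {
        "weak_own": authorize_weak(alice, "collection:read", own),
        "weak_foreign": authorize_weak(alice, "collection:read", foreign),      # cross-tenant allowed
        "weak_unscoped": authorize_weak(alice, "collection:read", unscoped),    # None scope allowed
        "scoped_own": authorize_scoped(alice, "collection:read", own),
        "scoped_foreign": authorize_scoped(alice, "collection:read", foreign),  # denied
        "scoped_unscoped": authorize_scoped(alice, "collection:read", unscoped),  # denied
        "scoped_bob_tenant_wide": authorize_scoped(bob, "collection:read", foreign),
        "scoped_bob_other_tenant": authorize_scoped(bob, "collection:read", own),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:26} {'ALLOW' if allowed else 'DENY'}")
```

The point to take from the two functions is the order of checks in authorize_scoped: a request whose tenant or database is None is refused before any grant is consulted, so an endpoint that forgets to fill in the scope degrades to a denial rather than to a cross-tenant allow.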

CVE-2026-44206

Publication date:
12/06/2026
Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4.
Severity CVSS v4.0: MEDIUM
Last modification:
12/06/2026

CVE-2026-44207

Publication date:
12/06/2026
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users' email configuration details. This issue has been patched in versions 15.107.0 and 16.17.0.
Severity CVSS v4.0: MEDIUM
Last modification:
12/06/2026

CVE-2026-44208

Publication date:
12/06/2026
Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.
Severity CVSS v4.0: MEDIUM
Last modification:
12/06/2026

CVE-2026-40677

Publication date:
12/06/2026
The use of insecure HTTP transport within AMD optional tools could allow an attacker to conduct a man-in-the-middle attack, potentially leading to arbitrary code execution.
Severity CVSS v4.0: HIGH
Last modification:
12/06/2026

CVE-2026-44967

Publication date:
12/06/2026
OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-6211

Publication date:
12/06/2026
Unrestricted upload of file with dangerous type vulnerability in Global IT Informatics Services Inc. WEOLL allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WEOLL: from 2.0.9 before 3.2.45.33.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2026

CVE-2026-6853

Publication date:
12/06/2026
Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. Pause+ Mobile App allows Authentication Bypass. This issue affects Pause+ Mobile App: from v1.0.6 before v1.5.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2026