Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-49374

Publication date:
29/05/2026
In JetBrains TeamCity before 2026.1 improper permission checks exposed build configuration parameters
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2026

CVE-2026-49373

Publication date:
29/05/2026
In JetBrains TeamCity before 2026.1 remote code execution was possible via Perforce connection settings
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2026

CVE-2026-47744

Publication date:
29/05/2026
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization. Any authenticated user could load the page and use its public actions to create new roles and delete other users, including administrators. Settings/Team/RolePermission gated its write actions on the read-only view_users permission. Any user holding view_users could grant themselves or any other user arbitrary permissions, including manage_users and edit_orders, effectively escalating to full panel administrator from a read-only account. Combined, these two defects allow a low-privilege authenticated user to obtain administrator privileges and remove the legitimate administrators from the panel. This vulnerability is fixed in 2.8.0.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-47745

Publication date:
29/05/2026
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could disable every payment method on the store, disable or alter the default currency, or disable carriers. The impact is a full denial of checkout and pricing integrity loss, reachable by any authenticated user. This vulnerability is fixed in 2.8.0.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-49370

Publication date:
29/05/2026
In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-49369

Publication date:
29/05/2026
In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-49368

Publication date:
29/05/2026
In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-49367

Publication date:
29/05/2026
In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-49366

Publication date:
29/05/2026
In JetBrains IntelliJ IDEA before 2026.1.1 command injection was possible via filename completion
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2026-49371

Publication date:
29/05/2026
In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2026

CVE-2026-44652

Publication date:
29/05/2026
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, corsProxyMiddleware forwards req.params.url directly into fetch(url, ...). It only blocks circular requests to its own host and does not enforce destination allowlist or private/loopback restrictions, enabling SSRF. This vulnerability is fixed in 1.18.0.
Severity CVSS v4.0: MEDIUM
Last modification:
29/05/2026

CVE-2026-46372

Publication date:
29/05/2026
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern exposes /api/search/searxng, which accepts attacker-controlled baseUrl and uses it directly to build outbound server-side fetches. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive the /search response body. This vulnerability is fixed in 1.18.0.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026