Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-22886
Publication date:
03/03/2026
OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires<br /> authentication. However, the product ships with a default administrative account (admin/<br /> admin) and does not enforce a mandatory password change on first use. After the first<br /> successful login, the server continues to accept the default password indefinitely without<br /> warning or enforcement.<br /> <br /> <br /> In real-world deployments, this service is often left enabled without changing the default<br /> credentials. As a result, a remote attacker with access to the service port could authenticate<br /> as an administrator and gain full control of the protocol’s administrative features.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026

CVE-2025-15598
Publication date:
03/03/2026
A vulnerability was found in Dataease SQLBot up to 1.5.1. This impacts the function validateEmbedded of the file backend/apps/system/middleware/auth.py of the component JWT Token Handler. Performing a manipulation results in improper verification of cryptographic signature. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is said to be difficult. The exploit has been made public and could be used. A comment in the source code warns users about using this feature. The vendor was contacted early about this disclosure.
Severity CVSS v4.0: MEDIUM
Last modification:
05/03/2026

CVE-2026-1876
Publication date:
03/03/2026
Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP all versions allows a remote attacker to cause a denial-of-service (DoS) condition on the products by continuously sending UDP packets to the products. A system reset of the product is required for recovery.
Severity CVSS v4.0: HIGH
Last modification:
04/03/2026

CVE-2026-1874
Publication date:
03/03/2026
Always-Incorrect Control Flow Implementation vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP versions 1.106 and prior and Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP all versions allows a remote attacker to cause a denial-of-service (DoS) condition on the products by continuously sending UDP packets to the products. A system reset of the product is required for recovery.
Severity CVSS v4.0: HIGH
Last modification:
04/03/2026

CVE-2026-1875
Publication date:
03/03/2026
Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP all versions allows a remote attacker to cause a denial-of-service (DoS) condition on the products by continuously sending UDP packets to the products. A system reset of the product is required for recovery.
Severity CVSS v4.0: HIGH
Last modification:
04/03/2026

CVE-2025-12345
Publication date:
03/03/2026
A security vulnerability has been detected in LLM-Claw 0.1.0/0.1.1/0.1.1a/0.1.1a-p1. The affected element is the function agent_deploy_init of the file /agents/deploy/initiate.c of the component Agent Deployment. Such manipulation leads to buffer overflow. It is possible to launch the attack remotely. A patch should be applied to remediate this issue.
Severity CVSS v4.0: HIGH
Last modification:
03/03/2026

CVE-2025-15595
Publication date:
03/03/2026
Privilege escalation via dll hijacking in Inno Setup 6.2.1 and ealier versions.
Severity CVSS v4.0: MEDIUM
Last modification:
13/03/2026

CVE-2026-3449
Publication date:
03/03/2026
Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.
Severity CVSS v4.0: MEDIUM
Last modification:
03/03/2026

CVE-2026-3455
Publication date:
03/03/2026
Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.
Severity CVSS v4.0: MEDIUM
Last modification:
13/03/2026

CVE-2026-1492
Publication date:
03/03/2026
The User Registration &amp; Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction &amp; Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2026

CVE-2025-47147
Publication date:
03/03/2026
Cleartext Storage of Sensitive Information (CWE-312) in the Command Centre Mobile Client on Android and iOS could allow an attacker with access to a logged-in Operator&amp;#39;s mobile device to extract the session token and exploit access for a limited duration. <br /> <br /> <br /> <br /> This issue affects Command Centre Mobile Client versions prior to 9.40.123.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2026

CVE-2026-20801
Publication date:
03/03/2026
Cleartext Transmission of Sensitive Information (CWE-319) in a component used in the Gallagher Hanwha VMS and Gallagher NxWitness VMS integrations allows unprivileged users with local network access to view live video streams. <br /> <br /> <br /> <br /> This issue affects all versions of Gallagher NxWitness VMS integration prior to 9.10.017 and Gallagher Hanwha VMS integration prior to 9.10.025.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2026
Subscribe to Vulnerabilities