Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information in the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the information it contains into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

Each vulnerability collected is linked to its information sources and to the patches or fixes made available by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-3005

Publication date:
09/04/2026
The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.94.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026
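
As an added illustration of the flaw class in the entry above (this is not code from the plugin or from the advisory), the following Python models a shortcode handler that echoes a user-supplied attribute into HTML. The markup, the `lcp-title` class name and the `MALICIOUS_TITLE` payload are constructed for the demo; in WordPress the escaping step corresponds to esc_attr(), and the allowlist step to validating attributes whose legal values are known up front.

```python
import html
import re

# Constructed payload: what a contributor could store in a shortcode attribute
# such as [catlist title="..."]. It closes the attribute and adds an event handler.
MALICIOUS_TITLE = '" onmouseover="alert(document.cookie)'

# Hypothetical class name and markup; the real plugin's output is not reproduced.
DEFAULT_CLASS = "lcp-title"
_CSS_CLASS = re.compile(r"[A-Za-z0-9_-]{1,64}")


def render_vulnerable(title: str) -> str:
    """Flaw class from the advisory: the attribute value is echoed unescaped."""
    return f'<h3 class="{DEFAULT_CLASS}" title="{title}">Posts</h3>'


def render_escaped(title: str) -> str:
    """Escape for the attribute context (quote=True also encodes the quotes);
    WordPress's esc_attr() plays the same role."""
    return f'<h3 class="{DEFAULT_CLASS}" title="{html.escape(title, quote=True)}">Posts</h3>'


def render_validated(title: str, css_class: str) -> str:
    """Attributes with a small set of legal values are allowlisted rather than
    escaped: a class name that is not a plain token falls back to the default."""
    if not _CSS_CLASS.fullmatch(css_class):
        css_class = DEFAULT_CLASS
    return f'<h3 class="{css_class}" title="{html.escape(title, quote=True)}">Posts</h3>'


def has_injected_handler(markup: str) -> bool:
    """Crude check used below: an on* attribute opened by a raw quote appeared."""
    return re.search(r'\son\w+="', markup) is not None


if __name__ == "__main__":
    print(render_vulnerable(MALICIOUS_TITLE))
    print(render_escaped(MALICIOUS_TITLE))
    print(render_validated("Latest", 'x" onclick="alert(1)'))
```

Escaping is context-specific: `html.escape` is right for attribute and element text, but an attribute that ends up in a URL, a style or a script context needs its own encoder, which is why values with a naturally small legal alphabet (class names, alignment keywords) are better validated against an allowlist.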

CVE-2026-2519

Publication date:
09/04/2026
The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to price manipulation via the 'tips' parameter in all versions up to, and including, 27.0. This is due to the plugin trusting a user-supplied input without server-side validation against the configured price. This makes it possible for unauthenticated attackers to submit a negative number to the 'tips' parameter, causing the total price to be reduced to zero.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026
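
The entry above is a business-logic flaw rather than an injection: the server adds whatever `tips` value the client sends. As an added example (not Bookly's code), the Python below shows that behaviour next to a total that is computed from the server-side price list and accepts a tip only after validation. Service names, prices and the tip cap are hypothetical.

```python
from decimal import Decimal, InvalidOperation

# Hypothetical server-side price list and tip cap; nothing here is Bookly's data.
SERVICE_PRICES = {"haircut": Decimal("30.00"), "massage": Decimal("55.00")}
MAX_TIP = Decimal("500.00")
CENTS = Decimal("0.01")


class PriceError(ValueError):
    """Raised when a submitted booking form cannot be priced safely."""


def total_vulnerable(form: dict) -> Decimal:
    """Flaw class from the advisory: the client's 'tips' value is added as sent,
    so tips=-30 on a 30.00 service yields a total of 0."""
    return SERVICE_PRICES[form["service"]] + Decimal(form.get("tips", "0"))


def parse_tip(raw) -> Decimal:
    """Accept only a finite, non-negative amount with at most two decimals
    and within the configured cap; everything else is rejected, not clamped."""
    try:
        tip = Decimal(str(raw))
    except InvalidOperation:
        raise PriceError("tip is not a number") from None
    if not tip.is_finite():          # rejects NaN and Infinity before comparing
        raise PriceError("tip must be a finite amount")
    if tip < 0:
        raise PriceError("tip must not be negative")
    if tip > MAX_TIP:
        raise PriceError("tip exceeds the allowed maximum")
    if tip != tip.quantize(CENTS):   # sub-cent amounts are a sign of tampering
        raise PriceError("tip must have at most two decimals")
    return tip


def total_hardened(form: dict) -> Decimal:
    """Compute the total from the configured price; the client only chooses
    the service and a tip that passes parse_tip()."""
    service = form.get("service")
    if service not in SERVICE_PRICES:
        raise PriceError("unknown service")
    return SERVICE_PRICES[service] + parse_tip(form.get("tips", "0"))
```

Rejecting rather than clamping matters for detection: a negative or non-numeric tip is never produced by the legitimate form, so the failed request is worth logging as tampering instead of being silently corrected.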

CVE-2026-24661

Publication date:
09/04/2026
Mattermost Plugins versions
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026

CVE-2026-21388

Publication date:
09/04/2026
Mattermost Plugins versions
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026

CVE-2024-1490

Publication date:
09/04/2026
An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands enabling the attacker to run arbitrary commands on the device.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026

CVE-2026-34184

Publication date:
09/04/2026
Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically, the attacker could run PHP scripts directly on the connected database. This issue was fixed in Hydrosystem Control System version 9.8.5.
Severity CVSS v4.0: HIGH
Last modification:
09/04/2026

CVE-2026-34185

Publication date:
09/04/2026
Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database. This issue was fixed in Hydrosystem Control System version 9.8.5.
Severity CVSS v4.0: HIGH
Last modification:
09/04/2026
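
As an added example of the injection class in the entry above (unrelated to Hydrosystem's own code), the Python below runs a lookup that splices input into the statement text next to its parameterized form, against a constructed in-memory SQLite table. The two payloads show the two things the advisory warns about: a tautology that returns every row, and a UNION that reads the schema, the first step toward the "full control" it mentions.

```python
import sqlite3

# Constructed in-memory table standing in for the product's user store.
SEED_USERS = [("operator", "user"), ("maint", "user"), ("root", "admin")]
# Tautology payload: the quote closes the string literal the code opened.
PAYLOAD = "x' OR '1'='1"
# UNION payload: reads table names and CREATE statements from sqlite_master.
SCHEMA_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master WHERE '1'='1"


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SEED_USERS)
    return con


def find_user_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """Flaw class from the advisory: input spliced into the statement text,
    so the attacker controls the WHERE clause and can append a UNION."""
    return con.execute(f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def find_user_parameterized(con: sqlite3.Connection, name: str) -> list:
    """The driver passes the value separately from the statement, so the quote
    and the OR are matched as data: no user is literally named "x' OR '1'='1"."""
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    con = build_db()
    print(find_user_vulnerable(con, PAYLOAD))          # all three users
    print(find_user_vulnerable(con, SCHEMA_PAYLOAD))   # the users table's DDL
    print(find_user_parameterized(con, PAYLOAD))       # []
```

Parameterization fixes the query; it does not shrink what a compromised query can reach. Pairing it with a database account limited to the tables and verbs the application needs bounds the damage of the next missed call site.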

CVE-2026-4901

Publication date:
09/04/2026
Hydrosystem Control System saves sensitive information to a log file. Critically, user credentials are logged, allowing an attacker to obtain further authorized access to the system. Combined with vulnerability CVE-2026-34184, this sensitive information could be accessed by an unauthorized user. This issue was fixed in Hydrosystem Control System version 9.8.5.
Severity CVSS v4.0: MEDIUM
Last modification:
09/04/2026

CVE-2026-34178

Publication date:
09/04/2026
In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026

CVE-2026-34179

Publication date:
09/04/2026
In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026

CVE-2026-34177

Publication date:
09/04/2026
Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026
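
The two LXD entries CVE-2026-34178 and CVE-2026-34177 above share a root cause: a security check that inspects something other than what is enforced. One checks backup/index.yaml while the instance is built from backup/container/backup.yaml; the other enumerates forbidden keys and misses two. As an added example (not LXD's code) serving both entries, the Python below writes a restriction check first as an enumerated denylist and then as a block on the whole raw.* namespace, and a backup import that validates the index next to one that validates the configuration actually applied. The archive layout follows the file names in the advisory; the config text is a flat key: value simplification parsed by a small helper because the standard library has no YAML parser, and the denylist's contents and sample values are hypothetical.

```python
import io
import tarfile


# Flat "key: value" stand-in for the YAML the real files contain: the standard
# library has no YAML parser, so this simplification keeps the example offline.
def parse_flat(text: str) -> dict:
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip()
    return cfg


# Hypothetical contents of an enumerated denylist. The advisory's point is that
# such a list is only as good as its last update: raw.apparmor and raw.qemu.conf
# were not on LXD's.
INCOMPLETE_DENYLIST = {"raw.lxc", "raw.qemu", "raw.idmap"}


def violations_denylist(cfg: dict) -> list:
    return sorted(k for k in cfg if k in INCOMPLETE_DENYLIST)


def violations_prefix(cfg: dict) -> list:
    """Block the whole raw.* namespace and privileged mode, so a key LXD adds
    later is blocked by default instead of slipping through."""
    bad = [k for k in cfg if k.startswith("raw.")]
    if cfg.get("security.privileged", "").lower() == "true":
        bad.append("security.privileged")
    return sorted(bad)


INDEX_PATH = "backup/index.yaml"
BACKUP_PATH = "backup/container/backup.yaml"


def make_backup(index_cfg: str, backup_cfg: str) -> bytes:
    """Constructed archive in the layout the advisory names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, text in ((INDEX_PATH, index_cfg), (BACKUP_PATH, backup_cfg)):
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _read(tar: tarfile.TarFile, name: str) -> str:
    return tar.extractfile(name).read().decode()


def import_vulnerable(archive: bytes) -> dict:
    """Flaw class: restrictions are checked against index.yaml, but the
    instance is created from backup.yaml, which is never checked."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        if violations_prefix(parse_flat(_read(tar, INDEX_PATH))):
            raise PermissionError("restricted keys in index.yaml")
        return parse_flat(_read(tar, BACKUP_PATH))


def import_fixed(archive: bytes) -> dict:
    """Validate the configuration that will actually be applied (and the
    index too, so the two files cannot disagree unnoticed)."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        index = parse_flat(_read(tar, INDEX_PATH))
        backup = parse_flat(_read(tar, BACKUP_PATH))
        bad = sorted(set(violations_prefix(index) + violations_prefix(backup)))
        if bad:
            raise PermissionError(f"restricted keys: {bad}")
        return backup


# Constructed sample configs: a clean index and a backup.yaml carrying the
# settings the advisory names (values are illustrative, not a working exploit).
BENIGN_CFG = "name: web1\nsecurity.privileged: false\n"
EVIL_CFG = ("name: web1\nsecurity.privileged: true\n"
            "raw.lxc: lxc.mount.entry = / host none bind 0 0\n")
```

The general rule behind both fixes: run the authorization check on the exact object the privileged operation consumes, and express the check as "nothing in this namespace" rather than "none of these names" whenever the namespace can grow.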

CVE-2025-62188

Publication date:
09/04/2026
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler.

This vulnerability may allow unauthorized actors to access sensitive information, including database credentials.

This issue affects Apache DolphinScheduler versions 3.1.*.

Users are recommended to upgrade to:

* version ≥ 3.2.0 if using 3.1.x

As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable:

```
MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus
```

Alternatively, add the following configuration to the application.yaml file:

```
management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
```

This issue has been reported as CVE-2023-48796:

https://cveprocess.apache.org/cve5/CVE-2023-48796
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026