Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-8085

Publication date:
14/07/2026
A security issue exists within Arena® Simulation due to a memory corruption vulnerability in the model.exe (Siman) component. The vulnerability stems from improper validation of user-supplied data, which can result in an out-of-bounds write. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process by convincing a user to open a malicious file.
Severity CVSS v4.0: HIGH
Last modification:
14/07/2026

CVE-2026-15692

Publication date:
14/07/2026
A weakness has been identified in Tenda BE12 Pro 16.03.66.23. This vulnerability affects the function fromSafeUrlFilter of the file /goform/SafeUrlFilter. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.
Severity CVSS v4.0: HIGH
Last modification:
14/07/2026

CVE-2026-15691

Publication date:
14/07/2026
A security flaw has been discovered in Tenda BE12 Pro 16.03.66.23. This affects the function fromSafeClientFilter of the file /goform/SafeClientFilter. Performing a manipulation of the argument page results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.
Severity CVSS v4.0: HIGH
Last modification:
14/07/2026

CVE-2026-9341

Publication date:
14/07/2026
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.0 via the 'save_lesson_note', 'get_lesson_note', and 'complete_lesson_video' AJAX handlers due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read, overwrite, or delete the private lesson notes of any other user (including administrators), and to falsify lesson-completion progress for arbitrary users.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-15690

Publication date:
14/07/2026
A vulnerability was identified in open62541 up to 1.5.5. Affected by this issue is the function responseReadNamespacesArray of the file src/client/ua_client_connect.c of the component Shared Client Library. Such manipulation of the argument Server_NamespaceArray leads to null pointer dereference. The attack can be executed remotely. The attack requires a high level of complexity. The exploitation is known to be difficult. The exploit is publicly available and might be used. The project closed the issue report, stating that this is not the official way to report a security vulnerability.
Severity CVSS v4.0: LOW
Last modification:
14/07/2026

CVE-2026-15389

Publication date:
14/07/2026
A vulnerability relating to insufficient access control has been identified in the session management of the Sesame Time web application and its REST v3 API. The flaw lies in the fact that the system uses the session identifier (USID) as the sole validation mechanism, without verifying whether that identifier legitimately belongs to the user making the request. As a result, an attacker who obtains a valid USID can impersonate a victim’s session and access their confidential information, including emails, user IDs, roles and corporate data. This vulnerability is exacerbated by poor session lifecycle management: new logins generate additional USIDs without revoking the previous ones, allowing multiple active sessions to coexist and thereby expanding the attack surface.
Severity CVSS v4.0: HIGH
Last modification:
14/07/2026

CVE-2026-62422

Publication date:
14/07/2026
In JetBrains YouTrack before 2026.1.13757,<br /> 2025.3.148033,<br /> 2025.2.148048,<br /> 2025.1.148120,<br /> 2024.3.148430,<br /> 2024.2.148429 authentication bypass via direct database access leading to administrative access was possible
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-58319

Publication date:
14/07/2026
Certain Apache Doris FE HTTP REST administrative APIs were accessible without proper authentication. An unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially affecting cluster integrity and availability and leading to cluster instability or denial of service. <br /> <br /> This issue affects Apache Doris versions prior to 3.1.0. Users are advised to upgrade to Apache Doris 3.1.0 or later.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-56451

Publication date:
14/07/2026
A vulnerability has been identified in Opcenter X (All versions
Severity CVSS v4.0: CRITICAL
Last modification:
14/07/2026

CVE-2026-54429

Publication date:
14/07/2026
A vulnerability has been identified in SIMATIC S7-PLCSIM Advanced (All versions). Affected devices do not properly handle high-volume multicast network traffic, which can exhaust available memory resources in the affected application. This could allow an unauthenticated attacker on the local network segment to cause a denial-of-service condition of the affected application. The affected application becomes inaccessible and requires a manual restart; no project data is lost. Successful exploitation requires a specific project configuration to be already active on the targeted instance.
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-3014

Publication date:
14/07/2026
Milestone<br /> has released a new version of XProtect® (and several cumulative patch updates)<br /> which fix security vulnerability in Management Server API. <br /> <br /> <br /> <br /> The vulnerability<br /> causes users with edit permissions to the Management Server to be able to<br /> execute arbitrary code in context of the Management Server Service.
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-15043

Publication date:
14/07/2026
DBI::SQL::Nano versions from 1.42 before 1.651 for Perl have inverted = SQL operators on text.<br /> <br /> DBI::SQL::Nano, DBI&amp;#39;s built-in mini-SQL engine, evaluated WHERE predicates incorrectly in some cases. In the non-numeric string branch of the is_matched method, = was evaluated using Perl&amp;#39;s le operator.<br /> <br /> SQL::Nano is the fallback query engine for DBI&amp;#39;s file-backed drivers (DBD::File, DBD::DBM, CSV-style drivers) whenever SQL::Statement is not installed, and is forced whenever DBI_SQL_NANO=1. Queries over such tables use these predicates directly.<br /> <br /> The impact depends on the context. Where an application relies on a WHERE clause to filter file-backed data for policy or authorization, an inverted = comparison silently returns the wrong rows.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026