Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-4634
Publication date:
02/04/2026
A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-4636
Publication date:
02/04/2026
A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-5328
Publication date:
02/04/2026
A weakness has been identified in shsuishang modulithshop up to 829bac71f507e84684c782b9b062b8bf3b5585d6. The impacted element is the function listItem of the file src/main/java/com/suisung/shopsuite/pt/service/impl/ProductIndexServiceImpl.java of the component ProductItemDao Interface. Executing a manipulation of the argument sidx/sort can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. This patch is called 42bcb9463425d1be906c3b290cf29885eb5a2324. A patch should be applied to remediate this issue.
Severity CVSS v4.0: MEDIUM
Last modification:
02/04/2026

CVE-2026-5330
Publication date:
02/04/2026
A vulnerability was found in SourceCodester/mayuri_k Best Courier Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=delete_user of the component User Delete Handler. Performing a manipulation of the argument ID results in improper access controls. The attack may be initiated remotely. The exploit has been made public and could be used.
Severity CVSS v4.0: MEDIUM
Last modification:
02/04/2026

CVE-2026-5331
Publication date:
02/04/2026
A vulnerability was determined in OpenCart 4.1.0.3. This affects an unknown part of the file installer.php of the component Extension Installer Page. Executing a manipulation can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
02/04/2026

CVE-2026-34890
Publication date:
02/04/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark O’Donnell MSTW League Manager allows DOM-Based XSS.This issue affects MSTW League Manager: from n/a through 2.10.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-3872
Publication date:
02/04/2026
A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-4282
Publication date:
02/04/2026
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-4325
Publication date:
02/04/2026
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-23417
Publication date:
02/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix constant blinding for PROBE_MEM32 stores<br /> <br /> BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by<br /> bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to<br /> survive unblinded into JIT-compiled native code when bpf_jit_harden &gt;= 1.<br /> <br /> The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM<br /> to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification,<br /> before bpf_jit_blind_constants() runs during JIT compilation. The<br /> blinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not<br /> BPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through<br /> unblinded.<br /> <br /> Add BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the<br /> existing BPF_ST|BPF_MEM cases. The blinding transformation is identical:<br /> load the blinded immediate into BPF_REG_AX via mov+xor, then convert<br /> the immediate store to a register store (BPF_STX).<br /> <br /> The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so<br /> the architecture JIT emits the correct arena addressing (R12-based on<br /> x86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes<br /> BPF_MEM mode; construct the instruction directly instead.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-5327
Publication date:
02/04/2026
A security flaw has been discovered in efforthye fast-filesystem-mcp up to 3.5.1. The affected element is the function handleGetDiskUsage of the file src/index.ts. Performing a manipulation results in command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: MEDIUM
Last modification:
02/04/2026

CVE-2026-23412
Publication date:
02/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: bpf: defer hook memory release until rcu readers are done<br /> <br /> Yiming Qian reports UaF when concurrent process is dumping hooks via<br /> nfnetlink_hooks:<br /> <br /> BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0<br /> Read of size 8 at addr ffff888003edbf88 by task poc/79<br /> Call Trace:<br /> <br /> nfnl_hook_dump_one.isra.0+0xe71/0x10f0<br /> netlink_dump+0x554/0x12b0<br /> nfnl_hook_get+0x176/0x230<br /> [..]<br /> <br /> Defer release until after concurrent readers have completed.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026
Subscribe to Vulnerabilities