Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-50205

Publication date:
04/06/2026
System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data.
Severity CVSS v4.0: HIGH
Last modification:
04/06/2026

CVE-2026-50206

Publication date:
04/06/2026
Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files.
Severity CVSS v4.0: HIGH
Last modification:
04/06/2026

CVE-2026-49191

Publication date:
04/06/2026
The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages.
Severity CVSS v4.0: CRITICAL
Last modification:
04/06/2026

CVE-2026-49192

Publication date:
04/06/2026
The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping.
Severity CVSS v4.0: MEDIUM
Last modification:
04/06/2026

CVE-2026-49193

Publication date:
04/06/2026
Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet.
Severity CVSS v4.0: HIGH
Last modification:
04/06/2026

CVE-2026-49194

Publication date:
04/06/2026
The debugging routine SCREEN_CLICK(5053) enables a connection to skip the standard device login prompt entirely and directly enter an interactive shell interface.
Severity CVSS v4.0: CRITICAL
Last modification:
04/06/2026

CVE-2026-49202

Publication date:
04/06/2026
Internal multimedia session archives are accessible without authentication, exacerbated by loose Cross-Origin Resource Sharing (CORS) rules that allow cross-site theft.
Severity CVSS v4.0: HIGH
Last modification:
04/06/2026

CVE-2026-49203

Publication date:
04/06/2026
Crucial management API endpoints for cellular eSIM allocation do not validate caller authorization, allowing remote profiles to be rewritten or deleted.
Severity CVSS v4.0: HIGH
Last modification:
04/06/2026

CVE-2026-49204

Publication date:
04/06/2026
Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation.
Severity CVSS v4.0: MEDIUM
Last modification:
04/06/2026

CVE-2026-49190

Publication date:
04/06/2026
The system fails to evaluate instructional permissions over multiple internal operation codes (opcodes), permitting unauthorized application installations or command executions.
Severity CVSS v4.0: CRITICAL
Last modification:
04/06/2026

CVE-2026-50219

Publication date:
04/06/2026
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2026

CVE-2026-49187

Publication date:
04/06/2026
The hard-coded APK resource files never expire, and the shared scepter leads to information leaks and potential misuse.
Severity CVSS v4.0: HIGH
Last modification:
04/06/2026