Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used in order to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to the patches or solutions made available by manufacturers and developers. It is possible to carry out advanced searches, since different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-7255

Publication date:
12/05/2026
** UNSUPPORTED WHEN ASSIGNED ** An improper restriction of excessive authentication attempts vulnerability in the web management interface of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the LAN to brute-force the password and bypass authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-7256

Publication date:
12/05/2026
** UNSUPPORTED WHEN ASSIGNED ** A command injection vulnerability in the CGI program of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the LAN to execute operating system (OS) commands on a vulnerable device by sending a crafted HTTP request.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-7257

Publication date:
12/05/2026
** UNSUPPORTED WHEN ASSIGNED ** An insecure storage of sensitive information vulnerability in the configuration file of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow a local attacker with administrator privileges to download and decrypt a backup configuration file.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-7287

Publication date:
12/05/2026
** UNSUPPORTED WHEN ASSIGNED ** A buffer overflow vulnerability in the formWep(), formWlAc(), formPasswordSetup(), formUpgradeCert(), and formDelcert() functions of the “webs” binary in Zyxel NWA1100-N customized firmware version 1.00(AACE.1)C0 could allow an attacker to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request to a vulnerable device.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-45430

Publication date:
12/05/2026
The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-40132

Publication date:
12/05/2026
Due to missing authorization check in SAP Strategic Enterprise Management (Scorecard Wizard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and modify value fields, which will mislead risk evaluations and falsely lower assessed risk levels. This results in a low impact on the confidentiality and integrity of the data. There is no impact on the application's availability.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-40133

Publication date:
12/05/2026
Due to missing authorization check in SAP S/4HANA Condition Maintenance, an authenticated attacker could gain unauthorized access to view and modify condition table records, resulting in low impact on the confidentiality and integrity of the data. Additionally, this vulnerability may prevent the legitimate user from accessing the records, causing low impact on application availability.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-40134

Publication date:
12/05/2026
Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-40135

Publication date:
12/05/2026
An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-40136

Publication date:
12/05/2026
SAP Financial Consolidation allows an authenticated attacker to disconnect other users by terminating their sessions, temporarily preventing access. However, the application itself cannot be compromised, resulting in a low impact on availability. There is no impact on confidentiality and integrity of the data.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-40137

Publication date:
12/05/2026
SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker-controlled sites, potentially exposing or altering sensitive information in the victim's browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2026-27682

Publication date:
12/05/2026
Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026