Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities for users interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-68851

Publication date:
15/06/2026
Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2025-68872

Publication date:
15/06/2026
Unauthenticated Cross Site Scripting (XSS) in Eli's WordCents adSense Widget with Analytics
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2025-69332

Publication date:
15/06/2026
Subscriber Broken Access Control in Bookify
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2025-59133

Publication date:
15/06/2026
Custom role Insecure Direct Object References (IDOR) in Projectopia
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-54444

Publication date:
15/06/2026
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-49489. Reason: This candidate is a duplicate of CVE-2026-49489. Notes: All CVE users should reference CVE-2026-49489 instead of this candidate.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-54292

Publication date:
15/06/2026
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-12074. Reason: This candidate is a duplicate of CVE-2026-12074. Notes: All CVE users should reference CVE-2026-12074 instead of this candidate.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-54294

Publication date:
15/06/2026
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-12072. Reason: This candidate is a duplicate of CVE-2026-12072. Notes: All CVE users should reference CVE-2026-12072 instead of this candidate.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-54295

Publication date:
15/06/2026
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-12061. Reason: This candidate is a duplicate of CVE-2026-12061. Notes: All CVE users should reference CVE-2026-12061 instead of this candidate.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-54296

Publication date:
15/06/2026
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-12075. Reason: This candidate is a duplicate of CVE-2026-12075. Notes: All CVE users should reference CVE-2026-12075 instead of this candidate.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-53703

Publication date:
15/06/2026
A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly). When processing a RealMedia (.rm) file, the demuxer parses MDPR (media properties) chunks to configure audio streams. For audio stream header versions 4 and 5, the parser reads fields such as codec type, packet size, sample rate, channel count, and extra codec data length from fixed offsets within the chunk without first checking that the chunk contains enough data. If a malicious file provides an MDPR chunk that is too small to contain a complete audio stream header, the parser reads beyond the end of the buffer. This can cause the application to crash. In some cases, bytes read past the buffer boundary may be incorporated into stream metadata, which could result in limited information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-53704

Publication date:
15/06/2026
A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using re_skip_pascal_string() without validating that offsets remain within the mapped buffer. Additionally, the element count controlling the parsing loop is read from attacker-controlled data without validation, which can cause an infinite loop. A crafted RealMedia file can cause the application to crash, hang, or potentially read limited adjacent memory contents.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026

CVE-2026-53705

Publication date:
15/06/2026
A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good. When processing a specially crafted WavPack file, an integer overflow in the buffer size calculation (4 * block_samples * channels) in gst_wavpack_dec_handle_frame() causes a very small heap allocation. The WavPack library then writes decoded audio samples far beyond the allocated buffer, resulting in heap memory corruption. This affects both 32-bit and 64-bit systems since the arithmetic is performed in 32-bit integers before promotion to the allocation size type. A remote attacker could use this flaw to crash an application or potentially execute arbitrary code by convincing a user to open a malicious WavPack audio file.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2026