Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users; it is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: criteria such as vulnerability type, manufacturer and impact level can be selected to narrow down the results.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-42669

Publication date:
02/06/2026
Missing Authorization vulnerability in EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through 4.3.2.0.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2026

CVE-2026-42684

Publication date:
02/06/2026
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ahmad WP Job Portal allows Blind SQL Injection. This issue affects WP Job Portal: from n/a through 2.5.1.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2026

CVE-2026-42685

Publication date:
02/06/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ahmad WP Job Portal allows Reflected XSS. This issue affects WP Job Portal: from n/a through 2.5.1.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2026

CVE-2026-42670

Publication date:
02/06/2026
Missing Authorization vulnerability in Etoile Web Design Incorporated Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Five Star Restaurant Reservations: from n/a through 2.7.14.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2026

CVE-2025-53440

Publication date:
02/06/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Confidant allows PHP Local File Inclusion. This issue affects Confidant: from n/a through 1.4.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2026

CVE-2025-58024

Publication date:
02/06/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in UnboundStudio Accordion FAQ allows PHP Local File Inclusion. This issue affects Accordion FAQ: from n/a through 2.2.1.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2026

CVE-2025-58705

Publication date:
02/06/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Crafti allows PHP Local File Inclusion. This issue affects Crafti: from n/a through 1.12.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2026

CVE-2026-5191

Publication date:
02/06/2026
The Tiled Gallery Carousel Without JetPack plugin for WordPress is vulnerable to stored cross-site scripting via the 'data-image-title' parameter in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2026

CVE-2026-5422

Publication date:
02/06/2026
A path traversal vulnerability exists in jupyter-server version 2.17.0 due to an incorrect root directory boundary check in the _get_os_path() function within jupyter_server/services/contents/fileio.py. The check uses startswith(root) without appending a trailing path separator, allowing sibling directories with names starting with the same prefix as root_dir to bypass the check. Additionally, the to_os_path() function in utils.py does not strip ".." from path parts, enabling traversal sequences to bypass the vulnerable check. This vulnerability can lead to unauthorized read/write access to files in sibling directories, potentially exposing sensitive data in shared hosting environments.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2026-41115

Publication date:
02/06/2026
An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that is documented in the official Kafka documentation and in KIP-848. This discrepancy can result in misconfigured Access Control Lists (ACLs) and unintended security postures, such as granting READ permission to users who should not be able to join/sync groups, or allowing users without READ permission (but with DESCRIBE permission) to access sensitive group metadata. The correct permission for the CONSUMER_GROUP_DESCRIBE API is DESCRIBE GROUP, so the current implementation is correct. However, the Kafka documentation as well as KIP-848 will be updated to reflect the correct permission. We advise Kafka users to review existing group ACLs to ensure the principle of least privilege.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2026-46718

Publication date:
02/06/2026
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Calcite. This issue affects Apache Calcite: from 1.5.0 before 1.42. Users are recommended to upgrade to version 1.42, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2026-34907

Publication date:
02/06/2026
Wirtualna Uczelnia is vulnerable to Reflected Cross-Site Scripting (XSS) due to insecure handling of the locale parameter across multiple endpoints. An attacker can craft a malicious URL with JavaScript embedded in the locale parameter and send it to a victim. When the victim opens the link, the injected script will be executed in their browser. This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545.
Severity CVSS v4.0: MEDIUM
Last modification:
02/06/2026