Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-45444

Publication date:
20/05/2026
Unrestricted Upload of File with Dangerous Type vulnerability in WP Swings Gift Cards For WooCommerce Pro allows Using Malicious Files.

This issue affects Gift Cards For WooCommerce Pro: from n/a through 4.2.6.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-35016

Publication date:
20/05/2026
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in search.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_query POST parameter directly into an HTML input field VALUE attribute. Attackers can craft a malicious request containing a JavaScript payload in the frm_query parameter that executes in the victim's browser when submitted.
Severity CVSS v4.0: MEDIUM
Last modification:
21/05/2026

CVE-2026-39310

Publication date:
20/05/2026
Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Clipper API in Trilium Desktop (v0.101.3) allows full authentication bypass when running in an Electron environment. When Trilium detects an Electron environment, it explicitly disables authentication middleware for the Clipper API, exposing endpoints such as /api/clipper/notes to the network with no password, API token, or CSRF protection. An attacker on a shared network (for example, a corporate LAN or public Wi-Fi) can scan for open high-range ports using a tool like nmap, since Trilium often binds to ports such as 37840. Once a candidate port is found, an unauthenticated request to the Clipper handshake endpoint, which also bypasses authentication, confirms a Trilium instance by returning the application name and protocol version. This facilitates unauthorized data access, phishing, and local system compromise. The issue has been fixed in version 0.102.2.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-39311

Publication date:
20/05/2026
Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Versions 0.102.1 and prior contain a critical security flaw where lack of SVG sanitization combined with a disabled Content Security Policy (CSP) and a publicly reachable backend execution API results in an unauthenticated Remote Code Execution (RCE). The vulnerability arises from an insecure-by-design architecture: Trilium serves SVG attachments with the image/svg+xml MIME type without any sanitization, and it explicitly disables Helmet's Content Security Policy middleware, removing the primary defense against script execution in served assets. Because the malicious SVG runs under the Same-Origin Policy, it can issue a fetch('/') to extract the csrfToken from the document body. With that token, it can send a signed request to /api/script/exec to execute arbitrary Node.js code on the server. An attacker can compromise the entire server instance simply by tricking an authenticated user into viewing a shared SVG attachment. The issue has been fixed in version 0.102.2.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-39352

Publication date:
20/05/2026
Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above.
Severity CVSS v4.0: HIGH
Last modification:
21/05/2026

CVE-2026-39405

Publication date:
20/05/2026
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package to write files outside the intended directory. This issue has been resolved in version 2.50.1.
Severity CVSS v4.0: CRITICAL
Last modification:
21/05/2026

CVE-2026-39850

Publication date:
20/05/2026
Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before the require statement that loads the view file. As a result, a caller-controlled _file_ key in the $params array overwrites the internal local variable specifying which file to include, potentially enabling RCE if an attacker can write PHP files through a separate primitive, as well as information disclosure. This issue has been fixed in version 2.0.55.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-35009

Publication date:
20/05/2026
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_note.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited.
Severity CVSS v4.0: MEDIUM
Last modification:
21/05/2026

CVE-2026-35010

Publication date:
20/05/2026
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_JF.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a JavaScript variable assignment. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited.
Severity CVSS v4.0: MEDIUM
Last modification:
21/05/2026

CVE-2026-35011

Publication date:
20/05/2026
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in opena.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_call GET parameter directly into page output. Attackers can craft a malicious URL containing a JavaScript payload in the frm_call parameter that executes in the victim's browser when the URL is visited.
Severity CVSS v4.0: MEDIUM
Last modification:
21/05/2026

CVE-2026-35012

Publication date:
20/05/2026
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_facnote.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited.
Severity CVSS v4.0: MEDIUM
Last modification:
21/05/2026

CVE-2026-35013

Publication date:
20/05/2026
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in street_view.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through the thelat and thelng GET parameters directly into JavaScript variable assignments. Attackers can craft a malicious URL containing a JavaScript payload in either parameter that executes in the victim's browser when the URL is visited.
Severity CVSS v4.0: MEDIUM
Last modification:
21/05/2026