Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. The database is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2026-38834

Publication date:
21/04/2026
Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-29179

Publication date:
21/04/2026
October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access but had editor.cms_assets or editor.tailor_blueprints specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions. This vulnerability is fixed in 3.7.16 and 4.1.16.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-30452

Publication date:
21/04/2026
Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher privileges. By manipulating the article ID parameter during the duplicate-and-save workflow in textpattern/include/txp_article.php, an attacker can bypass authorization checks and overwrite content belonging to other users.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-27937

Publication date:
21/04/2026
October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-26274

Publication date:
21/04/2026
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list. This vulnerability is fixed in 3.7.14 and 4.1.10.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-25542

Publication date:
21/04/2026
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-26067

Publication date:
21/04/2026
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-24176

Publication date:
21/04/2026
NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-24177

Publication date:
21/04/2026
NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-24189

Publication date:
21/04/2026
NVIDIA CUDA-Q contains a vulnerability in an endpoint, where an unauthenticated attacker could cause an out-of-bounds read by sending a maliciously crafted request. A successful exploit of this vulnerability might lead to denial of service and information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-21571

Publication date:
21/04/2026
This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H, allows an authenticated attacker to execute commands on the remote system, which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

Atlassian recommends that Bamboo Data Center customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Bamboo Data Center 9.6.0: Upgrade to a release greater than or equal to 9.6.25
Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.18
Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.6

See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center from the download center (https://www.atlassian.com/software/bamboo/download-archives).
Severity CVSS v4.0: CRITICAL
Last modification:
21/04/2026

CVE-2019-25714

Publication date:
21/04/2026
Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write JSP webshells to the web root and execute them through the web server to achieve arbitrary OS command execution with web server privileges. Exploitation evidence was first observed by the Shadowserver Foundation on 2021-03-26 (UTC).
Severity CVSS v4.0: CRITICAL
Last modification:
21/04/2026