Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still translating them. Entries are identified using the CVE (Common Vulnerabilities and Exposures) standard for vulnerability names, which supports the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level.

RSS feeds and newsletters provide daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recent vulnerabilities.

CVE-2026-40998

Publication date:
11/06/2026
Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks.

Affected versions:
Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-40999

Publication date:
11/06/2026
When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to.

Affected versions:
Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-10795

Publication date:
11/06/2026
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-40986

Publication date:
11/06/2026
Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker.

Affected versions:
Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-40985

Publication date:
11/06/2026
Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions.

Affected versions:
Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-35273

Publication date:
11/06/2026
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-2827

Publication date:
11/06/2026
The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'oum_location_notification' parameter in versions up to, and including, 1.4.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-52726

Publication date:
10/06/2026
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious `.gitmodules` plus a matching tree gitlink whose `path` is `.git/hooks` (or any other directory inside the parent repository's `.git` directory) causes the attacker's submodule tree contents to be written directly into the victim's `.git/hooks/` directory, preserving executable mode bits. The dropped executables are then run by any subsequent `git` or `dulwich` command that invokes the matching hook, resulting in arbitrary code execution. This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain. Version 1.2.5 patches the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026
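The path validation missing in the dulwich case above, as an added example that is not dulwich's own code nor the upstream fix: a lexical check on each declared submodule `path` (refusing `..`, absolute paths and any component spelling `.git`), plus a filesystem check on where the path actually resolves, so that both the `.git/hooks` path named in the advisory and the symlink variant behind the cited Git CVE-2024-32002 are refused before anything is written into the worktree. The minimal `.gitmodules` parser, the sample file and all function names are assumptions made for this illustration.

```python
"""Validate submodule paths taken from an untrusted .gitmodules.

Added example, not dulwich's or Git's own code. Two checks a recursive
clone needs before writing a submodule tree into the parent worktree:
a lexical check on the declared ``path`` and a filesystem check on the
resolved destination (symlinks included).
"""
import os
import re
import tempfile

# Hypothetical helper: matches '[submodule "name"]' section headers.
SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]+)"\]$')


def parse_gitmodules(text):
    """Minimal .gitmodules parser returning {name: {key: value}}."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group('name'), {})
            continue
        if current is not None and '=' in line:
            key, _, value = line.partition('=')
            current[key.strip().lower()] = value.strip()
    return modules


def is_lexically_safe(path):
    """Accept only a relative path with no '..' component and no component
    that is a case-insensitive spelling of '.git' (trailing dots and
    spaces stripped, as NTFS would). Rejects '.git/hooks' outright."""
    if not path:
        return False
    norm = path.replace('\\', '/')
    if norm.startswith('/') or re.match(r'^[A-Za-z]:', norm):
        return False
    parts = [p for p in norm.split('/') if p not in ('', '.')]
    if not parts:
        return False
    for part in parts:
        if part == '..' or part.rstrip(' .').lower() == '.git':
            return False
    return True


def final_destination_is_safe(worktree, rel_path):
    """Filesystem check: the resolved target must stay inside the worktree
    and outside its .git directory, even if an earlier submodule left a
    symlink in the way (the pattern behind Git's CVE-2024-32002)."""
    root = os.path.realpath(worktree)
    git_dir = os.path.join(root, '.git')
    target = os.path.realpath(os.path.join(root, rel_path))
    inside_worktree = os.path.commonpath([root, target]) == root
    inside_git_dir = os.path.commonpath([git_dir, target]) == git_dir
    return inside_worktree and not inside_git_dir


def vet_submodules(gitmodules_text):
    """Split declared submodules into (accepted, rejected) by the lexical check."""
    accepted, rejected = {}, {}
    for name, cfg in parse_gitmodules(gitmodules_text).items():
        path = cfg.get('path', '')
        (accepted if is_lexically_safe(path) else rejected)[name] = path
    return accepted, rejected


# Constructed sample input: one honest submodule and two hostile ones.
SAMPLE_GITMODULES = """\
[submodule "vendor"]
\tpath = third_party/vendor
\turl = https://example.invalid/vendor.git
[submodule "hooks"]
\tpath = .git/hooks
\turl = https://example.invalid/evil.git
[submodule "escape"]
\tpath = ../outside
\turl = https://example.invalid/evil.git
"""


def demo_symlink_escape():
    """Throwaway worktree where 'sub' is a symlink to '.git': 'sub/hooks'
    passes the lexical check but the filesystem check still catches it.
    Returns (lexical_result, filesystem_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, '.git'))
        os.symlink('.git', os.path.join(tmp, 'sub'))
        return (is_lexically_safe('sub/hooks'),
                final_destination_is_safe(tmp, 'sub/hooks'))


if __name__ == '__main__':
    ok, bad = vet_submodules(SAMPLE_GITMODULES)
    print('accepted:', ok)
    print('rejected:', bad)
    print('symlink variant (lexical, filesystem):', demo_symlink_escape())
```

Both checks are needed: the lexical one is cheap and rejects the path the advisory names, but only the filesystem check sees a `.git` reached through a symlink created by an earlier, innocuous-looking submodule, which is why the resolved path must be re-checked immediately before each write.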

CVE-2026-53465

Publication date:
10/06/2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-25, a crafted multi-frame image can result in a heap buffer over-write when encoding it with the SF3 encoder. This issue has been patched in version 7.1.2-25.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-53464

Publication date:
10/06/2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-25, when providing invalid options to the wand option parser a small memory leak will occur. This issue has been patched in version 7.1.2-25.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-53463

Publication date:
10/06/2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, when passing incorrect arguments in the distort operation a null pointer dereference will occur. This issue has been patched in versions 6.9.13-50 and 7.1.2-25.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-53462

Publication date:
10/06/2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, when an allocation fails in CheckPrimitiveExtent this can result in a heap-use-after-free and result in a crash. This issue has been patched in versions 6.9.13-50 and 7.1.2-25.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026