Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we make available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or fixes provided by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-8467

Publication date:
20/05/2026
Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.

The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name="" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo" injected={EXPR} bar="), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server.

This issue affects phoenix_storybook from 0.5.0 before 1.1.0.
Severity CVSS v4.0: CRITICAL
Last modification:
21/05/2026
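The boundary described above, as an added illustration (this is not phoenix_storybook's own code, and the hardened builder is an assumption rather than the upstream fix): a minimal attribute builder with the unescaped name="value" interpolation, a variant that refuses names and values that could break out of the quoted attribute, and a constructed payload of the shape the advisory gives. The expression inside the payload is only an example of what an injected block could contain.

```elixir
# Added illustration, not phoenix_storybook's own code. The hardened builder
# is one possible mitigation (an assumption), not the project's fix.
defmodule AttrInjectionDemo do
  # Vulnerable pattern: every binary value is dropped into name="value" with
  # no escaping, so a value containing a double quote closes the attribute and
  # everything after it is parsed as further attribute / expression syntax.
  def vulnerable_markup(attrs) do
    Enum.map_join(attrs, " ", fn {name, value} -> ~s|#{name}="#{value}"| end)
  end

  # Hardened variant: attribute names must look like HTML attribute names, and
  # values may not contain the characters that end the quoted value or open a
  # HEEx expression block. Rejecting is simpler than escaping here because the
  # template string is parsed under two grammars (HTML quoting and {...}).
  def safe_markup(attrs) do
    name_re = ~r/^[a-zA-Z_][a-zA-Z0-9_:.-]*$/
    forbidden = ["\"", "{", "}", "<", ">"]

    Enum.map_join(attrs, " ", fn {name, value} ->
      unless Regex.match?(name_re, to_string(name)) do
        raise ArgumentError, "rejected attribute name: #{inspect(name)}"
      end

      if String.contains?(value, forbidden) do
        raise ArgumentError, "rejected attribute value: #{inspect(value)}"
      end

      ~s|#{name}="#{value}"|
    end)
  end

  # True when the generated markup carries a {...} block that the caller never
  # declared, i.e. when a value broke out of its attribute.
  def injected_expression?(markup), do: Regex.match?(~r/=\{[^}]*\}/, markup)
end

# Constructed payload following the shape in the advisory: close the quoted
# value, add an attribute whose value is a HEEx expression, reopen a quote so
# the rest of the template still parses. The expression is illustrative only.
payload = ~s|foo" injected={File.read! "/etc/hostname"} bar="|

markup = AttrInjectionDemo.vulnerable_markup([{"name", payload}])
IO.puts("vulnerable builder produced: " <> markup)
IO.puts("expression block injected? #{AttrInjectionDemo.injected_expression?(markup)}")

try do
  AttrInjectionDemo.safe_markup([{"name", payload}])
rescue
  e in ArgumentError -> IO.puts("hardened builder: " <> Exception.message(e))
end
```

Run with `elixir attr_injection_demo.exs`. The vulnerable builder emits the payload verbatim, so `injected_expression?/1` finds the `={...}` block that a HEEx compile would later evaluate; the hardened builder raises before any template string exists. An allowlist of declared attribute names per story, checked before `handle_set_variation_assign/3` stores anything, is the stricter form of the same idea.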

CVE-2026-8469

Publication date:
20/05/2026
Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion.

Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_set_variation_assign/3 interns every key of the psb-assign params map; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_toggle_variation_assign/3 interns the "attr" value from psb-toggle events; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_variation_id/2 interns elements of "variation_id"; and 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it.

This issue affects phoenix_storybook from 0.2.0 before 1.1.0.
Severity CVSS v4.0: HIGH
Last modification:
21/05/2026
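The atom-interning pattern above, as an added illustration (not phoenix_storybook's own code): the `String.to_atom/1` conversion next to two bounded alternatives, `String.to_existing_atom/1` and an explicit allowlist, both of which are assumptions rather than the upstream fix. The script measures the effect with the VM's own atom counter.

```elixir
# Added illustration, not phoenix_storybook's own code. Both hardened
# variants are assumptions about how to bound the conversion, not the fix.
defmodule AtomGuardDemo do
  # Vulnerable pattern: each distinct client string becomes a new atom, and
  # atoms are never garbage-collected.
  def to_key_vulnerable(key) when is_binary(key), do: String.to_atom(key)

  # Hardened 1: only strings that already name an atom are accepted. Nothing
  # new is interned, so the client cannot grow the table; unknown keys are an
  # error the caller has to handle instead of a crash.
  def to_key_existing(key) when is_binary(key) do
    {:ok, String.to_existing_atom(key)}
  rescue
    ArgumentError -> :error
  end

  # Hardened 2: an explicit allowlist of the attribute atoms a story declares.
  # Stricter than "existing", because an atom may exist for unrelated reasons
  # (every module and function name in the node is one).
  def to_key_declared(key, declared) when is_binary(key) and is_list(declared) do
    Enum.find_value(declared, :error, fn atom ->
      if Atom.to_string(atom) == key, do: {:ok, atom}
    end)
  end

  # Current size of the atom table and its hard ceiling, as reported by the VM.
  def atom_count, do: :erlang.system_info(:atom_count)
  def atom_limit, do: :erlang.system_info(:atom_limit)
end

# Constructed input: 1000 distinct keys an unauthenticated client could send
# as psb-assign parameter names.
keys = for i <- 1..1000, do: "psb_attr_#{i}"
declared = [:label, :variant, :disabled]

# Bounded path first, so the keys do not already exist when it runs.
before = AtomGuardDemo.atom_count()
rejected = Enum.count(keys, fn k -> AtomGuardDemo.to_key_existing(k) == :error end)
IO.puts("existing-atom path grew the table by #{AtomGuardDemo.atom_count() - before}, rejected #{rejected}")

before = AtomGuardDemo.atom_count()
Enum.each(keys, &AtomGuardDemo.to_key_vulnerable/1)
IO.puts("vulnerable path grew the table by #{AtomGuardDemo.atom_count() - before} (limit #{AtomGuardDemo.atom_limit()})")

IO.inspect(AtomGuardDemo.to_key_declared("label", declared), label: "declared key")
IO.inspect(AtomGuardDemo.to_key_declared("__proto__", declared), label: "undeclared key")
```

Run with `elixir atom_guard_demo.exs`. The bounded path leaves the counter where it was and rejects every key; the vulnerable path grows it by one atom per distinct string, and a client that keeps varying the string walks the node toward the limit the advisory quotes. Note the ordering: once the vulnerable path has interned a string, `String.to_existing_atom/1` will accept it too, which is why the allowlist form is preferable where the set of legitimate keys is known.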

CVE-2026-47068

Publication date:
20/05/2026
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.

'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/?topic= causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process.

This issue affects phoenix_storybook from 0.4.0 before 1.1.0.
Severity CVSS v4.0: LOW
Last modification:
21/05/2026
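The trust boundary above, as an added illustration (not phoenix_storybook's own code): the "use params["topic"] as-is" lookup next to one hardening, which is an assumption and not the upstream fix, in which the playground mints the topic together with an HMAC tag under a server-side secret and the iframe accepts only a topic whose tag verifies. Knowing or guessing a victim's topic string is then not enough to get announced on it.

```elixir
# Added illustration, not phoenix_storybook's own code. The HMAC-tagged topic
# is one possible mitigation (an assumption), not the project's fix.
# :crypto.hash_equals/2 needs OTP 25 or later.
defmodule IframeTopicDemo do
  # Vulnerable pattern: whatever the query string says is the topic the iframe
  # announces its pid on.
  def topic_vulnerable(%{"topic" => topic}) when is_binary(topic), do: {:ok, topic}
  def topic_vulnerable(_params), do: :error

  # Playground side: produce the params the iframe URL should carry. Only a
  # holder of the secret can produce a valid tag for a given topic.
  def mint(secret, topic) when is_binary(secret) and is_binary(topic) do
    tag = :crypto.mac(:hmac, :sha256, secret, topic)
    %{"topic" => topic, "tag" => Base.url_encode64(tag, padding: false)}
  end

  # Iframe side: recompute the tag and compare in constant time before
  # broadcasting anything on the topic.
  def topic_safe(secret, %{"topic" => topic, "tag" => tag})
      when is_binary(secret) and is_binary(topic) and is_binary(tag) do
    expected = :crypto.mac(:hmac, :sha256, secret, topic)

    with {:ok, given} <- Base.url_decode64(tag, padding: false),
         true <- byte_size(given) == byte_size(expected),
         true <- :crypto.hash_equals(expected, given) do
      {:ok, topic}
    else
      _ -> :error
    end
  end

  def topic_safe(_secret, _params), do: :error
end

# Constructed values; a deployment would derive the secret from something the
# endpoint already holds (e.g. its secret_key_base) rather than generate it here.
secret = :crypto.strong_rand_bytes(32)
victim_topic = "playground:" <> Base.url_encode64(:crypto.strong_rand_bytes(8), padding: false)

legit = IframeTopicDemo.mint(secret, victim_topic)
IO.inspect(IframeTopicDemo.topic_safe(secret, legit), label: "legitimate iframe")

# Attacker supplies the victim's topic with no valid tag.
forged = %{"topic" => victim_topic, "tag" => "AAAA"}
IO.inspect(IframeTopicDemo.topic_vulnerable(forged), label: "vulnerable lookup")
IO.inspect(IframeTopicDemo.topic_safe(secret, forged), label: "hardened lookup")
```

Run with `elixir iframe_topic_demo.exs`. The vulnerable lookup returns `{:ok, victim_topic}` for the forged request, which is exactly the condition the advisory describes; the hardened lookup returns `:error` because the tag does not verify. Binding the topic to the LiveView session (deriving it server-side from session state instead of reading it from the URL at all) removes the parameter entirely and is the cleaner design where the iframe shares the playground's session.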

CVE-2026-24425

Publication date:
20/05/2026
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.
Severity CVSS v4.0: HIGH
Last modification:
20/05/2026

CVE-2026-22554

Publication date:
20/05/2026
MediaArea MediaInfoLib Channel Splitting heap-based buffer overflow vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-21836

Publication date:
20/05/2026
The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability. Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. This could enable an authenticated attacker to view sensitive data.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2026

CVE-2026-5946

Publication date:
20/05/2026
Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`), for example `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths (recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data) can cause assertion failures in `named`.

This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-5947

Publication date:
20/05/2026
Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message.

This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1.

BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-5950

Publication date:
20/05/2026
An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions.

This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-45584

Publication date:
20/05/2026
Heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2026

CVE-2026-45498

Publication date:
20/05/2026
Microsoft Defender Denial of Service Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2026

CVE-2026-45443

Publication date:
20/05/2026
Missing Authorization vulnerability in ADD-ONS.ORG PDF for Elementor Forms + Drag And Drop Template Builder allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 5.5.1.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2026