Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-12693

Publication date:
17/07/2026
Authorization bypass through User-Controlled key vulnerability in Vimesoft Inc. Enterprise Video Platform allows Accessing Functionality Not Properly Constrained by ACLs.<br /> <br /> This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-12694

Publication date:
17/07/2026
Missing Authorization vulnerability in Vimesoft Inc. Enterprise Video Platform allows Accessing Functionality Not Properly Constrained by ACLs.<br /> <br /> This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-9537

Publication date:
17/07/2026
Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison.<br /> <br /> The decode() method compares the supplied signature to the recomputed HMAC with Perl&amp;#39;s eq operator, which stops at the first differing byte, so the comparison time varies with the number of matching leading bytes.<br /> <br /> A caller that decodes attacker supplied tokens leaks the expected signature through this timing variation, which can be aggregated over many requests to recover the signature and forge a token.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-63099

Publication date:
17/07/2026
TheHive through 4.1.24 contains a broken object-level authorization vulnerability in the attachment download endpoints that allows any authenticated user to access attachments belonging to other organizations by supplying a content-hash identifier. Attackers can exploit the missing organization-scoped authorization check in AttachmentSrv.visible, which is implemented as a pass-through traversal, to download arbitrary attachments.
Severity CVSS v4.0: HIGH
Last modification:
17/07/2026

CVE-2026-63100

Publication date:
17/07/2026
Maybe through 0.6.0 contains a missing authorization vulnerability that allows authenticated low-privilege member-role users to access and modify global hosting settings by exploiting unprotected show and update actions in the Settings::HostingsController, where the before_action ensure_admin filter is applied only to the clear_cache action. Attackers can read the operator&amp;#39;s Synth API key rendered in plaintext via a form field value attribute, overwrite it with an attacker-controlled value, toggle public registration settings, and disable email confirmation requirements to disrupt the entire instance.
Severity CVSS v4.0: HIGH
Last modification:
17/07/2026

CVE-2026-58149

Publication date:
17/07/2026
The Joomla extension Events Booking is vulnerable to an unauthenticated user enumeration that allows to retrieve account usernames and email addresses.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-60024

Publication date:
17/07/2026
The Joomla extension Events Booking prior version 5.8.0 did by default allow unauthenticated users to upload media assets.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-60025

Publication date:
17/07/2026
The Joomla extension Events Booking prior version 5.8.0 had an frontend file upload endpoint that lacked CSRF protection.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-63095

Publication date:
17/07/2026
Dendrite through 0.13.8 contains an improper authorization vulnerability in the Matrix Client-Server API that allows any authenticated local user to delete third-party identifier bindings belonging to other users by submitting an arbitrary address and medium to the account deletion endpoint without ownership verification. Attackers can exploit the unverified Forget3PID handler to remove a victim&amp;#39;s email or MSISDN binding and subsequently rebind the address through an identity server to hijack the victim&amp;#39;s password reset flow.
Severity CVSS v4.0: HIGH
Last modification:
17/07/2026

CVE-2026-63097

Publication date:
17/07/2026
Dendrite through 0.13.8 contains an improper access control vulnerability in the syncapi /context endpoint (syncapi/routing/context.go) that allows authenticated local users to access post-leave room state events by exploiting a flawed membership check that evaluates only the RoomExists field while ignoring IsInRoom, HasBeenInRoom, and Membership fields. Attackers who have left a room can call the rooms context API endpoint for a previously permitted event and receive unfiltered current room state that the /messages and /sync endpoints correctly withhold.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2026

CVE-2026-63098

Publication date:
17/07/2026
TheHive through 4.1.24 contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by sending a GET request to the /api/status endpoint, which lacks authentication enforcement in the StatusCtrl.scala handler. Attackers can obtain the datastore attachment protection password, configured authentication providers, SSO settings, MFA capabilities, and clustered node addresses and roles without any credentials.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2026

CVE-2026-63096

Publication date:
17/07/2026
Dendrite through 0.13.8 contains a server-side request forgery vulnerability that allows unauthenticated attackers to cause the server to open outbound TLS connections to arbitrary hosts and ports by supplying an unvalidated serverName parameter to the legacy media download endpoint. Attackers can exploit distinguishable error response classes and leaked internal IP addresses in error messages to perform blind port scanning and enumerate internal network topology.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2026