Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-24545

Publication date:
25/05/2026
Missing Authorization vulnerability in Nikki Blight QR Redirector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects QR Redirector: from n/a through 2.0.3.
Severity CVSS v4.0: Pending analysis
Last modification:
25/05/2026

CVE-2026-24574

Publication date:
25/05/2026
Cross-Site Request Forgery (CSRF) vulnerability in Recorp Export WP Page to Static HTML/CSS allows Cross Site Request Forgery. This issue affects Export WP Page to Static HTML/CSS: from n/a through 6.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
25/05/2026

CVE-2026-24597

Publication date:
25/05/2026
Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart allows Cross Site Request Forgery. This issue affects Organization chart: from n/a through 1.7.5.
Severity CVSS v4.0: Pending analysis
Last modification:
25/05/2026

CVE-2026-43827

Publication date:
25/05/2026
Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session generated with a new ID.
Severity CVSS v4.0: MEDIUM
Last modification:
25/05/2026

CVE-2026-43828

Publication date:
25/05/2026
Default configurations of Apache Shiro send sensitive cookies in an HTTPS session without the 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, the Shiro-native session manager, as well as the Remember-Me manager, sends the JSESSIONID and rememberMe cookies without the 'secure' attribute by default.
Severity CVSS v4.0: MEDIUM
Last modification:
25/05/2026

CVE-2026-44598

Publication date:
25/05/2026
With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect') and Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using the shiro-jakarta-ee integration module. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After successful login, the Jakarta EE integration module uses the shiroSavedRequest cookie to redirect to a particular web page. This cookie was not validated, and can be forged to make the server itself send an HTTP GET request to an arbitrary URL taken from the cookie.
Severity CVSS v4.0: MEDIUM
Last modification:
25/05/2026

CVE-2026-9497

Publication date:
25/05/2026
A flaw has been found in changmingxie tcc-transaction up to 2.1.0. This issue affects the function Fastjson.parseObject of the component Fastjson AutoType REST API. This manipulation causes deserialization. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modification:
25/05/2026

CVE-2026-9498

Publication date:
25/05/2026
A vulnerability has been found in Dromara lamp-cloud up to 5.6.2. Impacted is the function GroovyClassLoader.parseClass of the component Message Template Handler. Such manipulation of the argument DefMsgTemplate.content leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modification:
25/05/2026

CVE-2026-48845

Publication date:
25/05/2026
In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.
Severity CVSS v4.0: Pending analysis
Last modification:
25/05/2026

CVE-2026-48846

Publication date:
25/05/2026
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.
Severity CVSS v4.0: Pending analysis
Last modification:
25/05/2026

CVE-2026-48847

Publication date:
25/05/2026
Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.
Severity CVSS v4.0: Pending analysis
Last modification:
25/05/2026

CVE-2026-48848

Publication date:
25/05/2026
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.
Severity CVSS v4.0: Pending analysis
Last modification:
25/05/2026