Vulnerabilities

To inform and warn professionals about the latest security vulnerabilities in technology systems, and to help them respond, we maintain a Spanish-language database covering all recently documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally the list shows vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notice of the latest vulnerabilities added to the repository. The list below is updated daily with the most recently published vulnerabilities.

CVE-2026-47742

Publication date:
29/05/2026
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products. The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client. This vulnerability is fixed in 2.8.0.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-42951

Publication date:
29/05/2026
An authenticated user can download a backup of the Danelec MacGregor Voyage Data Recorder device which includes account data and password hashes.
Severity CVSS v4.0: MEDIUM
Last modification:
29/05/2026

CVE-2026-44518

Publication date:
29/05/2026
liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a signature buffer shorter than the expected signature size for the given parameter set, the implementation does not validate the caller-supplied length and proceeds to read past the end of the buffer. The out-of-bounds bytes are consumed only as input to an internal hash computation and are not returned to the caller, so no oracle exists to leak their contents to an attacker. The primary observable effect is a possible crash (denial of service) of the verifying process if the read crosses into an unmapped memory page. This vulnerability is fixed in 0.16.0.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-44611

Publication date:
29/05/2026
Danelec MacGregor Voyage Data Recorder passwords are stored with a hashing method which limits password length and is susceptible to brute force attacks.
Severity CVSS v4.0: MEDIUM
Last modification:
29/05/2026

CVE-2026-44648

Publication date:
29/05/2026
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern relies on cookie-session for authentication, storing all session data (user handle, permissions) in a signed cookie. The endpoints POST /api/users/change-password and POST /api/users/recover-step2 only update the password hash in the database but do not expire current sessions. Because the session is stateless and stored entirely in the client cookie, there is no server-side mechanism to revoke a token once issued. This vulnerability is fixed in 1.18.0.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-44649

Publication date:
29/05/2026
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate from a trusted reverse proxy. Any network client that can reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. This vulnerability is exploitable only when sso.autheliaAuth: true or sso.authentikAuth: true is set in config.yaml (both default to false). This vulnerability is fixed in 1.18.0.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-44650

Publication date:
29/05/2026
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, POST /api/extensions/delete endpoint accepts extensionName: "." which bypasses sanitize-filename validation, causing the entire user extensions directory to be recursively deleted. No authentication is required in the default configuration. This vulnerability is fixed in 1.18.0.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-44651

Publication date:
29/05/2026
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, when fetch(url) throws, the code sends: res.status(500).send('Error occurred while trying to proxy to: ' + url + ' ' + error). The url value is attacker-controlled (req.params.url) and is not HTML-escaped before rendering. This vulnerability is fixed in 1.18.0.
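The error response written both ways, as an added example (not SillyTavern's code). Express serves a string body as text/html unless a content type was set first, so the unescaped url renders as markup in the browser. The fixed form escapes the attacker-controlled value and declares text/plain so the body cannot be interpreted as HTML at all. The response object is a minimal stand-in constructed for the example.

```javascript
// Added example (not SillyTavern code): the proxy handler's failure path,
// vulnerable and fixed. The response object imitates the Express methods used
// and records what would be sent; it is constructed for the example.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function makeResponse() {
  const res = { statusCode: 200, headers: {}, body: '' };
  res.status = (code) => { res.statusCode = code; return res; };
  res.type = (t) => { res.headers['content-type'] = t; return res; };
  res.send = (body) => { res.body = body; return res; };
  return res;
}

// Vulnerable: req.params.url is concatenated into the body as-is, and Express
// would label the string body text/html.
function proxyErrorUnsafe(res, url, error) {
  return res.status(500).send('Error occurred while trying to proxy to: ' + url + ' ' + error);
}

// Fixed: escape every attacker-influenced value and pin the content type so the
// browser never treats the body as a document.
function proxyErrorSafe(res, url, error) {
  const detail = error && error.message ? error.message : error;
  return res.status(500).type('text/plain')
    .send('Error occurred while trying to proxy to: ' + escapeHtml(url) + ' ' + escapeHtml(detail));
}
```

Escaping and the content type are both worth keeping: text/plain alone defeats the reflected payload, while escaping protects any other sink (logs viewed in a browser, a later JSON-to-HTML renderer) that the same string may reach.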
Severity CVSS v4.0: MEDIUM
Last modification:
29/05/2026

CVE-2026-40425

Publication date:
29/05/2026
The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password.
Severity CVSS v4.0: MEDIUM
Last modification:
29/05/2026

CVE-2026-42929

Publication date:
29/05/2026
Danelec MacGregor Voyage Data Recorder includes default accounts with hard-coded credentials.
Severity CVSS v4.0: HIGH
Last modification:
29/05/2026

CVE-2026-42941

Publication date:
29/05/2026
The Danelec MacGregor Voyage Data Recorder device includes a default username and password, with no enforced password change.
Severity CVSS v4.0: HIGH
Last modification:
29/05/2026

CVE-2026-6824

Publication date:
29/05/2026
A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026