Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

You can be informed daily about the latest vulnerabilities added to the repository through RSS feeds or newsletters. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-11815

Publication date:
10/06/2026
An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deserialize arbitrary objects. This vulnerability could lead to broken security expectations or remote code execution.
Severity CVSS v4.0: MEDIUM
Last modification:
10/06/2026

CVE-2026-29114

Publication date:
10/06/2026
A vulnerability has been found in some Dahua products. An attacker may obtain the device’s CA root certificate. If that CA is installed and trusted on client systems, the attacker could issue fraudulent certificates trusted by those clients and undermine the certificate trust chain.
Severity CVSS v4.0: LOW
Last modification:
10/06/2026

CVE-2026-10846

Publication date:
10/06/2026
NLnet Labs ldns 1.2.0 up to and including version 1.9.0, when used in applications as a (stub) resolver over UDP, does not match the query destination address and port with the response source address and port. Furthermore, neither the query ID nor the question of the query is matched with that of the response. This makes applications that use ldns for (stub) resolver functionality over UDP vulnerable to off-path poisoning attacks. The drill tool, which is shipped with ldns, suffers from this vulnerability.
Severity CVSS v4.0: HIGH
Last modification:
10/06/2026

CVE-2026-26241

Publication date:
10/06/2026
A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes.
We have already fixed the vulnerability in the following version:
File Station 5 5.5.6.5243 and later
Severity CVSS v4.0: MEDIUM
Last modification:
10/06/2026

CVE-2026-11837

Publication date:
10/06/2026
A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-26240

Publication date:
10/06/2026
A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes.
We have already fixed the vulnerability in the following version:
File Station 5 5.5.6.5243 and later
Severity CVSS v4.0: MEDIUM
Last modification:
10/06/2026

CVE-2025-8444

Publication date:
10/06/2026
The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-26239

Publication date:
10/06/2026
A buffer overflow vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes.
We have already fixed the vulnerability in the following version:
File Station 5 5.5.6.5208 and later
Severity CVSS v4.0: HIGH
Last modification:
10/06/2026

CVE-2026-26237

Publication date:
10/06/2026
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions.
We have already fixed the vulnerability in the following version:
QuMagie 2.9.0 and later
Severity CVSS v4.0: HIGH
Last modification:
10/06/2026

CVE-2026-24719

Publication date:
10/06/2026
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.
We have already fixed the vulnerability in the following versions:
QTS 5.2.9.3492 build 20260507 and later
QuTS hero h5.2.9.3499 build 20260514 and later
Severity CVSS v4.0: HIGH
Last modification:
10/06/2026

CVE-2026-24720

Publication date:
10/06/2026
An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource.
We have already fixed the vulnerability in the following version:
File Station 5 5.5.6.5243 and later
Severity CVSS v4.0: MEDIUM
Last modification:
10/06/2026

CVE-2026-24724

Publication date:
10/06/2026
An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions.
We have already fixed the vulnerability in the following version:
File Station 5 5.5.6.5243 and later
Severity CVSS v4.0: HIGH
Last modification:
10/06/2026