Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-42099

Publication date:
19/05/2026
Sparx Pro Cloud Server is vulnerable to a Race Condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed by guid parameter and saves loaded content in current location (__DIR__) under the specified name. An attacker with repository access can control both the filename and file contents, allowing the creation of a malicious PHP file in a current directory. Although the file is deleted after processing, a race condition exists: if the response transmission is delayed (e.g., via a large file or slow client connection), the file remains accessible. During this window, the attacker can issue a second request to execute the malicious PHP file, resulting in remote code execution.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity CVSS v4.0: HIGH
Last modification:
19/05/2026

CVE-2026-23558

Publication date:
19/05/2026
The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest's secondary (P2M) page tables.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2026

CVE-2026-23557

Publication date:
19/05/2026
Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() triggering.

In case xenstored was built with NDEBUG #defined nothing bad will happen, as assert() is doing nothing in this case. Note that the default is not to define NDEBUG for xenstored builds even in release builds of Xen.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2026

CVE-2025-40904

Publication date:
19/05/2026
A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views the affected remote strategy in the Smart Polling functionality, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Severity CVSS v4.0: MEDIUM
Last modification:
19/05/2026

CVE-2025-40903

Publication date:
19/05/2026
A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious restore schedule containing HTML tags. When a victim views the affected schedule, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Severity CVSS v4.0: MEDIUM
Last modification:
19/05/2026

CVE-2025-40900

Publication date:
19/05/2026
An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Severity CVSS v4.0: MEDIUM
Last modification:
19/05/2026

CVE-2025-14575

Publication date:
19/05/2026
An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS backend of Qt Network (qtbase) in Qt Qt Framework (Unix) allows a local attacker to load a rogue CA certificate as a trusted system authority via a crafted certificate file placed in the application's working directory.
Severity CVSS v4.0: LOW
Last modification:
19/05/2026

CVE-2025-40902

Publication date:
19/05/2026
A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can create a malicious user whose username contains HTML tags. When a victim attempts to delete a group containing the affected user, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Severity CVSS v4.0: MEDIUM
Last modification:
19/05/2026

CVE-2025-40901

Publication date:
19/05/2026
A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious identity containing HTML tags. When a victim attempts to delete the affected identity, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Severity CVSS v4.0: MEDIUM
Last modification:
19/05/2026

CVE-2026-8912

Publication date:
19/05/2026
The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the 'form_input' parameter in versions up to, and including, 28.1.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query inside the unauthenticated 'post_cg_gallery_form_upload' AJAX action (specifically the 'cb' branch of the included users-upload-check.php, where $f_input_id is concatenated unquoted into 'SELECT Field_Content FROM ... WHERE id = $f_input_id'). The endpoint is gated only by a public frontend nonce ('cg1l_action' / 'cg_nonce') that is exposed in the page source of any public gallery page. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2026

CVE-2026-4883

Publication date:
19/05/2026
The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function in all versions up to, and including, 2.1.40. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The exploit can only be exploited if a file field is added to the form.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2026

CVE-2026-43493

Publication date:
19/05/2026
In the Linux kernel, the following vulnerability has been resolved:

crypto: pcrypt - Fix handling of MAY_BACKLOG requests

MAY_BACKLOG requests can return EBUSY. Handle them by checking for that value and filtering out EINPROGRESS notifications.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2026