Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, of all the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

You can be informed daily about the latest vulnerabilities added to the repository through RSS feeds or newsletters. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-4490

Publication date:
20/03/2026
A flaw has been found in Tenda A18 Pro 02.03.02.28. This issue affects the function setSchedWifi of the file /goform/openSchedWifi. This manipulation causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Severity CVSS v4.0: HIGH
Last modification:
20/03/2026

CVE-2026-4491

Publication date:
20/03/2026
A vulnerability has been found in Tenda A18 Pro 02.03.02.28. Impacted is the function fromSetIpMacBind of the file /goform/SetIpMacBind. Such manipulation of the argument list leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: HIGH
Last modification:
20/03/2026

CVE-2026-29828

Publication date:
20/03/2026
DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/ page via the input field projectDesc.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2026

CVE-2026-22897

Publication date:
20/03/2026
A command injection vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to execute arbitrary commands.
We have already fixed the vulnerability in the following version:
QuNetSwitch 2.0.4.0415 and later
Severity CVSS v4.0: HIGH
Last modification:
20/03/2026

CVE-2026-22898

Publication date:
20/03/2026
A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system.
We have already fixed the vulnerability in the following version:
QVR Pro 2.7.4.14 and later
Severity CVSS v4.0: CRITICAL
Last modification:
20/03/2026

CVE-2026-22900

Publication date:
20/03/2026
A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to gain unauthorized access.
We have already fixed the vulnerability in the following version:
QuNetSwitch 2.0.5.0906 and later
Severity CVSS v4.0: MEDIUM
Last modification:
20/03/2026

CVE-2026-22901

Publication date:
20/03/2026
A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands.
We have already fixed the vulnerability in the following version:
QuNetSwitch 2.0.5.0906 and later
Severity CVSS v4.0: MEDIUM
Last modification:
20/03/2026

CVE-2026-22902

Publication date:
20/03/2026
A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.
We have already fixed the vulnerability in the following version:
QuNetSwitch 2.0.5.0906 and later
Severity CVSS v4.0: MEDIUM
Last modification:
20/03/2026

CVE-2025-62846

Publication date:
20/03/2026
An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands.
We have already fixed the vulnerability in the following version:
QuRouter 2.6.2.007 and later
Severity CVSS v4.0: HIGH
Last modification:
20/03/2026

CVE-2026-22895

Publication date:
20/03/2026
A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
We have already fixed the vulnerability in the following versions:
QuFTP Service 1.4.3 and later
QuFTP Service 1.5.2 and later
QuFTP Service 1.6.2 and later
Severity CVSS v4.0: LOW
Last modification:
20/03/2026

CVE-2025-59383

Publication date:
20/03/2026
A buffer overflow vulnerability has been reported to affect Media Streaming Add-On. The remote attackers can then exploit the vulnerability to modify memory or crash processes.
We have already fixed the vulnerability in the following version:
Media Streaming Add-on 500.1.1 and later
Severity CVSS v4.0: LOW
Last modification:
20/03/2026

CVE-2025-62843

Publication date:
20/03/2026
An improper restriction of communication channel to intended endpoints vulnerability has been reported to affect QHora. If an attacker gains physical access, they can then exploit the vulnerability to gain the privileges that were intended for the original endpoint.
We have already fixed the vulnerability in the following version:
QuRouter 2.6.3.009 and later
Severity CVSS v4.0: LOW
Last modification:
20/03/2026