Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-33369
Publication date:
20/03/2026
Zimbra Collaboration (ZCS) 10.0 and 10.1 contains an LDAP injection vulnerability in the Mailbox SOAP service within a FolderAction operation. The application fails to properly sanitize user-supplied input before incorporating it into an LDAP search filter. An authenticated attacker can exploit this issue by sending a crafted SOAP request that manipulates the LDAP query, allowing retrieval of sensitive directory attributes.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2026-4485
Publication date:
20/03/2026
A vulnerability has been found in itsourcecode College Management System 1.0. The impacted element is an unknown function of the file /admin/search_student.php. The manipulation of the argument Search leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-33368
Publication date:
20/03/2026
Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST interface (/h/rest). The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious JavaScript into a crafted URL. When a victim user accesses the link, the injected script executes in the context of the Zimbra webmail application, which could allow the attacker to perform actions on behalf of the victim.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2026-31382
Publication date:
20/03/2026
The error_description parameter is vulnerable to Reflected XSS. An attacker can bypass the domain's WAF using a Safari-specific onpagereveal payload.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2026

CVE-2026-31381
Publication date:
20/03/2026
An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2026

CVE-2024-44722
Publication date:
20/03/2026
SysAK v2.0 and before is vulnerable to command execution via aaa;cat /etc/passwd.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-4434
Publication date:
20/03/2026
Improper certificate validation in the PAM propagation WinRM connections<br /> allows a network attacker to perform a man-in-the-middle attack via <br /> disabled TLS certificate verification.
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026

CVE-2026-33136
Publication date:
20/03/2026
WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint. An attacker can inject arbitrary JavaScript or HTML tags into the sccd GET parameter, which is then directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/listar_memorandos_ativos.php handles dynamic success messages to users using query string parameters. Similar to other endpoints in the Memorando module, it checks if $_GET[&amp;#39;msg&amp;#39;] equals &amp;#39;success&amp;#39;. If this condition is met, it directly concatenates and reflects $_GET[&amp;#39;sccd&amp;#39;] into an HTML alert . This issue is resolved in version 3.6.7.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2026

CVE-2026-33135
Publication date:
20/03/2026
WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the novo_memorandoo.php endpoint. An attacker can inject arbitrary JavaScript into the sccs GET parameter, which is directly echoed into the HTML response without any sanitization or encoding. The script /html/memorando/novo_memorandoo.php reads HTTP GET parameters to display dynamic success messages to the user. At approximately line 273, the code checks if $_GET[&amp;#39;msg&amp;#39;] equals &amp;#39;success&amp;#39;. If true, it directly concatenates $_GET[&amp;#39;sccs&amp;#39;] into an HTML alert and outputs it to the browser. This issue has been fixed in version 3.6.7.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2026

CVE-2026-33134
Publication date:
20/03/2026
WeGIA is a web manager for charitable institutions. Versions 3.6.5 and below contain an authenticated SQL Injection vulnerability in the html/matPat/restaurar_produto.php endpoint. The vulnerability allows an authenticated attacker to inject arbitrary SQL commands via the id_produto GET parameter, leading to full database compromise. In the script /html/matPat/restaurar_produto.php, the application retrieves the id_produto parameter directly from the $_GET global array and interpolates it directly into two SQL query strings without any sanitization, type-casting (e.g., (int)), or using parameterized (prepare/execute) statements. This issue has been fixed in version 3.6.6.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2026

CVE-2026-33133
Publication date:
20/03/2026
WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator accounts, modify existing passwords, or execute any database operation. This was introduced in commit 370104c. This issue was patched in version 3.6.7.
Severity CVSS v4.0: HIGH
Last modification:
20/03/2026

CVE-2026-33131
Publication date:
20/03/2026
H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3&amp;#39;s router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2026
Subscribe to Vulnerabilities