Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for naming information-security vulnerabilities is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions made available by the manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-3112

Publication date:
26/03/2026
Mattermost versions 11.4.x
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026

CVE-2026-3113

Publication date:
26/03/2026
Mattermost versions 11.4.x
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026

CVE-2026-3114

Publication date:
26/03/2026
Mattermost versions 11.4.x
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026

CVE-2026-3115

Publication date:
26/03/2026
Mattermost versions 11.2.x
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026

CVE-2026-3116

Publication date:
26/03/2026
Mattermost Plugins versions
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026

CVE-2026-4867

Publication date:
26/03/2026
Impact:

A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.

Patches:

Upgrade to path-to-regexp@0.1.13

Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.

Workarounds:

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2026
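The ambiguity behind the path-to-regexp entry, as an added example that is not part of the advisory or of the library's code. The two route regexes are hand-written approximations of the shape path-to-regexp 0.1.x builds for /:a-:b-:c and for the workaround route (an assumption; the 0.1.12 lookahead is deliberately left out), and countParses enumerates how many ways a segment can be split among the parameters, which is the number of candidates a backtracking engine may have to try before it can reject a non-matching URL. The sample paths are constructed for the example.

```typescript
// Added example (not path-to-regexp's own code): why three default-pattern
// parameters in one segment are ambiguous, and what the custom-pattern
// workaround changes. The route regexes approximate the shape path-to-regexp
// 0.1.x produces (an assumption, not the library's exact output).

// Route "/:a-:b-:c" with the default parameter class [^\/]+? for all three.
const VULN_ROUTE = /^\/([^\/]+?)-([^\/]+?)-([^\/]+?)\/?$/;
// The advisory's workaround route "/:a-:b([^-/]+)-:c([^-/]+)".
const SAFE_ROUTE = /^\/([^\/]+?)-([^-\/]+)-([^-\/]+)\/?$/;

// Whole-parameter acceptance tests used by countParses below.
const DEFAULT_PARAM = /^[^\/]+$/; // everything [^\/]+? can cover after backtracking
const SAFE_PARAM = /^[^-\/]+$/;   // the custom pattern: the separator is excluded

// Captured parameter values for `path`, or null when the route does not match.
function matchRoute(route: RegExp, path: string): string[] | null {
  const m = route.exec(path);
  return m ? m.slice(1) : null;
}

// Count the distinct ways `segment` splits into `n` parts joined by "-" with
// every part accepted by `param`. Each split is a candidate the regex engine
// may explore before giving up on a non-matching path, so the count is a
// lower bound on the backtracking work for an input with many separators.
function countParses(segment: string, n: number, param: RegExp): number {
  if (n === 1) return param.test(segment) ? 1 : 0;
  let total = 0;
  for (let i = 1; i < segment.length; i++) {
    if (segment[i] !== "-") continue;
    if (!param.test(segment.slice(0, i))) continue;
    total += countParses(segment.slice(i + 1), n - 1, param);
  }
  return total;
}

// Parses of a three-parameter route for a constructed segment "x-x-...-x"
// containing `dashes` separator characters.
function parsesForDashes(dashes: number, param: RegExp): number {
  const segment = Array(dashes + 1).fill("x").join("-");
  return countParses(segment, 3, param);
}

// Stand-alone run: the vulnerable route accepts "/a-b-c-d" by letting the
// last parameter swallow a separator; the hardened route pins the last two
// parameters and resolves the ambiguity in the first one.
console.log(matchRoute(VULN_ROUTE, "/a-b-c-d"), matchRoute(SAFE_ROUTE, "/a-b-c-d"));
console.log(parsesForDashes(10, DEFAULT_PARAM), parsesForDashes(10, SAFE_PARAM));
```

With the default pattern the number of candidate parses for three parameters grows as the number of separators choose two (45 for ten separators), which is why the advisory's last-resort mitigation is a cap on URL length; with the custom pattern every parameter after the first has exactly one possible extent, so there is nothing to backtrack over.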

CVE-2026-33468

Publication date:
26/03/2026
Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ESCAPES` is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses `ImmediateValueTransformer` to inline values — specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`. Version 0.28.14 contains a fix.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2026
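The break-out described in the Kysely entry, as an added example that is neither Kysely's code nor its upstream fix. quoteDoublingOnly reproduces the behaviour the advisory attributes to sanitizeStringLiteral(), quoteWithBackslashes is an illustrative hardened variant, and scanMysqlLiteral is a simplified scanner for a MySQL single-quoted literal that shows where the server would actually stop reading the string, with and without NO_BACKSLASH_ESCAPES. The attacker value is constructed for the example.

```typescript
// Added example (not Kysely's code): quote-doubling alone versus escaping
// backslashes too, checked with a scanner that ends a MySQL literal the way
// the server does when NO_BACKSLASH_ESCAPES is OFF (the default).

// Quote doubling only: the behaviour the advisory describes for
// DefaultQueryCompiler.sanitizeStringLiteral() before 0.28.14.
function quoteDoublingOnly(value: string): string {
  return "'" + value.replace(/'/g, "''") + "'";
}

// Hardened variant (an illustration, not the upstream patch): escape the
// escape character first, then double the quotes. Inlining literals at all
// is the real risk; parameters are the better tool where the API allows it.
function quoteWithBackslashes(value: string): string {
  return "'" + value.replace(/\\/g, "\\\\").replace(/'/g, "''") + "'";
}

// Scan one single-quoted literal starting at sql[0]. With backslashEscapes
// on, "\x" contributes x (MySQL maps a few of these to control characters;
// this simplified scanner keeps the character, which is enough to locate the
// closing quote). "''" contributes one quote; a lone "'" closes the literal.
function scanMysqlLiteral(
  sql: string,
  backslashEscapes: boolean,
): { value: string; rest: string } {
  if (sql[0] !== "'") throw new Error("literal must start with a quote");
  let value = "";
  let i = 1;
  while (i < sql.length) {
    const ch = sql[i];
    if (backslashEscapes && ch === "\\" && i + 1 < sql.length) {
      value += sql[i + 1];
      i += 2;
    } else if (ch === "'") {
      if (sql[i + 1] === "'") {
        value += "'";
        i += 2;
      } else {
        return { value, rest: sql.slice(i + 1) };
      }
    } else {
      value += ch;
      i += 1;
    }
  }
  throw new Error("unterminated literal");
}

// True when inlining `value` with `quote` leaves SQL outside the literal,
// i.e. the attacker controls text the server will parse as SQL.
function breaksOut(
  quote: (v: string) => string,
  value: string,
  backslashEscapes: boolean,
): boolean {
  return scanMysqlLiteral(quote(value), backslashEscapes).rest !== "";
}

// Constructed attacker input: a backslash in front of the quote the doubling
// step would otherwise neutralise.
const ATTACKER_VALUE = "x\\' OR 1=1 -- ";

// Stand-alone run: the doubled-quote literal ends after x', leaving
// " OR 1=1 -- '" as live SQL; the hardened literal round-trips the value.
console.log(scanMysqlLiteral(quoteDoublingOnly(ATTACKER_VALUE), true));
console.log(scanMysqlLiteral(quoteWithBackslashes(ATTACKER_VALUE), true));
```

The scanner also explains the dialect dependence the advisory points out: with NO_BACKSLASH_ESCAPES on, the same doubled-quote literal is read as a single string and the injected text never leaves it.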

CVE-2026-33469

Publication date:
26/03/2026
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config`, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in `config.yml`. This appears to be a broken access control issue introduced by the admin-by-default API refactor: `/api/config/raw_paths` is admin-only, but `/api/config/raw` is still accessible to any authenticated user. Version 0.17.1 contains a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2026

CVE-2026-33636

Publication date:
26/03/2026
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-34071

Publication date:
26/03/2026
Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. In version 2.7.3, the /api/v1/convert/eml/pdf endpoint with parameter downloadHtml=true returns unsanitized HTML from the email body with Content-Type: text/html. An attacker who sends a malicious email to a Stirling-PDF user can achieve JavaScript execution when that user exports the email using the "Download HTML intermediate file" feature. Version 2.8.0 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-3108

Publication date:
26/03/2026
Mattermost versions 11.2.x
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026

CVE-2026-3109

Publication date:
26/03/2026
Mattermost Plugins versions
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026