Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, of all the latest documented and recognised vulnerabilities for users interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-3817

Publication date:
09/03/2026
A vulnerability was detected in SourceCodester Patients Waiting Area Queue Management System 1.0. This issue affects some unknown processing of the file /patient-search.php. The manipulation results in improper authorization. The attack can be launched remotely. The exploit is now public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
09/03/2026

CVE-2025-15576

Publication date:
09/03/2026
If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has configured one.

In this case, cooperating processes in the two jails may establish a connection using a unix domain socket and exchange directory descriptors with each other.

When performing a filesystem name lookup, at each step of the lookup, the kernel checks whether the lookup would descend below the jail root of the current process. If the jail root directory is not encountered, the lookup continues.

In a configuration where processes in two different jails are able to exchange file descriptors using a unix domain socket, it is possible for a jailed process to receive a directory for a descriptor that is below that process' jail root. This enables full filesystem access for a jailed process, breaking the chroot.

Note that the system administrator is still responsible for ensuring that an unprivileged user on the jail host is not able to pass directory descriptors to a jailed process, even in a patched kernel.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2025-15547

Publication date:
09/03/2026
By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.

If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.

In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2025-14769

Publication date:
09/03/2026
In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference.

Maliciously crafted packets sent from a remote host may result in a Denial of Service (DoS) if the `tcp-setmss` directive is used and a subsequent rule would allow the traffic to pass.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2025-14558

Publication date:
09/03/2026
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement messages; the option body is passed to resolvconf(8) unmodified.

resolvconf(8) is a shell script which does not validate its input. A lack of quoting meant that shell commands passed as input to resolvconf(8) may be executed.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2026-3815

Publication date:
09/03/2026
A weakness has been identified in UTT HiPER 810G up to 1.7.7-1711. This affects the function strcpy of the file /goform/formApMail. Executing a manipulation can lead to buffer overflow. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
Severity CVSS v4.0: HIGH
Last modification:
10/03/2026

CVE-2026-25604

Publication date:
09/03/2026
In AWS Auth manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL.
This allowed access to be gained to different instances with potentially different access controls by reusing a SAML response from other instances.

You should upgrade to version 9.22.0 of the provider if you use AWS Auth Manager.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2026

CVE-2026-3816

Publication date:
09/03/2026
A security vulnerability has been detected in OWASP DefectDojo up to 2.55.4. This vulnerability affects the function input_zip.read of the file parser.py of the component SonarQubeParser/MSDefenderParser. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.56.0 is able to resolve this issue. The identifier of the patch is e8f1e5131535b8fd80a7b1b3085d676295fdcd41. Upgrading the affected component is recommended.
Severity CVSS v4.0: MEDIUM
Last modification:
10/03/2026

CVE-2025-69219

Publication date:
09/03/2026
A user with access to the DB could craft a database entry that would result in executing code on the Triggerer, which gives anyone who has access to the DB the same permissions as a Dag Author. Since direct DB access is neither usual nor recommended for Airflow, the likelihood of it doing any damage is low.

You should upgrade to version 6.0.0 of the provider to avoid even that risk.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2026

CVE-2026-3814

Publication date:
09/03/2026
A security flaw has been discovered in UTT HiPER 810G up to 1.7.7-1711. Affected by this issue is the function strcpy of the file /goform/getOneApConfTempEntry. Performing a manipulation results in buffer overflow. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.
Severity CVSS v4.0: HIGH
Last modification:
10/03/2026

CVE-2026-3813

Publication date:
09/03/2026
A vulnerability was identified in opencc JFlow up to 5badc00db382d7cb82dad231e6a866b18e0addfe. Affected by this vulnerability is the function Calculate of the file src/main/java/bp/wf/httphandler/WF_CCForm.java. Such manipulation leads to injection. The attack may be performed from remote. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: MEDIUM
Last modification:
10/03/2026

CVE-2025-40639

Publication date:
09/03/2026
A SQL injection vulnerability has been found in Eventobot. This vulnerability allows an attacker to retrieve, create, update and delete databases through the 'promo_send' parameter in '/assets/php/calculate_discount.php'.
Severity CVSS v4.0: HIGH
Last modification:
10/03/2026