Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-32286
Publication date:
26/03/2026
The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-32284
Publication date:
26/03/2026
The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026

CVE-2026-32287
Publication date:
26/03/2026
Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-32285
Publication date:
26/03/2026
The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-2436
Publication date:
26/03/2026
A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-after-free vulnerability where the `soup_server_disconnect()` function frees connection objects prematurely, even if a TLS handshake is still pending. If the handshake completes after the connection object has been freed, a dangling pointer is accessed, leading to a server crash and a Denial of Service.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2023-7338
Publication date:
26/03/2026
Ruckus Unleashed contains a remote code execution vulnerability in the web-based management interface that allows authenticated remote attackers to execute arbitrary code on the system when gateway mode is enabled. Attackers can exploit this vulnerability by sending specially crafted requests through the management interface to achieve arbitrary code execution on affected systems.
Severity CVSS v4.0: HIGH
Last modification:
30/03/2026

CVE-2021-4474
Publication date:
26/03/2026
Ruckus Access Point products contain an arbitrary file read vulnerability in the command-line interface that allows authenticated remote attackers with administrative privileges to read arbitrary files from the underlying filesystem. Attackers can exploit this vulnerability to access sensitive information including configuration files, credentials, and system data stored on the device.
Severity CVSS v4.0: MEDIUM
Last modification:
30/03/2026

CVE-2026-4923
Publication date:
26/03/2026
Impact:<br /> <br /> When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.<br /> <br /> Unsafe examples:<br /> <br /> /*foo-*bar-:baz<br /> /*a-:b-*c-:d<br /> /x/*a-:b/*c/y<br /> <br /> Safe examples:<br /> <br /> /*foo-:bar<br /> /*foo-:bar-*baz<br /> <br /> Patches:<br /> <br /> Upgrade to version 8.4.0.<br /> <br /> Workarounds:<br /> <br /> If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2026

CVE-2026-4926
Publication date:
26/03/2026
Impact:<br /> <br /> A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.<br /> <br /> Patches:<br /> <br /> Fixed in version 8.4.0.<br /> <br /> Workarounds:<br /> <br /> Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2026

CVE-2026-3121
Publication date:
26/03/2026
A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-3190
Publication date:
26/03/2026
A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-33506
Publication date:
26/03/2026
Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis&amp;#39;s login functionality. The application improperly trusts a URL parameter (`callbackUrl`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user that later logs in), performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 26.2.0 contains a patch for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
17/04/2026
Subscribe to Vulnerabilities