Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-23980
Publication date:
24/02/2026
Improper Neutralization of Special Elements used in a SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters.<br /> <br /> This issue affects Apache Superset: before 6.0.0.<br /> <br /> Users are recommended to upgrade to version 6.0.0, which fixes the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
25/02/2026

CVE-2026-1773
Publication date:
24/02/2026
IEC 60870-5-104: Potential Denial of Service impact on reception of invalid U-format frame. Product is only affected if IEC 60870-5-104 bi-directional functionality is configured. Enabling secure communication following IEC 62351-3 does not remediate the vulnerability but mitigates the risk of exploitation.
Severity CVSS v4.0: HIGH
Last modification:
27/02/2026

CVE-2026-23969
Publication date:
24/02/2026
Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete.<br /> <br /> This issue affects Apache Superset: before 4.1.2.<br /> <br /> Users are recommended to upgrade to version 4.1.2, which fixes the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
26/02/2026

CVE-2026-23982
Publication date:
24/02/2026
An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset.<br /> <br /> This issue affects Apache Superset: before 6.0.0.<br /> <br /> Users are recommended to upgrade to version 6.0.0, which fixes the issue.
Severity CVSS v4.0: HIGH
Last modification:
25/02/2026

CVE-2025-14577
Publication date:
24/02/2026
Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to /webcti/session_ajax.php endpoint.<br /> <br /> <br /> This issue was fixed in version 1.24.0190 (Slican NCP) and 6.61.0010 (Slican IPL/IPM/IPU).
Severity CVSS v4.0: CRITICAL
Last modification:
02/03/2026

CVE-2026-2664
Publication date:
24/02/2026
An out of bounds read vulnerability in the grpcfuse kernel module present in the Linux VM in Docker Desktop for Windows, Linux and macOS up to version 4.61.0 could allow a local attacker to cause an unspecified impact by writing to /proc/docker entries. The issue has been fixed in Docker Desktop 4.62.0 .
Severity CVSS v4.0: MEDIUM
Last modification:
27/02/2026

CVE-2024-56373
Publication date:
24/02/2026
DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information.<br /> <br /> The functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should upgrade to Airflow 3 if they want to continue to use log template history. They can also manually modify historical log file names if they want to see historical logs that were generated before the last log template change.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2026

CVE-2025-27555
Publication date:
24/02/2026
Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378
Severity CVSS v4.0: Pending analysis
Last modification:
11/03/2026

CVE-2025-11165
Publication date:
24/02/2026
A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl.<br /> <br /> By dynamically modifying the Velocity engine’s runtime configuration and reinitializing its Uberspect, a malicious actor can remove the introspector.restrict.classes and introspector.restrict.packages protections.<br /> <br /> Once these restrictions are cleared, the attacker can access arbitrary Java classes, including java.lang.Runtime, and execute arbitrary system commands under the privileges of the application process (e.g. dotCMS or Tomcat user).
Severity CVSS v4.0: CRITICAL
Last modification:
03/03/2026

CVE-2024-1524
Publication date:
24/02/2026
When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user&amp;#39;s information may be replaced during the account provisioning process in cases where federated users share the same username as local users. <br /> <br /> There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control.<br /> <br /> The Deployment should have: <br /> -An IDP configured for federated authentication with Silent JIT provisioning enabled.<br /> <br /> The malicious actor should have:<br /> -A fresh valid user account in the federated IDP that has not been used earlier.<br /> -Knowledge of the username of a valid user in the local IDP. <br /> -An account at the federated IDP matching the targeted local username.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2026

CVE-2026-1229
Publication date:
24/02/2026
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.<br /> ECDH and ECDSA signing relying on this curve are not affected.<br /> <br /> The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .
Severity CVSS v4.0: LOW
Last modification:
03/03/2026

CVE-2025-40540
Publication date:
24/02/2026
A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account.<br /> <br /> This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2026
Subscribe to Vulnerabilities