Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-4285
Publication date:
17/03/2026
A vulnerability was identified in taoofagi easegen-admin up to 8f87936ac774065b92fb20aab55b274a6ea76433. Impacted is the function recognizeMarkdown of the file yudao-module-digitalcourse/yudao-module-digitalcourse-biz/src/main/java/cn/iocoder/yudao/module/digitalcourse/util/Pdf2MdUtil.java. Such manipulation of the argument fileUrl leads to path traversal. It is possible to launch the attack remotely. The exploit is publicly available and might be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
17/03/2026

CVE-2026-4287
Publication date:
17/03/2026
A security flaw has been discovered in Tiandy Easy7 Integrated Management Platform 7.17.0. The affected element is an unknown function of the file /rest/devStatus/queryResources of the component Endpoint. Performing a manipulation of the argument areaId results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
17/03/2026

CVE-2026-4288
Publication date:
17/03/2026
A weakness has been identified in Tiandy Easy7 Integrated Management Platform 7.17.0. The impacted element is an unknown function of the file /rest/devStatus/getDevDetailedInfo of the component Endpoint. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
17/03/2026

CVE-2026-4289
Publication date:
17/03/2026
A security vulnerability has been detected in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This affects an unknown function of the file /rest/preSetTemplate/getRecByTemplateId. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
17/03/2026

CVE-2026-4284
Publication date:
16/03/2026
A vulnerability was determined in taoofagi easegen-admin up to 8f87936ac774065b92fb20aab55b274a6ea76433. This issue affects the function downloadFile of the file - yudao-module-digitalcourse/yudao-module-digitalcourse-biz/src/main/java/cn/iocoder/yudao/module/digitalcourse/util/PPTUtil.java of the component PPT File Handler. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
17/03/2026

CVE-2026-4177
Publication date:
16/03/2026
YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter.<br /> <br /> The heap overflow occurs when class names exceed the initial 512-byte allocation.<br /> <br /> The base64 decoder could read past the buffer end on trailing newlines.<br /> <br /> strtok mutated n-&gt;type_id in place, corrupting shared node data.<br /> <br /> A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string &amp;#39;a&amp;#39; was leaked on early return.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2026

CVE-2026-21991
Publication date:
16/03/2026
A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2026-2454
Publication date:
16/03/2026
Mattermost versions 11.3.x
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2026

CVE-2026-26230
Publication date:
16/03/2026
Mattermost versions 10.11.x
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2026

CVE-2026-29522
Publication date:
16/03/2026
ZwickRoell Test Data Management versions prior to 3.0.8 contain a local file inclusion (LFI) vulnerability in the /server/node_upgrade_srv.js endpoint. An unauthenticated attacker can supply directory traversal sequences via the firmware parameter to access arbitrary files on the server, leading to information disclosure of sensitive system files.
Severity CVSS v4.0: HIGH
Last modification:
17/03/2026

CVE-2026-1629
Publication date:
16/03/2026
Mattermost versions 10.11.x
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2026

CVE-2025-69902
Publication date:
16/03/2026
A command injection vulnerability in the minimal_wrapper.py component of kubectl-mcp-server v1.2.0 allows attackers to execute arbitrary commands via injecting arbitrary shell metacharacters.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026
Subscribe to Vulnerabilities