Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-60948
Publication date:
23/03/2026
Census CSWeb 8.0.1 allows stored cross-site scripting in user supplied fields. A remote, authenticated attacker could store malicious javascript that executes in a victim's browser. Fixed in 8.1.0 alpha.
Severity CVSS v4.0: MEDIUM
Last modification:
25/03/2026

CVE-2025-60947
Publication date:
23/03/2026
Census CSWeb 8.0.1 allows arbitrary file upload. A remote, authenticated attacker could upload a malicious file, possibly leading to remote code execution. Fixed in 8.1.0 alpha.
Severity CVSS v4.0: HIGH
Last modification:
25/03/2026

CVE-2025-60946
Publication date:
23/03/2026
Census CSWeb 8.0.1 allows arbitrary file path input. A remote, authenticated attacker could access unintended file directories. Fixed in 8.1.0 alpha.
Severity CVSS v4.0: HIGH
Last modification:
26/03/2026

CVE-2026-4368
Publication date:
23/03/2026
Race Condition in NetScaler ADC and NetScaler Gateway when appliance is configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server leading to User Session Mixup
Severity CVSS v4.0: HIGH
Last modification:
24/03/2026

CVE-2026-4597
Publication date:
23/03/2026
A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. Impacted is the function selectAll of the file src/main/java/com/genersoft/iot/vmp/streamProxy/dao/provider/StreamProxyProvider.java of the component Stream Proxy Query Handler. The manipulation results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Severity CVSS v4.0: MEDIUM
Last modification:
24/03/2026

CVE-2026-3055
Publication date:
23/03/2026
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread
Severity CVSS v4.0: CRITICAL
Last modification:
31/03/2026

CVE-2026-23882
Publication date:
23/03/2026
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4.
Severity CVSS v4.0: HIGH
Last modification:
24/03/2026

CVE-2026-23488
Publication date:
23/03/2026
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note (including private notes) without authorization, even if the note has not been publicly shared. The /api/v1/comment/list endpoint has the same issue, allowing unauthorized viewing of comments on all notes. This issue has been patched in version 1.8.4.
Severity CVSS v4.0: MEDIUM
Last modification:
24/03/2026

CVE-2026-23487
Publication date:
23/03/2026
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4.
Severity CVSS v4.0: MEDIUM
Last modification:
24/03/2026

CVE-2026-23486
Publication date:
23/03/2026
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publicly accessible endpoint exposes all user information, including usernames, roles, and account creation dates. This issue has been patched in version 1.8.4.
Severity CVSS v4.0: MEDIUM
Last modification:
24/03/2026

CVE-2026-23485
Publication date:
23/03/2026
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different error responses. This issue has been patched in version 1.8.4.
Severity CVSS v4.0: MEDIUM
Last modification:
24/03/2026

CVE-2026-23483
Publication date:
23/03/2026
Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join() to concatenate paths but does not verify if the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly available patches.
Severity CVSS v4.0: MEDIUM
Last modification:
24/03/2026
Subscribe to Vulnerabilities