Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-4835
Publication date:
26/03/2026
A security vulnerability has been detected in code-projects Accounting System 1.0. Impacted is an unknown function of the file /my_account/add_costumer.php of the component Web Application Interface. Such manipulation of the argument costumer_name leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
30/03/2026

CVE-2026-4836
Publication date:
26/03/2026
A vulnerability was detected in code-projects Accounting System 1.0. The affected element is an unknown function of the file /my_account/delete.php. Performing a manipulation of the argument cos_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
30/03/2026

CVE-2025-15101
Publication date:
26/03/2026
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Web management interface of certain ASUS router models. This vulnerability potentially allows actions to be performed with the existing privileges of an authenticated user on the affected device, including the ability to execute system commands through unintended mechanisms.<br /> Refer to the &amp;#39;Security Update for ASUS Router Firmware&amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: HIGH
Last modification:
26/03/2026

CVE-2014-125112
Publication date:
26/03/2026
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.<br /> <br /> Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-4831
Publication date:
26/03/2026
A security flaw has been discovered in kalcaddle kodbox 1.64. Impacted is the function can of the file /workspace/source-code/app/controller/explorer/auth.class.php of the component Password-protected Share Handler. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
30/03/2026

CVE-2026-4833
Publication date:
26/03/2026
A weakness has been identified in Orc discount up to 3.0.1.2. This issue affects the function compile of the file markdown.c of the component Markdown Handler. This manipulation causes uncontrolled recursion. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project maintainer confirms: "[I]f you feed it an infinitely deep blockquote input it will crash. (...) [T]his is a duplicate of an old bug that I&amp;#39;ve been working on."
Severity CVSS v4.0: MEDIUM
Last modification:
30/03/2026

CVE-2026-4484
Publication date:
26/03/2026
The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the &amp;#39;InstructorsController::prepare_object_for_database&amp;#39; function. This makes it possible for authenticated attackers, with Student-level access and above, to elevate their privileges to that of an administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-4830
Publication date:
26/03/2026
A vulnerability was identified in kalcaddle kodbox 1.64. This issue affects the function Add of the file app/controller/explorer/userShare.class.php of the component Public Share Handler. Such manipulation leads to unrestricted upload. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
30/03/2026

CVE-2026-33942
Publication date:
26/03/2026
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP&amp;#39;s unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes =&gt; true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class requiring users to store and resolve the authenticator manually.
Severity CVSS v4.0: HIGH
Last modification:
26/03/2026

CVE-2026-33287
Publication date:
26/03/2026
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript&amp;#39;s `String.prototype.replace()` which interprets `$&amp;` as a back reference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service. Version 10.25.1 patches the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026

CVE-2026-33285
Publication date:
26/03/2026
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS&amp;#39;s `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026

CVE-2026-33183
Publication date:
26/03/2026
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write).
Severity CVSS v4.0: HIGH
Last modification:
30/03/2026
Subscribe to Vulnerabilities