Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we make available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used to support the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or the newsletter you can be notified daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-24030

Publication date:
31/03/2026
An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-24029

Publication date:
31/03/2026
When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPS frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-24028

Publication date:
31/03/2026
An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026

CVE-2026-0397

Publication date:
31/03/2026
When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged in to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2026
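The entry above describes a CORS misconfiguration class rather than a specific header value. The following is an added illustration of that class in generic Node.js code; it is not dnsdist's webserver code, and the origins, the "reflect any Origin" policy and the allowlist are assumptions made for the example. It shows why an API that echoes the request Origin while allowing credentials lets a page on an attacker-controlled origin read an authenticated user's responses, and the allowlisted form that does not.

```javascript
// Added example (not dnsdist code): CORS policy that reflects Origin vs. an allowlist.
// Origins below are made up for the illustration.
const TRUSTED_ORIGINS = new Set(['https://admin.example.internal']); // assumed allowlist

// Misconfigured: echoes whatever Origin the browser sends and allows credentials,
// so any site the logged-in admin visits can read responses from this API.
function corsHeadersReflecting(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: only allowlisted origins get an ACAO header; unknown origins get none.
// 'Vary: Origin' keeps caches from serving one origin's ACAO to another.
function corsHeadersAllowlisted(requestOrigin) {
  if (!requestOrigin || !TRUSTED_ORIGINS.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Models the browser's read decision for a cross-origin response: the script on
// pageOrigin may read the body only if ACAO equals pageOrigin (the wildcard '*' is
// not honoured for credentialed requests) and, when cookies are sent, ACAC is 'true'.
function browserAllowsRead(pageOrigin, headers, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (!acao) return false;
  if (acao === '*') return !withCredentials;
  if (acao !== pageOrigin) return false;
  return !withCredentials || headers['Access-Control-Allow-Credentials'] === 'true';
}

// Runs both policies against a credentialed request from an attacker page and
// from the legitimate dashboard origin.
function simulate(corsPolicy) {
  const attacker = 'https://evil.example';            // constructed attacker origin
  const admin = 'https://admin.example.internal';     // constructed trusted origin
  return {
    attackerCanRead: browserAllowsRead(attacker, corsPolicy(attacker), true),
    adminCanRead: browserAllowsRead(admin, corsPolicy(admin), true),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('reflecting :', simulate(corsHeadersReflecting));
  console.log('allowlisted:', simulate(corsHeadersAllowlisted));
}
```

The practical check on a live dashboard is to send a request with an `Origin` header for a host you do not control and inspect the response: an `Access-Control-Allow-Origin` that echoes it back, combined with `Access-Control-Allow-Credentials: true`, is the misconfiguration; the safe response to an unknown origin carries no `Access-Control-Allow-Origin` header at all.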

CVE-2025-14213

Publication date:
31/03/2026
Cato Networks’ Socket versions prior to 25 contain a command injection vulnerability that allows an authenticated attacker with access to the Socket web interface (UI) to execute arbitrary operating system commands as the root user on the Socket’s internal system.
Severity CVSS v4.0: HIGH
Last modification:
01/04/2026

CVE-2024-14031

Publication date:
31/03/2026
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard library.

Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2024-14030

Publication date:
31/03/2026
Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard library.

Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2026-4400

Publication date:
31/03/2026
Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users to be viewed by simply changing the conversation ID. The vulnerability is present in the endpoint 'api.1millionbot.com/api/public/conversations/' and, if exploited, could allow a remote attacker to access other users' private chatbot conversations, revealing sensitive or confidential data without requiring credentials or impersonating users. In order for the vulnerability to be exploited, the attacker must have the user's conversation ID.
Severity CVSS v4.0: HIGH
Last modification:
14/04/2026
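The root cause of an IDOR like the one above is a handler that resolves a record by its identifier without checking that the caller is entitled to it. The following is an added example in generic Node.js, not 1millionbot's code: the store, the user names and the handler shapes are constructed for the illustration. It puts the vulnerable lookup beside the hardened one so the missing authorization step is visible.

```javascript
// Added example (not 1millionbot code): conversation lookup with and without an
// ownership check. Sample data below is constructed for the illustration.
const conversations = new Map([
  ['conv-1001', { owner: 'alice', messages: ['my order number is 4421'] }],
  ['conv-1002', { owner: 'bob',   messages: ['my address is 12 Sample St'] }],
]);

// Vulnerable handler: knowing the ID is enough. The caller's identity is accepted
// as a parameter but never compared with the record's owner, so any client that
// guesses or obtains another user's conversation ID reads that conversation.
function getConversationVulnerable(caller, conversationId) {
  const conv = conversations.get(conversationId);
  if (!conv) return { status: 404 };
  return { status: 200, body: conv.messages };
}

// Hardened handler: the caller must be authenticated and must own the record.
// Returning 404 for both "no such record" and "not yours" avoids confirming
// which IDs exist to a caller who is probing them.
function getConversationHardened(caller, conversationId) {
  if (!caller) return { status: 401 };
  const conv = conversations.get(conversationId);
  if (!conv || conv.owner !== caller) return { status: 404 };
  return { status: 200, body: conv.messages };
}

// Walks every record the caller does not own and reports how many each handler
// exposes; a non-zero count for a handler means it has the IDOR.
function countCrossUserReads(handler, caller) {
  let leaked = 0;
  for (const [id, conv] of conversations) {
    if (conv.owner !== caller && handler(caller, id).status === 200) leaked += 1;
  }
  return leaked;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable leaks:', countCrossUserReads(getConversationVulnerable, 'bob'));
  console.log('hardened  leaks:', countCrossUserReads(getConversationHardened, 'bob'));
}
```

Making identifiers unguessable (random tokens rather than sequential numbers) reduces how easily an attacker obtains a victim's ID, but it does not replace the ownership check: as the entry notes, the flaw is exploitable by anyone who has the ID, however they got it.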

CVE-2026-4399

Publication date:
31/03/2026
Prompt injection vulnerability in 1millionbot Millie chatbot that occurs when a user manages to evade chat restrictions using Boolean prompt injection techniques (formulating a question in such a way that, upon receiving an affirmative response ('true'), the model executes the injected instruction), causing it to return prohibited information and information outside its intended context. Successful exploitation of this vulnerability could allow a malicious remote attacker to abuse the service for purposes other than those originally intended, or even execute out-of-context tasks using 1millionbot's resources and/or OpenAI's API key. This allows the attacker to evade the containment mechanisms implemented during LLM model training and obtain responses or chat behaviors that were originally restricted.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026

CVE-2026-34887

Publication date:
31/03/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Kubio AI Page Builder allows Stored XSS. This issue affects Kubio AI Page Builder: from n/a through 2.7.0.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2025-15618

Publication date:
31/03/2026
Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl use an insecure secret key.

Business::OnlinePayment::StoredTransaction generates a secret key by taking an MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.

This key is intended for encrypting credit card transaction data.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2026-4317

Publication date:
31/03/2026
SQL injection (SQLi) vulnerability in the Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database. Specifically, they could manipulate the value of the 'timezone' request parameter by including malicious characters and an SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as 'prisma.rawQuery', 'prisma.$queryRawUnsafe' or raw queries with 'ClickHouse'). Successful exploitation of this vulnerability could allow an authenticated attacker to compromise the data in the database and execute dangerous functions.
Severity CVSS v4.0: CRITICAL
Last modification:
01/04/2026
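The entry above names the pattern (a request parameter interpolated into a raw query) but not the query itself. The following is an added example in generic Node.js, not Umami's code: the table and column names are assumed, no database driver is involved, and the functions return the SQL text and parameter list that would be handed to a driver. It shows the vulnerable string interpolation beside a hardened form that validates the time zone against what the runtime knows and binds it as a parameter; the validation generalises beyond the one parameter named in the entry to any IANA zone name.

```javascript
// Added example (not Umami code): a 'timezone' request parameter interpolated into
// raw SQL vs. validated and bound. Table/column names are assumed.

// Vulnerable: the parameter lands in the SQL text verbatim. This is the shape of
// string interpolation into a $queryRawUnsafe-style call; the database parses
// whatever the attacker sent as part of the statement.
function buildHourlyQueryUnsafe(websiteId, timezone) {
  return {
    sql: `SELECT date_trunc('hour', created_at AT TIME ZONE '${timezone}') AS t, count(*) ` +
         `FROM website_event WHERE website_id = '${websiteId}' GROUP BY t`,
    params: [],
  };
}

// Allowlist check rather than a blocklist of "dangerous characters": the value must
// be shaped like an IANA zone name and be a zone the runtime actually knows.
// Intl.DateTimeFormat throws RangeError for unknown zones.
function isValidTimeZone(tz) {
  if (typeof tz !== 'string' || !/^[A-Za-z_]+(?:\/[A-Za-z0-9_+-]+)*$/.test(tz)) return false;
  try {
    new Intl.DateTimeFormat('en-US', { timeZone: tz });
    return true;
  } catch (e) {
    return false;
  }
}

// Hardened: reject anything that is not a real zone name, then bind both values as
// parameters ($1, $2 placeholders, as used by PostgreSQL-style drivers) so the
// driver never parses attacker-controlled bytes as SQL.
function buildHourlyQuerySafe(websiteId, timezone) {
  if (!isValidTimeZone(timezone)) {
    throw new Error('invalid timezone parameter');
  }
  return {
    sql: "SELECT date_trunc('hour', created_at AT TIME ZONE $1) AS t, count(*) " +
         'FROM website_event WHERE website_id = $2 GROUP BY t',
    params: [timezone, websiteId],
  };
}

// Constructed payload: closes the quoted literal and appends a second statement.
const INJECTED_TZ = "UTC'); DROP TABLE website_event; --";

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildHourlyQueryUnsafe('site-1', INJECTED_TZ).sql);
  console.log(buildHourlyQuerySafe('site-1', 'Europe/Madrid'));
  try { buildHourlyQuerySafe('site-1', INJECTED_TZ); } catch (e) { console.log('rejected:', e.message); }
}
```

Binding alone would already stop the injection; the allowlist is still worth keeping because a time zone is an identifier-like value that some drivers and dialects cannot bind in every position, and rejecting unknown zones early also produces a clearer error than a database failure.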