Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-27321

Publication date:
20/02/2026
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2026

CVE-2026-27322

Publication date:
20/02/2026
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2026

CVE-2026-27323

Publication date:
20/02/2026
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2026

CVE-2026-27324

Publication date:
20/02/2026
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2026

CVE-2026-27325

Publication date:
20/02/2026
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2026

CVE-2026-27317

Publication date:
20/02/2026
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2026

CVE-2026-27318

Publication date:
20/02/2026
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2026

CVE-2026-2821

Publication date:
20/02/2026
A weakness has been identified in Fujian Smart Integrated Management Platform System up to 7.5. The affected element is an unknown function of the file /Module/CRXT/Controller/XCamera.ashx. Manipulation of the argument ChannelName causes SQL injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026

CVE-2026-27017

Publication date:
20/02/2026
uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. Versions 1.6.0 through 1.8.0 contain a fingerprint mismatch with Chrome when using GREASE ECH, related to cipher suite selection. When Chrome selects the preferred cipher suite in the outer ClientHello and for ECH, it does so consistently based on hardware support—for example, if it prefers AES for the outer cipher suite, it also uses AES for ECH. However, the Chrome parrot in uTLS hardcodes AES preference for outer cipher suites but selects the ECH cipher suite randomly between AES and ChaCha20. This creates a 50% chance of selecting ChaCha20 for ECH while using AES for the outer cipher suite, a combination impossible in Chrome. This issue only affects GREASE ECH; in real ECH, Chrome selects the first valid cipher suite when AES is preferred, which uTLS handles correctly. This issue has been fixed in version 1.8.1.
Severity CVSS v4.0: LOW
Last modification:
20/02/2026

CVE-2026-26994

Publication date:
20/02/2026
uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. In versions 1.6.7 and below, uTLS did not implement the TLS 1.3 downgrade protection mechanism specified in RFC 8446 Section 4.1.3 when using a uTLS ClientHello spec. This allowed an active network adversary to downgrade TLS 1.3 connections initiated by a uTLS client to a lower TLS version (e.g., TLS 1.2) by modifying the ClientHello message to exclude the SupportedVersions extension, causing the server to respond with a TLS 1.2 ServerHello (along with a downgrade canary in the ServerHello random field). Because uTLS did not check the downgrade canary in the ServerHello random field, clients would accept the downgraded connection without detecting the attack. This attack could also be used by an active network attacker to fingerprint uTLS connections. This issue has been fixed in version 1.7.0.
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2026

CVE-2026-26995

Publication date:
20/02/2026
Rejected reason: Further research determined the issue is an external dependency vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2026

CVE-2026-26993

Publication date:
20/02/2026
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG (or other active content formats such as HTML or XML), an attacker can achieve script execution in the context of the application's origin when a victim views the file in “raw” mode. This results in a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to exfiltrate user data. This issue has been fixed in version 1.7.1.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2026