Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-30405

Publication date:

16/03/2026

An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute

Severity CVSS v4.0: Pending analysis

Last modification:

16/03/2026

CVE-2025-54758

Publication date:

16/03/2026

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2025. Notes: none.

Severity CVSS v4.0: Pending analysis

Last modification:

16/03/2026

CVE-2025-65734

Publication date:

16/03/2026

An authenticated arbitrary file upload vulnerability in the Courses/Work Assignments module of gunet Open eClass v3.11, and fixed in v3.13, allows attackers to execute arbitrary code via uploading a crafted SVG file.

Severity CVSS v4.0: Pending analysis

Last modification:

16/03/2026

CVE-2025-53517

Publication date:

16/03/2026

Severity CVSS v4.0: Pending analysis

Last modification:

16/03/2026

CVE-2025-53815

Publication date:

16/03/2026

Severity CVSS v4.0: Pending analysis

Last modification:

16/03/2026

CVE-2026-4250

Publication date:

16/03/2026

A vulnerability was found in Albert Sağlık Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the component Google Cloud Service Account Key Handler. Performing a manipulation results in unprotected storage of credentials. The attack requires a local approach. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Severity CVSS v4.0: LOW

Last modification:

16/03/2026

CVE-2026-4276

Publication date:

16/03/2026

LibreChat RAG API, version 0.7.0, contains a log-injection vulnerability that allows attackers to forge log entries.

Severity CVSS v4.0: Pending analysis

Last modification:

16/03/2026

CVE-2026-32583

Publication date:

16/03/2026

Missing Authorization vulnerability in Webnus Inc. Modern Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Modern Events Calendar: from n/a through 7.29.0.

Severity CVSS v4.0: Pending analysis

Last modification:

16/03/2026

CVE-2026-32587

Publication date:

16/03/2026

Missing Authorization vulnerability in Saad Iqbal WP EasyPay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP EasyPay: from n/a through 4.2.11.

Severity CVSS v4.0: Pending analysis

Last modification:

16/03/2026

CVE-2025-62319

Publication date:

16/03/2026

Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently depending on whether the injected condition evaluates to true or false. This allows an attacker to inject arbitrary SQL into backend configuration queries executed within the application.

Severity CVSS v4.0: Pending analysis

Last modification:

16/03/2026

CVE-2025-69783

Publication date:

16/03/2026

A local attacker can bypass OpenEDR&#39;s 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe). This allows unauthorized interaction with the OpenEDR kernel driver, granting access to privileged functionality such as configuration changes, process monitoring, and IOCTL communication that should be restricted to trusted components. While this issue alone does not directly grant SYSTEM privileges, it breaks OpenEDR&#39;s trust model and enables further exploitation leading to full local privilege escalation.

Severity CVSS v4.0: Pending analysis

Last modification:

16/03/2026

CVE-2025-69784

Publication date:

16/03/2026

A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system.

Severity CVSS v4.0: Pending analysis

Last modification:

16/03/2026

Subscribe to Vulnerabilities