Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-25590
Publication date:
03/03/2026
The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, there is a reflected XSS vulnerability in task jobs. This vulnerability is fixed in 1.6.6.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2026

CVE-2026-2590
Publication date:
03/03/2026
Improper<br /> enforcement of the Disable password saving in vaults setting in the <br /> connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, <br /> potentially exposing sensitive information to other users, by creating <br /> or editing certain connection types while password saving is disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2026

CVE-2026-3204
Publication date:
03/03/2026
Improper<br /> input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2026

CVE-2026-3224
Publication date:
03/03/2026
Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2026

CVE-2026-3487
Publication date:
03/03/2026
A vulnerability was found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/class-result.php. Performing a manipulation of the argument course_code results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Severity CVSS v4.0: MEDIUM
Last modification:
04/03/2026

CVE-2026-3130
Publication date:
03/03/2026
Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2026

CVE-2026-24415
Publication date:
03/03/2026
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contains Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the righe GET parameter before reflecting it in HTML output.The $_GET[&amp;#39;righe&amp;#39;] parameter is directly echoed into the HTML value attribute without any sanitization using htmlspecialchars() or equivalent functions. This allows an attacker to break out of the attribute context and inject arbitrary HTML/JavaScript.
Severity CVSS v4.0: MEDIUM
Last modification:
04/03/2026

CVE-2026-27012
Publication date:
03/03/2026
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user&amp;#39;s group (idgruppo) by directly calling modules/utenti/actions.php. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2026

CVE-2026-25146
Publication date:
03/03/2026
OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary money movement or broad account takeover of payment gateway APIs. This vulnerability is fixed in 8.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2026

CVE-2026-24898
Publication date:
03/03/2026
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endpoint allows any unauthenticated visitor to obtain the practice&amp;#39;s MedEx API tokens, leading to complete third-party service compromise, PHI exfiltration, unauthorized actions on the MedEx platform, and HIPAA violations. The vulnerability exists because the endpoint bypasses authentication ($ignoreAuth = true) and performs a MedEx login whenever $_POST[&amp;#39;callback_key&amp;#39;] is provided, returning the full JSON response including sensitive API tokens. This vulnerability is fixed in 8.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2026

CVE-2026-24848
Publication date:
03/03/2026
OpenEMR is a free and open source electronic health records and medical practice management application. In 7.0.4 and earlier, the disposeDocument() method in EtherFaxActions.php allows authenticated users to write arbitrary content to arbitrary locations on the server filesystem. This vulnerability can be exploited to achieve Remote Code Execution (RCE) by uploading malicious PHP web shells.
Severity CVSS v4.0: HIGH
Last modification:
04/03/2026

CVE-2026-1775
Publication date:
03/03/2026
The Labkotec LID-3300IP has an existing vulnerability in the ice detector software that enables an unauthenticated attacker to alter device parameters and run operational commands when specially crafted packets are sent to the device.
Severity CVSS v4.0: HIGH
Last modification:
04/03/2026
Subscribe to Vulnerabilities