Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-26931

Publication date:

19/03/2026

Memory Allocation with Excessive Size Value (CWE-789) in the Prometheus remote_write HTTP handler in Metricbeat can lead Denial of Service via Excessive Allocation (CAPEC-130).

Severity CVSS v4.0: Pending analysis

Last modification:

20/03/2026

CVE-2026-30403

Publication date:

19/03/2026

There is an arbitrary file read vulnerability in the test connection function of backend database management in wgcloud v3.6.3 and before, which can be used to read any file on the victim&#39;s server.

Severity CVSS v4.0: Pending analysis

Last modification:

02/04/2026

CVE-2026-0819

Publication date:

19/03/2026

A stack buffer overflow vulnerability exists in wolfSSL&#39;s PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7->signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.

Severity CVSS v4.0: LOW

Last modification:

20/03/2026

CVE-2026-1005

Publication date:

19/03/2026

Integer underflow in wolfSSL packet sniffer

Severity CVSS v4.0: LOW

Last modification:

20/03/2026

CVE-2026-32869

Publication date:

19/03/2026

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the "Name of Organization" field when filling out case information. An authenticated attacker can inject an XSS payload which is executed in the context of a victim&#39;s session when they visit the case information page.

Severity CVSS v4.0: MEDIUM

Last modification:

30/03/2026

CVE-2026-3029

Publication date:

19/03/2026

A path traversal and arbitrary file write vulnerability exist in the embedded get function in &#39;_main_.py&#39; in PyMuPDF version, 1.26.5.

Severity CVSS v4.0: Pending analysis

Last modification:

24/03/2026

CVE-2026-32868

Publication date:

19/03/2026

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the &#39;My Information&#39; screen. An authenticated attacker can inject parts of an XSS payload in the first and last name fields. The payload is executed when the full name is rendered. The attacker can run script in the context of a victim&#39;s session.

Severity CVSS v4.0: MEDIUM

Last modification:

30/03/2026

CVE-2026-32867

Publication date:

19/03/2026

OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via &#39;Portal/EEOC/DocumentUploadPub.aspx&#39;. Users would see these unexpected files in cases. Uploading a large number of files could consume storage.

Severity CVSS v4.0: MEDIUM

Last modification:

30/03/2026

CVE-2026-32866

Publication date:

19/03/2026

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user&#39;s full name is rendered. The attacker can run script in the context of a victim&#39;s session.

Severity CVSS v4.0: MEDIUM

Last modification:

30/03/2026

CVE-2026-32865

Publication date:

19/03/2026

OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via &#39;ForcePasswordReset.aspx&#39;. An attacker who knows an existing user&#39;s email address can reset the user&#39;s password and security questions. Existing security questions are not asked during the process.

Severity CVSS v4.0: CRITICAL

Last modification:

30/03/2026

CVE-2026-30404

Publication date:

19/03/2026

The backend database management connection test feature in wgcloud v3.6.3 has a server-side request forgery (SSRF) vulnerability. This issue can be exploited to make the server send requests to probe the internal network, remotely download malicious files, and perform other dangerous operations.

Severity CVSS v4.0: Pending analysis

Last modification:

02/04/2026