Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-30304
Publication date:
27/03/2026
In its design for automatic terminal command execution, AI Code offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2026-30407
Publication date:
27/03/2026
Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2026

CVE-2026-30637
Publication date:
27/03/2026
Server-Side Request Forgery (SSRF) vulnerability exists in the AnnounContent of the /admin/read.php in OTCMS V7.66 and before. The vulnerability allows remote attackers to craft HTTP requests, without authentication, containing a URL pointing to internal services or any remote server
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2026

CVE-2026-29871
Publication date:
27/03/2026
A path traversal vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19) in the Beifong AI News and Podcast Agent backend in FastAPI backend, stream-audio endpoint, in file routers/podcast_router.py, in function stream_audio. The stream-audio endpoint accepts a user-controlled path parameter that is concatenated into a filesystem path without proper validation or restriction. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary files from the server filesystem, potentially disclosing sensitive information such as configuration files and credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-30303
Publication date:
27/03/2026
The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the Windows platform, coupled with a failure to correctly handle Windows CMD-specific escape sequences (^). Attackers can exploit this discrepancy between the parsing logic and the execution environment by constructing payloads such as git log ^" & malicious_command ^". The Axon Code parser is deceived by the escape characters, misinterpreting the malicious command connector (&) as being within a protected string argument and thus auto-approving the command. However, the underlying Windows CMD interpreter ignores the escaped quotes, parsing and executing the subsequent malicious command directly. This allows attackers to achieve arbitrary Remote Code Execution (RCE) after bypassing what appears to be a legitimate Git whitelist check.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-28375
Publication date:
27/03/2026
A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2026

CVE-2026-27879
Publication date:
27/03/2026
A resample query can be used to trigger out-of-memory crashes in Grafana.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2026

CVE-2026-27880
Publication date:
27/03/2026
The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2026

CVE-2026-27877
Publication date:
27/03/2026
When using public dashboards and direct data-sources, all direct data-sources&amp;#39; passwords are exposed despite not being used in dashboards.<br /> <br /> No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments&amp;#39; security.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2026

CVE-2026-27876
Publication date:
27/03/2026
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.<br /> <br /> Only instances with the sqlExpressions feature toggle enabled are vulnerable.<br /> <br /> Only instances in the following version ranges are affected:<br /> <br /> - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.<br /> - 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.<br /> - 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.<br /> - 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.<br /> - 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-1496
Publication date:
27/03/2026
Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user’s Coverity Connect account.
Severity CVSS v4.0: CRITICAL
Last modification:
30/03/2026

CVE-2025-69988
Publication date:
27/03/2026
BS Producten Petcam 33.1.0.0818 is vulnerable to Incorrect Access Control. An unauthenticated attacker in physical proximity can associate with this open network. Once connected, the attacker gains access to the camera&amp;#39;s private network interface and can retrieve sensitive information, including the live video and audio stream, without providing credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026
Subscribe to Vulnerabilities