Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-1612
Publication date:
30/03/2026
AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO&amp;#39;s AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket.<br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only versions 8.0.21.0610 and 8.0.22.0524 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity CVSS v4.0: MEDIUM
Last modification:
13/04/2026

CVE-2026-5128
Publication date:
30/03/2026
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: CRITICAL
Last modification:
31/03/2026

CVE-2026-4416
Publication date:
30/03/2026
The Performance Library component of Gigabyte Control Center has an Insecure Deserialization vulnerability. Authenticated local attackers can send a malicious serialized payload to the EasyTune Engine service, resulting in privilege escalation.
Severity CVSS v4.0: HIGH
Last modification:
08/04/2026

CVE-2026-4415
Publication date:
30/03/2026
Gigabyte Control Center developed by GIGABYTE has an Arbitrary File Write vulnerability. When the pairing feature is enabled, unauthenticated remote attackers can write arbitrary files to any location on the underlying operating system, leading to arbitrary code execution or privilege escalation.
Severity CVSS v4.0: CRITICAL
Last modification:
08/04/2026

CVE-2026-5121
Publication date:
30/03/2026
A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2026-2328
Publication date:
30/03/2026
An unauthenticated remote attacker can exploit insufficient input validation to access backend components beyond their intended scope via path traversal, resulting in exposure of sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026

CVE-2026-3945
Publication date:
30/03/2026
An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service (DoS). The issue occurs because chunk size values are parsed using strtol() without properly validating overflow conditions (e.g., errno == ERANGE). A crafted chunk size such as 0x7fffffffffffffff (LONG_MAX) bypasses the existing validation check (chunklen
Severity CVSS v4.0: HIGH
Last modification:
30/03/2026

CVE-2025-3716
Publication date:
30/03/2026
User enumeration in ESET Protect (on-prem) via Response Timing.
Severity CVSS v4.0: MEDIUM
Last modification:
30/03/2026

CVE-2026-25704
Publication date:
30/03/2026
A Privilege Dropping / Lowering Errors/Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in  cosmic-greeter can allow an attacker to regain privileges that should have been dropped and abuse them in the racy checking logic.<br /> <br /> <br /> <br /> <br /> This issue affects cosmic-greeter before https://github.Com/pop-os/cosmic-greeter/pull/426.
Severity CVSS v4.0: MEDIUM
Last modification:
16/04/2026

CVE-2025-15379
Publication date:
30/03/2026
A command injection vulnerability exists in MLflow&amp;#39;s model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact&amp;#39;s `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2026

CVE-2026-5119
Publication date:
30/03/2026
A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2026-5107
Publication date:
30/03/2026
A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The identifier of the patch is 7676cad65114aa23adde583d91d9d29e2debd045. To fix this issue, it is recommended to deploy a patch.
Severity CVSS v4.0: LOW
Last modification:
30/03/2026
Subscribe to Vulnerabilities