Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-5469
Publication date:
03/04/2026
A weakness has been identified in Casdoor 2.356.0. This vulnerability affects unknown code of the component Webhook URL Handler. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
03/04/2026

CVE-2026-26477
Publication date:
03/04/2026
An issue in Dokuwiki v.2025-05-14b 'Librarian' allows a remote attacker to cause a denial of service via the media_upload_xhr() function in the media.php file
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2025-59710
Publication date:
03/04/2026
An issue was discovered in Biztalk360 before 11.5. Because of incorrect access control, any user is able to request the loading a DLL file. During the loading, a method is called. An attacker can craft a malicious DLL, upload it to the server, and use it to achieve remote code execution on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2025-59711
Publication date:
03/04/2026
An issue was discovered in Biztalk360 before 11.5. Because of mishandling of user-provided input in an upload mechanism, an authenticated attacker is able to write files outside of the destination directory and/or coerce an authentication from the service, aka Directory Traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2025-59709
Publication date:
03/04/2026
An issue was discovered in Biztalk360 through 11.5. because of mishandling of user-provided input in a path to be read by the server, a Super User attacker is able to read files on the system and/or coerce an authentication from the service, aka Directory Traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2026-5468
Publication date:
03/04/2026
A security flaw has been discovered in Casdoor 2.356.0. This affects the function dangerouslySetInnerHTML. Performing a manipulation of the argument formCss/formCssMobile/formSideHtml results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
03/04/2026

CVE-2026-25773
Publication date:
03/04/2026
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2026-28736
Publication date:
03/04/2026
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2026-23420
Publication date:
03/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: wlcore: Fix a locking bug<br /> <br /> Make sure that wl-&gt;mutex is locked before it is unlocked. This has been<br /> detected by the Clang thread-safety analyzer.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2026-23421
Publication date:
03/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/configfs: Free ctx_restore_mid_bb in release<br /> <br /> ctx_restore_mid_bb memory is allocated in wa_bb_store(), but<br /> xe_config_device_release() only frees ctx_restore_post_bb.<br /> <br /> Free ctx_restore_mid_bb[0].cs as well to avoid leaking the allocation<br /> when the configfs device is removed.<br /> <br /> (cherry picked from commit a235e7d0098337c3f2d1e8f3610c719a589e115f)
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2026-23422
Publication date:
03/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler<br /> <br /> Commit 31a7a0bbeb00 ("dpaa2-switch: add bounds check for if_id in IRQ<br /> handler") introduces a range check for if_id to avoid an out-of-bounds<br /> access. If an out-of-bounds if_id is detected, the interrupt status is<br /> not cleared. This may result in an interrupt storm.<br /> <br /> Clear the interrupt status after detecting an out-of-bounds if_id to avoid<br /> the problem.<br /> <br /> Found by an experimental AI code review agent at Google.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2026-23423
Publication date:
03/04/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: free pages on error in btrfs_uring_read_extent()<br /> <br /> In this function the &amp;#39;pages&amp;#39; object is never freed in the hopes that it is<br /> picked up by btrfs_uring_read_finished() whenever that executes in the<br /> future. But that&amp;#39;s just the happy path. Along the way previous<br /> allocations might have gone wrong, or we might not get -EIOCBQUEUED from<br /> btrfs_encoded_read_regular_fill_pages(). In all these cases, we go to a<br /> cleanup section that frees all memory allocated by this function without<br /> assuming any deferred execution, and this also needs to happen for the<br /> &amp;#39;pages&amp;#39; allocation.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026
Subscribe to Vulnerabilities