Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-20989

Publication date:
16/03/2026
Improper verification of cryptographic signature in Font Settings prior to SMR Mar-2026 Release 1 allows physical attackers to use custom font.
Severity CVSS v4.0: MEDIUM
Last modification:
16/03/2026

CVE-2026-20990

Publication date:
16/03/2026
Improper export of android application components in Secure Folder prior to SMR Mar-2026 Release 1 allows local attackers to launch arbitrary activity with Secure Folder privilege.
Severity CVSS v4.0: HIGH
Last modification:
16/03/2026

CVE-2026-20991

Publication date:
16/03/2026
Improper privilege management in ThemeManager prior to SMR Mar-2026 Release 1 allows local privileged attackers to reuse trial contents.
Severity CVSS v4.0: MEDIUM
Last modification:
16/03/2026

CVE-2026-1883

Publication date:
16/03/2026
The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users.
Severity CVSS v4.0: Pending analysis
Last modification:
16/03/2026

CVE-2026-1947

Publication date:
16/03/2026
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite arbitrary form entries via the 'nf_set_entry_update_id' parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
16/03/2026

CVE-2026-1948

Publication date:
16/03/2026
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin license.
Severity CVSS v4.0: Pending analysis
Last modification:
16/03/2026

CVE-2026-0977

Publication date:
16/03/2026
IBM CICS Transaction Gateway for Multiplatforms 9.3 and 10.1 could allow a user to transfer or view files due to improper access controls.
Severity CVSS v4.0: Pending analysis
Last modification:
16/03/2026

CVE-2026-1870

Publication date:
16/03/2026
The Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to missing validation checks on the 'thim-ekit/archive-course/get-courses' REST endpoint callback function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to disclose private or draft LearnPress course content by supplying post_status in the params_url payload.
Severity CVSS v4.0: Pending analysis
Last modification:
16/03/2026

CVE-2026-0639

Publication date:
16/03/2026
in OpenHarmony v6.0 and prior versions allow a local attacker to cause DOS through missing release of memory.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2026-0849

Publication date:
16/03/2026
Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2026-0385

Publication date:
16/03/2026
Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
16/03/2026

CVE-2025-69246

Publication date:
16/03/2026
Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering lockout, throttling, or step-up challenges. This issue was fixed in version 1.4.6.
Severity CVSS v4.0: MEDIUM
Last modification:
16/03/2026