Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-4897
Publication date:
26/03/2026
A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2026

CVE-2026-33397
Publication date:
26/03/2026
The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request.
Severity CVSS v4.0: MEDIUM
Last modification:
30/03/2026

CVE-2026-29976
Publication date:
26/03/2026
Buffer Overflow vulnerability in ZerBea hcxpcapngtool v. 7.0.1-43-g2ee308e allows a local attacker to obtain sensitive information via the getradiotapfield() function
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-30162
Publication date:
26/03/2026
Cross Site Scripting (xss) vulnerability in Timo 2.0.3 via crafted links in the title field.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2026

CVE-2026-29934
Publication date:
26/03/2026
A reflected cross-site scripting (XSS) vulnerability in the /admin/menus component of Lightcms v2.0 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referer value in the request header.
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2026

CVE-2026-29933
Publication date:
26/03/2026
A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referrer value in the request header.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2026

CVE-2026-28297
Publication date:
26/03/2026
SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2026

CVE-2026-28298
Publication date:
26/03/2026
SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2026

CVE-2026-27663
Publication date:
26/03/2026
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions
Severity CVSS v4.0: HIGH
Last modification:
14/04/2026

CVE-2026-27664
Publication date:
26/03/2026
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions
Severity CVSS v4.0: HIGH
Last modification:
14/04/2026

CVE-2026-26072
Publication date:
26/03/2026
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map` concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2026

CVE-2026-26071
Publication date:
26/03/2026
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::string` concurrent access. with heap-use-after-free possible. This is triggered by EVCCID update (EV/ISO15118) and OCPP session/authorization events. Version 2026.02.0 contains a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2026
Subscribe to Vulnerabilities