Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-32290
Publication date:
17/03/2026
The GL-iNet Comet (GL-RM1) KVM before version 1.8.2 does not sufficiently verify the authenticity of uploaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding MD5 hash to pass verification.
Severity CVSS v4.0: HIGH
Last modification:
27/04/2026

CVE-2026-21570
Publication date:
17/03/2026
This High severity RCE (Remote Code Execution)  vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center.<br /> <br /> This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.6, allows an authenticated attacker to execute malicious code on the remote system.<br /> <br /> Atlassian recommends that Bamboo Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:<br /> Bamboo Data Center 9.6: Upgrade to a release greater than or equal to 9.6.24<br /> <br /> Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.16<br /> <br /> Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.3<br /> <br /> See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).<br /> <br /> This vulnerability was reported via our Atlassian (Internal) program.
Severity CVSS v4.0: HIGH
Last modification:
18/03/2026

CVE-2026-4148
Publication date:
17/03/2026
A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.
Severity CVSS v4.0: HIGH
Last modification:
10/04/2026

CVE-2026-4147
Publication date:
17/03/2026
An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.
Severity CVSS v4.0: HIGH
Last modification:
10/04/2026

CVE-2026-28506
Publication date:
17/03/2026
Outline is a service that allows for collaborative documentation. Prior to 1.5.0, the events.list API endpoint, used for retrieving activity logs, contains a logic flaw in its filtering mechanism. It allows any authenticated user to retrieve activity events associated with documents that have no collection (e.g., Private Drafts, Deleted Documents), regardless of the user&amp;#39;s actual permissions on those documents. While the document content is not directly exposed, this vulnerability leaks sensitive metadata (such as Document IDs, user activity timestamps, and in some specific cases like the Document Title of Permanent Delete). Crucially, leaking valid Document IDs of deleted drafts removes the protection of UUID randomness, making High-severity IDOR attacks (such as the one identified in documents.restore) trivially exploitable by lowering the attack complexity. Version 1.5.0 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2026

CVE-2026-24901
Publication date:
17/03/2026
Outline is a service that allows for collaborative documentation. Prior to 1.4.0, an Insecure Direct Object Reference (IDOR) vulnerability in the document restoration logic allows any team member to unauthorizedly restore, view, and seize ownership of deleted drafts belonging to other users, including administrators. By bypassing ownership validation during the restore process, an attacker can access sensitive private information and effectively lock the original owner out of their own content. Version 1.4.0 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2026

CVE-2026-23759
Publication date:
17/03/2026
Perle IOLAN STS/SCS terminal server models with firmware versions prior to 6.0 allow authenticated OS command injection via the restricted shell accessed over Telnet or SSH. The shell &amp;#39;ps&amp;#39; command does not perform proper argument sanitization and passes user-supplied parameters into an &amp;#39;sh -c&amp;#39; invocation running as root. An authenticated attacker who can log in to the device can inject shell metacharacters after the &amp;#39;ps&amp;#39; subcommand to execute arbitrary OS commands with root privileges, leading to full compromise of the underlying operating system.
Severity CVSS v4.0: HIGH
Last modification:
01/05/2026

CVE-2026-21886
Publication date:
17/03/2026
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this mutation can be misused to delete unrelated and sensitive objects such as analyses reports etc. This behavior stems from the lack of validation in the API to ensure that the targeted object is contextually related to the mutation being executed. Version 6.9.1 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2026

CVE-2026-3564
Publication date:
17/03/2026
A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2026

CVE-2026-4318
Publication date:
17/03/2026
A vulnerability was determined in UTT HiPER 810G up to 1.7.7-171114. Affected is the function strcpy of the file /goform/formApLbConfig. This manipulation of the argument loadBalanceNameOld causes buffer overflow. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Severity CVSS v4.0: HIGH
Last modification:
22/04/2026

CVE-2025-13406
Publication date:
17/03/2026
NULL Pointer Dereference vulnerability in Softing Industrial Automation GmbH smartLink SW-HT (Webserver modules) allows HTTP DoS.This issue affects smartLink SW-HT: 1.43.
Severity CVSS v4.0: MEDIUM
Last modification:
27/03/2026

CVE-2026-4324
Publication date:
17/03/2026
A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into the sort_by parameter of the /api/hosts/bootc_images API endpoint. This can lead to a Denial of Service (DoS) by triggering database errors, and potentially enable Boolean-based Blind SQL injection, which could allow an attacker to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2026
Subscribe to Vulnerabilities