Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-70250

Publication date:
09/03/2026
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formdumpeasysetup.
Severity CVSS v4.0: Pending analysis
Last modification:
11/03/2026

CVE-2025-70243

Publication date:
09/03/2026
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWAN_Wizard534.
Severity CVSS v4.0: Pending analysis
Last modification:
11/03/2026

CVE-2025-70238

Publication date:
09/03/2026
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWAN_Wizard52.
Severity CVSS v4.0: Pending analysis
Last modification:
11/03/2026

CVE-2025-70059

Publication date:
09/03/2026
An issue pertaining to CWE-400: Uncontrolled Resource Consumption was discovered in YMFE yapi v1.12.0 and allows attackers to cause a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2026

CVE-2025-69648

Publication date:
09/03/2026
GNU Binutils through 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. No evidence of memory corruption or code execution was observed.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2026

CVE-2025-69647

Publication date:
09/03/2026
GNU Binutils through 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2026

CVE-2026-3089

Publication date:
09/03/2026
Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles. This issue affects versions of Actual Sync Server prior to 26.3.0.
Severity CVSS v4.0: MEDIUM
Last modification:
09/04/2026

CVE-2026-2919

Publication date:
09/03/2026
Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability was fixed in Focus for iOS 148.2.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2026

CVE-2026-2261

Publication date:
09/03/2026
Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives.

Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes before it is able to exec the helper. At this point, blocklistd still records adverse events but is unable to block new addresses or unblock addresses whose database entries have expired.

Once a second, much higher number of leaked sockets is reached, blocklistd becomes unable to receive new adverse event reports.

An attacker may take advantage of this by triggering a large number of adverse events from sacrificial IP addresses to effectively disable blocklistd before launching an attack.

Even in the absence of attacks or probes by would-be attackers, adverse events will occur regularly in the course of normal operations, and blocklistd will gradually run out of file descriptors and become ineffective.

The accumulation of open sockets may have knock-on effects on other parts of the system, resulting in a general slowdown until blocklistd is restarted.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2026-3038

Publication date:
09/03/2026
The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow.

In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns.

The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic.

Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2026-3819

Publication date:
09/03/2026
A vulnerability has been found in SourceCodester Resort Reservation System 1.0. The affected element is an unknown function of the file /?page=manage_reservation of the component Reservation Management Module. Such manipulation of the argument ID leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-21736

Publication date:
09/03/2026
Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory.

This is caused by improper handling of the memory protections for the user-mode wrapped memory resource.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2026