Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – which INCIBE translates into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-33486

Publication date:
26/03/2026
Roadiz is a polymorphic content management system based on a node system that can handle many types of services. A vulnerability in roadiz/documents prior to versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files. Versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 contain a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-33477

Publication date:
26/03/2026
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versions 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an authenticated user with only `read_own` access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the `read_own` enforcement for hover previews. Version 3.11.0 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-32857

Publication date:
26/03/2026
Firecrawl version 2.8.0 and prior contain a server-side request forgery (SSRF) protection bypass vulnerability in the Playwright scraping service where network policy validation is applied only to the initial user-supplied URL and not to subsequent redirect destinations. Attackers can supply an externally valid URL that passes validation and returns an HTTP redirect to an internal or restricted resource, allowing the browser to follow the redirect and fetch the final destination without revalidation, thereby gaining access to internal network services and sensitive endpoints. This issue is distinct from CVE-2024-56800, which describes redirect-based SSRF generally. This vulnerability specifically arises from a post-redirect enforcement gap in implemented SSRF protections, where validation is applied only to the initial request and not to the final redirected destination.
Severity CVSS v4.0: HIGH
Last modification:
26/03/2026

CVE-2026-3112

Publication date:
26/03/2026
Mattermost versions 11.4.x
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-3113

Publication date:
26/03/2026
Mattermost versions 11.4.x
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-3114

Publication date:
26/03/2026
Mattermost versions 11.4.x
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-3115

Publication date:
26/03/2026
Mattermost versions 11.2.x
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-3116

Publication date:
26/03/2026
Mattermost Plugins versions
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-4867

Publication date:
26/03/2026
Impact:
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.
Patches:
Upgrade to path-to-regexp@0.1.13
Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.
Workarounds:
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-33468

Publication date:
26/03/2026
Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ESCAPES` is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses `ImmediateValueTransformer` to inline values — specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`. Version 0.28.14 contains a fix.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-33636

Publication date:
26/03/2026
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-34071

Publication date:
26/03/2026
Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. In version 2.7.3, the /api/v1/convert/eml/pdf endpoint with parameter downloadHtml=true returns unsanitized HTML from the email body with Content-Type: text/html. An attacker who sends a malicious email to a Stirling-PDF user can achieve JavaScript execution when that user exports the email using the "Download HTML intermediate file" feature. Version 2.8.0 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026