Vulnerabilities

To inform, warn and support professionals about the latest security vulnerabilities in technology systems, we maintain a database, in Spanish, of all the latest documented and recognised vulnerabilities for anyone interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources, as well as to any patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2026-33490

Publication date:
26/03/2026
H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-33481

Publication date:
26/03/2026
Syft is a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Syft versions before v1.42.3 would not properly clean up temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syft will unpack those archives into temporary storage and then inspect the unpacked contents. Under normal operation Syft will remove the temporary data it writes after completing a scan. This vulnerability would affect users of Syft that were scanning content that could cause Syft to fill the temporary storage, which would then cause Syft to raise an error and exit. When the error is triggered Syft would exit without properly removing the temporary files in use. In our testing this was most easily reproduced by scanning very large artifacts or highly compressed artifacts such as a zipbomb. Because Syft would not clean up its temporary files, the result would be filling temporary file storage, preventing future runs of Syft or other system utilities that rely on temporary storage being available. The patch has been released in v1.42.3. Syft now cleans up temporary files when an error condition is encountered. There are no workarounds for this vulnerability in Syft. Users that find their temporary storage depleted can manually remove the temporary files.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-33486

Publication date:
26/03/2026
Roadiz is a polymorphic content management system based on a node system that can handle many types of services. A vulnerability in roadiz/documents prior to versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files. Versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 contain a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-33477

Publication date:
26/03/2026
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versions 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an authenticated user with only `read_own` access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the `read_own` enforcement for hover previews. Version 3.11.0 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-32857

Publication date:
26/03/2026
Firecrawl versions 2.8.0 and prior contain a server-side request forgery (SSRF) protection bypass vulnerability in the Playwright scraping service, where network policy validation is applied only to the initial user-supplied URL and not to subsequent redirect destinations. Attackers can supply an externally valid URL that passes validation and returns an HTTP redirect to an internal or restricted resource, allowing the browser to follow the redirect and fetch the final destination without revalidation, thereby gaining access to internal network services and sensitive endpoints. This issue is distinct from CVE-2024-56800, which describes redirect-based SSRF generally. This vulnerability specifically arises from a post-redirect enforcement gap in the implemented SSRF protections, where validation is applied only to the initial request and not to the final redirected destination.
Severity CVSS v4.0: HIGH
Last modification:
26/03/2026

CVE-2026-3112

Publication date:
26/03/2026
Mattermost versions 11.4.x
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-3113

Publication date:
26/03/2026
Mattermost versions 11.4.x
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-3114

Publication date:
26/03/2026
Mattermost versions 11.4.x
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-3115

Publication date:
26/03/2026
Mattermost versions 11.2.x
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-3116

Publication date:
26/03/2026
Mattermost Plugins versions
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-4867

Publication date:
26/03/2026
Impact:

A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.

Patches:

Upgrade to path-to-regexp@0.1.13

Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.

Workarounds:

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-33468

Publication date:
26/03/2026
Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ESCAPES` is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses `ImmediateValueTransformer` to inline values, specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`. Version 0.28.14 contains a fix.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026