Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-2741
Publication date:
10/03/2026
Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. <br /> <br /> Vaadin’s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory.<br /> <br /> <br /> Users of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 15.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer.<br /> <br /> Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.
Severity CVSS v4.0: LOW
Last modification:
07/05/2026

CVE-2026-2339
Publication date:
10/03/2026
Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Remote Code Inclusion, Privilege Abuse, Command Injection.<br /> <br /> This issue affects Liderahenk: before 3.5.1.
Severity CVSS v4.0: Pending analysis
Last modification:
06/06/2026

CVE-2026-27661
Publication date:
10/03/2026
A vulnerability has been identified in SINEC Security Monitor (All versions
Severity CVSS v4.0: MEDIUM
Last modification:
17/03/2026

CVE-2026-26738
Publication date:
10/03/2026
Buffer Overflow vulnerability in Uderzo Software SpaceSniffer v.2.0.5.18 allows a remote attacker to execute arbitrary code via a crafted .sns snapshot file.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-26144
Publication date:
10/03/2026
Improper neutralization of input during web page generation (&amp;#39;cross-site scripting&amp;#39;) in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2026

CVE-2026-26148
Publication date:
10/03/2026
External initialization of trusted variables or data stores in Azure Entra ID allows an unauthorized attacker to elevate privileges locally.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2026

CVE-2026-26130
Publication date:
10/03/2026
Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2026-26131
Publication date:
10/03/2026
Incorrect default permissions in .NET allows an authorized attacker to elevate privileges locally.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2026-26132
Publication date:
10/03/2026
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2026

CVE-2026-26134
Publication date:
10/03/2026
Integer overflow or wraparound in Microsoft Office allows an authorized attacker to elevate privileges locally.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2026

CVE-2026-26141
Publication date:
10/03/2026
Improper authentication in Azure Arc allows an authorized attacker to elevate privileges locally.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2026

CVE-2026-26117
Publication date:
10/03/2026
Authentication bypass using an alternate path or channel in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2026
Subscribe to Vulnerabilities