Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-3441

Publication date:
16/03/2026
A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
16/03/2026

CVE-2026-3442

Publication date:
16/03/2026
A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
16/03/2026

CVE-2026-3086

Publication date:
16/03/2026
GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the processing of APS units. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28911.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2026-3085

Publication date:
16/03/2026
GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the processing of X-QDM RTP payloads. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28851.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2026-3084

Publication date:
16/03/2026
GStreamer H.266 Codec Parser Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the parsing of picture partitions. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28910.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2026-3083

Publication date:
16/03/2026
GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the processing of X-QDM RTP payload elements. When parsing the packetid element, the process does not properly validate user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28850.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2026-3082

Publication date:
16/03/2026
GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the processing of Huffman tables. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28840.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2026-3081

Publication date:
16/03/2026
GStreamer H.266 Codec Parser Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the parsing of decoding units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28839.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2026-3110

Publication date:
16/03/2026
Insecure Direct Object Reference (IDOR) vulnerability in Campus Educativa specifically at the endpoint '/administracion/admin_usuarios.cgi?filtro_estado=T&wAccion=listado_xlsx&wBuscar=&wFiltrar=&wOrden=alta_usuario&wid_cursoActual=[ID]' where the data of users enrolled in the course is exported. Successful exploitation of this vulnerability could allow an unauthenticated attacker to access user data (e.g., usernames, first and last names, email addresses, and phone numbers) and retrieve the data of all users enrolled in courses by performing a brute-force attack on the course ID via a manipulated URL.
Severity CVSS v4.0: HIGH
Last modification:
16/03/2026

CVE-2026-3020

Publication date:
16/03/2026
Identity based authorization bypass vulnerability (IDOR) that allows an attacker to modify the data of a legitimate user account, such as changing the victim's email address, validating the new email address, and requesting a new password. This could allow them to take complete control of other users' legitimate accounts.
Severity CVSS v4.0: HIGH
Last modification:
16/03/2026

CVE-2026-3021

Publication date:
16/03/2026
Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/centro/equipo/empleado'. This vulnerability could allow an authenticated user to alter a GET request to the affected endpoint for the purpose of injecting special NoSQL commands. This would lead to the enumeration of sensitive employee data.
Severity CVSS v4.0: HIGH
Last modification:
16/03/2026

CVE-2026-3022

Publication date:
16/03/2026
Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/hospitalization/generate-hospitalization-summary'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting special NoSQL commands, resulting in the attacker being able to obtain customer reports.
Severity CVSS v4.0: HIGH
Last modification:
16/03/2026