Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-28483
Publication date:
23/03/2026
Rejected reason: This CVE ID has been rejected.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2026

CVE-2026-32012
Publication date:
23/03/2026
Rejected reason: This CVE ID has been rejected.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2026

CVE-2026-32047
Publication date:
23/03/2026
Rejected reason: This CVE ID has been rejected.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2026

CVE-2026-32066
Publication date:
23/03/2026
Rejected reason: This CVE ID has been rejected.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2026

CVE-2026-1940
Publication date:
23/03/2026
An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function. The patch added a size validation check lsize + 8 > size, but it does not account for the GST_ROUND_UP_2(lsize) used in the actual offset calculation. When lsize is an odd number, the parser advances more bytes than validated, causing OOB read.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2026

CVE-2026-27183
Publication date:
23/03/2026
OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, permitting exactly four transparent dispatch wrappers like repeated env invocations before /bin/sh -c to bypass security=allowlist approval gating by misaligning classification with execution planning.
Severity CVSS v4.0: LOW
Last modification:
23/03/2026

CVE-2026-27646
Publication date:
23/03/2026
OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command that allows authorized sandboxed sessions to initialize host-side ACP runtime. Attackers can bypass sandbox restrictions by invoking the /acp spawn slash-command to cross from sandboxed chat context into host-side ACP session initialization when ACP is enabled.
Severity CVSS v4.0: MEDIUM
Last modification:
23/03/2026

CVE-2026-22173
Publication date:
23/03/2026
Rejected reason: This CVE ID has been rejected.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2026

CVE-2026-28455
Publication date:
23/03/2026
Rejected reason: This CVE ID has been rejected.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2026

CVE-2025-60949
Publication date:
23/03/2026
Census CSWeb 8.0.1 allows "app/config" to be reachable via HTTP in some deployments. A remote, unauthenticated attacker could send requests to configuration files and obtain leaked secrets. Fixed in 8.1.0 alpha.
Severity CVSS v4.0: CRITICAL
Last modification:
23/03/2026

CVE-2025-60946
Publication date:
23/03/2026
Census CSWeb 8.0.1 allows arbitrary file path input. A remote, authenticated attacker could access unintended file directories. Fixed in 8.1.0 alpha.
Severity CVSS v4.0: HIGH
Last modification:
23/03/2026

CVE-2025-60947
Publication date:
23/03/2026
Census CSWeb 8.0.1 allows arbitrary file upload. A remote, authenticated attacker could upload a malicious file, possibly leading to remote code execution. Fixed in 8.1.0 alpha.
Severity CVSS v4.0: HIGH
Last modification:
23/03/2026
Subscribe to Vulnerabilities