Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we make available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. Entries are identified by their CVE (Common Vulnerabilities and Exposures) identifier, the standard naming scheme for publicly known vulnerabilities, so that information can be exchanged between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can receive daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2026-48587

Publication date:
03/06/2026
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Navid Rezazadeh for reporting this issue.
Severity CVSS v4.0: LOW
Last modification:
03/06/2026

CVE-2026-44545

Publication date:
03/06/2026
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2026-44546

Publication date:
03/06/2026
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026
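The parser differential described for CVE-2026-44546 can be reproduced with plain Python, since the behaviour that matters is `str.splitlines()` itself. The following is an added example, not daphne's or autobahn's own code: it splits one constructed header block the two ways (CRLF/LF only versus `splitlines()`), shows the extra header that appears on the `splitlines()` side, and implements a pre-handshake check in the spirit of daphne's fix that answers 400 when any header value carries one of the listed bytes. Decoding header bytes as latin-1, the function names, and the sample request are assumptions made for the example.

```python
from typing import List, Optional, Tuple

# Characters that str.splitlines() treats as line boundaries but that a parser
# splitting header lines only on CRLF / LF does not. The set is the one named
# in the advisory (splitlines() also breaks on \r, \n, \u2028 and \u2029).
EXTRA_LINE_BREAKS = ("\x0b", "\x0c", "\x1c", "\x1d", "\x1e", "\x85")


def crlf_parser_lines(raw: bytes) -> List[str]:
    """Split a raw header block on CRLF/LF only (the Twisted side).

    Decoding as latin-1 is an assumption made so every byte maps to one character.
    """
    text = raw.decode("latin-1").replace("\r\n", "\n")
    return [line for line in text.split("\n") if line]


def splitlines_parser_lines(raw: bytes) -> List[str]:
    """Split the same block with str.splitlines() (the autobahn side)."""
    return [line for line in raw.decode("latin-1").splitlines() if line]


def headers_from_lines(lines: List[str]) -> dict:
    """Turn 'Name: value' lines into a dict keyed by lowercase name."""
    out = {}
    for line in lines:
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out


def has_forbidden_line_separator(value: bytes) -> bool:
    """True if a header value contains a byte that splitlines() would break on."""
    text = value.decode("latin-1")
    return any(ch in text for ch in EXTRA_LINE_BREAKS)


def check_request_headers(headers: List[Tuple[bytes, bytes]]) -> Optional[int]:
    """Pre-handshake check modelled on daphne's fix (not its code):
    400 if any header value carries a separator byte, None if clean."""
    for _name, value in headers:
        if has_forbidden_line_separator(value):
            return 400
    return None


# Constructed sample: one request header whose value embeds a form feed (\x0c)
# followed by text shaped like a second header line.
SMUGGLED_BLOCK = (
    b"Host: example.test\r\n"
    b"X-Forwarded-For: 10.0.0.1\x0cX-Admin: true\r\n"
)
SMUGGLED_HEADERS = [
    (b"host", b"example.test"),
    (b"x-forwarded-for", b"10.0.0.1\x0cX-Admin: true"),
]

if __name__ == "__main__":
    # Two headers on the CRLF side, three (including x-admin) on the splitlines side.
    print(headers_from_lines(crlf_parser_lines(SMUGGLED_BLOCK)))
    print(headers_from_lines(splitlines_parser_lines(SMUGGLED_BLOCK)))
    print(check_request_headers(SMUGGLED_HEADERS))
```

The check is deliberately applied to header values before any reconstruction of the raw request; rejecting at that point means the two parsers never see different line structures for the same bytes.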

CVE-2026-37460

Publication date:
03/06/2026
Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2026-35193

Publication date:
03/06/2026
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Shai Berger for reporting this issue.
Severity CVSS v4.0: LOW
Last modification:
03/06/2026

CVE-2026-10729

Publication date:
03/06/2026
An HTML injection vulnerability in the notification email for "Slow Redirect" and "Cloned Website" Canarytokens exists in Thinkst Applied Research Canarytokens, enabling Interface Manipulation and Cross-Site Scripting (XSS) in email clients that render HTML emails. This issue affects Canarytokens: from Docker tag sha-c42435e before sha-bfda4df, from Git commit c42435e before bfda4df.
Severity CVSS v4.0: LOW
Last modification:
03/06/2026

CVE-2025-60477

Publication date:
03/06/2026
A NULL pointer dereference in the gf_filter_pid_resolve_file_template_ex function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2025-70100

Publication date:
03/06/2026
A divide-by-zero vulnerability in the ext4_block_set_lb_size function in src/ext4_blockdev.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by providing a malformed ext4 filesystem image that results in a zero logical block size. The vulnerability is triggered during mount or image processing and leads to a Floating-Point Exception (FPE) under sanitizers or a runtime crash in standard builds due to missing validation of lb_size.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2025-70101

Publication date:
03/06/2026
An out-of-bounds read in the ext4_ext_binsearch_idx function in src/ext4_extent.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by supplying a specially crafted ext4 filesystem image. The vulnerability occurs due to insufficient validation of extent header fields before performing a binary search over extent index entries, which can result in invalid pointer calculations and an out-of-bounds memory read during extent tree traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2024-47263

Publication date:
03/06/2026
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup.Repository webapi component in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users with administrator privileges to write specific files containing non-sensitive information via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2024-47273

Publication date:
03/06/2026
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup Task functionality in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users to write specific files via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2022-49042

Publication date:
03/06/2026
An inclusion of functionality from untrusted control sphere vulnerability in MinGW DLL component in Synology Hyper Backup Explorer before 3.0.1-0156 allows local users to execute arbitrary code via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026