Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-59471
Publication date:
26/01/2026
A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.<br /> <br /> Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2026-23864
Publication date:
26/01/2026
Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.<br /> <br /> The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.<br /> <br /> Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2025-9522
Publication date:
26/01/2026
Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information.
Severity CVSS v4.0: MEDIUM
Last modification:
26/01/2026

CVE-2025-9615
Publication date:
26/01/2026
A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system&amp;#39;s network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2025-9820
Publication date:
26/01/2026
A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2026-1190
Publication date:
26/01/2026
A flaw was found in Keycloak&amp;#39;s SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2026-1443
Publication date:
26/01/2026
A flaw has been found in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /Administrator/PHP/AdminDeleteUser.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
26/01/2026

CVE-2026-0810
Publication date:
26/01/2026
A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2025-14525
Publication date:
26/01/2026
A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action can overwhelm the system&amp;#39;s ability to store VM configuration updates, effectively blocking changes to the Virtual Machine Instance (VMI). This allows the VM user to restrict the VM administrator&amp;#39;s ability to manage the VM, leading to a denial of service for administrative operations.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2025-14969
Publication date:
26/01/2026
A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action may lead to leaking connections from the database connection pool, potentially causing a Denial of Service (DoS) by exhausting available database connections.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2025-9520
Publication date:
26/01/2026
An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account.
Severity CVSS v4.0: HIGH
Last modification:
26/01/2026

CVE-2025-9521
Publication date:
26/01/2026
Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to weakened account security.
Severity CVSS v4.0: LOW
Last modification:
26/01/2026
Subscribe to Vulnerabilities