Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-24132
Publication date:
23/01/2026
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions <br /> 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2026-24137
Publication date:
23/01/2026
sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2026

CVE-2026-20613
Publication date:
23/01/2026
The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2026

CVE-2026-24307
Publication date:
22/01/2026
Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2026-24124
Publication date:
22/01/2026
Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.
Severity CVSS v4.0: HIGH
Last modification:
22/01/2026

CVE-2026-24129
Publication date:
22/01/2026
Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups. The system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file containing shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. The successful storage of the file is what allows the subsequent restore command to reference and execute it. This issue has been fixed in version 4.7.0.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2026-24130
Publication date:
22/01/2026
Moonraker is a Python web server providing API access to Klipper 3D printing firmware. In versions 0.9.3 and below, instances configured with the "ldap" component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover LDAP entries on the server such as user IDs and user attributes. This issue has been fixed in version 0.10.0.
Severity CVSS v4.0: LOW
Last modification:
22/01/2026

CVE-2026-24305
Publication date:
22/01/2026
Azure Entra ID Elevation of Privilege Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2026-24306
Publication date:
22/01/2026
Improper access control in Azure Front Door (AFD) allows an unauthorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2026-21227
Publication date:
22/01/2026
Improper limitation of a pathname to a restricted directory (&amp;#39;path traversal&amp;#39;) in Azure Logic Apps allows an unauthorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2026-21264
Publication date:
22/01/2026
Improper neutralization of input during web page generation (&amp;#39;cross-site scripting&amp;#39;) in Microsoft Account allows an unauthorized attacker to perform spoofing over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2026-21520
Publication date:
22/01/2026
Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows a unauthenticated attacker to view sensitive information through network attack vector
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026
Subscribe to Vulnerabilities