Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-22045
Publication date:
15/01/2026
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2026

CVE-2026-22863
Publication date:
15/01/2026
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0.
Severity CVSS v4.0: CRITICAL
Last modification:
16/01/2026

CVE-2026-22864
Publication date:
15/01/2026
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2026

CVE-2026-1008
Publication date:
15/01/2026
A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques.<br /> The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2026

CVE-2025-68671
Publication date:
15/01/2026
lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS&amp;#39;s S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2026

CVE-2026-0915
Publication date:
15/01/2026
Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library&amp;#39;s DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2026

CVE-2025-67823
Publication date:
15/01/2026
A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input validation. A successful exploit requires user interaction where the email channel is enabled. This could allow an attacker to execute arbitrary scripts in the victim&amp;#39;s browser or desktop client application.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2026

CVE-2023-7334
Publication date:
15/01/2026
Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation on 2023-08-19 (UTC).
Severity CVSS v4.0: CRITICAL
Last modification:
16/01/2026

CVE-2025-67822
Publication date:
15/01/2026
A vulnerability in the Provisioning Manager component of Mitel MiVoice MX-ONE 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14) could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication mechanisms. A successful exploit could allow an attacker to gain unauthorized access to user or admin accounts in the system.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2026

CVE-2011-10041
Publication date:
15/01/2026
Uploadify WordPress plugin versions up to and including 1.0 contain an arbitrary file upload vulnerability in process_upload.php due to missing file type validation. An unauthenticated remote attacker can upload arbitrary files to the affected WordPress site, which may allow remote code execution by uploading executable content to a web-accessible location.
Severity CVSS v4.0: CRITICAL
Last modification:
16/01/2026

CVE-2026-21918
Publication date:
15/01/2026
A Double Free vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX and MX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On all SRX and MX Series platforms, when during TCP session establishment a specific sequence of packets is encountered a double free happens. This causes flowd to crash and the respective FPC to restart.<br /> <br /> <br /> <br /> <br /> <br /> This issue affects Junos OS on SRX and MX Series:<br /> <br /> <br /> <br /> * all versions before 22.4R3-S7,<br /> * 23.2 versions before 23.2R2-S3,<br /> * 23.4 versions before 23.4R2-S4,<br /> * 24.2 versions before 24.2R2.
Severity CVSS v4.0: HIGH
Last modification:
16/01/2026

CVE-2026-21920
Publication date:
15/01/2026
An Unchecked Return Value vulnerability in the DNS module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).<br /> <br /> <br /> <br /> <br /> If an SRX Series device configured for DNS processing, receives a specifically formatted DNS request flowd will crash and restart, which causes a service interruption until the process has recovered.<br /> <br /> This issue affects Junos OS on SRX Series:<br /> <br /> <br /> <br /> * 23.4 versions before 23.4R2-S5,<br /> * 24.2 versions before 24.2R2-S1,<br /> * 24.4 versions before 24.4R2.<br /> <br /> <br /> <br /> <br /> <br /> <br /> This issue does not affect Junos OS versions before 23.4R1.
Severity CVSS v4.0: HIGH
Last modification:
16/01/2026
Subscribe to Vulnerabilities