Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-21281

Publication date:
13/01/2026
InCopy versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-21274

Publication date:
13/01/2026
Dreamweaver Desktop versions 21.6 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could leverage this vulnerability to bypass security measures and execute unauthorized code. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-21272

Publication date:
13/01/2026
Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. An attacker could leverage this vulnerability to manipulate or inject malicious data into files on the system. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-21271

Publication date:
13/01/2026
Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-21268

Publication date:
13/01/2026
Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-21267

Publication date:
13/01/2026
Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-21226

Publication date:
13/01/2026
Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2025-68949

Publication date:
13/01/2026
n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. This vulnerability is fixed in 2.2.0.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2025-68271

Publication date:
13/01/2026
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval(). Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401). This vulnerability is fixed in 6.10.2.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-21265

Publication date:
13/01/2026
Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. These original certificates are approaching expiration, and devices containing affected certificate versions must update them to maintain Secure Boot functionality and avoid compromising security by losing security fixes related to Windows boot manager or Secure Boot.
The operating system’s certificate update protection mechanism relies on firmware components that might contain defects, which can cause certificate trust updates to fail or behave unpredictably. This leads to potential disruption of the Secure Boot trust chain and requires careful validation and deployment to restore intended security guarantees.

Certificate Authority (CA) | Location | Purpose | Expiration Date
Microsoft Corporation KEK CA 2011 | KEK | Signs updates to the DB and DBX | 06/24/2026
Microsoft Corporation UEFI CA 2011 | DB | Signs 3rd party boot loaders, Option ROMs, etc. | 06/27/2026
Microsoft Windows Production PCA 2011 | DB | Signs the Windows Boot Manager | 10/19/2026

For more information see this CVE and Windows Secure Boot certificate expiration and CA updates.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-20965

Publication date:
13/01/2026
Improper verification of cryptographic signature in Windows Admin Center allows an authorized attacker to elevate privileges locally.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-21221

Publication date:
13/01/2026
Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026