Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-53968
Publication date:
22/01/2026
This vulnerability arises because there are no limitations on the number<br /> of authentication attempts a user can make. An attacker can exploit <br /> this weakness by continuously sending authentication requests, leading <br /> to a denial-of-service (DoS) condition. This can overwhelm the <br /> authentication system, rendering it unavailable to legitimate users and <br /> potentially causing service disruption. This can also allow attackers to<br /> conduct brute-force attacks to gain unauthorized access.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2025-54816
Publication date:
22/01/2026
This vulnerability occurs when a WebSocket endpoint does not enforce <br /> proper authentication mechanisms, allowing unauthorized users to <br /> establish connections. As a result, attackers can exploit this weakness <br /> to gain unauthorized access to sensitive data or perform unauthorized <br /> actions. Given that no authentication is required, this can lead to <br /> privilege escalation and potentially compromise the security of the <br /> entire system.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2025-25051
Publication date:
22/01/2026
An attacker could decrypt sensitive data, impersonate legitimate users <br /> or devices, and potentially gain access to network resources for lateral<br /> attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2026-23988
Publication date:
22/01/2026
Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2026-24058
Publication date:
22/01/2026
Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim&amp;#39;s public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3.
Severity CVSS v4.0: HIGH
Last modification:
22/01/2026

CVE-2026-24117
Publication date:
22/01/2026
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. The issue has been fixed in version 1.5.0. To workaround this issue, disable the search endpoint with --enable_retrieve_api=false.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2026-23953
Publication date:
22/01/2026
Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g a member of the ‘incus’ group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container’s lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g /tmp). This can be confirmed with a second container with /tmp mounted from the host (A privileged action for validation only). A fix is planned for versions 6.0.6<br /> and 6.21.0, but they have not been released at the time of publication.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2026-23954
Publication date:
22/01/2026
Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2026-23831
Publication date:
22/01/2026
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2026

CVE-2026-20904
Publication date:
22/01/2026
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users&amp;#39; OpenID identities.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2026

CVE-2026-20912
Publication date:
22/01/2026
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2026

CVE-2026-20897
Publication date:
22/01/2026
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2026
Subscribe to Vulnerabilities