Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-1685

Publication date:
30/01/2026
A vulnerability was identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_40AC74 of the component Login. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. This attack is characterized by high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used.
Severity CVSS v4.0: MEDIUM
Last modification:
30/01/2026

CVE-2024-4027

Publication date:
30/01/2026
A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2026-1682

Publication date:
30/01/2026
A flaw has been found in Free5GC SMF up to 4.1.0. Affected is the function HandlePfcpAssociationReleaseRequest of the file internal/pfcp/handler/handler.go of the component PFCP UDP Endpoint. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been published and may be used. A patch should be applied to remediate this issue.
Severity CVSS v4.0: MEDIUM
Last modification:
30/01/2026

CVE-2026-1683

Publication date:
30/01/2026
A vulnerability has been found in Free5GC SMF up to 4.1.0. Affected by this vulnerability is the function HandlePfcpSessionReportRequest of the file internal/pfcp/handler/handler.go of the component PFCP. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. To fix this issue, it is recommended to deploy a patch.
Severity CVSS v4.0: MEDIUM
Last modification:
30/01/2026

CVE-2025-6723

Publication date:
30/01/2026
Chef InSpec up to version 5.23 creates named pipes with overly permissive default Windows access controls. A local attacker may interfere with the pipe connection process and exploit the insufficient access restrictions to assume the InSpec execution context, potentially resulting in elevated privileges or operational disruption. This issue affects Chef InSpec: through 5.23.
Severity CVSS v4.0: MEDIUM
Last modification:
30/01/2026

CVE-2025-9226

Publication date:
30/01/2026
Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2026-1498

Publication date:
30/01/2026
An LDAP Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from a connected LDAP authentication server through an exposed authentication or management web interface. This vulnerability may also allow a remote attacker to authenticate as an LDAP user with a partial identifier if they additionally have that user's valid passphrase. This issue affects Fireware OS: from 12.0 through 12.11.6, from 12.5 through 12.5.15, from 2025.1 through 2026.0.
Severity CVSS v4.0: HIGH
Last modification:
30/01/2026

CVE-2025-13176

Publication date:
30/01/2026
Planting a custom configuration file in ESET Inspect Connector allows loading a malicious DLL.
Severity CVSS v4.0: HIGH
Last modification:
30/01/2026

CVE-2026-22626

Publication date:
30/01/2026
Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2026-0709

Publication date:
30/01/2026
Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2026-22623

Publication date:
30/01/2026
Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2026-22624

Publication date:
30/01/2026
Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026