Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-58184
Publication date:
13/02/2026
Rejected reason: reserved but not needed
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2026

CVE-2025-58182
Publication date:
13/02/2026
Rejected reason: reserved but not needed
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2026

CVE-2023-45291
Publication date:
13/02/2026
Rejected reason: reserved but not needed
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2026

CVE-2024-34154
Publication date:
13/02/2026
Rejected reason: reserved but not needed
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2026

CVE-2024-34157
Publication date:
13/02/2026
Rejected reason: reserved but not needed
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2026

CVE-2025-47915
Publication date:
13/02/2026
Rejected reason: reserved but not needed
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2026

CVE-2026-26269
Publication date:
13/02/2026
Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2026

CVE-2026-2441
Publication date:
13/02/2026
Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2026

CVE-2026-26264
Publication date:
13/02/2026
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0rc4 and 1.4.3rc2, a malformed WriteProperty request can trigger a length underflow in the BACnet stack, leading to an out‑of‑bounds read and a crash (DoS). The issue is in wp.c within wp_decode_service_request. When decoding the optional priority context tag, the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode without validating that apdu_size
Severity CVSS v4.0: HIGH
Last modification:
18/02/2026

CVE-2026-26208
Publication date:
13/02/2026
ADB Explorer is a fluent UI for ADB on Windows. Prior to Beta 0.9.26020, ADB Explorer is vulnerable to Insecure Deserialization leading to Remote Code Execution. The application attempts to deserialize the App.txt settings file using Newtonsoft.Json with TypeNameHandling set to Objects. This allows an attacker to supply a crafted JSON file containing a gadget chain (e.g., ObjectDataProvider) to execute arbitrary code when the application launches and subsequently saves its settings. This vulnerability is fixed in Beta 0.9.26020.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2026

CVE-2026-26190
Publication date:
13/02/2026
Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2026

CVE-2026-26187
Publication date:
13/02/2026
lakeFS is an open-source tool that transforms object storage into a Git-like repositories. Prior to 1.77.0, the local block adapter (pkg/block/local/adapter.go) allows authenticated users to read and write files outside their designated storage boundaries. The verifyRelPath function used strings.HasPrefix() to verify that requested paths fall within the configured storage directory. This check was insufficient because it validated only the path prefix without requiring a path separator, allowing access to sibling directories with similar names. Also, the adapter verified that resolved paths stayed within the adapter's base path, but did not verify that object identifiers stayed within their designated storage namespace. This allowed attackers to use path traversal sequences in the object identifier to access files in other namespaces. Fixed in version v1.77.0.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2026
Subscribe to Vulnerabilities