Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-26069
Publication date:
12/02/2026
Scraparr is a Prometheus Exporter for various components of the *arr Suite. From 3.0.0-beta to before 3.0.2, when the Readarr integration was enabled, the exporter exposed the configured Readarr API key as the alias metric label value. Users were affected only if all of the following conditions are met, Readarr scraping feature was enabled and no alias configured, the exporter’s /metrics endpoint was accessible to external or unauthorized users, and the Readarr instance is externally accessible. If the /metrics endpoint was publicly accessible, the Readarr API key could have been disclosed via exported metrics data. This vulnerability is fixed in 3.0.2.
Severity CVSS v4.0: CRITICAL
Last modification:
13/02/2026

CVE-2026-26075
Publication date:
12/02/2026
FastGPT is an AI Agent building platform. Due to the fact that FastGPT's web page acquisition nodes, HTTP nodes, etc. need to initiate data acquisition requests from the server, there are certain security issues. In addition to implementing internal network isolation in the deployment environment, this optimization has added stricter internal network address detection. This vulnerability is fixed in 4.14.7.
Severity CVSS v4.0: MEDIUM
Last modification:
13/02/2026

CVE-2026-26076
Publication date:
12/02/2026
ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enabled on an ntpd-rs server, an attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to degraded server performance even when a server could otherwise handle the load. This vulnerability is fixed in 1.7.1.
Severity CVSS v4.0: MEDIUM
Last modification:
13/02/2026

CVE-2026-25828
Publication date:
12/02/2026
grub-btrfs through 2026-01-31 (on Arch Linux and derivative distributions) allows initramfs OS command injection because it does not sanitize the $root parameter to resolve_device().
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2026

CVE-2026-1358
Publication date:
12/02/2026
Airleader Master versions 6.381 and prior allow for file uploads without<br /> restriction to multiple webpages running maximum privileges. This could<br /> allow an unauthenticated user to potentially obtain remote code <br /> execution on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
17/02/2026

CVE-2025-14282
Publication date:
12/02/2026
A flaw was found in Dropbear. When running in multi-user mode and authenticating users, the dropbear ssh server does the socket forwardings requested by the remote client as root,<br /> only switching to the logged-in user upon spawning a shell or performing<br /> some operations like reading the user&amp;#39;s files.<br /> With the recent ability of also using unix domain sockets as the forwarding destination any user able to log in via ssh can connect to any unix socket with the root&amp;#39;s credentials, bypassing both file system restrictions and any SO_PEERCRED / SO_PASSCRED checks performed by the peer.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2026

CVE-2025-70845
Publication date:
12/02/2026
lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) exists in the /setting/ page where the "intro" field is not properly sanitized or escaped.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2026

CVE-2026-26005
Publication date:
12/02/2026
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #45, in Clip Bucket V5, The Remote Play allows creating video entries that reference external video URLs without uploading the video files to the server. However, by specifying an internal network host in the video URL, an SSRF can be triggered, causing GET requests to be sent to internal servers. An attacker can exploit this to scan the internal network. Even a regular (non-privileged) user can carry out the attack.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2026

CVE-2026-26011
Publication date:
12/02/2026
navigation2 is a ROS 2 Navigation Framework and System. In 1.3.11 and earlier, a critical heap out-of-bounds write vulnerability exists in Nav2 AMCL&amp;#39;s particle filter clustering logic. By publishing a single crafted geometry_msgs/PoseWithCovarianceStamped message with extreme covariance values to the /initialpose topic, an unauthenticated attacker on the same ROS 2 DDS domain can trigger a negative index write (set-&gt;clusters[-1]) into heap memory preceding the allocated buffer. In Release builds, the sole boundary check (assert) is compiled out, leaving zero runtime protection. This primitive allows controlled corruption of the heap chunk metadata(at least the size of the heap chunk where the set-&gt;clusters is in is controllable by the attacker), potentially leading to further exploitation. At minimum, it provides a reliable single-packet denial of service that kills localization and halts all navigation.
Severity CVSS v4.0: CRITICAL
Last modification:
13/02/2026

CVE-2026-26020
Publication date:
12/02/2026
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.48, an authenticated user could achieve Remote Code Execution (RCE) on the backend server by embedding a disabled block inside a graph. The BlockInstallationBlock — a development tool capable of writing and importing arbitrary Python code — was marked disabled=True, but graph validation did not enforce this flag. This allowed any authenticated user to bypass the restriction by including the block as a node in a graph, rather than calling the block&amp;#39;s execution endpoint directly (which did enforce the flag). This vulnerability is fixed in 0.6.48.
Severity CVSS v4.0: CRITICAL
Last modification:
17/02/2026

CVE-2026-26000
Publication date:
12/02/2026
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it&amp;#39;s possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13.
Severity CVSS v4.0: MEDIUM
Last modification:
19/02/2026

CVE-2026-0619
Publication date:
12/02/2026
A reachable infinite loop via an integer wraparound is present in Silicon Labs&amp;#39; Matter SDK which allows an attacker to trigger a denial of service. A hard reset is required to recover the device.
Severity CVSS v4.0: MEDIUM
Last modification:
13/02/2026
Subscribe to Vulnerabilities