Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database). By virtue of a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-3185

Publication date:
25/02/2026
A vulnerability was found in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected is an unknown function of the file /api/admin/sys-message/ of the component API Endpoint. The manipulation of the argument messageId results in authorization bypass. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 1.3.3-beta is able to address this issue. The patch is identified as aefaabfd7527188bfba3c8c9eee17c316d094802. The affected component should be upgraded. The project was informed beforehand and acted very professionally: "We have implemented message ownership verification, so that users can only query messages related to themselves."
Severity CVSS v4.0: MEDIUM
Last modification:
26/02/2026

CVE-2026-3186

Publication date:
25/02/2026
A vulnerability was determined in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this vulnerability is an unknown functionality of the file /api/admin/sys-user/reset/password/ of the component Password Reset Handler. This manipulation of the argument userId causes use of a default password. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.3.3-beta addresses this issue. Patch name: aefaabfd7527188bfba3c8c9eee17c316d094802. It is suggested to upgrade the affected component. The project was informed beforehand and acted very professionally: "We have added authorization validation to the password reset interface; now only users with the corresponding permissions are allowed to perform password resets."
Severity CVSS v4.0: MEDIUM
Last modification:
26/02/2026

CVE-2026-28193

Publication date:
25/02/2026
In JetBrains YouTrack before 2025.3.121962, apps were able to send requests to the app permissions endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2026

CVE-2026-28194

Publication date:
25/02/2026
In JetBrains TeamCity before 2025.11.3, an open redirect was possible in the React project creation flow.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2026

CVE-2026-21725

Publication date:
25/02/2026
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.

This requires several very stringent conditions to be met:

- The attacker must have admin access to the specific datasource prior to its first deletion.
- Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.
- The attacker must delete the datasource, then someone must recreate it.
- The new datasource must not have the attacker as an admin.
- The new datasource must have the same UID as the prior datasource. These are randomised by default.
- The datasource can now be re-deleted by the attacker.
- Once 30 seconds are up, the attack is spent and cannot be repeated.
- No datasource with any other UID can be attacked.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2026

CVE-2026-2624

Publication date:
25/02/2026
Missing Authentication for Critical Function vulnerability in ePati Cyber Security Technologies Inc. Antikor Next Generation Firewall (NGFW) allows Authentication Bypass. This issue affects Antikor Next Generation Firewall (NGFW): from v.2.0.1298 before v.2.0.1301.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2026

CVE-2026-0704

Publication date:
25/02/2026
In affected versions of Octopus Deploy it was possible to remove files and/or the contents of files on the host using an API endpoint. The field lacked validation, which could potentially result in ways to circumvent expected workflows.
Severity CVSS v4.0: MEDIUM
Last modification:
27/02/2026

CVE-2026-25701

Publication date:
25/02/2026
An Insecure Temporary File vulnerability in openSUSE sdbootutil allows local users to pre-create a directory to achieve various effects like:

* gain access to possible private information found in /var/lib/pcrlock.d
* manipulate the data backed up in /tmp/pcrlock.d.bak, therefore violating the integrity of the data should it be restored.
* overwrite protected system files with data from /var/lib/pcrlock.d by placing symlinks to existing files in the directory tree in /tmp/pcrlock.d.bak.

This issue affects sdbootutil: from ? before 5880246d3a02642dc68f5c8cb474bf63cdb56bca.
Severity CVSS v4.0: HIGH
Last modification:
25/02/2026

CVE-2026-3118

Publication date:
25/02/2026
A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2026

CVE-2026-26104

Publication date:
25/02/2026
A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2026

CVE-2025-67601

Publication date:
25/02/2026
A vulnerability has been identified within Rancher Manager, where using self-signed CA certificates and passing the -skip-verify flag to the Rancher CLI login command without also passing the --cacert flag results in the CLI attempting to fetch CA certificates stored in Rancher's setting cacerts.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2026

CVE-2025-67860

Publication date:
25/02/2026
A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2026