Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-24736
Publication date:
27/01/2026
Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook configuration does not appear to validate or restrict destination IP addresses. It accepts local addresses such as 127.0.0.1 or localhost. When a rule is triggered (Either manual trigger by manually calling the trigger endpoint or by a content update or any other triggers), the backend server executes an HTTP request to the user-supplied URL. Crucially, the server logs the full HTTP response in the rule execution log (lastDump field), which is accessible via the API. Which turns a "Blind" SSRF into a "Full Read" SSRF. As of time of publication, no patched versions are available.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026

CVE-2026-1504
Publication date:
27/01/2026
Inappropriate implementation in Background Fetch API in Google Chrome prior to 144.0.7559.110 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2026

CVE-2025-21589
Publication date:
27/01/2026
An Authentication Bypass Using an<br /> Alternate Path or Channel vulnerability in Juniper Networks Session Smart<br /> Router may allows a network-based attacker to bypass authentication<br /> and take administrative control of the device.<br /> <br /> This issue affects Session Smart Router: <br /> <br /> <br /> <br /> * from 5.6.7 before 5.6.17, <br /> * from 6.0 before 6.0.8 (affected from 6.0.8),<br /> <br /> * from 6.1 before 6.1.12-lts, <br /> * from 6.2 before 6.2.8-lts, <br /> * from 6.3 before 6.3.3-r2; <br /> <br /> <br /> <br /> <br /> This issue affects Session Smart Conductor: <br /> <br /> <br /> <br /> * from 5.6.7 before 5.6.17, <br /> * from 6.0 before 6.0.8 (affected from 6.0.8),<br /> <br /> * from 6.1 before 6.1.12-lts, <br /> * from 6.2 before 6.2.8-lts, <br /> * from 6.3 before 6.3.3-r2; <br /> <br /> <br /> <br /> <br /> This issue affects WAN Assurance Managed Routers: <br /> <br /> <br /> <br /> * from 5.6.7 before 5.6.17, <br /> * from 6.0 before 6.0.8 (affected from 6.0.8),<br /> <br /> * from 6.1 before 6.1.12-lts, <br /> * from 6.2 before 6.2.8-lts, <br /> * from 6.3 before 6.3.3-r2.
Severity CVSS v4.0: CRITICAL
Last modification:
29/01/2026

CVE-2026-24858
Publication date:
27/01/2026
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026

CVE-2026-24771
Publication date:
27/01/2026
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim&amp;#39;s browser. Version 4.11.7 patches the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2026

CVE-2026-24688
Publication date:
27/01/2026
pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually.
Severity CVSS v4.0: MEDIUM
Last modification:
06/02/2026

CVE-2026-24473
Publication date:
27/01/2026
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
04/02/2026

CVE-2026-24472
Publication date:
27/01/2026
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2026

CVE-2025-14988
Publication date:
27/01/2026
A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system.
Severity CVSS v4.0: CRITICAL
Last modification:
29/01/2026

CVE-2025-12810
Publication date:
27/01/2026
Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules).This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25.<br /> <br /> A secret with "change password on check in" enabled automatically checks in even when the password change fails after reaching its retry limit. This leaves the secret in an inconsistent state with the wrong password.<br /> <br /> Remediation: Upgrade to 11.9.47 or later. The secret will remain checked out when the password change fails.
Severity CVSS v4.0: MEDIUM
Last modification:
06/02/2026

CVE-2026-24116
Publication date:
27/01/2026
Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime&amp;#39;s compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it&amp;#39;s possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it&amp;#39;s not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime.
Severity CVSS v4.0: MEDIUM
Last modification:
29/01/2026

CVE-2026-24881
Publication date:
27/01/2026
In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026
Subscribe to Vulnerabilities