Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we provide a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-22798

Publication date:
12/01/2026
hermes is an implementation of the HERMES workflow to automate software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1.
Severity CVSS v4.0: Pending analysis
Last modification:
13/01/2026

CVE-2026-22799

Publication date:
12/01/2026
Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key or admin session cookie) to upload arbitrary files (including malicious PHP scripts) to the server. An attacker can obtain the API key either by gaining administrator access to enable the REST API setting, or via information disclosure vulnerabilities in the application. Once uploaded, the malicious PHP file can be executed to gain remote code execution (RCE) on the target server, leading to full server compromise.
Severity CVSS v4.0: CRITICAL
Last modification:
13/01/2026

CVE-2025-29329

Publication date:
12/01/2026
Buffer Overflow in the ippprint (Internet Printing Protocol) service in Sagemcom F@st 3686 MAGYAR_4.121.0 allows a remote attacker to execute arbitrary code by sending a crafted HTTP request.
Severity CVSS v4.0: Pending analysis
Last modification:
12/01/2026

CVE-2025-12420

Publication date:
12/01/2026
A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update to hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so.
Severity CVSS v4.0: CRITICAL
Last modification:
13/01/2026

CVE-2025-67146

Publication date:
12/01/2026
Multiple SQL Injection vulnerabilities exist in AbhishekMali21 GYM-MANAGEMENT-SYSTEM 1.0 via the 'name' parameter in (1) member_search.php, (2) trainer_search.php, and (3) gym_search.php, and via the 'id' parameter in (4) payment_search.php. An unauthenticated remote attacker can exploit these issues to inject malicious SQL commands, leading to unauthorized data extraction, authentication bypass, or modification of database contents.
Severity CVSS v4.0: Pending analysis
Last modification:
13/01/2026

CVE-2026-22772

Publication date:
12/01/2026
Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF can only trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller, so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5.
Severity CVSS v4.0: Pending analysis
Last modification:
13/01/2026

CVE-2025-67147

Publication date:
12/01/2026
Multiple SQL Injection vulnerabilities exist in amansuryawanshi Gym-Management-System-PHP 1.0 via the 'name', 'email', and 'comment' parameters in (1) submit_contact.php, the 'username' and 'pass_key' parameters in (2) secure_login.php, and the 'login_id', 'pwfield', and 'login_key' parameters in (3) change_s_pwd.php. An unauthenticated or authenticated attacker can exploit these issues to bypass authentication, execute arbitrary SQL commands, modify database records, delete data, or escalate privileges to administrator level.
Severity CVSS v4.0: Pending analysis
Last modification:
13/01/2026

CVE-2021-41074

Publication date:
12/01/2026
A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document.
Severity CVSS v4.0: Pending analysis
Last modification:
13/01/2026

CVE-2025-66802

Publication date:
12/01/2026
Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE (Remote Code Execution). The application receives a reverse shell (php) into imagem of the user enabling RCE.
Severity CVSS v4.0: Pending analysis
Last modification:
13/01/2026

CVE-2023-36331

Publication date:
12/01/2026
Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId.
Severity CVSS v4.0: Pending analysis
Last modification:
13/01/2026

CVE-2025-51567

Publication date:
12/01/2026
A SQL Injection was found in the /exam/user/profile.php page of kashipara Online Exam System V1.0, which allows remote attackers to execute arbitrary SQL commands to get unauthorized database access via the rname, rcollage, rnumber, rgender and rpassword parameters in a POST HTTP request.
Severity CVSS v4.0: Pending analysis
Last modification:
13/01/2026

CVE-2026-22784

Publication date:
12/01/2026
Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0.
Severity CVSS v4.0: LOW
Last modification:
13/01/2026