Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-36940
Publication date:
27/01/2026
Easy CD & DVD Cover Creator 4.13 contains a buffer overflow vulnerability in the serial number input field that allows attackers to crash the application. Attackers can generate a 6000-byte payload and paste it into the serial number field to trigger an application crash.
Severity CVSS v4.0: MEDIUM
Last modification:
27/01/2026

CVE-2020-36941
Publication date:
27/01/2026
Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications.
Severity CVSS v4.0: MEDIUM
Last modification:
27/01/2026

CVE-2020-36942
Publication date:
27/01/2026
Victor CMS 1.0 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the profile image upload feature. Attackers can upload a PHP shell to the /img directory and execute system commands by accessing the uploaded file via web browser.
Severity CVSS v4.0: HIGH
Last modification:
27/01/2026

CVE-2020-36946
Publication date:
27/01/2026
SyncBreeze 10.0.28 contains a denial of service vulnerability in the login endpoint that allows remote attackers to crash the service. Attackers can send an oversized payload in the login request to overwhelm the application and potentially disrupt service availability.
Severity CVSS v4.0: HIGH
Last modification:
27/01/2026

CVE-2020-36938
Publication date:
27/01/2026
WinAVR version 20100110 contains an insecure permissions vulnerability that allows authenticated users to modify system files and executables. Attackers can leverage the overly permissive access controls to potentially modify critical DLLs and executable files in the WinAVR installation directory.
Severity CVSS v4.0: HIGH
Last modification:
27/01/2026

CVE-2026-1470
Publication date:
27/01/2026
n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime.<br /> <br /> An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2026-1489
Publication date:
27/01/2026
A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2026-1484
Publication date:
27/01/2026
A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2026-1485
Publication date:
27/01/2026
A flaw was found in Glib&amp;#39;s content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2026-1213
Publication date:
27/01/2026
All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users.This issue affects askbot: 0.12.2.
Severity CVSS v4.0: MEDIUM
Last modification:
27/01/2026

CVE-2025-12387
Publication date:
27/01/2026
A vulnerability in the Pix-Link LV-WR21Q router&amp;#39;s language module allows remote attackers to trigger a denial of service (DoS) by sending a specially crafted HTTP POST request containing non-existing language parameter. This renders the server unable to serve correct lang.js file, which causes administrator panel to not work, resulting in DoS until the language settings is reverted to a correct value. The Denial of Service affects only the administrator panel and does not affect other router functionalities.<br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity CVSS v4.0: MEDIUM
Last modification:
27/01/2026

CVE-2025-41726
Publication date:
27/01/2026
A low privileged remote attacker can execute arbitrary code by sending specially crafted calls to the web service of the Device Manager or locally via an API and can cause integer overflows which then may lead to arbitrary code execution within privileged processes.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026
Subscribe to Vulnerabilities