Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-24738

Publication date:
27/01/2026
gmrtd is a Go library for reading Machine Readable Travel Documents (MRTDs). Prior to version 0.17.2, ReadFile accepts TLVs with lengths that can range up to 4GB, which can cause unconstrained resource consumption in both memory and CPU cycles. ReadFile can consume an extended TLV with lengths well outside what would be available in ICs. It can accept something all the way up to 4GB, which would take too many iterations in 256 byte chunks, and would also try to allocate memory that might not be available in constrained environments like phones. If an API sends data to ReadFile, the same problem applies. The very small chunked read also locks the goroutine in accepting data for a very large number of iterations. Projects using the gmrtd library to read files from NFCs can experience extreme slowdowns or memory consumption. A malicious NFC can just behave like the mock transceiver described above and, by just sending dummy bytes as each chunk to be read, can make the receiving thread unresponsive and fill up memory on the host system. Version 0.17.2 patches the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
27/01/2026

CVE-2026-24740

Publication date:
27/01/2026
Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle's agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell in out-of-scope containers (for example, `env=prod`) on the same agent host by directly targeting their container IDs. Version 9.0.3 contains a patch for the issue.
Severity CVSS v4.0: HIGH
Last modification:
27/01/2026

CVE-2026-24736

Publication date:
27/01/2026
Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook configuration does not appear to validate or restrict destination IP addresses. It accepts local addresses such as 127.0.0.1 or localhost. When a rule is triggered (either manually, by calling the trigger endpoint, or by a content update or any other trigger), the backend server executes an HTTP request to the user-supplied URL. Crucially, the server logs the full HTTP response in the rule execution log (lastDump field), which is accessible via the API, turning a "Blind" SSRF into a "Full Read" SSRF. As of the time of publication, no patched versions are available.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2026-1504

Publication date:
27/01/2026
Inappropriate implementation in Background Fetch API in Google Chrome prior to 144.0.7559.110 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2025-21589

Publication date:
27/01/2026
An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based attacker to bypass authentication and take administrative control of the device.

This issue affects Session Smart Router:
* from 5.6.7 before 5.6.17,
* from 6.0 before 6.0.8 (affected from 6.0.8),
* from 6.1 before 6.1.12-lts,
* from 6.2 before 6.2.8-lts,
* from 6.3 before 6.3.3-r2;

This issue affects Session Smart Conductor:
* from 5.6.7 before 5.6.17,
* from 6.0 before 6.0.8 (affected from 6.0.8),
* from 6.1 before 6.1.12-lts,
* from 6.2 before 6.2.8-lts,
* from 6.3 before 6.3.3-r2;

This issue affects WAN Assurance Managed Routers:
* from 5.6.7 before 5.6.17,
* from 6.0 before 6.0.8 (affected from 6.0.8),
* from 6.1 before 6.1.12-lts,
* from 6.2 before 6.2.8-lts,
* from 6.3 before 6.3.3-r2.
Severity CVSS v4.0: CRITICAL
Last modification:
27/01/2026

CVE-2026-24858

Publication date:
27/01/2026
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2026-24688

Publication date:
27/01/2026
pypdf is a free and open-source pure-python PDF library. An infinite loop vulnerability present in versions prior to 6.6.2 allows an attacker to craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually.
Severity CVSS v4.0: MEDIUM
Last modification:
27/01/2026

CVE-2026-24771

Publication date:
27/01/2026
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2026-24473

Publication date:
27/01/2026
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, the Serve Static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
27/01/2026

CVE-2026-24472

Publication date:
27/01/2026
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, the Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2025-14988

Publication date:
27/01/2026
A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system.
Severity CVSS v4.0: CRITICAL
Last modification:
27/01/2026

CVE-2025-12810

Publication date:
27/01/2026
Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules). This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25.

A secret with "change password on check in" enabled automatically checks in even when the password change fails after reaching its retry limit. This leaves the secret in an inconsistent state with the wrong password.

Remediation: Upgrade to 11.9.47 or later. The secret will remain checked out when the password change fails.
Severity CVSS v4.0: MEDIUM
Last modification:
27/01/2026