Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-1498

Publication date:
30/01/2026
An LDAP Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from a connected LDAP authentication server through an exposed authentication or management web interface. This vulnerability may also allow a remote attacker to authenticate as an LDAP user with a partial identifier if they additionally have that user's valid passphrase. This issue affects Fireware OS: from 12.0 through 12.11.6, from 12.5 through 12.5.15, from 2025.1 through 2026.0.
Severity CVSS v4.0: HIGH
Last modification:
30/01/2026

CVE-2025-13176

Publication date:
30/01/2026
Planting a custom configuration file in ESET Inspect Connector allows loading a malicious DLL.
Severity CVSS v4.0: HIGH
Last modification:
30/01/2026

CVE-2026-22626

Publication date:
30/01/2026
Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2026-0709

Publication date:
30/01/2026
Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2026-22623

Publication date:
30/01/2026
Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2026-22624

Publication date:
30/01/2026
Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2026-22625

Publication date:
30/01/2026
Improper handling of filenames in certain HIKSEMI NAS products may lead to the exposure of sensitive system files.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2025-26385

Publication date:
30/01/2026
Johnson Controls Metasys components listed below have an Improper Neutralization of Special Elements used in a Command (Command Injection) vulnerability. Successful exploitation of this vulnerability could allow remote SQL execution. This issue affects:
* Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,
* Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,
* LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,
* System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,
* Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.
Severity CVSS v4.0: CRITICAL
Last modification:
30/01/2026

CVE-2026-1699

Publication date:
30/01/2026
In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2026-22277

Publication date:
30/01/2026
Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2026-21418

Publication date:
30/01/2026
Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2025-1395

Publication date:
30/01/2026
Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson allows Fuzzing for application mapping. This issue affects HeyGarson: through 30012026.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026