Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-8452

Publication date:

22/01/2026

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. The CVE was never used.

Severity CVSS v4.0: Pending analysis

Last modification:

22/01/2026

CVE-2026-1331

Publication date:

22/01/2026

MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Severity CVSS v4.0: CRITICAL

Last modification:

26/01/2026

CVE-2026-1330

Publication date:

22/01/2026

MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files.

Severity CVSS v4.0: HIGH

Last modification:

26/01/2026

CVE-2020-8451

Publication date:

22/01/2026

Rejected reason: The reserved CVE was never used.

Severity CVSS v4.0: Pending analysis

Last modification:

22/01/2026

CVE-2026-24332

Publication date:

22/01/2026

Discord through 2026-01-16 allows gathering information about whether a user&#39;s client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with "status": "offline"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as "You will appear offline."

Severity CVSS v4.0: Pending analysis

Last modification:

26/01/2026

CVE-2026-0920

Publication date:

22/01/2026

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the &#39;ajax_register_handle&#39; function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the &#39;lakit_bkrole&#39; parameter during registration and gain administrator access to the site.

Severity CVSS v4.0: Pending analysis

Last modification:

26/01/2026

CVE-2026-24049

Publication date:

22/01/2026

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.

Severity CVSS v4.0: Pending analysis

Last modification:

26/01/2026

CVE-2025-71176

Publication date:

22/01/2026

pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.

Severity CVSS v4.0: Pending analysis

Last modification:

26/01/2026

CVE-2026-24042

Publication date:

22/01/2026

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication.

Severity CVSS v4.0: Pending analysis

Last modification:

26/01/2026

CVE-2026-24055

Publication date:

22/01/2026

Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse Prompt Management. An attacker can replace existing Prompt Slack Automation integrations or pre-register a malicious one, though the latter requires an authenticated user to unknowingly configure it despite visible workspace and channel indicators in the UI. This issue has been fixed in version 3.147.0.

Severity CVSS v4.0: MEDIUM

Last modification:

26/01/2026

CVE-2026-24039

Publication date:

22/01/2026

Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or high-privilege roles only; however, an insufficient server-side authorization check on the approval endpoint lets a standard employee modify the approval status of their own uploaded document. A successful exploitation allows users with only employee-level permissions to alter application state reserved for administrators. This undermines the integrity of HR processes (for example, acceptance of credentials, certifications, or supporting materials), and may enable submission of unvetted documents. This issue is fixed in version 1.5.0.

Severity CVSS v4.0: Pending analysis

Last modification:

29/01/2026

CVE-2026-24038

Publication date:

22/01/2026

Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP is also None, causing the comparison user_otp == otp to pass. This allows an attacker to bypass two-factor authentication entirely without ever providing a valid OTP. If administrative accounts are targeted, it could lead to compromise of sensitive HR data, manipulation of employee records, and further system-wide abuse. This issue has been fixed in version 1.5.0.

Severity CVSS v4.0: Pending analysis

Last modification:

29/01/2026

Subscribe to Vulnerabilities