Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-1010

Publication date:
15/01/2026
A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data.

When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2026

CVE-2026-1009

Publication date:
15/01/2026
A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post.

Successful exploitation allows the attacker’s payload to execute in the context of the victim’s authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2026

CVE-2026-1008

Publication date:
15/01/2026
A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques.

The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2026

CVE-2025-68671

Publication date:
15/01/2026
lakeFS is an open-source tool that transforms object storage into Git-like repositories. lakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2026

CVE-2026-0915

Publication date:
15/01/2026
Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2026

CVE-2025-67823

Publication date:
15/01/2026
A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input validation. A successful exploit requires user interaction where the email channel is enabled. This could allow an attacker to execute arbitrary scripts in the victim's browser or desktop client application.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2026

CVE-2025-67822

Publication date:
15/01/2026
A vulnerability in the Provisioning Manager component of Mitel MiVoice MX-ONE 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14) could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication mechanisms. A successful exploit could allow an attacker to gain unauthorized access to user or admin accounts in the system.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2026

CVE-2023-7334

Publication date:
15/01/2026
Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation as early as 2023-08-19 (UTC).
Severity CVSS v4.0: CRITICAL
Last modification:
23/01/2026

CVE-2011-10041

Publication date:
15/01/2026
Uploadify WordPress plugin versions up to and including 1.0 contain an arbitrary file upload vulnerability in process_upload.php due to missing file type validation. An unauthenticated remote attacker can upload arbitrary files to the affected WordPress site, which may allow remote code execution by uploading executable content to a web-accessible location.
Severity CVSS v4.0: CRITICAL
Last modification:
20/01/2026

CVE-2026-21920

Publication date:
15/01/2026
An Unchecked Return Value vulnerability in the DNS module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).

If an SRX Series device configured for DNS processing receives a specifically formatted DNS request, flowd will crash and restart, which causes a service interruption until the process has recovered.

This issue affects Junos OS on SRX Series:

* 23.4 versions before 23.4R2-S5,
* 24.2 versions before 24.2R2-S1,
* 24.4 versions before 24.4R2.

This issue does not affect Junos OS versions before 23.4R1.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2026-21921

Publication date:
15/01/2026
A Use After Free vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker authenticated with low privileges to cause a Denial-of-Service (DoS).

When telemetry collectors are frequently subscribing and unsubscribing to sensors continuously over a long period of time, telemetry-capable processes like chassisd, rpd or mib2d will crash and restart, which - depending on the process - can cause a complete outage until the system has recovered.

This issue affects:

Junos OS:

* all versions before 22.4R3-S8,
* 23.2 versions before 23.2R2-S5,
* 23.4 versions before 23.4R2;

Junos OS Evolved:

* all versions before 22.4R3-S8-EVO,
* 23.2 versions before 23.2R2-S5-EVO,
* 23.4 versions before 23.4R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2026-21918

Publication date:
15/01/2026
A Double Free vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX and MX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On all SRX and MX Series platforms, when a specific sequence of packets is encountered during TCP session establishment, a double free happens. This causes flowd to crash and the respective FPC to restart.

This issue affects Junos OS on SRX and MX Series:

* all versions before 22.4R3-S7,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R2.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026