Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-68271

Publication date:
13/01/2026
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval(). Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401). This vulnerability is fixed in 6.10.2.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-21265

Publication date:
13/01/2026
Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. These original certificates are approaching expiration, and devices containing affected certificate versions must update them to maintain Secure Boot functionality and avoid compromising security by losing security fixes related to Windows boot manager or Secure Boot.

The operating system's certificate update protection mechanism relies on firmware components that might contain defects, which can cause certificate trust updates to fail or behave unpredictably. This leads to potential disruption of the Secure Boot trust chain and requires careful validation and deployment to restore intended security guarantees.

Certificate Authority (CA) | Location | Purpose | Expiration Date
Microsoft Corporation KEK CA 2011 | KEK | Signs updates to the DB and DBX | 06/24/2026
Microsoft Corporation UEFI CA 2011 | DB | Signs 3rd party boot loaders, Option ROMs, etc. | 06/27/2026
Microsoft Windows Production PCA 2011 | DB | Signs the Windows Boot Manager | 10/19/2026

For more information see this CVE and Windows Secure Boot certificate expiration and CA updates.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-20962

Publication date:
13/01/2026
Use of uninitialized resource in Dynamic Root of Trust for Measurement (DRTM) allows an authorized attacker to disclose information locally.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-21219

Publication date:
13/01/2026
Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-21224

Publication date:
13/01/2026
Stack-based buffer overflow in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-20963

Publication date:
13/01/2026
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-20965

Publication date:
13/01/2026
Improper verification of cryptographic signature in Windows Admin Center allows an authorized attacker to elevate privileges locally.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2026

CVE-2026-21221

Publication date:
13/01/2026
Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2026

CVE-2026-20959

Publication date:
13/01/2026
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-20958

Publication date:
13/01/2026
Server-side request forgery (SSRF) in Microsoft Office SharePoint allows an authorized attacker to disclose information over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-20957

Publication date:
13/01/2026
Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2026-20956

Publication date:
13/01/2026
Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026