Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information. It includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used to support the exchange of information between different tools and databases.

All the vulnerabilities collected are linked to their information sources, as well as to the patches or solutions available from manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-70336

Publication date:
28/01/2026
A Stored cross-site scripting (XSS) vulnerability in 'Create New Live Item' in PodcastGenerator 3.2.9 allows remote attackers to inject arbitrary script or HTML via the 'TITLE', 'SHORT DESCRIPTION' and 'LONG DESCRIPTION' parameters. The saved payload gets executed on 'View All Live Items' and 'Live Stream' pages.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2025-61140

Publication date:
28/01/2026
The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2025-57283

Publication date:
28/01/2026
The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2025-58150

Publication date:
28/01/2026
Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2026-1520

Publication date:
28/01/2026
A vulnerability was identified in rethinkdb up to 2.4.3. Affected by this issue is some unknown functionality of the component Secondary Index Handler. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
28/01/2026

CVE-2026-1521

Publication date:
28/01/2026
A security flaw has been discovered in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_bearer_resource_failure_indication of the file src/sgwc/s5c-handler.c of the component SGWC. Performing a manipulation results in denial of service. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The patch is named 69b53add90a9479d7960b822fc60601d659c328b. It is recommended to apply a patch to fix this issue.
Severity CVSS v4.0: MEDIUM
Last modification:
28/01/2026

CVE-2026-23014

Publication date:
28/01/2026
In the Linux kernel, the following vulnerability has been resolved:

perf: Ensure swevent hrtimer is properly destroyed

With the change to hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to still be active by the time the event gets freed.

Make sure the event does a full hrtimer_cancel() on the free path by installing a perf_event::destroy handler.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2026-1060

Publication date:
28/01/2026
The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2026-1237

Publication date:
28/01/2026
Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing.
Severity CVSS v4.0: LOW
Last modification:
28/01/2026

CVE-2025-14795

Publication date:
28/01/2026
The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2026-1056

Publication date:
28/01/2026
The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2020-36990

Publication date:
28/01/2026
Input Director 1.4.3 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions.
Severity CVSS v4.0: HIGH
Last modification:
28/01/2026