Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-54764

Publication date:
06/07/2026
Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's ForwardAuth middleware, even when configured with trustForwardHeader: false, derives the X-Forwarded-Port header sent to the authentication service from the original incoming request instead of the sanitized forwarded request. As a result, an unauthenticated remote attacker can inject an X-Forwarded-Proto: https header over a plain HTTP connection and cause Traefik to forward X-Forwarded-Port: 443 to the authentication service, bypassing port-based authorization checks. This issue is fixed in versions v2.11.51, v3.6.22, and v3.7.6.
Severity CVSS v4.0: MEDIUM
Last modification:
08/07/2026

CVE-2026-48267

Publication date:
06/07/2026
DNG SDK versions 1.7.1 2536 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2026

CVE-2026-50135

Publication date:
06/07/2026
Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored  themes/  theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0.
Severity CVSS v4.0: MEDIUM
Last modification:
08/07/2026

CVE-2026-34038

Publication date:
06/07/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allows users with application write permissions to achieve remote code execution and exfiltrate sensitive environment variables through deployment logs via fields such as dockerfile_location and deployment commands. This issue is fixed in version 4.0.0-beta.469.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-42341

Publication date:
06/07/2026
FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. When the Custom payment adapter is enabled, an attacker can mark any unpaid invoice as paid and credit the associated client account without making an actual payment, by sending a single crafted HTTP request. Version 0.8.0 patches the issue. Some workarounds are available. Disable the Custom payment gateway if not actively needed and/or restrict access to `/ipn.php` at the web server level (e.g., via IP allowlisting), noting that this may interfere with legitimate payment callback processing.
Severity CVSS v4.0: CRITICAL
Last modification:
07/07/2026

CVE-2026-33734

Publication date:
06/07/2026
FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a SQL injection vulnerability in the `Massmailer` module filter functionality. An authenticated administrator can supply crafted filter values when updating a mass email message, causing untrusted input to be interpolated directly into SQL in the recipient selection query. Version 0.8.0 patches the issue. Some workarounds are available. Restrict administrator access to trusted users only, disable the `Massmailer` module if it is not required, audit existing records in the `mod_massmailer` table for suspicious filter values, and/or review administrator activity related to `Massmailer` message updates.
Severity CVSS v4.0: MEDIUM
Last modification:
07/07/2026

CVE-2026-42331

Publication date:
06/07/2026
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Guest API invoice/update endpoint is missing an authorization check present in other invoice-related endpoints, allowing an unauthenticated user with knowledge of an invoice hash to modify the payment gateway associated with an unpaid invoice. An attacker who obtains an invoice hash, which may leak through shared URLs, referrer headers, or email links, can change the `gateway_id` on an unpaid invoice to any payment gateway configured in the system. This does not allow redirecting payments to an arbitrary external endpoint, as the gateway must already be installed and configured by an administrator. The practical impact is further limited by the `invoice_accessible_from_hash` system setting. Version 0.8.0 contains a patch. No known workarounds are available.
Severity CVSS v4.0: HIGH
Last modification:
07/07/2026

CVE-2026-25271

Publication date:
06/07/2026
Memory Corruption when processing asynchronous input parameters due to improper handling of modified values between check and use.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-25268

Publication date:
06/07/2026
Memory Corruption when processing invalid HT40 channel layouts during dynamic channel switching operations.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-21384

Publication date:
06/07/2026
Memory Corruption when updating prepared commands with invalid port indices based on user space input exceeds supported read client limits.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-21379

Publication date:
06/07/2026
Memory Corruption when allocating memory with sizes that exceed the maximum allowed value.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-21370

Publication date:
06/07/2026
Memory Corruption when validating input batch size and buffer plane count exceeds maximum allowed values.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026