Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-33264

Publication date:
07/07/2026
A bug in `BaseSerialization.deserialize()` allowed unrestricted `import_string()` of attacker-controlled class paths when the Scheduler / API Server loaded a serialized DAG: a DAG author could embed a malicious trigger into a DAG to gain remote code execution on the API Server / Scheduler process, crossing the Airflow security boundary that DAG-author code must never execute in those processes. Users are advised to upgrade to `apache-airflow` 3.3.0 or later. As a defense-in-depth mitigation, deployments where DAG-author trust is limited can restrict the `[core] allowed_deserialization_classes` config to a narrow allowlist.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2026

CVE-2026-14474

Publication date:
07/07/2026
A flaw was found in SSSD's LDAP sudo provider. When the ldap_sudo_search_base option is not explicitly configured, SSSD searches the entire LDAP directory tree for sudoRole objects. An authenticated attacker with write access to any subtree can inject a sudoRole object granting root-level sudo privileges on all SSSD-enrolled hosts.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-14476

Publication date:
07/07/2026
A path traversal flaw was found in SSSD's AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-11610

Publication date:
07/07/2026
A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server<br /> (389-ds-base). After a successful SASL bind with integrity protection (SSF &gt; 0),<br /> an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet<br /> that is copied into a 512-byte heap receive buffer without a bounds check in<br /> sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of<br /> attacker-controlled data to overflow the buffer, causing a denial of service (server<br /> crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with<br /> a valid Kerberos ticket, any enrolled host, or any service account can trigger this<br /> vulnerability over the network after authenticating via GSSAPI.<br /> The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and<br /> was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow<br /> in schema.c only.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2026

CVE-2026-58384

Publication date:
07/07/2026
A flaw was found in GIMP&amp;#39;s PSD parser. An integer overflow in read_RLE_channel() can cause an undersized heap allocation for the RLE row-length table, after which subsequent per-row writes corrupt heap memory. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-13199

Publication date:
07/07/2026
EEPROM firmware on Raspberry Pi 5 and Compute Module 5 devices produced non-random KASLR and RNG seed values. This resulted in consistent kernel addresses across boots and devices, potentially making it easier to exploit other vulnerabilities. Additionally, the low-quality RNG seed may affect the quality of random numbers or delay booting while sufficient entropy is accumulated from other sources.
Severity CVSS v4.0: MEDIUM
Last modification:
07/07/2026

CVE-2026-8309

Publication date:
07/07/2026
Improper neutralization of input during web page generation (&amp;#39;cross-site scripting&amp;#39;) vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows Reflected XSS.<br /> <br /> This issue affects Access Control System (GKS): before Version 2.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-8377

Publication date:
07/07/2026
Missing Authorization vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows Collect Data from Common Resource Locations.<br /> <br /> This issue affects Access Control System (GKS): before Version 2.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-5730

Publication date:
07/07/2026
Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers.<br /> <br /> This issue affects Ontime: through 04052026.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-5799

Publication date:
07/07/2026
Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers.<br /> <br /> This issue affects Ontime: through 04052026.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-7380

Publication date:
07/07/2026
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows XSS Targeting HTML Attributes.<br /> <br /> This issue affects Access Control System (GKS): before Version 2.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026

CVE-2026-8306

Publication date:
07/07/2026
Improper neutralization of input during web page generation (&amp;#39;cross-site scripting&amp;#39;) vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows Stored XSS.<br /> <br /> This issue affects Access Control System (GKS): before Version 2.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2026