Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-45063

Publication date:
14/07/2026
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, X509Authenticator extracts the user identifier from $_SERVER['SSL_CLIENT_S_DN'] with an unanchored regex that matches emailAddress= anywhere in the distinguished name, allowing an attacker with a trusted certificate containing emailAddress=victim inside another RDN value such as CN to authenticate as the victim. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
Severity CVSS v4.0: CRITICAL
Last modification:
14/07/2026

CVE-2026-45064

Publication date:
14/07/2026
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlSanitizer::parse() passes Unicode explicit-direction BiDi formatting characters through into sanitized href and src attributes, allowing sanitized content to display a link destination that visually differs from the actual destination and enabling phishing-style visual spoofing. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
Severity CVSS v4.0: LOW
Last modification:
14/07/2026

CVE-2026-15720

Publication date:
14/07/2026
In Open5GS through version 2.7.7 a pre-authentication heap out-of-bounds read in the AMF NAS 5GS mobile-identity handler may result in subscriber-wide denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-15712

Publication date:
14/07/2026
A heap buffer over-read vulnerability was discovered in libsoup's (versions: libsoup 3.0 to 3.7.0) HTTP/2 connection tracking framework. When the library processes an HTTP/2 GOAWAY frame, it improperly handles the "Additional Debug Data" payload by assuming the data stream is a safely NUL-terminated C-string. Because the parser lacks strict length-boundary verification before reading this data, a remote, unauthenticated attacker can intentionally send a malformed GOAWAY frame missing the appropriate null delimiter. This causes the library to read past the end of the allocated buffer, triggering an application crash that results in a denial of service (DoS), or potentially exposing fragments of memory contents.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-15637

Publication date:
14/07/2026
Improper authorization in the PAM SSH key and certificate retrieval <br /> endpoints in Devolutions Server 2026.2.11, 2026.1.22 allows an <br /> authenticated low-privileged user to disclose the private key of an SSH <br /> key or certificate PAM credential via a direct object reference to the <br /> credential identifier.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-15641

Publication date:
14/07/2026
Improper authorization in the access request status endpoint in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to approve their own pending access request via a direct call to the request status endpoint, bypassing the required approver review.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-15642

Publication date:
14/07/2026
Insertion of sensitive information into a file in the Recovery Kit response file generation feature in Devolutions Server 2026.1.22.0, 2026.2.11.0 allows an attacker with access to the generated response file to obtain the Azure Key Vault client secret in cleartext, even when the option to exclude sensitive data is selected.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-15058

Publication date:
14/07/2026
Improper authorization in the secure messages deletion endpoint in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated user to delete another user&amp;#39;s messages via a direct object reference to the message identifier.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-62658

Publication date:
14/07/2026
A security flaw was discovered in certain NETGEAR Nighthawk RAX series routers<br /> that could allow someone already logged in to the device to run unauthorized commands<br /> or code on the router.
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-62659

Publication date:
14/07/2026
A<br /> security flaw was discovered in the NETGEAR WAX333 Access Point that could<br /> allow someone already logged in and connected to the local network to make<br /> unauthorized changes to the device&amp;#39;s settings
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-62655

Publication date:
14/07/2026
A<br /> security flaw was found in certain NETGEAR Orbi models that<br /> could allow an unauthorized user to cause the device to stop responding or<br /> restart unexpectedly, disrupting network connectivity and making the device<br /> temporarily unavailable.
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-62656

Publication date:
14/07/2026
A<br /> security flaw was found in certain NETGEAR RAX models that could allow<br /> a logged-in user to send specially crafted requests to the router and run<br /> unauthorized commands. This could enable the user to make unauthorized changes<br /> to the router and affect its security and operation.
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026