Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-15713

Publication date:
14/07/2026
A vulnerability was found in libsoup's HTTP/2 protocol implementation. The library fails to correctly release memory context blocks under specific stream termination conditions, such as when an HTTP/2 connection encounters window exhaustion or explicit stream resets. A remote, unauthenticated attacker acting as a malicious network peer can trick the connection engine into allocating stream states that are subsequently leaked during cleanup. Over a sustained period, this flaw allows the remote attacker to consume the system's heap allocations incrementally, triggering a denial of service (DoS) through an ultimate Out-of-Memory (OOM) application crash.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-15709

Publication date:
14/07/2026
A flaw was found in libsoup's WebSocket implementation when using the permessage-deflate extension. The extension's decompression loop (inflate()) processes data in chunks without enforcing an upper boundary limit on the output buffer size. While libsoup limits the incoming compressed frame size via max_incoming_payload_size, it fails to track or limit memory allocation during decompression. A separate check for decompressed size (max_total_message_size) exists but executes only after inflation is complete, and it is entirely disabled by default for client connections. A remote, unauthenticated attacker can exploit this by sending a small, highly compressed payload (a decompression bomb), causing unbounded memory allocation that triggers an Out-of-Memory (OOM) crash and a Denial of Service (DoS).
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-13001

Publication date:
14/07/2026
The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'podlove_handle_cache_files' function in all versions up to, and including, 4.5.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-15409

Publication date:
14/07/2026
A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. A remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-15410

Publication date:
14/07/2026
Post-authentication improper control of generation of code ('Code Injection') vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) which in specific conditions could potentially enable a remote authenticated attacker as administrator to execute arbitrary OS commands.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-5040

Publication date:
14/07/2026
TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials. An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks.<br /> <br /> Successful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-47767

Publication date:
14/07/2026
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 5.4.46 until 5.4.52, 6.4.40, 7.4.12, and 8.0.12, the CVE-2024-50340 fix gated runtime argv parsing on empty($_GET), but parse_str() and the web SAPI can disagree, allowing a crafted query string to leave $_GET empty while $_SERVER[&amp;#39;argv&amp;#39;] still carries attacker-controlled --env or --no-debug flags that change APP_ENV or APP_DEBUG. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-47301

Publication date:
14/07/2026
Improper access control in Microsoft Configuration Manager allows an authorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-47302

Publication date:
14/07/2026
Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-47303

Publication date:
14/07/2026
Authentication bypass by assumed-immutable data in ASP.NET Core allows an authorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-47300

Publication date:
14/07/2026
Incorrect implementation of authentication algorithm in ASP.NET Core allows an authorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-47304

Publication date:
14/07/2026
Improper verification of cryptographic signature in .NET allows an unauthorized attacker to bypass a security feature over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026