Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-33786
Publication date:
09/04/2026
An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1600, SRX2300 and SRX4300 allows a local attacker with low privileges to cause a complete Denial of Service (DoS).<br /> <br /> When a specific &amp;#39;show chassis&amp;#39; CLI command is executed, chassisd crashes and restarts which causes a momentary impact to all traffic until all modules are online again.<br /> <br /> This issue affects Junos OS on SRX1600, SRX2300 and SRX4300:<br /> <br /> <br /> <br /> * 24.4 versions before 24.4R1-S3, 24.4R2.<br /> <br /> <br /> This issue does not affect Junos OS versions before 24.4R1.
Severity CVSS v4.0: MEDIUM
Last modification:
13/04/2026

CVE-2026-33787
Publication date:
09/04/2026
An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600 allows a local attacker with low privileges to cause a complete Denial of Service (DoS).<br /> <br /> When a specific &amp;#39;show chassis&amp;#39; CLI command is executed, chassisd crashes and restarts which causes a momentary impact to all traffic until all modules are online again.<br /> <br /> <br /> <br /> This issue affects Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600: <br /> <br /> <br /> <br /> * 23.2 versions before 23.2R2-S6,<br /> * 23.4 versions before 23.4R2-S7<br /> * 24.2 versions before 24.2R2-S2,<br /> * 24.4 versions before 24.4R2,<br /> * 25.2 versions before 25.2R1-S1, 25.2R2.
Severity CVSS v4.0: MEDIUM
Last modification:
13/04/2026

CVE-2026-33790
Publication date:
09/04/2026
An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an attacker sending a specific, malformed ICMPv6 packet to cause the srxpfe process to crash and restart. Continued receipt and processing of these packets will repeatedly crash the srxpfe process and sustain the Denial of Service (DoS) condition.<br /> <br /> During NAT64 translation, receipt of a specific, malformed ICMPv6 packet destined to the device will cause the srxpfe process to crash and restart.<br /> <br /> This issue cannot be triggered using IPv4 nor other IPv6 traffic.<br /> <br /> <br /> <br /> This issue affects Junos OS on SRX Series:<br /> * all versions before 21.2R3-S10,<br /> * all versions of 21.3,<br /> * from 21.4 before 21.4R3-S12,<br /> * all versions of 22.1,<br /> * from 22.2 before 22.2R3-S8,<br /> * all versions of 22.4,<br /> * from 22.4 before 22.4R3-S9,<br /> * from 23.2 before 23.2R2-S6,<br /> * from 23.4 before 23.4R2-S7,<br /> * from 24.2 before 24.2R2-S3,<br /> * from 24.4 before 24.4R2-S3,<br /> * from 25.2 before 25.2R1-S2, 25.2R2.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026

CVE-2026-33788
Publication date:
09/04/2026
A Missing Authentication for Critical Function vulnerability in the Flexible PIC Concentrators (FPCs) of Juniper Networks Junos OS Evolved on PTX Series allows a local, authenticated attacker with low privileges to gain direct access to FPCs installed in the device.<br /> <br /> A local user with low privileges can gain direct access to the installed FPCs as a high privileged user, which can potentially lead to a full compromise of the affected component.<br /> <br /> This issue affects Junos OS Evolved on PTX10004, PTX10008, PTX100016, with JNP10K-LC1201 or JNP10K-LC1202:<br /> <br /> <br /> <br /> <br /> * All versions before 21.2R3-S8-EVO,<br /> * 21.4-EVO versions before 21.4R3-S7-EVO,<br /> * 22.2-EVO versions before 22.2R3-S4-EVO,<br /> * 22.3-EVO versions before 22.3R3-S3-EVO,<br /> * 22.4-EVO versions before 22.4R3-S2-EVO,<br /> * 23.2-EVO versions before 23.2R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026

CVE-2026-33781
Publication date:
09/04/2026
An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX and QFX Series devices allow an unauthenticated, adjacent attacker to cause a complete Denial of Service (DoS).<br /> <br /> On EX4k, and QFX5k platforms configured as service-provider edge devices, if L2PT is enabled on the UNI and VSTP is enabled on NNI in VXLAN scenarios, receiving VSTP BPDUs on UNI leads to packet buffer allocation failures, resulting in the device to not pass traffic anymore until it is manually recovered with a restart.This issue affects Junos OS:<br /> <br /> <br /> <br /> * 24.4 releases before 24.4R2,<br /> * 25.2 releases before 25.2R1-S1, 25.2R2.<br /> <br /> <br /> <br /> <br /> This issue does not affect Junos OS releases before 24.4R1.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026

CVE-2026-33782
Publication date:
09/04/2026
A Missing Release of Memory after Effective Lifetime vulnerability in the DHCP daemon (jdhcpd) of Juniper Networks Junos OS on MX Series, allows an adjacent, unauthenticated attacker to cause a memory leak, that will eventually cause a complete Denial-of-Service (DoS).<br /> <br /> In a DHCPv6 over PPPoE, or DHCPv6 over VLAN with Active lease query or Bulk lease query scenario, every subscriber logout will leak a small amount of memory. When all available memory has been exhausted, jdhcpd will crash and restart which causes a complete service impact until the process has recovered.<br /> <br /> The memory usage of jdhcpd can be monitored with:<br /> <br /> user@host&gt; show system processes extensive | match jdhcpd<br /> <br /> <br /> <br /> This issue affects Junos OS:<br /> <br /> * all versions before 22.4R3-S1,<br /> * 23.2 versions before 23.2R2,<br /> * 23.4 versions before 23.4R2.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026

CVE-2026-33783
Publication date:
09/04/2026
A Function Call With Incorrect Argument Type vulnerability in the sensor interface of Juniper Networks Junos OS Evolved on PTX Series allows a network-based, authenticated attacker with low privileges to cause a complete Denial of Service (DoS).<br /> <br /> <br /> If colored SRTE policy tunnels are provisioned via PCEP, and gRPC is used to monitor traffic in these tunnels, evo-aftmand crashes and doesn&amp;#39;t restart which leads to a complete and persistent service impact. The system has to be manually restarted to recover. The issue is seen only when the Originator ASN field in PCEP contains a value larger than 65,535 (32-bit ASN). The issue is not reproducible when SRTE policy tunnels are statically configured.<br /> <br /> <br /> This issue affects Junos OS Evolved on PTX Series: <br /> <br /> <br /> <br /> * all versions before 22.4R3-S9-EVO,<br /> * 23.2 versions before 23.2R2-S6-EVO,<br /> * 23.4 versions before 23.4R2-S7-EVO,<br /> * 24.2 versions before 24.2R2-S4-EVO,<br /> * 24.4 versions before 24.4R2-S2-EVO,<br /> * 25.2 versions before 25.2R1-S2-EVO, 25.2R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026

CVE-2026-33785
Publication date:
09/04/2026
A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on MX Series allows a local, authenticated user with low privileges to execute specific commands which will lead to a complete compromise of managed devices.<br /> <br /> Any user logged in, without requiring specific privileges, can issue &amp;#39;request csds&amp;#39; CLI operational commands. These commands are only meant to be executed by high privileged or users designated for Juniper Device Manager (JDM) / Connected Security Distributed Services (CSDS) operations as they will impact all aspects of the devices managed via the respective MX.<br /> <br /> This issue affects Junos OS on MX Series:<br /> <br /> <br /> <br /> * 24.4 releases before 24.4R2-S3, <br /> * 25.2 releases before 25.2R2.<br /> <br /> <br /> <br /> <br /> This issue does not affect Junos OS releases before 24.4.
Severity CVSS v4.0: MEDIUM
Last modification:
13/04/2026

CVE-2026-33784
Publication date:
09/04/2026
A Use of Default Password vulnerability in the Juniper Networks <br /> <br /> Support Insights (JSI) <br /> <br /> Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.<br /> <br /> vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.
Severity CVSS v4.0: CRITICAL
Last modification:
13/04/2026

CVE-2026-33776
Publication date:
09/04/2026
A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a local user with low privileges to read sensitive information.<br /> <br /> A local user with low privileges can execute the CLI command &amp;#39;show mgd&amp;#39; with specific arguments which will expose sensitive information.<br /> <br /> This issue affects<br /> <br /> Junos OS:<br /> * all versions before 22.4R3-S8,<br /> * 23.2 versions before 23.2R2-S6,<br /> * 23.4 versions before 23.4R2-S6,<br /> * 24.2 versions before 24.2R2-S4,<br /> * 24.4 versions before 24.4R2-S1,<br /> * 25.2 version before 25.2R1-S2, 25.2R2;<br /> <br /> <br /> <br /> Junos OS Evolved:<br /> * all versions before 23.2R2-S6-EVO,<br /> * 23.4 version before 23.4R2-S6-EVO,<br /> * 24.2 version before 24.2R2-S4-EVO,<br /> * 24.4 versions before 24.4R2-S1-EVO,<br /> * 25.2 versions before 25.2R2-EVO.
Severity CVSS v4.0: MEDIUM
Last modification:
13/04/2026

CVE-2026-33775
Publication date:
09/04/2026
A Missing Release of Memory after Effective Lifetime vulnerability in the BroadBand Edge subscriber management daemon (bbe-smgd) of Juniper Networks Junos OS on MX Series allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS).<br /> <br /> If the authentication packet-type option is configured and a received packet does not match that packet type, the memory leak occurs. When all memory <br /> <br /> available to bbe-smgd has been consumed, no new subscribers will be able to login.<br /> <br /> The memory utilization of bbe-smgd can be monitored with the following show command:<br /> <br /> user@host&gt; show system processes extensive | match bbe-smgd<br /> <br /> The below log message can be observed when this limit has been reached:<br /> <br /> bbesmgd[]: %DAEMON-3-SMD_DPROF_RSMON_ERROR: Resource unavailability, Reason: Daemon Heap Memory exhaustion<br /> <br /> <br /> This issue affects Junos OS on MX Series:<br /> * all versions before 22.4R3-S8,<br /> * 23.2 versions before 23.2R2-S5,<br /> * 23.4 versions before 23.4R2-S6,<br /> * 24.2 versions before 24.2R2-S2,<br /> * 24.4 versions before 24.4R2,<br /> * 25.2 versions before 25.2R2.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026

CVE-2026-33778
Publication date:
09/04/2026
An Improper Validation of Syntactic Correctness of Input vulnerability in the IPsec library used by kmd and iked of Juniper Networks Junos OS on SRX Series and MX Series allows an unauthenticated, network-based attacker to cause a complete Denial-of-Service (DoS).<br /> <br /> If an affected device receives a specifically malformed first ISAKMP packet from the initiator, the kmd/iked process will crash and restart, which momentarily prevents new security associations (SAs) for from being established. Repeated exploitation of this vulnerability causes a complete inability to establish new VPN connections.<br /> <br /> This issue affects Junos OS on <br /> <br /> SRX Series and MX Series:<br /> <br /> <br /> <br /> * all versions before 22.4R3-S9,<br /> * 23.2 version before 23.2R2-S6,<br /> * 23.4 version before 23.4R2-S7,<br /> * 24.2 versions before 24.2R2-S4,<br /> * 24.4 versions before 24.4R2-S3,<br /> * 25.2 versions before 25.2R1-S2, 25.2R2.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026
Subscribe to Vulnerabilities