Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-35210

Publication date:
08/07/2026
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260326.0, an authorization bypass vulnerability in OpenCTI allows any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass Confidence Level validation and Object Marking restrictions by injecting the synchronized-upsert: true HTTP header, enabling attackers to downgrade confidence levels, remove security markings such as TLP:RED, manipulate relationships, and affect STIX object types including Indicators, ThreatActors, Malware, and Reports. This issue is fixed in version 7.260326.0.
Severity CVSS v4.0: Pending analysis
Last modification:
13/07/2026

CVE-2026-35211

Publication date:
08/07/2026
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260401.0, the OpenCTI GraphQL API exposes a script filter operator in its FilterOperator enum that allows any authenticated user with the KNOWLEDGE capability to pass user-supplied Elasticsearch Painless script values directly into search queries without validation or sanitization, allowing computationally expensive scripts to consume cluster CPU resources and degrade or deny service for all users. This issue is fixed in version 7.260401.0.
Severity CVSS v4.0: Pending analysis
Last modification:
13/07/2026

CVE-2026-14896

Publication date:
08/07/2026
HashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace. This vulnerability, CVE-2026-14896, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-15171

Publication date:
08/07/2026
SSH protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-15170

Publication date:
08/07/2026
Z39.50 protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-15163

Publication date:
08/07/2026
Multiple protocol dissector infinite loops in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allow denial of service
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-15166

Publication date:
08/07/2026
IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-15167

Publication date:
08/07/2026
DBS Etherwatch file parser crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-15169

Publication date:
08/07/2026
UMTS FP protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-15164

Publication date:
08/07/2026
Crash in ciscodump 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-15165

Publication date:
08/07/2026
TLS ECH decryptor crash in Wireshark 4.6.0 to 4.6.6 allows denial of service
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-11827

Publication date:
08/07/2026
GitLab has remediated an issue in GitLab EE affecting all versions from 9.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with maintainer-role permissions to obtain another user's stored credentials due to improper authorization controls.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026