Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-71213

Publication date:
21/05/2026
An origin validation error vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations.<br /> <br /> Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2025-13477

Publication date:
21/05/2026
Exposure of private personal information to an unauthorized actor, Insufficiently Protected Credentials vulnerability in Digital Operations Services Inc. WifiBurada allows Authentication Bypass.<br /> <br /> This issue affects WifiBurada: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2025-13479

Publication date:
21/05/2026
Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers.<br /> <br /> This issue affects QR Menu: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-5118

Publication date:
21/05/2026
The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled &amp;#39;role&amp;#39; parameter from POST data during user registration without validating it against the form&amp;#39;s configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2026

CVE-2026-6841

Publication date:
21/05/2026
Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser.<br /> <br /> This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
Severity CVSS v4.0: MEDIUM
Last modification:
01/06/2026

CVE-2026-45760

Publication date:
21/05/2026
(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace.<br /> <br /> This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1.<br /> <br /> Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
23/05/2026

CVE-2026-43502

Publication date:
21/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/rds: handle zerocopy send cleanup before the message is queued<br /> <br /> A zerocopy send can fail after user pages have been pinned but before<br /> the message is attached to the sending socket.<br /> <br /> The purge path currently infers zerocopy state from rm-&gt;m_rs, so an<br /> unqueued message can be cleaned up as if it owned normal payload pages.<br /> However, zerocopy ownership is really determined by the presence of<br /> op_mmp_znotifier, regardless of whether the message has reached the<br /> socket queue.<br /> <br /> Capture op_mmp_znotifier up front in rds_message_purge() and use it as<br /> the cleanup discriminator. If the message is already associated with a<br /> socket, keep the existing completion path. Otherwise, drop the pinned<br /> page accounting directly and release the notifier before putting the<br /> payload pages.<br /> <br /> This keeps early send failure cleanup consistent with the zerocopy<br /> lifetime rules without changing the normal queued completion path.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2026

CVE-2026-43498

Publication date:
21/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> accel/ivpu: Disallow re-exporting imported GEM objects<br /> <br /> Prevent re-exporting of imported GEM buffers by adding a custom<br /> prime_handle_to_fd callback that checks if the object is imported<br /> and returns -EOPNOTSUPP if so.<br /> <br /> Re-exporting imported GEM buffers causes loss of buffer flags settings,<br /> leading to incorrect device access and data corruption.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2026

CVE-2026-43497

Publication date:
21/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free<br /> <br /> dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages<br /> to userspace but sets no vm_ops on the VMA. This means the kernel cannot<br /> track active mmaps. When dlfb_realloc_framebuffer() replaces the backing<br /> buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated.<br /> On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages<br /> while userspace PTEs still reference them, resulting in a use-after-free:<br /> the process retains read/write access to freed kernel pages.<br /> <br /> Add vm_operations_struct with open/close callbacks that maintain an<br /> atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(),<br /> check mmap_count and return -EBUSY if the buffer is currently mapped,<br /> preventing buffer replacement while userspace holds stale PTEs.<br /> <br /> Tested with PoC using dummy_hcd + raw_gadget USB device emulation.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2026

CVE-2026-43499

Publication date:
21/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rtmutex: Use waiter::task instead of current in remove_waiter()<br /> <br /> remove_waiter() is used by the slowlock paths, but it is also used for<br /> proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from<br /> futex_requeue().<br /> <br /> In the latter case waiter::task is not current, but remove_waiter()<br /> operates on current for the dequeue operation. That results in several<br /> problems:<br /> <br /> 1) the rbtree dequeue happens without waiter::task::pi_lock being held<br /> <br /> 2) the waiter task&amp;#39;s pi_blocked_on state is not cleared, which leaves a<br /> dangling pointer primed for UAF around.<br /> <br /> 3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter<br /> task<br /> <br /> Use waiter::task instead of current in all related operations in<br /> remove_waiter() to cure those problems.<br /> <br /> [ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the<br /> changelog ]
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2026

CVE-2026-43501

Publication date:
21/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: rpl: reserve mac_len headroom when recompressed SRH grows<br /> <br /> ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps<br /> the next segment into ipv6_hdr-&gt;daddr, recompresses, then pulls the old<br /> header and pushes the new one plus the IPv6 header back. The<br /> recompressed header can be larger than the received one when the swap<br /> reduces the common-prefix length the segments share with daddr (CmprI=0,<br /> CmprE&gt;0, seg[0][0] != daddr[0] gives the maximum +8 bytes).<br /> <br /> pskb_expand_head() was gated on segments_left == 0, so on earlier<br /> segments the push consumed unchecked headroom. Once skb_push() leaves<br /> fewer than skb-&gt;mac_len bytes in front of data,<br /> skb_mac_header_rebuild()&amp;#39;s call to:<br /> <br /> skb_set_mac_header(skb, -skb-&gt;mac_len);<br /> <br /> will store (data - head) - mac_len into the u16 mac_header field, which<br /> wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB<br /> past skb-&gt;head.<br /> <br /> A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two<br /> segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one<br /> pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.<br /> <br /> Fix this by expanding the head whenever the remaining room is less than<br /> the push size plus mac_len, and request that much extra so the rebuilt<br /> MAC header fits afterwards.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-43496

Publication date:
21/05/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked<br /> <br /> When red qdisc has children (eg qfq qdisc) whose peek() callback is<br /> qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such<br /> qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from<br /> its child (red in this case), it will do the following:<br /> 1a. do a peek() - and when sensing there&amp;#39;s an skb the child can offer, then<br /> - the child in this case(red) calls its child&amp;#39;s (qfq) peek.<br /> qfq does the right thing and will return the gso_skb queue packet.<br /> Note: if there wasnt a gso_skb entry then qfq will store it there.<br /> 1b. invoke a dequeue() on the child (red). And herein lies the problem.<br /> - red will call the child&amp;#39;s dequeue() which will essentially just<br /> try to grab something of qfq&amp;#39;s queue.<br /> <br /> [ 78.667668][ T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]<br /> [ 78.667927][ T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full)<br /> [ 78.668263][ T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011<br /> [ 78.668486][ T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq]<br /> [ 78.668718][ T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d<br /> [ 78.669312][ T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216<br /> [ 78.669533][ T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000<br /> [ 78.669790][ T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048<br /> [ 78.670044][ T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078<br /> [ 78.670297][ T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000<br /> [ 78.670560][ T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200<br /> [ 78.670814][ T363] FS: 00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000<br /> [ 78.671110][ T363] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 78.671324][ T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0<br /> [ 78.671585][ T363] PKRU: 55555554<br /> [ 78.671713][ T363] Call Trace:<br /> [ 78.671843][ T363] <br /> [ 78.671936][ T363] ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq]<br /> [ 78.672148][ T363] ? __pfx__printk+0x10/0x10<br /> [ 78.672322][ T363] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 78.672496][ T363] ? lockdep_hardirqs_on_prepare+0xa8/0x1a0<br /> [ 78.672706][ T363] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 78.672875][ T363] ? trace_hardirqs_on+0x19/0x1a0<br /> [ 78.673047][ T363] red_dequeue+0x65/0x270 [sch_red]<br /> [ 78.673217][ T363] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 78.673385][ T363] tbf_dequeue.cold+0xb0/0x70c [sch_tbf]<br /> [ 78.673566][ T363] __qdisc_run+0x169/0x1900<br /> <br /> The right thing to do in #1b is to grab the skb off gso_skb queue.<br /> This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked()<br /> method instead.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2026