Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-45067

Publication date:
14/07/2026
### Description<br /> <br /> `Symfony\Component\Mime\Address` is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary.<br /> <br /> The constructor accepts email addresses whose local-part (the part before `@`) is an RFC-5322 *quoted string* containing raw `\r\n` bytes — e.g. `"x\r\nBcc: attacker@evil"@example.com`. The stored address is later emitted verbatim into (1) the rendered message headers and (2) `SmtpTransport`&amp;#39;s `MAIL FROM:` / `RCPT TO:` protocol lines, turning the embedded CRLF into a new mail header and/or a new SMTP command.<br /> <br /> ### Resolution<br /> <br /> The `Address` constructor now rejects addresses containing line breaks.<br /> <br /> The patch for this issue is available [here](https://github.com/symfony/symfony/commit/dc2dbd29211eb4ddc451373fa1374fb926e94604) for branch 5.4.<br /> <br /> ### Credits<br /> <br /> We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-45066

Publication date:
14/07/2026
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, HtmlSanitizer URL sanitization can allow off-allowlist URLs through allowLinkHosts() or allowMediaHosts() because UrlSanitizer::parse() follows RFC 3986 while browsers follow WHATWG URL parsing, and because is checked against the media policy rather than the link policy. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
Severity CVSS v4.0: LOW
Last modification:
16/07/2026

CVE-2026-45065

Publication date:
14/07/2026
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, UrlGenerator validates route parameters against a pattern built as ^ plus the raw requirement plus $; with ungrouped alternations, middle alternatives match as unanchored substrings, allowing a value such as //evil.com to satisfy a common locale requirement and generate a protocol-relative off-site URL. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
Severity CVSS v4.0: LOW
Last modification:
15/07/2026

CVE-2026-45074

Publication date:
14/07/2026
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 7.1.0 until 7.4.12 and 8.0.12, Cas2Handler builds the CAS service parameter from Request::getSchemeAndHttpHost(), which reflects an attacker-controlled Host header when framework.trusted_hosts is not configured; an attacker controlling another application registered with the same CAS server can replay a victim ticket against the Symfony application and authenticate as the victim. This issue is fixed in versions 7.4.12 and 8.0.12.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-15715

Publication date:
14/07/2026
A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /exam.php. Such manipulation of the argument day leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
Severity CVSS v4.0: LOW
Last modification:
14/07/2026

CVE-2026-15757

Publication date:
14/07/2026
A security flaw was discovered in the NETGEAR DGND3700v1 that could<br /> allow someone on the same local WiFi network to send unauthorized commands to<br /> the device.<br /> <br /> <br /> <br /> This issue was identified through testing in a controlled research<br /> environment using a simulated version of the router&amp;#39;s software and has not been<br /> confirmed on physical production devices.
Severity CVSS v4.0: MEDIUM
Last modification:
15/07/2026

CVE-2026-15747

Publication date:
14/07/2026
Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle.<br /> <br /> _csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle.<br /> <br /> An attacker able to query it can recover the token and pass csrf_protect validation.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-0515

Publication date:
14/07/2026
Insufficient Parameter Validation in the SchedGet() system call could allow an attacker with local access to cause a crash of the QNX Neutrino kernel.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-59886

Publication date:
14/07/2026
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.4, the univ.Real type converted its mantissa, base, and exponent value to a Python float using exact big-integer exponentiation. A BER, CER, or DER encoded REAL value only a few bytes long can carry a very large exponent, causing float conversion through prettyPrint(), str(), comparison, arithmetic, int(), or an explicit float() call to consume excessive CPU and memory and hang applications that decode untrusted ASN.1 data and then print, log, or compare decoded objects. This issue is fixed in version 0.6.4.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-59888

Publication date:
14/07/2026
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.15.0 until 2.18.8, 2.21.4, and 3.1.4, Java Records using a PropertyNamingStrategy can bypass @JsonIgnore because POJOPropertiesCollector._removeUnwantedIgnorals() records an ignored component under its original implicit name before _renameUsing() applies the naming strategy, allowing the renamed JSON key to be assigned to the Record constructor parameter. This issue is fixed in versions 2.18.8, 2.21.4, and 3.1.4.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-59891

Publication date:
14/07/2026
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 0.7.1, getRegistryCredentials() reads credentials from the Docker config file and selects an entry by checking whether any configured auth key contains the target registry string. Because this is a substring match rather than an exact host match, credentials configured for one registry can be selected for and transmitted to a different registry whose hostname has a substring relationship with a configured auth key. This issue is fixed in version 0.7.1.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-59197

Publication date:
14/07/2026
Pillow is a Python imaging library. Prior to 12.3.0, Pillow&amp;#39;s public rank-filter API can trigger a native heap out-of-bounds write when given a very large odd filter size because ImageFilter.RankFilter.filter() calls image.expand(size // 2, size // 2) before rank-filter size validation and ImagingExpand() computes output dimensions with unchecked signed int arithmetic. This issue is fixed in version 12.3.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026