Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-34038

Publication date:
06/07/2026
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allows users with application write permissions to achieve remote code execution and exfiltrate sensitive environment variables through deployment logs via fields such as dockerfile_location and deployment commands. This issue is fixed in version 4.0.0-beta.469.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026

CVE-2026-42331

Publication date:
06/07/2026
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Guest API invoice/update endpoint is missing an authorization check present in other invoice-related endpoints, allowing an unauthenticated user with knowledge of an invoice hash to modify the payment gateway associated with an unpaid invoice. An attacker who obtains an invoice hash, which may leak through shared URLs, referrer headers, or email links, can change the `gateway_id` on an unpaid invoice to any payment gateway configured in the system. This does not allow redirecting payments to an arbitrary external endpoint, as the gateway must already be installed and configured by an administrator. The practical impact is further limited by the `invoice_accessible_from_hash` system setting. Version 0.8.0 contains a patch. No known workarounds are available.
Severity CVSS v4.0: HIGH
Last modification:
06/07/2026

CVE-2026-42341

Publication date:
06/07/2026
FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. When the Custom payment adapter is enabled, an attacker can mark any unpaid invoice as paid and credit the associated client account without making an actual payment, by sending a single crafted HTTP request. Version 0.8.0 patches the issue. Some workarounds are available. Disable the Custom payment gateway if not actively needed and/or restrict access to `/ipn.php` at the web server level (e.g., via IP allowlisting), noting that this may interfere with legitimate payment callback processing.
Severity CVSS v4.0: CRITICAL
Last modification:
06/07/2026

CVE-2026-21384

Publication date:
06/07/2026
Memory Corruption when updating prepared commands with invalid port indices based on user space input exceeds supported read client limits.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026

CVE-2026-25268

Publication date:
06/07/2026
Memory Corruption when processing invalid HT40 channel layouts during dynamic channel switching operations.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026

CVE-2026-25271

Publication date:
06/07/2026
Memory Corruption when processing asynchronous input parameters due to improper handling of modified values between check and use.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026

CVE-2026-14468

Publication date:
06/07/2026
HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026

CVE-2026-14471

Publication date:
06/07/2026
Improper Neutralization of Special Elements in the metrics-service retention policy management component in Amazon mcp-gateway-registry before 1.0.13 might allow an authenticated remote user to execute arbitrary SQL queries via a crafted table_name value that is interpolated into SQL statements in identifier position.<br /> <br /> <br /> <br /> To remediate this issue, users should upgrade to version 1.0.13 or later.
Severity CVSS v4.0: HIGH
Last modification:
06/07/2026

CVE-2026-21368

Publication date:
06/07/2026
Memory Corruption when parsing jpeg commands due to unaccounted extra writes to the buffer during validation checks.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026

CVE-2026-21369

Publication date:
06/07/2026
Memory Corruption when handling flash commands due to outdated LED count values being used after userspace modification.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026

CVE-2026-21370

Publication date:
06/07/2026
Memory Corruption when validating input batch size and buffer plane count exceeds maximum allowed values.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026

CVE-2026-21379

Publication date:
06/07/2026
Memory Corruption when allocating memory with sizes that exceed the maximum allowed value.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026