Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-58225

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** SQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a LISTEN channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.<br /> <br /> Postgrex.Notifications sanitizes channel names with quote_channel/1, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement LISTEN and UNLISTEN paths. On every (re)connect, however, handle_connect/1 replays all registered channels at once by concatenating their LISTEN statements and wrapping them in a dollar-quoted anonymous code block (DO $$BEGIN ... END$$). quote_channel/1 does not escape the $$ dollar-quote delimiter that opens and closes this block.<br /> <br /> The listen/3 guards only reject null bytes and names longer than 63 bytes, so a channel name containing $$ passes validation unchanged. Once such a name is embedded, its $$ prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because handle_connect/1 runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.<br /> <br /> An application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.<br /> <br /> This issue affects postgrex: from 0.16.0 before 0.22.3.
Gravedad CVSS v4.0: BAJA
Última modificación:
10/07/2026

CVE-2026-14461

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** mtr is vulnerable to Out-of-bound read vulnerability in ipinfo_lookup() function. An attacker who can influence the TXT response used for AS lookups can trigger this bug by returning a DNS response that is larger than 512 bytes and uses a crafted compression pointer in the answer NAME field. ipinfo_lookup() function uses the length of the response as the end-of-message boundary for dn_expand() function. The result is a reliable crash.<br /> <br /> <br /> This issue exists in the mtr through version 0.96 and it was fixed in commit 48e1794414d338ce47abc0f27c25ade8788af9c3.
Gravedad CVSS v4.0: MEDIA
Última modificación:
10/07/2026

CVE-2026-9857

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** The Invoice123 plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the plugin&amp;#39;s API key stored in wp_options, modify invoice plugin settings, and alter WooCommerce tax rate data in the wp_woocommerce_tax_rates table.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/07/2026

CVE-2026-41879

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** R-SOFT DMS stores superadmin credentials using a non-salted nested MD5 hash. This allows an attacker who obtain password hash to decode superadmin credentials. Critically, this password cannot be changed except by modifying the configuration file.<br /> <br /> This issue was fixed in version v3.17-2000.
Gravedad CVSS v4.0: ALTA
Última modificación:
10/07/2026

CVE-2026-41880

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** R-SOFT DMS is vulnerable to OS Command Injection in the Optical Character Recognition (OCR) module. Multiple command execution functions accept user-controllable file paths without proper sanitization before passing them to the system shell via SSH. In current infrastructure the URL encoding neutralizes the injection during the standard web upload flow. An authenticated attacker who is able to trigger the OCR functionality for the uploaded file can execute OS commands within the context of a root user.<br /> <br /> This issue was fixed in version v3.19-2862 and v3.17-2580.
Gravedad CVSS v4.0: CRÍTICA
Última modificación:
10/07/2026

CVE-2026-13010

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** The JoomSport – for Sports: Team &amp; League, Football, Hockey &amp; more plugin for WordPress is vulnerable to time-based SQL Injection via &amp;#39;event&amp;#39; Shortcode Attribute in all versions up to, and including, 5.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The shortcode can be embedded in posts or pages by Contributor-level users, making this exploitable by any authenticated user with at least that role.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/07/2026

CVE-2026-13247

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** The Logo Slider – Logo Carousel, Client Logo Slider &amp; Brand Showcase for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;lgx_tooltip_position&amp;#39; parameter in all versions up to, and including, 5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/07/2026

CVE-2026-15378

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** A flaw was found in the `guardrails-detectors` component. This vulnerability allows a remote attacker to perform a blind Server-Side Request Forgery (SSRF) by submitting a specially crafted XML Schema Definition (XSD) string. This can lead to unauthorized access to sensitive information, including credentials from cloud metadata services, Kubernetes API, internal MinIO, and other internal network endpoints. Additionally, it enables local file reads of critical data such as service account tokens and pod secrets.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
10/07/2026

CVE-2026-13710

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets &amp; Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Box widget&amp;#39;s &amp;#39;sg_body_description&amp;#39; parameter in versions up to, and including, 3.2.6. This is due to insufficient input sanitization and output escaping on the description attribute in the render_body() method of the Image_Box_View class — every other attribute used by the method is wrapped in esc_attr(), but the description value is concatenated directly into HTML body context. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/07/2026

CVE-2026-41876

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** R-SOFT DMS is vulnerable to OS Command Injection in konwertujAction() function. The document converter executes shell commands using unsanitized file paths and format parameters. This allows an authenticated attacker to execute arbitrary system commands with the privileges of the web server user.<br /> <br /> This issue was fixed in version v3.19-2752 and v3.17-2580.
Gravedad CVSS v4.0: ALTA
Última modificación:
10/07/2026

CVE-2026-41877

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** R-SOFT DMS is vulnerable to Stored XSS in file upload functionality. Authenticated attacker can inject arbitrary HTML and JS into the name of the file being uploaded, which will be executed when visiting file list or upload status by other users.<br /> <br /> This issue was fixed in version v3.19-2832 and v3.17-2580.
Gravedad CVSS v4.0: MEDIA
Última modificación:
10/07/2026

CVE-2026-41878

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** R-SOFT DMS is vulnerable to Insecure Direct Object Reference (IDOR) attack in multiple file download endpoints. The application fetches files from the database by ID and serves them to whoever requests them, relying only on session authentication, meaning any valid user can access any file.<br /> <br /> This issue was fixed in version v3.19-2862 and v3.17-2580.
Gravedad CVSS v4.0: ALTA
Última modificación:
10/07/2026