Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-59083

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Improper Handling of URL Encoding (Hex Encoding) vulnerability in Apache Tomcat&amp;#39;s rewrite valve allowed security constraint bypass for some configurations.<br /> <br /> This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.0.M1 through 9.0.119, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.<br /> <br /> Users are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120, which fix the issue.
Gravedad: Pendiente de análisis
Última modificación:
14/07/2026

CVE-2026-59084

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Insufficient Technical Documentation vulnerability in Apache Tomcat since the requirements to securely configure the EncryptInterceptor were not clearly documented.<br /> <br /> This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.13 through 9.0.119, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Other versions that have reached end of support may also be affected.<br /> <br /> Users are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120 which fix the issue.
Gravedad: Pendiente de análisis
Última modificación:
14/07/2026

CVE-2026-59246

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Allocation of resources without limits vulnerability in elixir-mint mint allows a remote HTTP/2 server to exhaust memory on the client host and cause a denial of service.<br /> <br /> The Mint.HTTP2.handle_continuation/3 function in lib/mint/http2.ex accumulates the header-block fragment carried by each HTTP/2 CONTINUATION frame into a growing conn.headers_being_processed nesting, one level deeper per frame, and only releases it when a frame with the END_HEADERS flag arrives. The only guard on this accumulator is Mint.HTTP2.assert_header_block_within_max_size/2, which sums the byte size of the fragments received so far. Because a CONTINUATION frame is permitted by the protocol to carry a zero-length payload, an unbounded chain of zero-length CONTINUATION frames adds no bytes to the running total, never trips the size cap, and never emits END_HEADERS, yet each frame still nests the accumulator one level deeper.<br /> <br /> A malicious HTTP/2 server (reachable directly, via an attacker-controlled redirect, via SSRF, or via a man-in-the-middle) can open a stream by sending a HEADERS frame without END_HEADERS and then stream zero-length CONTINUATION frames indefinitely. Client memory grows one cons cell per frame received; sustained bandwidth from the peer drives the BEAM node running the Mint client to memory exhaustion and eventual out-of-memory termination.<br /> <br /> This issue affects mint: from 0.1.0 before 1.9.2.
Gravedad CVSS v4.0: MEDIA
Última modificación:
14/07/2026

CVE-2026-6790

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** In Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the Host header (if present).<br /> <br /> <br /> <br /> <br /> This was not enforced in earlier HTTP RFC (for example, in RFC 2616), but it is in the latest RFC (9110 and 9112).<br /> <br /> <br /> <br /> <br /> This mismatch can cause a number of problems that may be classified as vulnerabilities such as:<br /> <br /> <br /> <br /> * <br /> <br /> URI constructions (for example, for redirects -- this is typical for login pages)<br /> <br /> * <br /> <br /> Virtual host selection<br /> <br /> * <br /> <br /> Reverse proxying<br /> <br /> * <br /> <br /> Misleading logs<br /> <br /> * <br /> <br /> Etc.<br /> <br /> <br /> <br /> <br /> <br /> <br /> Given that the latest RFCs require that request authority and Host header must match, Jetty should enforce this invariant.
Gravedad CVSS v3.1: MEDIA
Última modificación:
14/07/2026

CVE-2026-13699

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** In Eclipse KUKSA Databroker version 0.6.1, the kuksa.val.v2.VAL/PublishValue gRPC handler fails to validate the existence of the optional data_point field in PublishValueRequest. When a request contains a valid signal_id but omits data_point, the server directly calls unwrap() on request.data_point, triggering a panic in the Tokio worker thread. This issue can be triggered by any client holding a valid JWT token. Unauthenticated or invalid-token requests are rejected and do not reach the vulnerable path. The panic causes the individual gRPC call to be cancelled but does not terminate the Databroker process, which remains available for subsequent requests.
Gravedad CVSS v3.1: MEDIA
Última modificación:
14/07/2026

CVE-2026-15075

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** In Eclipse Vert.x versions up to and including 4.5.29 (4.x branch) and 5.1.4 (5.x branch), DefaultRedirectHandler (vertx-core) propagates all request headers as-is across cross-origin HTTP 30x redirects. Only Content-Length is stripped; no origin comparison (scheme, host, port) is performed before copying headers to the redirect target.<br /> As a result, credential headers, including Authorization, Cookie, Proxy-Authorization, and arbitrary custom headers such as X-API-Token, are forwarded to the redirect destination without the caller&amp;#39;s knowledge.<br /> <br /> <br /> <br /> <br /> An attacker who can cause a Vert.x HttpClient to issue a request that is redirected to an attacker-controlled host (for example, by supplying a URL to a webhook dispatcher, image proxy, or microservice URL fetcher) can capture bearer tokens, basic-auth credentials, session cookies, and API keys attached to the original request.
Gravedad CVSS v4.0: ALTA
Última modificación:
14/07/2026

CVE-2026-15076

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** In versions up to and including 4.5.29 (4.x branch) and 5.1.4 (5.x branch), the WebClientSession component of Eclipse Vert.x Web Client does not validate that the Domain attribute of a Set-Cookie response header matches the originating server&amp;#39;s domain, in violation of RFC 6265 section 5.3.<br /> An attacker who controls any server that the victim application contacts can inject a cookie scoped to an arbitrary third-party domain; because the session store performs no cross-domain ownership check, it stores and later transmits that cookie to the targeted domain.<br /> <br /> <br /> <br /> <br /> When the victim application subsequently sends a request to the targeted domain using the same WebClientSession, it presents the attacker-injected cookie, causing the receiving service to process the request under the attacker&amp;#39;s account. Sensitive data included in the victim application&amp;#39;s requests, such as payment amounts, card details, or other API payloads, may then be accessible to the attacker through their own account on that service.
Gravedad CVSS v4.0: ALTA
Última modificación:
14/07/2026

CVE-2026-15183

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Multiple input validation vulnerabilities in the Snowflake Spark Connector (spark-snowflake) versions prior to 3.2.1 can allow attackers to exfiltrate OAuth client credentials, execute arbitrary SQL with the connector&amp;#39;s Snowflake role, or redirect COPY operations to attacker-controlled storage. An attacker could exploit these vulnerabilities by supplying a crafted OAuth token request URL, placing malicious files in an ingestion pipeline, injecting SQL via staging options in a shared Spark environment , or issuing runtime SET commands in a shared Spark-SQL session to inject arbitrary SQL into the SnowflakeFallbackCatalog&amp;#39;s option map, which executes under the cluster admin&amp;#39;s JDBC credentials. Successful exploitation may result in credential theft, unauthorized access to Snowflake account data, or privilege escalation within connected infrastructure.
Gravedad CVSS v4.0: CRÍTICA
Última modificación:
14/07/2026

CVE-2026-15416

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** A flaw was identified in Argo CD, the GitOps engine used by Red Hat OpenShift GitOps, that could allow an unauthenticated attacker with network access to the Argo CD repo-server to achieve remote code execution. Under certain conditions, the attacker may then manipulate cached data to deploy malicious Kubernetes resources to managed clusters, potentially resulting in complete cluster compromise.
Gravedad CVSS v3.1: ALTA
Última modificación:
14/07/2026

CVE-2024-7708

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** For requests that have a body, but reading the body may end up in reading 0 bytes, there is a buffer leak.<br /> This is particularly the case for 100-Continue, but any request where the network is slow can leak.
Gravedad CVSS v3.1: ALTA
Última modificación:
14/07/2026

CVE-2025-8412

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** A Buffer Copy without Checking Size of Input (&amp;#39;Classic Buffer Overflow&amp;#39;) vulnerability in SUSE Virtual Machine Driver Pack allows an attacker with the ability to modify the registry to affect the integrity of the driver. We&amp;#39;re not aware of a feasible way to exploit this currently.<br /> <br /> <br /> <br /> <br /> <br /> <br /> This issue affects Virtual Machine Driver Pack: before e7a602ec232756ead019bdf19d6d3b9d010cc94b.
Gravedad CVSS v4.0: BAJA
Última modificación:
14/07/2026

CVE-2026-10051

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** In Eclipse Jetty, a first HTTP/1.1 request with trailers causes the server to retain the trailers in subsequent requests performed over the same connection.<br /> Subsequent request that do not have trailers report the trailers of the first request.<br /> Subsequent request that do have trailers report the union of trailers of the first request and the current request.
Gravedad CVSS v4.0: MEDIA
Última modificación:
14/07/2026