Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-55659

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into inline scripts without fully escaping them, allowing cross-site scripting. On the main application page, a document's name or description, set by a document editor, is rendered into the page that other users load when opening the document. On the OAuth2 end-of-flow page, the openerOrigin request parameter was reflected back into the served page. Injected script runs in the victim's Grist origin and can act through the authenticated session, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15.
Gravedad CVSS v3.1: ALTA
Última modificación:
10/07/2026

CVE-2026-55664

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, the GET /forms endpoint read table and column metadata without applying the document's access rules and did not check that the requested section was actually a form. A user with only partial read access, including public access on a publicly viewable document, could request the metadata of any widget and reveal table and column structure that access rules would otherwise hide, even in documents that contain no forms. This issue is fixed in version 1.7.15.
Gravedad CVSS v3.1: MEDIA
Última modificación:
10/07/2026

CVE-2026-55665

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, Grist contained two cross-site scripting vulnerabilities where an attacker-controlled value reached a link's href without scheme validation, so a javascript URL could run in a victim's Grist origin on a single click. On the account-selection page, /welcome/select-account used its next query parameter as the account buttons' link target. In document tours, the GristDocTour table's Link_URL column became a clickable button, allowing an editor of a shared document to store a javascript URL there that ran when another user opened the document and clicked the tour link. Because the script runs in the victim's authenticated session, it can call Grist APIs as the victim, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15.
Gravedad CVSS v4.0: ALTA
Última modificación:
10/07/2026

CVE-2026-55213

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1, when h2o processes a QPACK instruction sent from the peer over HTTP/3, lib/http3/qpack.c might allocate an on-stack buffer as large as approximately 800 KB by calling alloca, which exceeds the default pthread stack size used by musl libc and causes the h2o server to crash with a segmentation fault while touching the guard page. This issue is fixed in commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1.
Gravedad CVSS v3.1: ALTA
Última modificación:
10/07/2026

CVE-2026-55229

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.34.0, Gotenberg's /forms/libreoffice/convert endpoint allows a specially crafted document to cause LibreOffice to automatically retrieve external HTTP(S) resources and local file resources during document conversion, enabling blind SSRF and limited local file disclosure via linked image resource loading. This issue is fixed in version 8.34.0.
Gravedad CVSS v3.1: ALTA
Última modificación:
10/07/2026

CVE-2026-55233

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** OpenResty is a high performance web platform. From 1.29.2.1 to before 1.29.2.5, an out-of-bounds write vulnerability exists in the upstream PROXY protocol v2 implementation. When OpenResty is configured to send PROXY protocol version 2 headers to upstream servers, constructing the header in the stream proxy protocol v2 patch can write beyond the bounds of the allocated buffer, causing the worker process to crash and resulting in a denial of service. Only configurations that explicitly enable PROXY protocol v2 for upstream connections are impacted. This issue is fixed in version 1.29.2.5.
Gravedad CVSS v3.1: ALTA
Última modificación:
10/07/2026

CVE-2026-55405

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** LangChain4j is a Java library for building LLM-powered applications on the JVM. Prior to 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, and 1.16.3-beta26, the MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating filter keys, and in MariaDB string values, directly into the query without adequate escaping. A crafted metadata key in EmbeddingSearchRequest.filter() can break out of its SQL context and inject arbitrary SQL into the statements executed by the stores' search and removeAll(Filter) operations, enabling blind data exfiltration, denial of service via sleep functions, and deletion of arbitrary rows through removeAll(Filter). This issue is fixed in langchain4j-mariadb and langchain4j-pgvector versions 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, and 1.16.3-beta26.
Gravedad CVSS v3.1: ALTA
Última modificación:
10/07/2026

CVE-2026-34196

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Software installed and run as a non-privileged user may conduct improper GPU system calls to cause an integer overflow and map two GPU virtual addresses to the same physical address. One of these virutal mappings can be freed along with the physical page, allowing for a read/write UAF via the second mapping<br /> <br /> <br /> <br /> The second virtual mapping references a physical address that has been freed after the first virtual mapping has been freed. This allows the physical memory to be allocated (for example) by another process and read/written to.
Gravedad: Pendiente de análisis
Última modificación:
10/07/2026

CVE-2026-41154

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Software installed and run as a non-privileged user may cause OOB kernel memory reads or writes through GPU API calls.<br /> <br /> <br /> <br /> When indexing pages larger than 4kB in the page freeing logic of the sparse memory implementation, incorrect buffer indexing leads to OOB access.
Gravedad: Pendiente de análisis
Última modificación:
10/07/2026

CVE-2026-45196

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a GPU register access which can lead to privilege escalation.
Gravedad: Pendiente de análisis
Última modificación:
10/07/2026

CVE-2026-45203

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a memory write outside the permitted range of memory for the host kernel.<br /> <br /> <br /> <br /> A TOCTOU bug existed where a malicious driver could modify values in memory after firmware validation but before use.
Gravedad: Pendiente de análisis
Última modificación:
10/07/2026

CVE-2026-12761

Fecha de publicación:
10/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the &amp;#39;email_field&amp;#39; POST parameter without verifying that the email belongs to the identity returned by the OAuth provider, combined with send_otp_token() returning the SHA-512(customer_key || otp) transaction hash to the client where the OTP space is only 99,000 values (wp_rand(1000, 99999)) and the customer_key is a static option (empty on unregistered installs). This makes it possible for unauthenticated attackers to trigger an OTP email to an arbitrary admin&amp;#39;s address, crack the OTP offline from the leaked hash in under a second, and submit the cracked OTP to mo_openid_social_login_validate_otp(), which logs the attacker in as the user whose email was supplied — granting full administrator access.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
10/07/2026