Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-49988

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, the Repomix MCP server attach_packed_output and read_repomix_output flow can register and read arbitrary local .json, .txt, .md, or .xml files without the file_system_read_file runSecretLint() safety check or Repomix packed-output validation, allowing MCP callers to bypass the local file-read secret-scanning boundary. This issue is fixed in version 1.14.1.
Gravedad CVSS v4.0: MEDIA
Última modificación:
15/07/2026

CVE-2026-49987

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, src/core/git/gitCommand.ts execGitShallowClone passes the --remote-branch value directly to git fetch and git checkout without validation or --end-of-options, allowing --upload-pack or other Git option injection that bypasses validateGitUrl() dangerous parameter checks and can execute commands through local or SSH-style transports. This issue is fixed in version 1.14.1.
Gravedad CVSS v4.0: ALTA
Última modificación:
15/07/2026

CVE-2026-46485

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Dashy is a self-hostable personal dashboard. Prior to 4.0.8, Dashy deployments using OIDC can allow unauthenticated users or non-admin authenticated users to write changes to the main config.yaml through the config-saving functionality despite configured permissions, allowing unauthorized modification of dashboard configuration and potential service disruption. This issue is fixed in version 4.0.8.
Gravedad CVSS v3.1: ALTA
Última modificación:
15/07/2026

CVE-2026-46421

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** The SAP Cloud Application Programming Model is a tool for building enterprise-grade cloud applications, and cap-js/cds-dbs is the monorepo for SQL database services for that tool. On April 29, 2026, compromised versions of `@cap-js/sqlite@2.2.2`, `@cap-js/postgres@2.2.2`, and `@cap-js/db-service@2.10.1` were published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised. User should upgrade to `@cap-js/sqlite` >= 2.4.0, `@cap-js/postgres` >= 2.3.0, `@cap-js/db-service` >= 2.11.0. If a compromised version was ever installed, rotate all affected credentials. No known workarounds are available.
Gravedad CVSS v4.0: CRÍTICA
Última modificación:
15/07/2026

CVE-2026-26032

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** The PackagerResolver of Apache Ivy is able to download online<br /> artifacts and to (re)package them in a format defined by a<br /> packager.xml file. This repackaging is done by an Ant script, which is<br /> stored in a subdirectory of the configured "buildRoot" directory. This<br /> subdirectory is calculated based on modules coordinates, like the<br /> organisation, name or version.<br /> <br /> If one of the coordinates contains "../" sequences - which are valid<br /> characters for Ivy coordinates in general- it is possible to break out<br /> of the configured "buildRoot" directory where other files can be<br /> overwritten.<br /> <br /> In order to exploit this vulnerability an attacker needs to have<br /> access to a packager repository and add or modify the coordinates in<br /> ivy.xml files to have such "../" sequences.<br /> <br /> Users of Apache Ivy 2.0.0 to 2.5.3 (inclusive) should upgrade to Ivy 2.6.0.
Gravedad CVSS v3.1: MEDIA
Última modificación:
16/07/2026

CVE-2026-15895

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** OS command injection in the npm package loading component in AWS jsii-diff before 1.131.0 might allow context-dependent attackers to execute arbitrary commands via crafted package specifiers passed to the npm: source argument.<br /> <br /> <br /> <br /> To mitigate this issue, users should upgrade to jsii-diff v1.131.0 or later.
Gravedad CVSS v4.0: ALTA
Última modificación:
15/07/2026

CVE-2026-15746

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Strands Agents is an open-source Python SDK for building and running AI agents. The strands-agents-tools package provides pre-built tools for use with the SDK, including the elasticsearch_memory tool for agent memory storage. We identified CVE-2026-15746, a server-side request forgery (SSRF) issue in the elasticsearch_memory tool. The tool exposed its connection parameters (es_url, cloud_id, api_key) as fields the large language model (LLM) could control through the tool schema. When a caller omitted the api_key parameter, the tool fell back to the operator&amp;#39;s ELASTICSEARCH_API_KEY environment variable and sent it to whichever host the LLM specified. A crafted prompt could cause the tool to connect to a threat-actor-controlled server and disclose the operator&amp;#39;s Elasticsearch API key in the Authorization header.<br /> <br /> <br /> <br /> We recommend you upgrade to strands-agents-tools version 0.7.0 or later. As a precautionary measure, we recommend all operators rotate their ELASTICSEARCH_API_KEY, even if there is no indication the credential was exposed.
Gravedad CVSS v4.0: MEDIA
Última modificación:
15/07/2026

CVE-2026-12997

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** The Gravity Forms plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.10.4 via the &amp;#39;gform_uploaded_files&amp;#39; parameter parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires the targeted form to not enforce login (so publicly accessible), which allows the unauthenticated attacker to reach the process_send_resume_link endpoint and supply an arbitrary recipient email address to receive the traversal-retrieved file as a notification attachment.
Gravedad CVSS v3.1: ALTA
Última modificación:
15/07/2026

CVE-2026-8055

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-48866. Reason: This candidate is a reservation duplicate of CVE-2026-48866. Notes: All CVE users should reference CVE-2026-48866 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Gravedad: Pendiente de análisis
Última modificación:
15/07/2026

CVE-2026-62948

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** OpenWrt is a Linux operating system targeting embedded devices. Prior to 25.12.5, odhcpd writes a DHCPv6 client FQDN option 39 hostname into /tmp/odhcpd.leases through src/statefiles.c statefiles_write_state6() and statefiles_write_state4() without escaping, allowing newline injection of forged lease lines that LuCI rpcd-mod-luci getDHCPLeases displays through htdocs/luci-static/resources/view/status/include/40_dhcp.js and htdocs/luci-static/resources/luci.js dom.append as live HTML in the Active DHCPv6 Leases admin page. This vulnerability is fixed in 25.12.5.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
15/07/2026

CVE-2026-61643

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** FastGPT is a knowledge-based AI application platform. From 4.14.17 until 4.15.0-beta5, an authenticated FastGPT user can save a workflow node that points to another user&amp;#39;s private HTTP toolset by using a crafted saved tool id such as http-/. The normal toolset routes deny access, but the workflow save and runtime path did not apply the same authorization check to the referenced toolset, allowing /api/v2/chat/completions to resolve the saved reference and execute the victim-owned HTTP tool. This issue is fixed in version 4.15.0-beta5.
Gravedad CVSS v3.1: MEDIA
Última modificación:
15/07/2026

CVE-2026-59255

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** BloodHound through 9.4.0, fixed in commit 8f79035, contains a missing authorization vulnerability in the custom-nodes API endpoints that allows any authenticated user to modify the global graph schema. Attackers with valid session tokens can create, update, or delete custom node types affecting all users and tenants by invoking unprotected POST, PUT, and DELETE operations on the custom-nodes endpoints.
Gravedad CVSS v4.0: ALTA
Última modificación:
15/07/2026