Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-44752

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** SAP NetWeaver Application Server Java allows an unauthenticated attacker to inject malicious JavaScript through crafted URLs. When a victim accesses such a URL, the script executes in the user's browser, allowing the attacker to access sensitive session information and modify non-sensitive data displayed in the client�s browser. This results in a high impact on confidentiality, low impact on integrity with no impact on availability of the application.
Gravedad CVSS v3.1: ALTA
Última modificación:
14/07/2026

CVE-2026-44753

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** SAP HANA Database (user self service tools) allows an unauthenticated user to send specially crafted requests that produce distinguishable responses, enabling enumeration of valid user accounts and email addresses. Successful exploitation could allow the attacker to enumerate valid user accounts, resulting in low impact on confidentiality, with no impact on integrity and availability of the application.
Gravedad CVSS v3.1: BAJA
Última modificación:
14/07/2026

CVE-2026-44759

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal content, or user redirection, resulting in a low impact on the application's confidentiality and integrity, with no impact on availability.
Gravedad CVSS v3.1: MEDIA
Última modificación:
14/07/2026

CVE-2026-44760

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Due to a Cross-Site Scripting (XSS) vulnerability, applications based on Business Server Pages framework in SAP NetWeaver Application Server ABAP reflects unsanitized input into the HTTP response which allows an attacker to inject and execute arbitrary JavaScript code under certain conditions. Successful exploitation could allow the attacker to steal session information, perform authenticated actions on behalf of the victim user etc. This vulnerability has low impact on confidentiality and integrity of the data and no impact on application 's availability.
Gravedad CVSS v3.1: MEDIA
Última modificación:
14/07/2026

CVE-2026-15620

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** A security vulnerability has been detected in mosaxiv clawlet up to 0.2.10. This affects the function tools.webFetch of the file tools/tool_web_fetch.go. Such manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed with the label "not planned".
Gravedad CVSS v4.0: BAJA
Última modificación:
14/07/2026

CVE-2026-0487

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** SAProuter on Microsoft Windows allows an unauthenticated attacker to load library (DLL) files from an untrusted location, allowing them to execute malicious code on the system. This could enable the attacker to hijack the DLL loading process and achieve arbitrary code execution. This has high impact on confidentiality, integrity and availability of the system.
Gravedad CVSS v3.1: ALTA
Última modificación:
14/07/2026

CVE-2026-15618

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** A security flaw has been discovered in mosaxiv clawlet up to 0.2.10. The affected element is the function guardExecCommand of the file tools/tool_exec.go of the component exec Safety Guard. The manipulation results in protection mechanism failure. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed with the label "not planned".
Gravedad CVSS v4.0: BAJA
Última modificación:
14/07/2026

CVE-2026-15619

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** A weakness has been identified in mosaxiv clawlet up to 0.2.10. The impacted element is the function web_fetch of the file tools/tool_web_fetch.go of the component IPv4 Handler. This manipulation of the argument url causes server-side request forgery. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The reported GitHub issue was closed with the label "not planned".
Gravedad CVSS v4.0: BAJA
Última modificación:
14/07/2026

CVE-2026-58486

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to version 1.11.0, HedgeDoc was vulnerable to a YAML alias bomb due to unsafe processing of the note frontmatter. HedgeDoc parsed frontmatter with js-yaml.load (js-yaml v3) via @hedgedoc/meta-marked, which resolved YAML anchor aliases. A compact malicious payload could therefore expand into a huge object structure, consuming excessive CPU. This expansion ran on every request to the publish view (/s/) and, when placed under the opengraph key, the editor view (/). A ten-level alias bomb could block the single Node.js event loop for roughly 235 seconds per request, causing concurrent requests to hang or drop and rendering the instance unavailable (DoS). Because the note was stored in the database, the impact survived process restarts until the note was removed. toobusy-js did not reliably mitigate the worst cases, as the event loop was saturated before the middleware could respond. This issue was fixed in version 1.11.0.
Gravedad CVSS v4.0: ALTA
Última modificación:
14/07/2026

CVE-2026-58489

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** HedgeDoc is an open source, real-time collaborative markdown notes application. Prior to 1.11.0, the GitHub Gist export flow created an OAuth2  state  value but only checked that it was present rather than validating it against the value expected for the user's session. Because the state was not properly validated, an attacker could forge a callback URL containing their own valid GitHub OAuth code. When processing the callback, HedgeDoc used the victim's logged-in session to select which note to export, but the attacker's authorization code to determine which GitHub account received it. As a result, a logged-in victim who clicked a crafted link could export their own private, protected, or limited note directly into a Gist controlled by the attacker. This issue has been fixed in version 1.11.0.
Gravedad CVSS v4.0: MEDIA
Última modificación:
14/07/2026

CVE-2026-58101

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow denial of service via NULL pointer dereference.<br /> <br /> X509V3_EXT_d2i(ext) returns NULL when an extension&amp;#39;s DER value fails to parse. basicC, ia5string, and auth_att dereference its result without a NULL check. keyid_data also dereferences akid-&gt;keyid, which is NULL for an empty AKI SEQUENCE (DER 30 00) even when the parse succeeds.<br /> <br /> A caller invoking an affected helper on an extension from an untrusted certificate triggers a SIGSEGV that crashes the Perl process.
Gravedad CVSS v3.1: ALTA
Última modificación:
14/07/2026

CVE-2026-58102

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow a heap out-of-bounds read via a long certificate extension OID in hv_exts.<br /> <br /> When building the extension hash (via extensions(), extensions_by_long_name(), extensions_by_oid(), or has_extension_oid()), the code passes OBJ_obj2txt()&amp;#39;s return value as the hash-key length; because that value is the OID&amp;#39;s full text length rather than the bytes written to the fixed-size buffer (129 bytes), an OID whose text is longer than the 129-byte buffer causes a read past the allocation, exposing adjacent heap memory as the returned hash key. extensions_by_name() uses the static shortname path and is not affected.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
14/07/2026