Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-55771

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 4.9.0, the EntityIdentifier.equals() has inverted null/self branches which could lead to incorrect equality comparisons. The EntityIdentifier.equals() method has inverted logic for null and self-reference checks, returning true for null comparisons and false for self-comparisons. This does not affect Cedar authorization decisions (computed in Rust from JSON), but could affect integrators who perform their own equality checks on entity identifiers. This issue has been fixed in version 4.9.0.
Gravedad CVSS v3.1: ALTA
Última modificación:
14/07/2026

CVE-2026-12536

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Gravedad CVSS v3.1: MEDIA
Última modificación:
14/07/2026

CVE-2026-12385

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** The Smart Slider 3 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.1.37 via the 'keyword' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts authored by any user, including Administrators and Editors. The required nonce is emitted on /wp-admin/post-new.php, which is accessible to Contributor-level users via the edit_posts capability, meaning any Contributor can obtain the nonce needed to trigger the injection.
Gravedad CVSS v3.1: MEDIA
Última modificación:
14/07/2026

CVE-2026-6875

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability could enable an unauthenticated user, in certain circumstances, to execute code within the ServiceNow platform.<br /> <br /> <br /> ServiceNow addressed this vulnerability by deploying a security update to hosted instances. Relevant security updates have also been provided to ServiceNow self-hosted customers and partners.<br /> <br /> <br /> <br /> <br /> Further, the vulnerability is addressed in the listed patches and family releases, which have been made available to hosted and self-hosted customers, as well as partners. We are not currently aware of exploitation against ServiceNow instances.<br /> <br /> <br /> <br /> <br /> We recommend customers promptly apply appropriate updates or upgrade to a patched release if they have not already done so.
Gravedad CVSS v4.0: CRÍTICA
Última modificación:
14/07/2026

CVE-2026-58228

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Cross-site scripting vulnerability in phoenixframework phoenix_live_view allows an attacker to bypass URL scheme validation and execute JavaScript in a victim&amp;#39;s browser session.<br /> <br /> The Phoenix.LiveView.Utils.valid_destination!/2 and Phoenix.LiveView.Utils.valid_live_navigation_destination!/2 functions in lib/phoenix_live_view/utils.ex rely on an internal uri_scheme/1 helper that only detects a scheme when the input&amp;#39;s first byte is an ASCII letter. Inputs beginning with an ASCII control character or space fall through to a nil-returning clause, causing the URL to be treated as a safe relative path.<br /> <br /> Standard browsers implement the WHATWG URL parser, which strips leading C0 control and space characters before parsing. As a result, an input such as " javascript:alert(1)" is passed unchanged into and, when clicked, is parsed by the browser as a javascript: URL that executes attacker-controlled script in the victim&amp;#39;s session.<br /> <br /> Applications that render user-supplied URLs (for example profile links, redirect targets, or external references) via are affected.<br /> <br /> This issue affects phoenix_live_view: from 1.2.2 before 1.2.7.
Gravedad CVSS v4.0: MEDIA
Última modificación:
13/07/2026

CVE-2026-55772

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 2.3.6, 3.4.1 and 4.9.0, under certain circumstances, improper input handling could allow Record-to-Entity type confusion across the Java-Rust FFI boundary. CedarJava sends authorization requests to the Rust cedar-policy evaluator as JSON. The JSON protocol reserves magic single-key object shapes (__entity and __extn) for entity references and extension values. When serializing a CedarMap, there is no validation preventing these reserved keys from being used. If an integrating service builds a CedarMap from caller-supplied key/value data (such as request headers, user-defined metadata, or resource tags), an actor who controls those keys could cause the Rust evaluator to interpret a record as an entity reference. This issue requires the integrating service to build a CedarMap where the an actor controls the keys, and a policy must reference that value in a when/unless clause. This vulnerability has been fixed in versions 2.3.6, 3.4.1, and 4.9.
Gravedad CVSS v3.1: ALTA
Última modificación:
13/07/2026

CVE-2026-49972

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Laravel-Mediable before 7.0.0 contains a file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading a file with an embedded PHP extension disguised within a double extension such as shell.php.jpg. The PATHINFO_FILENAME extraction preserves the inner .php extension in the base name, and on misconfigured Apache or nginx servers that execute any filename containing .php as PHP, the stored file is interpreted as executable code while all MIME type, extension, and aggregate type validation checks pass due to the outer .jpg extension.
Gravedad CVSS v4.0: ALTA
Última modificación:
13/07/2026

CVE-2026-49971

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Laravel-Mediable before 7.0.0 contains a stored cross-site scripting vulnerability that allows authenticated or anonymous users to execute arbitrary JavaScript by uploading unsanitized SVG files containing embedded scripts in onload event handlers, script tags, or foreignObject elements. Attackers can store persistent XSS payloads in uploaded SVG files that execute with full DOM access when victims open or preview the file, enabling session cookie theft, CSRF token capture, and account takeover.
Gravedad CVSS v4.0: MEDIA
Última modificación:
14/07/2026

CVE-2026-49969

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUploader::fromSource(). Attackers can craft URLs targeting RFC-1918 addresses, loopback interfaces, cloud metadata endpoints, or file:// URIs through RemoteUrlAdapter to reach internal infrastructure, retrieve sensitive files, and exfiltrate cloud credentials such as IAM tokens from instance metadata services.
Gravedad CVSS v4.0: MEDIA
Última modificación:
13/07/2026

CVE-2026-49970

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Laravel-Mediable before 7.0.0 contains a path traversal vulnerability in the File::sanitizePath() function that allows attackers to write uploaded files to arbitrary locations by controlling the directory argument passed to MediaUploader::toDestination(). Attackers can exploit the permissive character-class regex that allows both dot and slash characters combined with an ineffective trailing trim() call to bypass sanitization and upload files to sensitive locations such as the document root, environment configuration files, or application configuration directories, enabling remote code execution.
Gravedad CVSS v4.0: ALTA
Última modificación:
14/07/2026

CVE-2026-26396

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** OpenBMB XAgent v1.0.0 and before is vulnerable to path traversal in the file() function in XAgent/XAgentServer/application/routers/workspace.py. The input parameter “filename” is user-controllable and is concatenated into the file path to be read without proper validation, leading to a directory traversal vulnerability that may result in sensitive information disclosure.
Gravedad CVSS v3.1: ALTA
Última modificación:
13/07/2026

CVE-2026-14906

Fecha de publicación:
13/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Pages with malicious titles could potentially allow saved PDF content to overwrite PDF files or bundled content within the Firefox for iOS application sandbox. This vulnerability was fixed in Firefox for iOS 152.4.
Gravedad CVSS v3.1: MEDIA
Última modificación:
13/07/2026