Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-42096

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database. Due to lack of permission checks, any low privileged user can run arbitrary SQL queries within database user context.<br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Gravedad CVSS v4.0: ALTA
Última modificación:
02/06/2026

CVE-2026-42097

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST request allowing SQL query execution without authentication.<br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Gravedad CVSS v4.0: CRÍTICA
Última modificación:
02/06/2026

CVE-2026-42099

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Sparx Pro Cloud Server is vulnerable to a Race Condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed by guid parameter and saves loaded content in current location (__DIR__) under the specified name. An attacker with repository access can control both the filename and file contents, allowing the creation of a malicious PHP file in a current directory. Although the file is deleted after processing, a race condition exists: if the response transmission is delayed (e.g., via a large file or slow client connection), the file remains accessible. During this window, the attacker can issue a second request to execute the malicious PHP file, resulting in remote code execution.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Gravedad CVSS v4.0: ALTA
Última modificación:
02/06/2026

CVE-2026-23558

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** The adjustments made for XSA-379 as well as those subsequently becoming<br /> XSA-387 still left a race window, when a HVM or PVH guest does a grant<br /> table version change from v2 to v1 in parallel with mapping the status<br /> page(s) via XENMEM_add_to_physmap. Some of the status pages may then be<br /> freed while mappings of them would still be inserted into the guest&amp;#39;s<br /> secondary (P2M) page tables.
Gravedad CVSS v3.1: ALTA
Última modificación:
19/05/2026

CVE-2026-23557

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES<br /> command within a transaction due to an assert() triggering.<br /> <br /> In case xenstored was built with NDEBUG #defined nothing bad will<br /> happen, as assert() is doing nothing in this case. Note that the<br /> default is not to define NDEBUG for xenstored builds even in release<br /> builds of Xen.
Gravedad CVSS v3.1: MEDIA
Última modificación:
19/05/2026

CVE-2025-40903

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious restore schedule containing HTML tags. When a victim views the affected schedule, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Gravedad CVSS v4.0: MEDIA
Última modificación:
09/06/2026

CVE-2025-40904

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views the affected remote strategy in the Smart Polling functionality, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Gravedad CVSS v4.0: MEDIA
Última modificación:
09/06/2026

CVE-2025-14575

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS backend of Qt Network (qtbase) in Qt Qt Framework (Unix) allows a local attacker to load a rogue CA certificate as a trusted system authority via a crafted certificate file placed in the application&amp;#39;s working directory.
Gravedad CVSS v4.0: BAJA
Última modificación:
19/05/2026

CVE-2025-40900

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Gravedad CVSS v4.0: MEDIA
Última modificación:
09/06/2026

CVE-2025-40901

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious identity containing HTML tags. When a victim attempts to delete the affected identity, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Gravedad CVSS v4.0: MEDIA
Última modificación:
09/06/2026

CVE-2025-40902

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can create a malicious user whose username contains HTML tags. When a victim attempts to delete a group containing the affected user, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Gravedad CVSS v4.0: MEDIA
Última modificación:
09/06/2026

CVE-2026-8912

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the &amp;#39;form_input&amp;#39; parameter in versions up to, and including, 28.1.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query inside the unauthenticated &amp;#39;post_cg_gallery_form_upload&amp;#39; AJAX action (specifically the &amp;#39;cb&amp;#39; branch of the included users-upload-check.php, where $f_input_id is concatenated unquoted into &amp;#39;SELECT Field_Content FROM ... WHERE id = $f_input_id&amp;#39;). The endpoint is gated only by a public frontend nonce (&amp;#39;cg1l_action&amp;#39; / &amp;#39;cg_nonce&amp;#39;) that is exposed in the page source of any public gallery page. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Gravedad CVSS v3.1: ALTA
Última modificación:
19/05/2026