Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-4883

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function in all versions up to, and including, 2.1.40. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The exploit can only be exploited if a file field is added to the form.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
19/05/2026

CVE-2026-45442

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Missing Authorization vulnerability in Brainstorm Force Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels.<br /> <br /> This issue affects Presto Player: from n/a through 4.1.3.
Gravedad CVSS v3.1: MEDIA
Última modificación:
19/05/2026

CVE-2026-7860

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.<br /> <br /> <br /> Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:<br /> <br /> Product version<br /> Vaadin 23.0.0 - 23.6.9<br /> Vaadin 24.0.0 - 24.9.16<br /> Vaadin 24.10.0 - 24.10.3<br /> Vaadin 25.0.0 - 25.0.10<br /> Vaadin 25.1.0 - 25.1.4<br /> <br /> Mitigation<br /> Upgrade to 23.6.10<br /> Upgrade to 24.9.17 or newer<br /> Upgrade to 24.10.4 or newer<br /> Upgrade to 25.0.11 or newer<br /> Upgrade to 25.1.5 or newer<br /> <br /> Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.<br /> <br /> ArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-plugin-base24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-plugin-base24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-plugin-base25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-plugin-base25.1.0 - 25.1.4≥25.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-maven-plugin24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-maven-plugin25.1.0 - 25.1.4≥25.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-gradle-plugin24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-gradle-plugin25.1.0 - 25.1.4≥25.1.5
Gravedad CVSS v4.0: BAJA
Última modificación:
21/05/2026

CVE-2026-7571

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.
Gravedad CVSS v3.1: ALTA
Última modificación:
03/06/2026

CVE-2026-4630

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource&amp;#39;s unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.
Gravedad CVSS v3.1: MEDIA
Última modificación:
03/06/2026

CVE-2026-43493

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: pcrypt - Fix handling of MAY_BACKLOG requests<br /> <br /> MAY_BACKLOG requests can return EBUSY. Handle them by checking<br /> for that value and filtering out EINPROGRESS notifications.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
26/06/2026

CVE-2026-7307

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.
Gravedad CVSS v3.1: ALTA
Última modificación:
15/07/2026

CVE-2026-7504

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A flaw was found in Keycloak&amp;#39;s URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited.<br /> <br /> The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java&amp;#39;s URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak&amp;#39;s validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.
Gravedad CVSS v3.1: ALTA
Última modificación:
15/07/2026

CVE-2026-7507

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A session fixation vulnerability was found in Keycloak&amp;#39;s login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim&amp;#39;s credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.
Gravedad CVSS v3.1: ALTA
Última modificación:
15/07/2026

CVE-2026-37979

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A flaw was found in Keycloak. This access control vulnerability in Keycloak&amp;#39;s OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.
Gravedad CVSS v3.1: MEDIA
Última modificación:
03/06/2026

CVE-2026-37982

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak&amp;#39;s WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim&amp;#39;s account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.
Gravedad CVSS v3.1: MEDIA
Última modificación:
03/06/2026

CVE-2026-37981

Fecha de publicación:
19/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.
Gravedad CVSS v3.1: MEDIA
Última modificación:
03/06/2026