Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2025-71216

Fecha de publicación:
21/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent cache mechanism could allow a local attacker to escalate privileges on affected installations.<br /> <br /> Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.<br /> <br /> The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 &amp; 2005 Yearly Release).
Gravedad CVSS v3.1: ALTA
Última modificación:
05/06/2026

CVE-2025-71215

Fecha de publicación:
21/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent iCore service signature verification could allow a local attacker to escalate privileges on affected installations.<br /> <br /> Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.<br /> <br /> The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 &amp; 2005 Yearly Release).
Gravedad CVSS v3.1: ALTA
Última modificación:
05/06/2026

CVE-2025-71214

Fecha de publicación:
21/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** An origin validation error vulnerability in the Trend Micro Apex One (mac) agent iCore service could allow a local attacker to escalate privileges on affected installations.<br /> <br /> Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.<br /> <br /> The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 &amp; 2005 Yearly Release).
Gravedad CVSS v3.1: ALTA
Última modificación:
05/06/2026

CVE-2025-71210

Fecha de publicación:
21/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations.<br /> <br /> Please note: although this vulnerability carries a technical critical CVSS rating, this was reported via responsible disclosure via a researcher through the Zero Day Initiative. The SaaS versions of the product have already been mitigated and no customer action required.<br /> <br /> For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console�s IP address exposed externally should consider mitigating factors such as source restrictions if not already applied.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
21/05/2026

CVE-2025-71211

Fecha de publicación:
21/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is similar in scope to CVE-2025-71210 but affects a different executable. <br /> <br /> Please note: although this vulnerability carries a technical critical CVSS rating, this was reported via responsible disclosure via a researcher through the Zero Day Initiative. The SaaS versions of the product have already been mitigated and no customer action required.<br /> <br /> For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console�s IP address exposed externally should consider mitigating factors such as source restrictions if not already applied.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
21/05/2026

CVE-2025-71212

Fecha de publicación:
21/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A link following vulnerability in the Trend Micro Apex One scan engine could allow a local attacker to escalate privileges on affected installations.<br /> <br /> Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
Gravedad CVSS v3.1: ALTA
Última modificación:
21/05/2026

CVE-2025-71213

Fecha de publicación:
21/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** An origin validation error vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations.<br /> <br /> Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
Gravedad CVSS v3.1: ALTA
Última modificación:
21/05/2026

CVE-2025-13477

Fecha de publicación:
21/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Exposure of private personal information to an unauthorized actor, Insufficiently Protected Credentials vulnerability in Digital Operations Services Inc. WifiBurada allows Authentication Bypass.<br /> <br /> This issue affects WifiBurada: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Gravedad CVSS v3.1: ALTA
Última modificación:
21/05/2026

CVE-2025-13479

Fecha de publicación:
21/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers.<br /> <br /> This issue affects QR Menu: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Gravedad CVSS v3.1: ALTA
Última modificación:
21/05/2026

CVE-2026-5118

Fecha de publicación:
21/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled &amp;#39;role&amp;#39; parameter from POST data during user registration without validating it against the form&amp;#39;s configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
21/05/2026

CVE-2026-6841

Fecha de publicación:
21/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser.<br /> <br /> This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
Gravedad CVSS v4.0: MEDIA
Última modificación:
01/06/2026

CVE-2026-45760

Fecha de publicación:
21/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** (Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace.<br /> <br /> This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1.<br /> <br /> Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.
Gravedad CVSS v3.1: ALTA
Última modificación:
23/05/2026