Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-52841

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, `Google::oauth` at `application/controllers/Google.php:278` stores its URL-supplied `provider_id` in the session, and `oauth_callback` saves the issued Google OAuth token against that row without checking the caller owns the provider. Any logged-in backend user (admin, provider, or secretary) rebinds a peer provider's Google sync to a Google account they control. The peer's appointments then sync into the attacker's calendar with each customer's name and email attached as attendee data. Version 1.6.0 patches the issue.
Gravedad CVSS v3.1: BAJA
Última modificación:
14/07/2026

CVE-2026-55651

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Easy!Appointments is a self hosted appointment scheduler. In version 1.5.2, an Excessive Data Exposure vulnerability in the customers search endpoint allows an authenticated user to obtain appointment hashes belonging to other users.<br /> Using these hashes, an attacker can modify or delete appointments of other providers, resulting in an Appointments Takeover. Version 1.6.0 fixes the issue.
Gravedad CVSS v3.1: ALTA
Última modificación:
14/07/2026

CVE-2026-52838

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 allow administrators to define a custom "booking disabled" message through the booking settings page. That value is stored in the `disable_booking_message` setting via a rich-text editor and later passed directly to the public `booking_message` view without escaping or sanitization. An authenticated administrator can store HTML or JavaScript in this field, enable disabled-booking mode, and trigger stored XSS in every unauthenticated visitor who opens the public booking page. Version 1.6.0 fixes the issue.
Gravedad CVSS v3.1: BAJA
Última modificación:
14/07/2026

CVE-2026-52840

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, `Caldav::connect_to_server` at `application/controllers/Caldav.php:60` hands the request&amp;#39;s `caldav_url` to a Guzzle `REPORT` call without scheme or host validation. A logged-in backend user (admin, provider, or secretary) reaches loopback, RFC1918, and link-local hosts on the deployment&amp;#39;s network. The Guzzle exception path returns the upstream status code plus ~120 bytes of response body in the JSON `message` field (`Caldav.php:74-78`), so the SSRF is semi-blind. Version 1.6.0 contains a patch.
Gravedad CVSS v3.1: BAJA
Última modificación:
15/07/2026

CVE-2026-52839

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 correctly filter provider-scoped appointments in the `appointments/search` response, proving that provider isolation is an intended security boundary. However, the direct mutation endpoints `appointments/store` and `appointments/update` only check generic appointment privileges and never verify that the submitted `id_users_provider` belongs to the current session. A normal authenticated provider can inject new appointments into another provider&amp;#39;s schedule via `store`, or reassign existing appointments into a foreign provider&amp;#39;s calendar via `update`. The `store` path contains an additional write-before-crash bug: the unauthorized row is committed to the database before the controller crashes on a type error, so the attacker receives an error response while the foreign appointment is already persisted. Version 1.6.0 patches the issue.
Gravedad CVSS v3.1: BAJA
Última modificación:
15/07/2026

CVE-2026-23573

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** An Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability [CWE-79] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.6, FortiOS 7.4 all versions, FortiOS 7.2 all versions, FortiPAM 1.8.0, FortiPAM 1.7 all versions, FortiPAM 1.6 all versions, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.4.0 through 7.4.3, FortiProxy 7.2.0 through 7.2.9 may allow an authenticated remote user to execute code or commands via crafted requests.
Gravedad CVSS v3.1: MEDIA
Última modificación:
14/07/2026

CVE-2026-15698

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was determined in kofrasa mingo up to 7.2.1. This impacts the function update/updateOne/updateMany of the component Update API. Executing a manipulation of the argument Set can lead to improperly controlled modification of object prototype attributes. The attack may be launched remotely. Upgrading to version 7.2.2 will fix this issue. This patch is called fadc398251792c2ba441cbc539f359fc7943c0c2. It is recommended to upgrade the affected component.
Gravedad CVSS v4.0: BAJA
Última modificación:
14/07/2026

CVE-2026-15699

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was identified in spencermountain compromise up to 14.15.1. Affected is the function nlp.extend of the file src/API/extend.js of the component Public Root API. The manipulation of the argument plugin leads to improperly controlled modification of object prototype attributes. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is b4644ab7179700df0607521f61c1ee9b5f78d89d. Applying a patch is the recommended action to fix this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Gravedad CVSS v4.0: BAJA
Última modificación:
14/07/2026

CVE-2026-15697

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was found in svgdotjs svg.js up to 3.2.5. This affects the function EventTarget.on of the file svgdotjs/svg.js of the component npm Package API. Performing a manipulation results in improperly controlled modification of object prototype attributes. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.
Gravedad CVSS v4.0: BAJA
Última modificación:
15/07/2026

CVE-2026-12707

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Summary<br /> <br /> <br /> <br /> Cloudflare quiche was discovered to be vulnerable to memory resource exhaustion due to unbounded queuing of post-handshake client migration events.<br /> <br /> <br /> <br /> Impact<br /> <br /> <br /> <br /> quiche supports the connection migration features described in Section 9 of RFC 9000, which allows a single QUIC connection to survive changes in the network path. Although quiche implements the protections described in Section 9.3 of RFC 9000 to limit server state commitment, it was discovered that the collection of PathEvents, intended to be consumed by applications via the path_event_next() function, was not bounded.<br /> <br /> <br /> <br /> Once the QUIC handshake completed, a peer could exploit rapid source address migration in order to cause unbounded queuing of the PathEvent::ReusedSourceConnectionId type. Servers are vulnerable even if active connection migration is disabled.<br /> <br /> <br /> <br /> Mitigation:<br /> <br /> * <br /> <br /> Applications can call path_event_next() to drain the PathEvent collection, mitigating the attack.<br /> <br /> <br /> * <br /> <br /> Users are requested to upgrade to quiche 0.29.3 which is the earliest version that prevents excessive queueing of PathEvent::ReusedSourceConnectionId.
Gravedad CVSS v3.1: ALTA
Última modificación:
14/07/2026

CVE-2026-12659

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** A denial-of-service security issue exists in the affected products. The security issue stems from improper handling of exceptional conditions when processing crafted CIP packets sent to the adapter. A power cycle is required to recover the module and associated I/O.
Gravedad CVSS v4.0: ALTA
Última modificación:
14/07/2026

CVE-2026-15392

Fecha de publicación:
14/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** DBD::File versions before 1.651 for Perl do not ensure the table file is not a symlink to an untrusted location.<br /> <br /> The complete_table_name method builds the absolute table file path without checking whether the file is a symbolic link. A link inside the data directory can point to a table file at any path outside of the configured f_dir and f_dir_search directories.<br /> <br /> Callers of file-based drivers can read or write files outside of the data directory.
Gravedad CVSS v3.1: ALTA
Última modificación:
15/07/2026