Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-16072

Publication date:
17/07/2026
A flaw was found in the organization management component of Keycloak. A delegated administrator with permission to manage organizations can create an invitation for a non-existent email address and then retrieve the secret registration link directly through the application programming interface. By using this link, the administrator can create new user accounts and add them to the organization without having the required user management permissions or access to the invited email account. This allows an administrator to bypass security boundaries and add unauthorized members to an organization.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2024-23564

Publication date:
17/07/2026
HCL Aftermarket EPC is affected by Business Logic Vulnerability using which a non valid user of the application can obtain passwords from the server and redirect them to their own email address by manipulating the server's response. The application includes checks in the initial requests to verify the validity of the provided UserId, but similar validation is not applied to Email requests when sending passwords to user emails.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2024-23567

Publication date:
17/07/2026
HCL Aftermarket EPC is affected by Sensitive Information in GET method & in URL which allows application to pass sensitive data via URL parameters during normal usage. Data passed in this manner can be exposed because it may end up stored in unintended locations, including server logs, local browser history and proxy logs.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-59695

Publication date:
17/07/2026
Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to drain the fee-payer wallet in a single request by naming an arbitrarily high gas price.<br /> <br /> When the mpp Elixir library is configured as fee payer (fee_payer: true), MPP.Tempo.Transaction.cosign_fee_payer/3 re-signs the client-supplied base fields of the 0x76 AASigned envelope verbatim, including max_fee_per_gas and max_priority_fee_per_gas, without validating that they are within reasonable bounds. A malicious client embeds arbitrarily large values for these fields in the signed envelope. The server co-signs and broadcasts the transaction. The effective_gas_price billed against the fee-payer wallet is derived from the attacker-supplied ceilings, so the server pays those inflated per-gas rates out of its own wallet. A single crafted request can drain the wallet entirely, after which the server can no longer sponsor gas for legitimate payment requests.<br /> <br /> This issue affects mpp: from 0.2.0 before 0.6.0.
Severity CVSS v4.0: HIGH
Last modification:
17/07/2026

CVE-2026-59252

Publication date:
17/07/2026
Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to drain the fee-payer wallet, resulting in denial of service for legitimate clients.<br /> <br /> When the mpp Elixir library is configured as fee payer (fee_payer: true), the MPP.Methods.Tempo payment method co-signs and broadcasts a client-supplied EVM transaction without first validating that the client-supplied gas_limit is sufficient to complete the intended call. A malicious client can submit a signed transferWithMemo transaction with gas_limit deliberately set just below the amount required for successful execution. The server co-signs the transaction and broadcasts it via rpc_broadcast_sync. The transaction runs out of gas during EVM execution and reverts, but the fee-payer wallet is still charged for the burned gas while the client pays nothing and receives no resource. Repeated requests from one or more malicious clients drain the fee-payer wallet at near-zero cost to the attacker, ultimately preventing the server from sponsoring gas for legitimate payment requests.<br /> <br /> The wait_for_confirmation = false (optimistic) path is also affected: it invokes simulate_payment_call via eth_call, but that simulation omits the gas parameter and therefore does not catch out-of-gas conditions.<br /> <br /> This issue affects mpp: from 0.2.0 before 0.6.0.
Severity CVSS v4.0: HIGH
Last modification:
17/07/2026

CVE-2026-59694

Publication date:
17/07/2026
Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to inflate the fee-payer&amp;#39;s gas cost per payment by a large multiplier, degrading the sponsor&amp;#39;s operating margin.<br /> <br /> When the mpp Elixir library is configured as fee payer (fee_payer: true), MPP.Tempo.Transaction.cosign_fee_payer/3 re-signs the client-supplied base fields of the 0x76 AASigned envelope verbatim, including the EIP-2930 access list, without validating its length or contents. EIP-2930 access list entries incur intrinsic gas (~2,400 gas per address, plus 1,900 gas per storage key) charged before any opcode executes, regardless of whether the listed addresses are ever touched. A malicious client submits a valid transferWithMemo call alongside a large number of fabricated access-list entries. The server co-signs and broadcasts the transaction. The intended transfer executes normally, but the fee-payer wallet pays a large multiple of the expected gas cost with no corresponding on-chain work.<br /> <br /> At the maintainer&amp;#39;s default of 137 access-list entries (fitting within Bandit&amp;#39;s 10,000-byte per-header-field limit) and 100 Gwei max_fee_per_gas, per-payment gas cost rises from ~51,287 to ~380,087 gas, a 7.4x multiplier. Sustained abuse destroys the sponsor&amp;#39;s operating margin on low-cost payments and, over time, drains the fee-payer wallet.<br /> <br /> This issue affects mpp: from 0.2.0 before 0.6.0.
Severity CVSS v4.0: HIGH
Last modification:
17/07/2026

CVE-2026-22104

Publication date:
17/07/2026
Improper access control in Hashtopolis server web-interface chunk activity component for versions prior to 0.14.8 allows any created account to read all cracked hashes of a Hashtopolis server instance.
Severity CVSS v4.0: HIGH
Last modification:
17/07/2026

CVE-2026-62764

Publication date:
17/07/2026
Improper Handling of Insufficient Privileges vulnerability in Apache Accumulo.<br /> An authenticated, but low-privileged user without system permissions may<br /> issue a remote command to gracefully shutdown system components<br /> (compaction-coordinator, compactor, gc, manager, monitor, tserver, or sserver),<br /> leading to a denial of service.<br /> <br /> This issue affects Apache Accumulo 2.1.4 and 2.1.5.<br /> <br /> Users are recommended to upgrade to version 2.1.6, which fixes the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2026

CVE-2026-9656

Publication date:
17/07/2026
The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site&amp;#39;s plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-15380

Publication date:
17/07/2026
A non-administrator interactive user can obtain full SYSTEM code execution through a DCOM/task scheduler logic chain — no network access, no memory corruption required (ITMS 8.7.3)
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2026

CVE-2026-15379

Publication date:
17/07/2026
The Altiris WMI provider exposes a class (AltirisAgent_Stream) that allows any local standard user to read the contents of any file accessible to the SYSTEM account, bypassing filesystem ACLs. No admin privileges required. The provider reverts to the LocalSystem context when servicing WMI queries without re-impersonating the caller. Any local standard user can therefore read SYSTEM-readable files — including configuration files, service logs, and secrets stored with SYSTEM/Administrator-only ACLs — by querying the provider directly.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2026

CVE-2026-9810

Publication date:
17/07/2026
The AI Copilot WordPress plugin before 1.5.4 does not bind OAuth access tokens to a WordPress user, and accepts any valid token as an administrator session, allowing unauthenticated attackers who complete the public OAuth flow to execute privileged MCP tools as an administrator, including arbitrary user creation and role escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026