Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-54429

Publication date:
14/07/2026
A vulnerability has been identified in SIMATIC S7-PLCSIM Advanced (All versions). Affected devices do not properly handle high-volume multicast network traffic, which can exhaust available memory resources in the affected application. This could allow an unauthenticated attacker on the local network segment to cause a denial-of-service condition of the affected application. The affected application becomes inaccessible and requires a manual restart; no project data is lost. Successful exploitation requires a specific project configuration to be already active on the targeted instance.
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-56451

Publication date:
14/07/2026
A vulnerability has been identified in Opcenter X (All versions
Severity CVSS v4.0: CRITICAL
Last modification:
14/07/2026

CVE-2026-58319

Publication date:
14/07/2026
Certain Apache Doris FE HTTP REST administrative APIs were accessible without proper authentication. An unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially affecting cluster integrity and availability and leading to cluster instability or denial of service. <br /> <br /> This issue affects Apache Doris versions prior to 3.1.0. Users are advised to upgrade to Apache Doris 3.1.0 or later.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-3014

Publication date:
14/07/2026
Milestone<br /> has released a new version of XProtect® (and several cumulative patch updates)<br /> which fix security vulnerability in Management Server API. <br /> <br /> <br /> <br /> The vulnerability<br /> causes users with edit permissions to the Management Server to be able to<br /> execute arbitrary code in context of the Management Server Service.
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-14852

Publication date:
14/07/2026
Privilege escalation in Checkmk versions 2.5.0 before 2.5.0p9, 2.4.0 before 2.4.0p34, 2.3.0 before 2.3.0p49, and 2.2.0 (EOL) allows a local unprivileged user to execute arbitrary commands as root by starting a process crafted to look like a SAP HANA instance. Without an explicit database configuration, the mk_sap_hana agent plugin derives instance identifiers from the process list and uses them to build a command executed with elevated privileges (requires the plugin to run as root with RUNAS=agent).
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-15043

Publication date:
14/07/2026
DBI::SQL::Nano versions from 1.42 before 1.651 for Perl have inverted = SQL operators on text.<br /> <br /> DBI::SQL::Nano, DBI&amp;#39;s built-in mini-SQL engine, evaluated WHERE predicates incorrectly in some cases. In the non-numeric string branch of the is_matched method, = was evaluated using Perl&amp;#39;s le operator.<br /> <br /> SQL::Nano is the fallback query engine for DBI&amp;#39;s file-backed drivers (DBD::File, DBD::DBM, CSV-style drivers) whenever SQL::Statement is not installed, and is forced whenever DBI_SQL_NANO=1. Queries over such tables use these predicates directly.<br /> <br /> The impact depends on the context. Where an application relies on a WHERE clause to filter file-backed data for policy or authorization, an inverted = comparison silently returns the wrong rows.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2025-40945

Publication date:
14/07/2026
A vulnerability has been identified in COMOS V10.4.5 (All versions
Severity CVSS v4.0: HIGH
Last modification:
14/07/2026

CVE-2026-12478

Publication date:
14/07/2026
The fix for CVE-2026-0716 (commit 6ff7ef0, libsoup 3.6.6) placed the integer overflow guard inside the if (masked) block, leaving unmasked server-to-client frames unprotected. A malicious WebSocket server can send a crafted unmasked frame with a payload length near UINT64_MAX to trigger an OOB read in a libsoup-based client when max_incoming_payload_size is set to 0.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-8384

Publication date:
14/07/2026
In Eclipse Jetty, an HTTP URI of this form:<br /> <br /> <br /> <br /> <br /> <br /> /public;/../admin/secret.txt<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> results in an unresolved path of:<br /> <br /> <br /> <br /> <br /> <br /> /public/../admin/secret.txt<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> instead of the expected:<br /> <br /> <br /> <br /> <br /> <br /> /admin/secret.txt<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).<br /> <br /> <br /> <br /> <br /> However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-9561

Publication date:
14/07/2026
Eclipse Kura versions prior to 5.6.2 trust the client-supplied X-Forwarded-For HTTP header as the authoritative source of the client IP address in audit log entries. The org.eclipse.kura.web2 (Web Console) and org.eclipse.kura.rest.provider (REST API) components use this header as the primary IP source when initializing audit context, and org.eclipse.kura.jetty.customizer unconditionally installs Jetty&amp;#39;s ForwardedRequestCustomizer on all HTTP/HTTPS connectors, causing HttpServletRequest.getRemoteAddr() to reflect the attacker-controlled header value. An unauthenticated remote attacker can exploit this vulnerability to bypass IP-based brute-force protections — such as fail2ban — by spoofing the logged IP address to a non-routable value, allowing a brute-force attack to proceed undetected, or to cause a denial of service against a third party by injecting a victim&amp;#39;s IP address and triggering a ban on that address.
Severity CVSS v4.0: HIGH
Last modification:
14/07/2026

CVE-2026-57898

Publication date:
14/07/2026
In Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12, deployments using the MongoDB backend are vulnerable to an unauthenticated arbitrary file write through the AAS thumbnail API.<br /> <br /> <br /> <br /> <br /> The AAS thumbnail upload path accepted a client-controlled fileName request parameter and passed it through repository file handling as both a repository key and, during thumbnail retrieval, a local filesystem path. With the MongoDB file repository, the supplied filename was treated as an opaque GridFS key and was not normalized or restricted as a filesystem path. A remote attacker could upload thumbnail content using an absolute or traversal-style filename, then trigger thumbnail retrieval so that the uploaded bytes were written to the attacker-chosen path on the server filesystem.<br /> <br /> <br /> <br /> <br /> This could allow writing files anywhere the Java process has permission to write and may lead to remote code execution. The default InMemory backend is not affected by this specific path because it normalizes and restricts file paths to its temporary directory.<br /> <br /> <br /> <br /> <br /> The issue is fixed in Eclipse BaSyx Java Server SDK 2.0.0-milestone-13.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-58229

Publication date:
14/07/2026
Allocation of resources without limits vulnerability in elixir-mint mint allows a remote HTTP server to exhaust memory on the client host and cause a denial of service.<br /> <br /> The Mint.HTTP1.decode_headers/5 and Mint.HTTP1.decode_trailer_headers/4 functions in lib/mint/http1.ex accumulate every parsed response header and chunked-trailer field into a per-request list that persists across incoming TCP segments as request.headers_buffer, and only clear it when the terminating blank line is received. The section has no cap on the number of headers or on total bytes, and the underlying :erlang.decode_packet(:httph_bin, binary, []) parser is invoked with an empty option list so its per-line and per-packet size limits also default to unlimited.<br /> <br /> A malicious HTTP server (reachable directly, via an attacker-controlled redirect, via SSRF, or via a man-in-the-middle) can stream complete header lines (or, after a chunked body, complete trailer lines) indefinitely without ever emitting the terminating blank line. The connection state grows without bound until the BEAM node is killed by the operating system&amp;#39;s out-of-memory handler, taking down the entire application that uses Mint as an HTTP client.<br /> <br /> This issue affects mint: from 0.1.0 before 1.9.2.
Severity CVSS v4.0: HIGH
Last modification:
14/07/2026