Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-15804

Publication date:
15/07/2026
The HCM developed by MetaGuru has a SQL Injection vulnerability. Authenticated remote attackers can inject SQL commands via specific parameters, thereby compromising the confidentiality, integrity, and availability of database data.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-14251

Publication date:
15/07/2026
A flaw was found in the OpenShift GitOps operator. The ClusterRole reconciler does not validate resource ownership when reconciling ClusterRole objects. A namespace-scoped Argo CD instance can trigger deletion of a ClusterRole owned by a cluster-scoped Argo CD instance by crafting a name collision, resulting in a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-15583

Publication date:
15/07/2026
A confused-deputy flaw in Grafana MCP Server allows an unauthenticated remote attacker to exfiltrate the server's environment-configured Grafana service-account token by supplying a crafted X-Grafana-URL request header. This also enables SSRF against arbitrary internal services, including cloud metadata endpoints.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-42936

Publication date:
15/07/2026
The installer of HYPER SBI 2 insecurely loads Dynamic Link Libraries. If there is a crafted DLL at the same directory when invoking the affected installer, arbitrary code may be executed with the privilege of the user invoking the installer.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-8919

Publication date:
15/07/2026
Permissive Cross-domain Security Policy with Untrusted Domains in ASUS GameSDK allows a remote user to obtain a local user’s NTLM hash by convincing the user to visit a crafted web page that sends a request containing a UNC path to the application’s local service endpoint. This can result in information disclosure or data tampering, may cause GameSDK to become unavailable, and may also enable access to the victim’s information on other services.<br /> Refer to the &amp;#39; Security Update for ASUS GameSDK  &amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-8920

Publication date:
15/07/2026
Improper Restriction of Communication Channel to Intended Endpoints and External Control of File Name or Path in Aura Wallpaper Service allow a local user to perform file operations by sending crafted commands containing an arbitrary file path and bypassing the service’s path restrictions . On specific models , this can also cause a single feature to become unavailable .<br /> Refer to the &amp;#39; Security Update for Aura Wallpaper Service &amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-15029

Publication date:
15/07/2026
Untrusted Pointer Dereference in ASUS System Control Interface v3, ASUS System Control Interface, and ASUS Business Manager allows a local administrator to perform arbitrary physical memory read and write operations via crafted IOCTL requests to the driver, bypassing OS-enforced memory protections.<br /> Refer to the &amp;#39; <br /> Security Update for ASUS System Control Interface  &amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-15030

Publication date:
15/07/2026
Out-of-bounds Read in ASUS System Control Interface v3, ASUS System Control Interface, and ASUS Business Manager allows a local administrator to read memory regions beyond the intended firmware boundary by supplying a crafted IOCTL request that bypasses the validation.<br /> Refer to the &amp;#39; Security Update for ASUS System Control Interface  &amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: MEDIUM
Last modification:
15/07/2026

CVE-2026-13385

Publication date:
15/07/2026
An Improper Validation of Integrity Check Value and Improper Certificate Validation in certain ASUS router models allows a remote man-in-the-middle(MITM) user to make the router download and execute arbitrary command via a spoofed server.<br /> Refer to the &amp;#39; <br /> Security Update for ASUS Router Firmware  &amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: CRITICAL
Last modification:
15/07/2026

CVE-2026-13585

Publication date:
15/07/2026
Allocation of Resources Without Limits and Throttling and Sensitive Information in Resource Not Removed Before Reuse in the ASUS System Control Interface driver and ASUS Business Manager allow a local administrator to disclose sensitive information via crafted IOCTL requests, which, in severe cases, may lead to a Denial of Service (DoS) on the system.<br /> Refer to the &amp;#39; <br /> Security Update for ASUS System Control Interface  &amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-11851

Publication date:
15/07/2026
Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") in the web management interface of certain ASUS router models allows a remote authenticated user to disclose confidential information via a crafted request that bypasses existing input validation<br /> Refer to the &amp;#39; <br /> Security Update for ASUS Router Firmware &amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: MEDIUM
Last modification:
15/07/2026

CVE-2026-9770

Publication date:
15/07/2026
Kasa EC71 v4 and EC70 v4 firmware contains a static cryptographic private key stored in a read-only filesystem<br /> that is shared across devices.  An<br /> attacker with access to the firmware image can extract the embedded key.  <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> Successful<br /> exploitation may allow an unauthenticated attacker on the same network to use<br /> this key in the web management service, compromising the confidentiality of<br /> encrypted communications. This may enable passive decryption of traffic or<br /> active man-in-the-middle (MITM) attacks
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026