Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to any patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-6893

Publication date:
10/06/2026
A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-46643

Publication date:
10/06/2026
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Prior to version 1.7.1, on POSIX, escapeshellarg('/usr/bin/wkhtmltopdf') returns the literal string '/usr/bin/wkhtmltopdf' with the single-quote characters included. is_executable() then looks for a file whose actual name contains those quote characters, which essentially never exists. The safe branch is dead code and $command always falls through to the raw, unescaped value. The rest of the arguments (options, input, output) are escaped correctly, so injection has to land in the binary string itself. That happens whenever the binary path is sourced from configuration that is user-influenced, derived from environment variables that ultimately come from request data, or concatenated with any user-controlled fragment. This issue has been patched in version 1.7.1.
Severity CVSS v4.0: HIGH
Last modification:
11/06/2026

CVE-2026-46529

Publication date:
10/06/2026
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from attacker-controlled PDF link-destination fields without applying `g_shell_quote`. The cmdline is then handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv — splitting any embedded `--gtk-module=PATH` into a separate argv element. GTK then `dlopen()`s the path during init, running any `__attribute__((constructor))` it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-document.c`, fixed in 1.6.2) but in a different code path (`shell/ev-application.c`) that the original patch did not touch.
Severity CVSS v4.0: HIGH
Last modification:
12/06/2026

CVE-2026-45106

Publication date:
10/06/2026
Weblate is a web-based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields can store HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-1220

Publication date:
10/06/2026
Race in V8 in Google Chrome prior to 144.0.7559.99 allowed a remote attacker to potentially exploit type confusion via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2026

CVE-2026-50639

Publication date:
10/06/2026
Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl do not protect against metric injection. The statsd protocol (and extensions such as dogstatsd) allows multiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::SignalFx extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _labels function does not check labels for newlines or statsd control characters, so the labels can be used for metric injection.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-50637

Publication date:
10/06/2026
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl do not protect against metric injection. The statsd protocol (and extensions) allows multiple metrics, separated by newlines, to be sent per packet. The send method does not validate the contents of the metric names or values. If the names contain newlines and statsd control characters (colon, pipe), then metric injection is possible. Version 0.04 fixed this by modifying the _make method to block metric names containing characters below ASCII 32 (which includes the newline), colons or pipes.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-50638

Publication date:
10/06/2026
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl do not protect against metric injection. The statsd protocol (and extensions such as dogstatsd) allows multiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters, so the tags can be used for metric injection.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-11626

Publication date:
10/06/2026
CleanWipe Removal Tool (macOS), prior to 16.0.0.65, may be susceptible to a Local Privilege Escalation vulnerability, a type of issue whereby an attacker with limited privilege access on an affected system can escalate their privileges to gain administrative control.
Severity CVSS v4.0: MEDIUM
Last modification:
10/06/2026

CVE-2026-10740

Publication date:
10/06/2026
Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a denial of service (degraded availability) by sending crafted QUIC Initial packets. To remediate this issue, users should upgrade to v1.8.2.
Severity CVSS v4.0: MEDIUM
Last modification:
10/06/2026

CVE-2026-9151

Publication date:
10/06/2026
An OS command injection vulnerability exists in the VPN module of TP-Link Archer AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an adjacent, authenticated attacker to execute arbitrary commands on the device by importing a specially crafted VPN client configuration file. The issue stems from improper filtering of special characters. Successful exploitation of this vulnerability may enable an attacker to gain full control of the affected device, potentially compromising configuration integrity, network security, and service availability.
Severity CVSS v4.0: HIGH
Last modification:
10/06/2026

CVE-2026-50567

Publication date:
10/06/2026
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Unarchive in pkg/utils/zip.go joined each archive entry name with the destination directory via filepath.Join and wrote the result without checking whether the resolved path stayed under the destination. A zip entry named ../../tmp/evil therefore landed at /tmp/evil. An attacker who could control a Package.Spec.Source.URL or Deployment.URL archive could induce the fetcher (running as the per-environment pod's fission-fetcher sidecar) to write files anywhere that process could reach: into other tenants' /packages// directories, into mounted secret/config volumes, or into the fetcher's own binary. This issue has been patched in version 1.25.0.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026