Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available, for users interested in this information, a database in Spanish that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible, since different criteria can be selected to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-53278

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:

arm_mpam: Check whether the config array is allocated before destroying it

__destroy_component_cfg() is called to free the configuration array. It uses the embedded 'garbage' structure, which means the array has to be allocated.

If __destroy_component_cfg() is called from mpam_disable() before the configuration was ever allocated, then a NULL pointer is dereferenced.

Check for this case and return early if the configuration is not allocated.

__destroy_component_cfg() also frees the mbwu_state as this is allocated by __allocate_component_cfg(). As the mbwu_state is allocated after comp->cfg is set, and is also under mpam_list_lock, only the first pointer needs checking.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-53279

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:

drm/gma500/oaktrail_lvds: fix hang on init failure

The LVDS init code looks up an I2C adapter using i2c_get_adapter() and tries to read the EDID before falling back to allocating and registering its own adapter.

The error handling does not separate these cases so on a late init failure it will try to deregister and free also an adapter that had previously been registered. Since i2c_get_adapter() takes another reference to the adapter, deregistration hangs indefinitely while waiting for the reference to be released.

Fix this by only destroying adapters allocated during LVDS init on errors.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-53280

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:

iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()

Local sashiko review pointed it out that group->domain could be NULL when a default domain fails to allocate during the first probe, which can crash at domain->ops->attach_dev dereference in __iommu_attach_device() invoked by pci_dev_reset_iommu_done().

pci_dev_reset_iommu_prepare() is fine as an old_domain pointer can be NULL.

Skip the re-attach in pci_dev_reset_iommu_done() to fix the bug.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-53281

Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Avoid NULL pointer dereference or refcount corruption

Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE") fixed a NULL pointer dereference in an unlikely situation partly.

If dev_pasid is not found in the dev_pasids list, it remains NULL. However, the teardown operations are executed unconditionally; this leads to a NULL pointer dereference or refcount corruption.

If the domain was never attached to this IOMMU, info will be NULL, which would cause an immediate dereference when checking --info->refcnt.

Even if info is not NULL, decrementing the refcount without having removed a valid PASID might unbalance the count. This could lead to premature dropping of the refcount to 0, potentially causing a use-after-free for the remaining active devices sharing the domain.

Fix it by returning early if dev_pasid is NULL, before executing the teardown operations.

Issue found by AI review and suggested by Kevin Tian.
https://sashiko.dev/#/patchset/20260421031347.1408890-1-zhenzhong.duan%40intel.com
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-52780

Publication date:
26/06/2026
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution (RCE). This vulnerability is fixed in 17.3.3 and 17.4.1.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2026

CVE-2026-52784

Publication date:
26/06/2026
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a CSRF on TARGET through /users/:id via POST parameter "user[admin]". This vulnerability is fixed in 17.3.3 and 17.4.1.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2026

CVE-2026-52783

Publication date:
26/06/2026
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token plaintext to Rails.cache under the deterministic key storage..httpx_access_token, repopulated continuously by an hourly cron and every userless-OAuth call site (see Write cadence). None of the three allowed cache backends (file_store, memcache, redis) encrypts at rest. An attacker with read access to the cache backend recovers the Azure-AD application-tier bearer with an anonymous get over the memcached binary protocol (or the equivalent against Redis). This vulnerability is fixed in 17.3.3 and 17.4.1.
Severity CVSS v4.0: Pending analysis
Last modification:
29/06/2026

CVE-2026-52779

Publication date:
26/06/2026
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries from another project where they do not have the corresponding management permissions. Both modules authorize the request against the project identified by :project_id in the URL, but the actual Query object is loaded later by :id from Query.visible(current_user) without verifying that the loaded Query belongs to the authorized project. As a result, an attacker can use permissions from Project A to delete shared/public Calendar or Team Planner views from Project B, causing integrity impact and limited availability impact for users relying on those shared views. This vulnerability is fixed in 17.3.3 and 17.4.1.
Severity CVSS v4.0: Pending analysis
Last modification:
29/06/2026

CVE-2026-52781

Publication date:
26/06/2026
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants elements unrestricted data-* attributes via :data wildcard. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to renderStreamMessage(). This executes arbitrary Turbo Stream actions, including redirect_to, in every victim's authenticated browser session, redirecting them to an attacker-controlled server. This vulnerability is fixed in 17.3.3 and 17.4.1.
Severity CVSS v4.0: Pending analysis
Last modification:
29/06/2026

CVE-2026-52782

Publication date:
26/06/2026
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects//settings/project_storages/ via PATCH parameter "storages_project_storage[project_folder_id]" that leads to Access to Unauthorized Resources. A project-admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project's project_folder_id into the attacker's Storages::ProjectStorage row. The next managed-folder sync overwrites the ACL on the referenced folder with the attacker project's user list. This vulnerability is fixed in 17.3.3 and 17.4.1.
Severity CVSS v4.0: Pending analysis
Last modification:
29/06/2026

CVE-2026-49355

Publication date:
26/06/2026
OpenProject is open-source, web-based project management software. Prior to 17.4.0, `GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id` discloses private work package data from a linked work package that belongs to a private/inaccessible project. This vulnerability is fixed in 17.4.0.
Severity CVSS v4.0: Pending analysis
Last modification:
29/06/2026

CVE-2026-49991

Publication date:
26/06/2026
RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: no ../ sanitization in tar entry key normalization; IAM wildcard matching uses raw (uncleaned) paths; and filesystem path cleaning resolves ../ across bucket boundaries.
Severity CVSS v4.0: Pending analysis
Last modification:
29/06/2026