Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-53329

Publication date:
01/07/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Use krealloc_array() in dal_vector_reserve()<br /> <br /> [Why &amp; How]<br /> dal_vector_reserve() computes the allocation size as<br /> "capacity * vector-&gt;struct_size" using uint32_t arithmetic, which can<br /> silently wrap to a small value on overflow. This would cause krealloc to<br /> return a smaller buffer than expected, leading to heap overflows on<br /> subsequent vector appends.<br /> <br /> Replace krealloc() with krealloc_array() which performs an internal<br /> overflow check and returns NULL on wrap, preventing the issue.<br /> <br /> (cherry picked from commit 37668568641ccc4cc1dbca4923d0a16609dd5707)
Severity CVSS v4.0: Pending analysis
Last modification:
04/07/2026

CVE-2026-53330

Publication date:
01/07/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval()<br /> <br /> [Why &amp; How]<br /> The aux_rd_interval array in struct dc_lttpr_caps is declared with<br /> MAX_REPEATER_CNT - 1 (7) elements, indexed 0..6. However, the offset<br /> parameter passed to dp_get_eq_aux_rd_interval() can be as large as<br /> MAX_REPEATER_CNT (8) when a sink reports 8 LTTPR repeaters via DPCD.<br /> This leads to an out-of-bounds read of aux_rd_interval[7] when offset<br /> is 8.<br /> <br /> Fix this by growing aux_rd_interval to MAX_REPEATER_CNT elements to<br /> accommodate the full range of valid repeater counts defined by the DP<br /> spec.<br /> <br /> (cherry picked from commit a55a458a8df37a65ffda5cf721d554a8f74f6b04)
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-13603

Publication date:
01/07/2026
The payment integration pretix-oppwa provides support <br /> for the payment providers VR Payment, Hobex, and potentially others <br /> based on Oppwa&amp;#39;s technology. The integration of Oppwa, following their <br /> official documentation, includes a step where the user is redirected <br /> from the payment provider back to our system with a query parameter like<br /> ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.<br /> <br /> <br /> <br /> Our plugin pretix-oppwa did so insecurely by <br /> concatenating the parameter form the URL to the base domain of the API <br /> without further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different<br /> server instead. Since the request includes the access token (API key) <br /> of the Oppwa account, this would leak the access token, giving access to<br /> data contained in the payment provider&amp;#39;s system. This is fixed with the<br /> release today by strictly validating the given API URL.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.
Severity CVSS v4.0: CRITICAL
Last modification:
02/07/2026

CVE-2026-8387

Publication date:
01/07/2026
A vulnerability in allegroai/clearml versions up to and including 1.16.5 allows for relative path traversal when extracting `.zip` archives using the `ZipFile.extractall()` method in `StorageManager._extract_to_cache()`. This issue arises due to the lack of path traversal validation, enabling an attacker to write arbitrary files to the filesystem. Attack vectors include dataset downloads, artifact downloads, model downloads, and offline session imports. The vulnerability can lead to remote code execution through methods such as cron job injection, SSH key overwrite, or web shell deployment. The issue is resolved in version 2.1.6.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2026

CVE-2026-5120

Publication date:
01/07/2026
A Race Condition vulnerability affecting BIOVIA Workbook from Release 2021 through Release 2026 could allow a user to access unauthorized data from another user.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2026

CVE-2026-53909

Publication date:
01/07/2026
MCO does not correctly validate types of uploaded files. File upload validation functionality relies only on client-side checks, which can be bypassed. An authorized, low-privileged attacker can upload files with arbitrary types to the server.<br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Severity CVSS v4.0: MEDIUM
Last modification:
06/07/2026

CVE-2026-53903

Publication date:
01/07/2026
MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is authorized to access a requested document, allowing direct retrieval based on a user-supplied identifier.<br /> An attacker can access trading documents belonging to other users by providing a valid document ID. Although exploitation requires guessing the identifier, predictable ID patterns enable feasible enumeration, leading to unauthorized disclosure of sensitive information.<br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Severity CVSS v4.0: MEDIUM
Last modification:
06/07/2026

CVE-2026-53902

Publication date:
01/07/2026
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation.<br /> An attacker can add themselves to arbitrary groups by supplying a valid group ID, which can be obtained via other application functionalities (e.g. /customer/servlet/mco/webapi/group/picker/groups), provided he has necessary permissions, or potentially inferred through brute-force techniques.<br /> <br /> <br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Severity CVSS v4.0: HIGH
Last modification:
06/07/2026

CVE-2026-53908

Publication date:
01/07/2026
MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and email addresses.<br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Severity CVSS v4.0: MEDIUM
Last modification:
06/07/2026

CVE-2026-53907

Publication date:
01/07/2026
MCO is vulnerable to Stored Cross‑Site Scripting (XSS) via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened.<br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Severity CVSS v4.0: MEDIUM
Last modification:
06/07/2026

CVE-2026-53906

Publication date:
01/07/2026
MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter allows writing files to arbitrary locations as well as indirect disclosure of absolute server paths through error messages.<br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Severity CVSS v4.0: MEDIUM
Last modification:
06/07/2026

CVE-2026-53905

Publication date:
01/07/2026
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks.<br /> This may expose sensitive permission mappings and internal configuration details.<br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Severity CVSS v4.0: MEDIUM
Last modification:
06/07/2026