Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-10748

Publication date:
16/06/2026
An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating system commands as the Nexus process user in Sonatype Nexus Repository 3 versions before 3.92.0.
Severity CVSS v4.0: HIGH
Last modification:
16/06/2026

CVE-2024-39575

Publication date:
16/06/2026
update_disk_psu_baseline.sh requires password in plain text
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-53776

Publication date:
16/06/2026
Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation.
Severity CVSS v4.0: CRITICAL
Last modification:
14/07/2026

CVE-2026-39926

Publication date:
16/06/2026
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-39927

Publication date:
16/06/2026
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-42089

Publication date:
16/06/2026
Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-44932

Publication date:
16/06/2026
Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-12412

Publication date:
16/06/2026
Rejected reason: loading template...
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-24155

Publication date:
16/06/2026
NVIDIA NeMo Framework for all platforms contains a code injection vulnerability. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-24228

Publication date:
16/06/2026
NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, data tampering, and information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-12003

Publication date:
16/06/2026
To allow builds of Python to be run from an in-tree layout (rather than<br /> an installed file layout), the VPATH variable is defined at build time<br /> and used to locate certain landmarks - specifically,<br /> Modules/setup.local. When this landmark is found relative to VPATH<br /> relative to the executable, Python assumes it is running in a source<br /> tree and generates a different default sys.path. This code remains in<br /> release builds, so that release-ready builds can be built in-tree.<br /> <br /> On Windows, since builds are written to &amp;#39;PCbuild/&amp;#39;, the value of<br /> VPATH is set to &amp;#39;..\..&amp;#39;, which results in a landmark of<br /> &amp;#39;..\..\Modules\setup.local&amp;#39;. This path is outside the install directory<br /> of Python, and may have different permissions, potentially allowing a<br /> low-privilege user to create the landmark and an alternative `Lib`<br /> folder that will be discovered by an otherwise restricted install.<br /> <br /> Such a setup occurs with the legacy default install location for all<br /> users (in the now superseded EXE installer), due to how Windows allows<br /> all users to create folders in the root directory of their OS drive.<br /> <br /> Our recommended mitigation on Windows is to migrate away from the<br /> legacy installer and use the new [Python install<br /> manager](https://www.python.org/downloads/latest/pymanager/) to install<br /> for the current user. Installs where the directory two levels above the<br /> Python installation directory have equivalent permissions are unaffected<br /> (in general, a per-user install cannot be modified at all by other<br /> users, removing any escalation of privilege risk, and could be directly<br /> modified by a privileged user, making the potential tampering<br /> irrelevant). Alternative mitigations might include preemptively creating<br /> and restricting access to a `Modules` directory. Be aware that only 3.13<br /> and 3.14 will receive updated legacy installers - earlier fixes are only<br /> provided as sources.<br /> <br /> Platforms other than Windows allow VPATH to be overridden, but as they<br /> don&amp;#39;t usually use a separated directory in the build for binaries, are<br /> unlikely to have a landmark reference outside of the install directory.<br /> <br /> The landmark detection involving VPATH is a fallback for when a more<br /> specific landmark - .\pybuilddir.txt - is absent, and was included for<br /> compatibility. Future releases of Python will no longer include the<br /> fallback, and so builds will need to generate or preserve the<br /> pybuilddir.txt file in order to work in-tree. This landmark file has<br /> been generated on Windows since 3.11, and on other platforms for longer.
Severity CVSS v4.0: MEDIUM
Last modification:
23/06/2026

CVE-2025-71261

Publication date:
16/06/2026
An attacker with network-level access between the SUSE Virtualization <br /> and Rancher Manager in SUSE Harvester before 1.8.0 could interfere with the TLS handshake and abuse it <br /> to bypass TLS as a security control.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026