Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-35622
Publication date:
09/04/2026
OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google Chat app-url webhook handling that accepts add-on principals outside intended deployment bindings. Attackers can bypass webhook authentication by providing non-deployment add-on principals to execute unauthorized actions through the Google Chat integration.
Severity CVSS v4.0: MEDIUM
Last modification:
17/04/2026

CVE-2026-35618
Publication date:
09/04/2026
OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.
Severity CVSS v4.0: HIGH
Last modification:
17/04/2026

CVE-2026-34512
Publication date:
09/04/2026
OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticated requests to kill arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2026-33793
Publication date:
09/04/2026
An Execution with Unnecessary Privileges vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system.<br /> <br /> When a configuration that allows unsigned Python op scripts is present on the device, a non-root user is able to execute malicious op scripts as a root-equivalent user, leading to privilege escalation. <br /> <br /> This issue affects Junos OS: <br /> <br /> * All versions before 22.4R3-S7, <br /> * from 23.2 before 23.2R2-S4, <br /> * from 23.4 before 23.4R2-S6,<br /> * from 24.2 before 24.2R1-S2, 24.2R2, <br /> * from 24.4 before 24.4R1-S2, 24.4R2; <br /> <br /> <br /> <br /> <br /> Junos OS Evolved: <br /> <br /> <br /> <br /> * All versions before 22.4R3-S7-EVO, <br /> * from 23.2 before 23.2R2-S4-EVO, <br /> * from 23.4 before 23.4R2-S6-EVO,<br /> * from 24.2 before 24.2R2-EVO, <br /> * from 24.4 before 24.4R1-S1-EVO, 24.4R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
16/04/2026

CVE-2026-35617
Publication date:
09/04/2026
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names to gain unauthorized access to protected resources.
Severity CVSS v4.0: LOW
Last modification:
16/04/2026

CVE-2026-33791
Publication date:
09/04/2026
An OS Command Injection vulnerability in the CLI processing of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker executing specific, crafted CLI commands to inject arbitrary shell commands as root, leading to a complete compromise of the system.<br /> <br /> Certain &amp;#39;set system&amp;#39; commands, when executed with crafted arguments, are not properly sanitized, allowing for arbitrary shell injection. These shell commands are executed as root, potentially allowing for complete control of the vulnerable system.<br /> This issue affects:<br /> <br /> Junos OS: <br /> <br /> <br /> <br /> * all versions before 22.4R3-S8, <br /> * from 23.2 before 23.2R2-S5, <br /> * from 23.4 before 23.4R2-S7, <br /> * from 24.2 before 24.2R2-S2, <br /> * from 24.4 before 24.4R2, <br /> * from 25.2 before 25.2R2; <br /> <br /> <br /> <br /> <br /> Junos OS Evolved: <br /> <br /> <br /> <br /> * all versions before 22.4R3-S8-EVO, <br /> * from 23.2 before 23.2R2-S5-EVO, <br /> * from 23.4 before 23.4R2-S7-EVO, <br /> * from 24.2 before 24.2R2-S2-EVO, <br /> * from 24.4 before 24.4R2-EVO, <br /> * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
22/04/2026

CVE-2026-33797
Publication date:
09/04/2026
An Improper Input Validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker, sending a specific genuine BGP packet in an already established BGP session to reset only that session causing a Denial of Service (DoS).<br /> <br /> An attacker repeatedly sending the packet will sustain the Denial of Service (DoS).This issue affects Junos OS:<br /> <br /> * 25.2 versions before 25.2R2<br /> <br /> <br /> This issue does not affect Junos OS versions before 25.2R1.<br /> <br /> This issue affects Junos OS Evolved: <br /> * 25.2-EVO versions before 25.2R2-EVO<br /> <br /> <br /> This issue does not affect Junos OS Evolved versions before 25.2R1-EVO.<br /> <br /> eBGP and iBGP are affected.<br /> IPv4 and IPv6 are affected.
Severity CVSS v4.0: HIGH
Last modification:
23/04/2026

CVE-2026-33788
Publication date:
09/04/2026
A Missing Authentication for Critical Function vulnerability in the Flexible PIC Concentrators (FPCs) of Juniper Networks Junos OS Evolved on PTX Series allows a local, authenticated attacker with low privileges to gain direct access to FPCs installed in the device.<br /> <br /> A local user with low privileges can gain direct access to the installed FPCs as a high privileged user, which can potentially lead to a full compromise of the affected component.<br /> <br /> This issue affects Junos OS Evolved on PTX10004, PTX10008, PTX100016, with JNP10K-LC1201 or JNP10K-LC1202:<br /> <br /> <br /> <br /> <br /> * All versions before 21.2R3-S8-EVO,<br /> * 21.4-EVO versions before 21.4R3-S7-EVO,<br /> * 22.2-EVO versions before 22.2R3-S4-EVO,<br /> * 22.3-EVO versions before 22.3R3-S3-EVO,<br /> * 22.4-EVO versions before 22.4R3-S2-EVO,<br /> * 23.2-EVO versions before 23.2R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
13/04/2026

CVE-2026-33790
Publication date:
09/04/2026
An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an attacker sending a specific, malformed ICMPv6 packet to cause the srxpfe process to crash and restart. Continued receipt and processing of these packets will repeatedly crash the srxpfe process and sustain the Denial of Service (DoS) condition.<br /> <br /> During NAT64 translation, receipt of a specific, malformed ICMPv6 packet destined to the device will cause the srxpfe process to crash and restart.<br /> <br /> This issue cannot be triggered using IPv4 nor other IPv6 traffic.<br /> <br /> <br /> <br /> This issue affects Junos OS on SRX Series:<br /> * all versions before 21.2R3-S10,<br /> * all versions of 21.3,<br /> * from 21.4 before 21.4R3-S12,<br /> * all versions of 22.1,<br /> * from 22.2 before 22.2R3-S8,<br /> * all versions of 22.4,<br /> * from 22.4 before 22.4R3-S9,<br /> * from 23.2 before 23.2R2-S6,<br /> * from 23.4 before 23.4R2-S7,<br /> * from 24.2 before 24.2R2-S3,<br /> * from 24.4 before 24.4R2-S3,<br /> * from 25.2 before 25.2R1-S2, 25.2R2.
Severity CVSS v4.0: HIGH
Last modification:
17/04/2026

CVE-2026-33787
Publication date:
09/04/2026
An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600 allows a local attacker with low privileges to cause a complete Denial of Service (DoS).<br /> <br /> When a specific &amp;#39;show chassis&amp;#39; CLI command is executed, chassisd crashes and restarts which causes a momentary impact to all traffic until all modules are online again.<br /> <br /> <br /> <br /> This issue affects Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600: <br /> <br /> <br /> <br /> * 23.2 versions before 23.2R2-S6,<br /> * 23.4 versions before 23.4R2-S7<br /> * 24.2 versions before 24.2R2-S2,<br /> * 24.4 versions before 24.4R2,<br /> * 25.2 versions before 25.2R1-S1, 25.2R2.
Severity CVSS v4.0: MEDIUM
Last modification:
17/04/2026

CVE-2026-33786
Publication date:
09/04/2026
An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1600, SRX2300 and SRX4300 allows a local attacker with low privileges to cause a complete Denial of Service (DoS).<br /> <br /> When a specific &amp;#39;show chassis&amp;#39; CLI command is executed, chassisd crashes and restarts which causes a momentary impact to all traffic until all modules are online again.<br /> <br /> This issue affects Junos OS on SRX1600, SRX2300 and SRX4300:<br /> <br /> <br /> <br /> * 24.4 versions before 24.4R1-S3, 24.4R2.<br /> <br /> <br /> This issue does not affect Junos OS versions before 24.4R1.
Severity CVSS v4.0: MEDIUM
Last modification:
17/04/2026

CVE-2026-33784
Publication date:
09/04/2026
A Use of Default Password vulnerability in the Juniper Networks <br /> <br /> Support Insights (JSI) <br /> <br /> Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.<br /> <br /> vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.
Severity CVSS v4.0: CRITICAL
Last modification:
13/04/2026
Subscribe to Vulnerabilities