Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-11558

Publication date:
08/06/2026
A security vulnerability has been detected in CodeAstro Payroll System 1.0. The impacted element is an unknown function of the file /home_salary.php. The manipulation of the argument rate/salary_rate leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.
Severity CVSS v4.0: LOW
Last modification:
09/06/2026

CVE-2026-11393

Publication date:
08/06/2026
Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent&amp;#39;s IAM execution role and on the local environment of another user in the same AWS account, via a crafted collaborationInstruction stored on a Bedrock Agent collaborator and later processed by that other user during agent import.<br /> <br /> <br /> <br /> To remediate this issue, users should upgrade to version 0.14.2.
Severity CVSS v4.0: HIGH
Last modification:
09/06/2026

CVE-2026-10787

Publication date:
08/06/2026
Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request.<br /> <br /> This issue affects :<br /> <br /> * Devolutions Server 2026.2.4.0<br /> * Devolutions Server 2026.1.20.0 and earlier
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2026

CVE-2026-10786

Publication date:
08/06/2026
Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request.<br /> <br /> This issue affects :<br /> <br /> * Devolutions Server 2026.2.4.0<br /> * Devolutions Server 2026.1.20.0 and earlier
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2026

CVE-2026-10544

Publication date:
08/06/2026
Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider.<br /> <br /> This issue affects :<br /> <br /> * Devolutions Server 2026.2.4.0<br /> * Devolutions Server 2026.1.20.0 and earlier
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2026

CVE-2026-8913

Publication date:
08/06/2026
A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.
Severity CVSS v4.0: HIGH
Last modification:
09/06/2026

CVE-2026-11556

Publication date:
08/06/2026
A security flaw has been discovered in Tenda F451 1.0.0.7/1.0.0.9. Impacted is the function formWriteFacMac of the file /goform/WriteFacMac of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
Severity CVSS v4.0: HIGH
Last modification:
09/06/2026

CVE-2026-11552

Publication date:
08/06/2026
A vulnerability has been found in SourceCodester Onlne Examination &amp; Learning Management System and Syllabus-aligned Learning Management and Examination System 1.0. Affected by this issue is some unknown functionality of the file import_users.php. The manipulation of the argument raw_password with the input CICT_2026 leads to use of hard-coded password. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is distributed under two entirely different names.
Severity CVSS v4.0: MEDIUM
Last modification:
09/06/2026

CVE-2026-11553

Publication date:
08/06/2026
A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formPPPEdit of the file /boaform/formPPPEdit. The manipulation of the argument encodename results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used.
Severity CVSS v4.0: HIGH
Last modification:
09/06/2026

CVE-2026-11554

Publication date:
08/06/2026
A vulnerability was determined in TOTOLINK CP450 4.1.0cu.747. This vulnerability affects unknown code of the file /etc/vsftpd.conf of the component vsftpd. This manipulation causes least privilege violation. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Severity CVSS v4.0: LOW
Last modification:
09/06/2026

CVE-2026-11555

Publication date:
08/06/2026
A vulnerability was identified in D-Link DGS-1100-08PD 1.00.006. This issue affects some unknown processing of the file /etc/boa.conf of the component Web Interface. Such manipulation leads to least privilege violation. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is assessed as difficult. The exploit is publicly available and might be used.
Severity CVSS v4.0: LOW
Last modification:
09/06/2026

CVE-2026-48507

Publication date:
08/06/2026
Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can login) and the `ldap_import` flag, which determines whether or not the user can request a password reset. Version 8.6.0 contains a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2026