Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-11524

Publication date:
08/06/2026
A vulnerability has been found in Tenda W20E 15.11.0.6. Impacted is the function modifyWifiFilterRules of the file /goform/modifyWifiFilterRules of the component Web Management Interface. The manipulation of the argument wifiFilterListRemark leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: HIGH
Last modification:
09/06/2026

CVE-2026-11528

Publication date:
08/06/2026
A vulnerability was found in Tenda AC18 15.03.05.05. The affected element is the function sub_45304 of the file /goform/getRebootStatus of the component Web Management Interface. The manipulation of the argument callback results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been made public and could be used.
Severity CVSS v4.0: HIGH
Last modification:
09/06/2026

CVE-2026-11529

Publication date:
08/06/2026
A vulnerability was determined in designcomputer mysql-mcp-server up to 0.2.2. The impacted element is the function read_resource of the file src/mysql_mcp_server/server.py of the component mysql URI Handler. This manipulation of the argument uri_str causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.3.0 is sufficient to resolve this issue. Patch name: 080bef9a96d625ce0dfbde573a08b93497871981. Upgrading the affected component is advised.
Severity CVSS v4.0: LOW
Last modification:
09/06/2026

CVE-2026-22164

Publication date:
08/06/2026
Software installed and run as a non-privileged user may conduct improper GPU system calls to corrupt kernel heap memory.<br /> <br /> <br /> <br /> By creating resources of certain types and presenting a set of parameters to the affected interface the exploit can be used to corrupt kernel memory.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2026

CVE-2026-29167

Publication date:
08/06/2026
Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration<br /> <br /> This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.<br /> <br /> Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2026

CVE-2026-11522

Publication date:
08/06/2026
A vulnerability was detected in Tenda W20E 15.11.0.6. This vulnerability affects the function formSetPortMirror of the file /goform/setPortMirror. Performing a manipulation of the argument portMirrorMirroredPorts results in stack-based buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used.
Severity CVSS v4.0: HIGH
Last modification:
09/06/2026

CVE-2020-37248

Publication date:
08/06/2026
OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2026

CVE-2025-71315

Publication date:
08/06/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/vkms: Convert to DRM&amp;#39;s vblank timer<br /> <br /> Replace vkms&amp;#39; vblank timer with the DRM implementation. The DRM<br /> code is identical in concept, but differs in implementation.<br /> <br /> Vblank timers are covered in vblank helpers and initializer macros,<br /> so remove the corresponding hrtimer in struct vkms_output. The<br /> vblank timer calls vkms&amp;#39; custom timeout code via handle_vblank_timeout<br /> in struct drm_crtc_helper_funcs.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2026

CVE-2026-49234

Publication date:
08/06/2026
When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes. <br /> <br /> This only affects users who allow API access from untrusted networks.
Severity CVSS v4.0: HIGH
Last modification:
12/06/2026

CVE-2026-49235

Publication date:
08/06/2026
When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.
Severity CVSS v4.0: HIGH
Last modification:
12/06/2026

CVE-2026-49232

Publication date:
08/06/2026
Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by opening a large number of connections to the HTTP or RTR server.<br /> <br /> This only affects users that make their HTTP or RTR server available to untrusted networks.
Severity CVSS v4.0: HIGH
Last modification:
09/06/2026

CVE-2026-49233

Publication date:
08/06/2026
Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.
Severity CVSS v4.0: HIGH
Last modification:
12/06/2026