Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-50264

Publication date:
05/06/2026
An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-50262

Publication date:
05/06/2026
An out-of-bounds read flaw was found in the X.Org X server and Xwayland in __glXDisp_ChangeDrawableAttributes(). A wrong size validation check can read a client-controlled number of bytes, exceeding the request buffer, leading to information disclosure. A write path also exists but requires byte-swapped clients which is disabled by default.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2026

CVE-2026-50263

Publication date:
05/06/2026
A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow(). A client can trigger a use-after-free read after changing window attributes and forcing the screen saver, leading to information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2026

CVE-2026-50258

Publication date:
05/06/2026
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an incomplete fix of CVE-2025-26597. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-50259

Publication date:
05/06/2026
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a client-controlled offset, allowing a stack buffer overflow. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-50260

Publication date:
05/06/2026
A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-50261

Publication date:
05/06/2026
A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-25659

Publication date:
05/06/2026
Ericsson<br /> Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling<br /> of Missing Values (CWE-230) vulnerability where an attacker continuously<br /> sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.
Severity CVSS v4.0: HIGH
Last modification:
08/06/2026

CVE-2026-50256

Publication date:
05/06/2026
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. A mismatch between the X server and the libXfont2 library&amp;#39;s maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2&amp;#39;s alias target name length is 1024 bytes. A font alias name between 257 and 1023 bytes causes the X server to copy that name into the undersized stack buffer without further checks. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-50257

Publication date:
05/06/2026
A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-25657

Publication date:
05/06/2026
Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Syntactically Invalid Structure (CWE-228) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.
Severity CVSS v4.0: HIGH
Last modification:
08/06/2026

CVE-2026-25658

Publication date:
05/06/2026
Ericsson<br /> Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling<br /> of Missing Values (CWE-230) vulnerability where an attacker continuously<br /> sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.
Severity CVSS v4.0: HIGH
Last modification:
08/06/2026