Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-10796

Publication date:
04/06/2026
nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as `nvm install` read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs and shell/awk commands. Two sinks are affected by the same untrusted input: nvm_download() built a curl/wget command string and ran it with `eval`, so a version field containing command substitution (for example $(id)) was executed by the local shell; and nvm_get_checksum() interpolated the version-derived download slug into an awk program, so a crafted version could execute arbitrary commands via awk's system(). An attacker who controls the configured mirror, supplies mirror content to a user or CI on a non-default mirror, or machine-in-the-middles a non-TLS mirror can ∴ run arbitrary commands with the privileges of the user running nvm. The default mirror (https://nodejs.org over TLS) is not affected. Fixed on master (pending the next tagged release) by passing every argument as a literal argv element instead of using eval, by passing the value to awk as data via -v instead of interpolating it into the program, and by rejecting any version outside the Node.js/io.js version grammar before it is used.
Severity CVSS v4.0: HIGH
Last modification:
04/06/2026

CVE-2025-67447

Publication date:
04/06/2026
The network diagnosis (ping) module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to OS command injection. The application does not properly sanitize user input in the IP address field before passing it to the system's ping command. An attacker can inject arbitrary OS commands, which will be executed with the privileges of the web server.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2026

CVE-2025-67448

Publication date:
04/06/2026
The SMS module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to stored XSS. The application does not properly sanitize user input in SMS messages before storing and displaying them. An attacker can send an SMS containing a malicious XSS payload, which will be executed in the context of the victim's browser when the message is viewed.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2026

CVE-2026-50076

Publication date:
04/06/2026
Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data.<br /> <br /> Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2026

CVE-2026-49940

Publication date:
04/06/2026
Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks.<br /> <br /> Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2026

CVE-2026-49942

Publication date:
04/06/2026
Net::CIDR::Set versions through 0.20 for Perl did not validate network masks.<br /> <br /> The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks.<br /> <br /> Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2026

CVE-2026-49941

Publication date:
04/06/2026
Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses.<br /> <br /> The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask.<br /> <br /> If the argument was not a well-formed IP address, then this would lead to indefinite recursion.<br /> <br /> An attacker could use this to cause a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2026

CVE-2026-50266

Publication date:
04/06/2026
In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("network:dhcp" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018).
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2026

CVE-2026-46739

Publication date:
04/06/2026
Net::Statsd versions before 0.13 for Perl allow metric injections.<br /> <br /> The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.<br /> <br /> The update_stats (used for updating counters) and gauge methods do not check that values are numeric (which would block metric injection).
Severity CVSS v4.0: Pending analysis
Last modification:
19/06/2026

CVE-2026-46741

Publication date:
04/06/2026
Etsy::StatsD versions through 1.002002 for Perl allow metric injections.<br /> <br /> The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.<br /> <br /> Note that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections.
Severity CVSS v4.0: Pending analysis
Last modification:
19/06/2026

CVE-2025-67446

Publication date:
04/06/2026
Improper Authentication (Authentication Bypass) exists in Neterbit NW-431F Router 20241014-IR03 and before. The router uses a weak/predictable cookie value for authentication. By modifying the cookie value (e.g., setting it to "admin"), an attacker can bypass the authentication schema and gain unauthorized access to admin functionalities.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2026

CVE-2026-7774

Publication date:
04/06/2026
tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.
Severity CVSS v4.0: MEDIUM
Last modification:
07/07/2026