Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-48575

Publication date:
10/06/2026
A person with access to a Mac may be able to bypass Login Window. A consistency issue was addressed with improved state handling. This issue is fixed in macOS Monterey 12.4.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-0266

Publication date:
10/06/2026
A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface. <br /> <br /> This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).<br /> <br /> Cloud NGFW and Prisma® Access are not affected by this vulnerability.
Severity CVSS v4.0: LOW
Last modification:
14/07/2026

CVE-2022-26758

Publication date:
10/06/2026
A malicious application may cause unexpected changes in memory shared between processes. A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.4.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-46683

Publication date:
10/06/2026
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.0, there is a SSRF and local file read vulnerability via the xsl-style-sheet option. This issue has been patched in version 1.7.0.
Severity CVSS v4.0: MEDIUM
Last modification:
10/06/2026

CVE-2026-50127

Publication date:
10/06/2026
Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate&amp;#39;s VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. This issue has been patched in version 2026.6.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-6893

Publication date:
10/06/2026
A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut&amp;#39;s legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system&amp;#39;s boot and network behavior.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-46643

Publication date:
10/06/2026
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.1, on POSIX, escapeshellarg(‘/usr/bin/wkhtmltopdf’) returns the literal string ‘/usr/bin/wkhtmltopdf’ with the single-quote characters included. is_executable() then looks for a file whose actual name contains those quote characters, which essentially never exists. The safe branch is dead code and $command always falls through to the raw, unescaped value. The rest of the arguments (options, input, output) are escaped correctly, so injection has to land in the binary string itself. That happens whenever the binary path is sourced from configuration that is user-influenced, derived from environment variables that ultimately come from request data, or concatenated with any user-controlled fragment. This issue has been patched in version 1.7.1.
Severity CVSS v4.0: HIGH
Last modification:
11/06/2026

CVE-2026-46529

Publication date:
10/06/2026
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from attacker-controlled PDF link-destination fields without applying `g_shell_quote`. The cmdline is then handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv — splitting any embedded `--gtk-module=PATH` into a separate argv element. GTK then `dlopen()`s the path during init, running any `__attribute__((constructor))` it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-document.c`, fixed in 1.6.2) but in a different code path (`shell/ev-application.c`) that the original patch did not touch.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-45106

Publication date:
10/06/2026
Weblate is a web based localization tool. Prior to version 2026.5, Weblate&amp;#39;s live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-1220

Publication date:
10/06/2026
Race in V8 in Google Chrome prior to 144.0.7559.99 allowed a remote attacker to potentially exploit type confusion via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2026

CVE-2026-50637

Publication date:
10/06/2026
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections.<br /> <br /> The statsd protocol (and extensions) allow mutiple metrics, separated by newlines, to be sent per packet.<br /> <br /> The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible.<br /> <br /> Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-50638

Publication date:
10/06/2026
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections.<br /> <br /> The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics, separated by newlines, to be sent per packet.<br /> <br /> Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.<br /> <br /> In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026