Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-45447

Publication date:
09/06/2026
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could<br /> trigger a use-after-free during PKCS#7 signature verification.<br /> <br /> Impact summary: A use-after-free may result in process crashes, heap<br /> corruption, or potentially remote code execution.<br /> <br /> When processing a PKCS#7 or S/MIME signed message, if the SignedData<br /> digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may<br /> incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent<br /> use of the BIO by the calling application results in a use-after-free<br /> condition.<br /> <br /> In the common case this occurs when the application later calls<br /> BIO_free() on the BIO originally passed to PKCS7_verify(). Depending<br /> on allocator behavior and application-specific BIO usage patterns, this<br /> may result in a crash or other memory corruption. In some application<br /> contexts this may potentially be exploitable for remote code execution.<br /> <br /> Applications that process PKCS#7 or S/MIME signed messages using OpenSSL<br /> PKCS#7 APIs may be affected. Applications using the CMS APIs for this<br /> processing are not affected.<br /> <br /> The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this<br /> issue, as the affected code is outside the OpenSSL FIPS module boundary.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-45445

Publication date:
09/06/2026
Issue summary: When an application drives an AES-OCB context through the<br /> public EVP_Cipher() one-shot interface, the application-supplied<br /> initialisation vector (IV) is silently discarded.<br /> <br /> Impact summary: Every message encrypted under the same key uses the<br /> same effective nonce regardless of the IV supplied by the caller,<br /> resulting in (key, nonce) reuse and loss of confidentiality. If the<br /> same code path is used to compute the authentication tag, the tag<br /> depends only on the (key, IV) pair and not on the plaintext or<br /> ciphertext, allowing universal forgery of arbitrary ciphertext from a<br /> single captured message.<br /> <br /> OpenSSL provides two ways to drive a cipher: the documented streaming<br /> interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level<br /> one-shot, EVP_Cipher(), whose documentation explicitly recommends<br /> against use by applications in favour of EVP_CipherUpdate() and<br /> EVP_CipherFinal_ex(). The OCB provider&amp;#39;s streaming handler flushes<br /> the application-supplied IV into the OCB context before processing<br /> data; the one-shot handler did not. Every call to EVP_Cipher() on an<br /> AES-OCB context therefore ran with the all-zero key-derived offset<br /> state left by cipher initialisation, regardless of the caller&amp;#39;s IV.<br /> <br /> If EVP_EncryptFinal_ex() is subsequently used to obtain the<br /> authentication tag, the deferred IV setup runs at that point and<br /> clears the running checksum that should have been accumulated over the<br /> plaintext. The resulting tag is a function of (key, IV) only and<br /> verifies against any ciphertext produced under the same (key, IV)<br /> pair.<br /> <br /> The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a<br /> TLS cipher suite, and libssl does not call EVP_Cipher() in any case.<br /> Applications that drive AES-OCB through the documented streaming AEAD<br /> API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only<br /> applications that combine the AES-OCB cipher with the EVP_Cipher()<br /> one-shot API are vulnerable.<br /> <br /> The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by<br /> this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-44819

Publication date:
09/06/2026
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
Severity CVSS v4.0: Pending analysis
Last modification:
19/06/2026

CVE-2026-44821

Publication date:
09/06/2026
Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.
Severity CVSS v4.0: Pending analysis
Last modification:
19/06/2026

CVE-2026-44822

Publication date:
09/06/2026
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
19/06/2026

CVE-2026-44824

Publication date:
09/06/2026
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
Severity CVSS v4.0: Pending analysis
Last modification:
19/06/2026

CVE-2026-44818

Publication date:
09/06/2026
Concurrent execution using shared resource with improper synchronization (&amp;#39;race condition&amp;#39;) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-44820

Publication date:
09/06/2026
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-44823

Publication date:
09/06/2026
Numeric truncation error in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2026

CVE-2026-44810

Publication date:
09/06/2026
Improper authentication in Windows Cryptographic Services allows an unauthorized attacker to elevate privileges locally.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-44815

Publication date:
09/06/2026
Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2026

CVE-2026-44814

Publication date:
09/06/2026
Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2026