Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-60005

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_slice_module module. When the slice directive and unnamed regex captures are configured or when a background cache update happens, unauthenticated attackers can send requests that may cause uninitialized memory access in the NGINX worker process, leading to limited disclosure of memory or a restart.<br /> <br /> Impact:<br /> This vulnerability may allow remote, unauthenticated attackers to have limited control to disclose memory contents or restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only.<br /> Note: The ngx_http_slice_module module is not enabled by default; it&amp;#39;s enabled with the --with-http_slice_module configuration parameter.<br /> <br /> Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Gravedad CVSS v4.0: ALTA
Última modificación:
15/07/2026

CVE-2026-55242

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.111.0 and 16.22.0, an authenticated user with a standard operational role can trigger server-side template injection through a configuration field, resulting in unauthorized disclosure of data outside the user&amp;#39;s normal permission scope. This issue is fixed in versions 15.111.0 and 16.22.0.
Gravedad CVSS v3.1: ALTA
Última modificación:
15/07/2026

CVE-2026-50148

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Metabase is an open-source business intelligence and embedded analytics tool. From 1.54.0 until 1.54.24, 1.55.24, 1.56.25, 1.57.19, 1.58.14, 1.59.10, and 1.60.4, a Metabase user with permission to add or edit a database connection can achieve remote code execution on the Metabase server by configuring a Snowflake connection to an attacker-controlled server, because a flaw in the Snowflake JDBC driver can write arbitrary files anywhere on the Metabase host, including replacing one of Metabase&amp;#39;s own database driver files that later executes inside the Metabase process. This issue is fixed in versions 1.54.24, 1.55.24, 1.56.25, 1.57.19, 1.58.14, 1.59.10, and 1.60.4.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
15/07/2026

CVE-2026-50147

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Metabase is an open-source business intelligence and embedded analytics tool. From 1.57.0 until 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4, an attacker who can configure a Metabase database connection can read arbitrary files from the Metabase server&amp;#39;s filesystem by adding unsafe JDBC parameters to a MySQL or MariaDB connection, causing the driver to read files from the Metabase host and expose the contents through queries against the connected database or through validation error messages. This issue is fixed in versions 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4.
Gravedad CVSS v3.1: ALTA
Última modificación:
15/07/2026

CVE-2026-46709

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.234, Tabby inserts dropped file paths from tabby-electron/src/pathDrop.ts into the active shell without neutralizing command substitution metacharacters such as $(…) and `…`, so the incomplete CVE-2026-45038 fix for control characters still allows code execution when the victim presses Enter. This issue is fixed in version 1.0.234.
Gravedad CVSS v3.1: ALTA
Última modificación:
15/07/2026

CVE-2026-41580

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. Prior to 2.0.0, Stirling-PDF&amp;#39;s /get-info-on-pdf endpoint rendered PDF Title and Author metadata fields without proper HTML encoding or sanitization, allowing a crafted PDF to execute attacker-controlled JavaScript in the browser of a user who views the resulting page. This issue is fixed in version 2.0.0.
Gravedad CVSS v3.1: MEDIA
Última modificación:
15/07/2026

CVE-2026-61835

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Directus is a real-time API and App dashboard for managing SQL database content. Prior to 12.0.0, the SSRF protection on Directus&amp;#39;s file-import-from-URL feature can be bypassed using the address 0.0.0.0 because api/src/request/is-denied-ip.ts treats 0.0.0.0 as a keyword for local interfaces but never blocks the literal address itself. On Linux and macOS, connecting to 0.0.0.0 reaches localhost, so an authenticated user with file-upload rights can make the server fetch internal services through the /files/import endpoint and retrieve the response as a downloadable file. This issue is fixed in version 12.0.0.
Gravedad CVSS v3.1: ALTA
Última modificación:
15/07/2026

CVE-2026-61684

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** FastGPT is a knowledge-based AI application platform. In 4.15.0-beta4, FastGPT plugin invoke reverse-call endpoints under /api/invoke/* authenticate only by verifying a JWT signed with INVOKE_TOKEN_SECRET, which defaults to the constant string token and was not set in official deployment templates. An unauthenticated attacker can self-sign an HS256 JWT and reach /api/invoke/userInfo to disclose cross-tenant user PII by attacker-supplied tmbId values, or /api/invoke/fileUpload to write attacker-controlled content into chat files. This issue is fixed in version 4.15.0-beta5.
Gravedad CVSS v4.0: ALTA
Última modificación:
15/07/2026

CVE-2026-61836

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Directus is a real-time API and App dashboard for managing SQL database content. Prior to 12.0.0, when response caching is enabled, the cache-key derivation in api/src/utils/get-cache-key.ts includes version, path, query, and accountability.user but omits authorization context such as share, role, roles, admin, app, and policies. Directus share tokens and anonymous requests can both reduce to user null, so different shares or anonymous clients requesting the same URL and query can receive a permission-filtered cached response without permission re-evaluation. This issue is fixed in version 12.0.0.
Gravedad CVSS v3.1: ALTA
Última modificación:
15/07/2026

CVE-2026-61613

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Cursor is a code editor built for programming with AI. Prior to the Cloud Agent fix on 03/31/2026, browser-enabled Cursor Cloud Agent sessions allowed attacker-controlled web content to connect from inside the agent container to an unauthenticated local agent endpoint, enabling code execution within the affected Cloud Agent sandbox or session and access to files, repository contents, environment variables, credentials, and GitHub App access tokens available to that session. This issue was fixed on 03/31/2026 by requiring authentication for the relevant agent endpoint.
Gravedad CVSS v4.0: ALTA
Última modificación:
15/07/2026

CVE-2026-60062

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** The NGINX Agent config_dirs directive allows a low-privileged attacker to gain limited read and write access to files outside of the designated secure directory. The config_dirs directive required for this issue can also be configured through NGINX Instance Manager. A successful exploit may allow an attacker to cross a security boundary.<br /> <br /> Impact:<br /> A remotely authenticated low-privileged attacker could gain limited read and write access outside of the list of directories specified in the NGINX Agent configuration.<br /> <br /> <br /> <br /> Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Gravedad CVSS v4.0: MEDIA
Última modificación:
15/07/2026

CVE-2026-60065

Fecha de publicación:
15/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** When NGINX Plus is configured to use the Message Queuing Telemetry Transport (MQTT) filter module (ngx_stream_mqtt_filter_module), unauthenticated attackers can send requests with conditions beyond the attacker&amp;#39;s control to cause a heap buffer over-read in the NGINX worker process, leading to a restart.<br /> <br /> Impact:<br /> This vulnerability may allow remote unauthenticated attackers to have limited control to restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only.<br /> <br /> Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Gravedad CVSS v4.0: MEDIA
Última modificación:
15/07/2026