Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-51218

Fecha de publicación:
29/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A heap buffer overflow in the TS7Worker::PerformFunctionWrite() function (/core/s7_server.cpp) of snap7 v1.4.3 allows attackers to cause a Denial of Service (DoS) via a crafted packet.
Gravedad CVSS v3.1: MEDIA
Última modificación:
30/06/2026

CVE-2026-51219

Fecha de publicación:
29/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A heap buffer overflow in the HighPriorityASDUQueue_hasUnconfirmedIMessages function of lib60870 v2.3.3 to v2.3.6 allows attackers to cause a Denial of Service (DoS) via a crafted payload.
Gravedad CVSS v3.1: MEDIA
Última modificación:
30/06/2026

CVE-2026-10648

Fecha de publicación:
29/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** mcumgr_serial_process_frag() in subsys/mgmt/mcumgr/transport/src/serial_util.c calls net_buf_reset() on the result of smp_packet_alloc() before checking it for NULL. smp_packet_alloc() uses net_buf_alloc(K_NO_WAIT) against the shared MCUmgr packet pool (CONFIG_MCUMGR_TRANSPORT_NETBUF_COUNT, default 4), which returns NULL when the pool is exhausted. In default builds the __ASSERT_NO_MSG in net_buf_reset is a no-op, so net_buf_simple_reset writes through the NULL pointer (buf->len = 0; buf->data = buf->__buf), causing a fault/crash. The fragment data reaches this code from attacker-controlled bytes on the MCUmgr serial/UART/shell-console transports (smp_uart.c, smp_raw_uart.c, smp_shell.c), and a fresh buffer is allocated at the start of essentially every new packet. An attacker on the serial/console link can flood the transport to drive the 4-entry buffer pool to exhaustion and induce the NULL dereference, crashing the device (denial of service). The defect was introduced after the original MCUmgr rework and shipped in Zephyr v4.4.0. The fix moves the NULL check ahead of net_buf_reset.
Gravedad CVSS v3.1: MEDIA
Última modificación:
01/07/2026

CVE-2026-51221

Fecha de publicación:
29/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A buffer overflow in the Get_Attribute_List function of EIPStackGroup OpENer commit 76b95c allows attackers to cause a Denial of Service (DoS) via supplying a crafted Common Packet Format (CPF) packet.
Gravedad CVSS v3.1: ALTA
Última modificación:
30/06/2026

CVE-2026-57997

Fecha de publicación:
29/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass algorithm restrictions and weaken authentication controls.
Gravedad CVSS v4.0: MEDIA
Última modificación:
01/07/2026

CVE-2026-34592

Fecha de publicación:
29/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, Coolify server and project lookups are not scoped to the current team, allowing any authenticated user to access servers and projects belonging to other teams by specifying their IDs directly. This vulnerability is fixed in 4.0.0-beta.471.
Gravedad CVSS v3.1: ALTA
Última modificación:
30/06/2026

CVE-2026-10647

Fecha de publicación:
29/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** The USB CDC-NCM device class (subsys/usb/device_next/class/usbd_cdc_ncm.c) ignores the return value of usbd_ep_enqueue() in its ethernet transmit callback cdc_ncm_send(). When the enqueue fails, the function still calls k_sem_take(&amp;data-sync_sem, K_FOREVER), blocking on a completion semaphore that is only ever signaled from the bulk-IN transfer-completion callback. Because nothing was enqueued, that callback never fires and the calling thread — a shared network traffic-class TX thread — deadlocks permanently while holding the interface TX lock, halting transmission until reboot (and leaking the transmit buffer).<br /> <br /> The enqueue fails under conditions controlled by the attached USB host: usbd_ep_enqueue() returns -EPERM whenever the bus is suspended (a standard, persistent host operation), and the underlying udc_ep_enqueue() returns -EPERM/-ENODEV on disconnect, bus reset, or endpoint disable. The cdc_ncm_send() guard only checks the DATA_IFACE_ENABLED and IFACE_UP flags, not the suspended state, so a packet transmitted while the host holds the bus suspended reaches the failing enqueue and deadlocks the TX path.<br /> <br /> The realistic trigger is a bus suspend that occurs while the exported network interface is active and has traffic to send — host sleep, USB selective/auto-suspend, or hub power management — after which any device-originated packet deadlocks the path, recoverable only by reboot. The impact is a persistent loss of the virtual network connection between the host&amp;#39;s NCM interface and the Zephyr device; because the deadlocked thread is a shared traffic-class TX thread, egress on other network interfaces can stall as well. There is no memory corruption or information disclosure.<br /> <br /> The defect was introduced with the CDC-NCM driver and shipped in releases through v4.4.0; it is fixed by checking the usbd_ep_enqueue() return value and freeing the buffer before the blocking wait.
Gravedad CVSS v3.1: MEDIA
Última modificación:
01/07/2026

CVE-2026-55957

Fecha de publicación:
29/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password.<br /> <br /> This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.<br /> <br /> Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.
Gravedad CVSS v3.1: ALTA
Última modificación:
02/07/2026

CVE-2026-55956

Fecha de publicación:
29/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint.<br /> <br /> This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected.<br /> <br /> Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
Gravedad CVSS v3.1: MEDIA
Última modificación:
02/07/2026

CVE-2026-55955

Fecha de publicación:
29/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component.<br /> <br /> This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.<br /> <br /> Users are recommended to upgrade to version 11.0.23, 10.1.56, 9.0.119, which fixes the issue.
Gravedad CVSS v3.1: MEDIA
Última modificación:
02/07/2026

CVE-2026-55276

Fecha de publicación:
29/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged.<br /> <br /> This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.<br /> <br /> Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
02/07/2026

CVE-2026-41896

Fecha de publicación:
29/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the HMAC key is the application&amp;#39;s manual_webhook_secret_github field, which is used by Coolify&amp;#39;s webhook endpoints to validate incoming requests, is nullable with no default — meaning newly created applications have a null webhook secret. PHP&amp;#39;s hash_hmac() function silently coerces a null key to an empty string &amp;#39;&amp;#39;. So when the secret is null, the server computes hash_hmac(&amp;#39;sha256&amp;#39;, $payload, &amp;#39;&amp;#39;) — a deterministic value that any attacker can calculate independently. By sending X-Hub-Signature-256: sha256=, an unauthenticated attacker can forge a valid signature and trigger deployments. This vulnerability is fixed in 4.0.0-beta.474.
Gravedad CVSS v3.1: ALTA
Última modificación:
30/06/2026