Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-41124

Fecha de publicación:
03/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an Improper limitation of a pathname to a restricted directory ('path traversal') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure.
Gravedad CVSS v3.1: BAJA
Última modificación:
03/07/2026

CVE-2026-26355

Fecha de publicación:
03/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutralization of special Elements used in an OS command ('OS command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to command execution.
Gravedad CVSS v3.1: MEDIA
Última modificación:
03/07/2026

CVE-2026-10055

Fecha de publicación:
03/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller.<br /> <br /> <br /> <br /> <br /> Because the destination URL is neither validated nor allowlisted, a remote attacker with access to the Theia service connection can issue server-side HTTP requests to localhost or other backend-reachable hosts and read their responses, exposing internal administrative endpoints, cloud instance metadata services, and other resources that are intentionally outside the browser network boundary.<br /> <br /> <br /> <br /> <br /> The vulnerability affects deployments where the Theia service connection is reachable by untrusted users (for example, multi-tenant or publicly-reachable Theia deployments).
Gravedad CVSS v3.1: ALTA
Última modificación:
03/07/2026

CVE-2026-13341

Fecha de publicación:
03/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability exists in the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0, which could allow a remote attacker to perform an indirect prompt injection attack and execute unintended API requests.
Gravedad CVSS v3.1: ALTA
Última modificación:
03/07/2026

CVE-2026-50238

Fecha de publicación:
03/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Rejected reason: Red Hat Product Security has concluded that this CVE is not required. The reported issue has been classified as a regular bug and will be addressed through the standard bug-fixing process.
Gravedad: Pendiente de análisis
Última modificación:
03/07/2026

CVE-2026-10054

Fecha de publicación:
03/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication.<br /> <br /> <br /> <br /> <br /> WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit.<br /> <br /> <br /> <br /> <br /> As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication.<br /> <br /> <br /> <br /> <br /> A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.
Gravedad CVSS v3.1: ALTA
Última modificación:
03/07/2026

CVE-2026-5137

Fecha de publicación:
03/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7 This is due to insufficient path validation on the &amp;#39;template&amp;#39; parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute files on the server ending in _templates.php, allowing the execution of any PHP code in those files.
Gravedad CVSS v3.1: MEDIA
Última modificación:
03/07/2026

CVE-2026-4321

Fecha de publicación:
03/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Improper neutralization of special elements used in an SQL command (&amp;#39;SQL injection&amp;#39;) vulnerability in Raera - Ankara Web Design and Digital Advertising Agency Destekz allows SQL Injection.<br /> <br /> This issue affects Destekz: through 02062026. NOTE: The vendor was contacted and it was learned that the product is not supported.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
03/07/2026

CVE-2026-4322

Fecha de publicación:
03/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Improper neutralization of input during web page generation (&amp;#39;cross-site scripting&amp;#39;) vulnerability in Raera - Ankara Web Design and Digital Advertising Agency Destekz allows Reflected XSS.<br /> <br /> This issue affects Destekz: through 02062026. NOTE: The vendor was contacted and it was learned that the product is not supported.
Gravedad CVSS v3.1: MEDIA
Última modificación:
03/07/2026

CVE-2026-4804

Fecha de publicación:
03/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, and zakra_menu_item_active_color) with &amp;#39;show_in_rest&amp;#39; =&gt; true and &amp;#39;auth_callback&amp;#39; =&gt; &amp;#39;__return_true&amp;#39;, but without any sanitize_callback parameter in the register_post_meta() calls. While the classic editor save path applies sanitize_hex_color() sanitization, the REST API path completely bypasses this protection. The unsanitized meta values are then retrieved via get_post_meta() and concatenated directly into CSS strings that are output through wp_add_inline_style() without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.
Gravedad CVSS v3.1: MEDIA
Última modificación:
03/07/2026

CVE-2026-9756

Fecha de publicación:
03/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Headline Block &amp;#39;linkMetaFieldType&amp;#39; Dynamic Link Attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A contributor-level attacker can store a JavaScript payload in their own profile description (allowlisted by get_safe_user_meta_keys()) and prepend &amp;#39;javascript:&amp;#39; via the linkMetaFieldType attribute, creating a fully attacker-controlled href that executes when any user, including an administrator, clicks the rendered headline link.
Gravedad CVSS v3.1: MEDIA
Última modificación:
03/07/2026

CVE-2026-47896

Fecha de publicación:
03/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** Improper Limitation of a Pathname to a Restricted Directory (&amp;#39;Path Traversal&amp;#39;) vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library).<br /> <br /> This issue affects Apache Lucene.Net.Replicator: from 4.8.0-beta00005 through 4.8.0-beta00017.<br /> <br /> Users are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.
Gravedad CVSS v4.0: ALTA
Última modificación:
03/07/2026