Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-13603

Fecha de publicación:
01/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** The payment integration pretix-oppwa provides support <br /> for the payment providers VR Payment, Hobex, and potentially others <br /> based on Oppwa&amp;#39;s technology. The integration of Oppwa, following their <br /> official documentation, includes a step where the user is redirected <br /> from the payment provider back to our system with a query parameter like<br /> ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.<br /> <br /> <br /> <br /> Our plugin pretix-oppwa did so insecurely by <br /> concatenating the parameter form the URL to the base domain of the API <br /> without further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different<br /> server instead. Since the request includes the access token (API key) <br /> of the Oppwa account, this would leak the access token, giving access to<br /> data contained in the payment provider&amp;#39;s system. This is fixed with the<br /> release today by strictly validating the given API URL.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> After installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.
Gravedad CVSS v4.0: CRÍTICA
Última modificación:
02/07/2026

CVE-2026-8387

Fecha de publicación:
01/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability in allegroai/clearml versions up to and including 1.16.5 allows for relative path traversal when extracting `.zip` archives using the `ZipFile.extractall()` method in `StorageManager._extract_to_cache()`. This issue arises due to the lack of path traversal validation, enabling an attacker to write arbitrary files to the filesystem. Attack vectors include dataset downloads, artifact downloads, model downloads, and offline session imports. The vulnerability can lead to remote code execution through methods such as cron job injection, SSH key overwrite, or web shell deployment. The issue is resolved in version 2.1.6.
Gravedad CVSS v3.1: BAJA
Última modificación:
02/07/2026

CVE-2026-5120

Fecha de publicación:
01/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** A Race Condition vulnerability affecting BIOVIA Workbook from Release 2021 through Release 2026 could allow a user to access unauthorized data from another user.
Gravedad CVSS v3.1: ALTA
Última modificación:
02/07/2026

CVE-2026-53909

Fecha de publicación:
01/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** MCO does not correctly validate types of uploaded files. File upload validation functionality relies only on client-side checks, which can be bypassed. An authorized, low-privileged attacker can upload files with arbitrary types to the server.<br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Gravedad CVSS v4.0: MEDIA
Última modificación:
06/07/2026

CVE-2026-53903

Fecha de publicación:
01/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is authorized to access a requested document, allowing direct retrieval based on a user-supplied identifier.<br /> An attacker can access trading documents belonging to other users by providing a valid document ID. Although exploitation requires guessing the identifier, predictable ID patterns enable feasible enumeration, leading to unauthorized disclosure of sensitive information.<br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Gravedad CVSS v4.0: MEDIA
Última modificación:
06/07/2026

CVE-2026-53902

Fecha de publicación:
01/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation.<br /> An attacker can add themselves to arbitrary groups by supplying a valid group ID, which can be obtained via other application functionalities (e.g. /customer/servlet/mco/webapi/group/picker/groups), provided he has necessary permissions, or potentially inferred through brute-force techniques.<br /> <br /> <br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Gravedad CVSS v4.0: ALTA
Última modificación:
06/07/2026

CVE-2026-53908

Fecha de publicación:
01/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and email addresses.<br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Gravedad CVSS v4.0: MEDIA
Última modificación:
06/07/2026

CVE-2026-53907

Fecha de publicación:
01/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** MCO is vulnerable to Stored Cross‑Site Scripting (XSS) via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened.<br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Gravedad CVSS v4.0: MEDIA
Última modificación:
06/07/2026

CVE-2026-53906

Fecha de publicación:
01/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter allows writing files to arbitrary locations as well as indirect disclosure of absolute server paths through error messages.<br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Gravedad CVSS v4.0: MEDIA
Última modificación:
06/07/2026

CVE-2026-53905

Fecha de publicación:
01/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks.<br /> This may expose sensitive permission mappings and internal configuration details.<br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Gravedad CVSS v4.0: MEDIA
Última modificación:
06/07/2026

CVE-2026-53904

Fecha de publicación:
01/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** MCO is vulnerable to Account Denial of Service due to improper implementation of password reset functionality. Each password reset request invalidates previously set password as well as previously issued temporary passwords, furthermore, password resets are not limited in any way. An attacker who provides victim&amp;#39;s email and answer to their security question, can successfully initiate the reset process and continuously invalidate credentials, effectively locking the victim out of their account. Answering security questions has a limited number of tries which lowers the risk of this vulnerability.<br /> <br /> Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Gravedad CVSS v4.0: MEDIA
Última modificación:
06/07/2026

CVE-2026-14198

Fecha de publicación:
01/07/2026
Idioma:
Inglés
*** Pendiente de traducción *** @fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify&amp;#39;s underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position. The bypass is HTTP method agnostic and requires no authentication or special preconditions. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: avoid parameterized middleware paths for security decisions, or enforce authentication at the route handler or via a Fastify hook that runs after the router has resolved the request.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
02/07/2026