Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-43972

Fecha de publicación:
08/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority.<br /> <br /> In gun_http2:push_promise_frame/7, the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection&amp;#39;s origin. When gun_http2:headers_frame/9 later processes the response headers for the promised stream, it calls gun_cookies:set_cookie_header/7 with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 §10.6 / RFC 9113 §8.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for.<br /> <br /> A malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client&amp;#39;s shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required.<br /> <br /> This issue affects gun: from 2.0.0 before 2.4.0.
Gravedad CVSS v4.0: MEDIA
Última modificación:
09/06/2026

CVE-2026-43973

Fecha de publicación:
08/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Uncontrolled Resource Consumption vulnerability in ninenines gun (gun_http module) allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering.<br /> <br /> In gun_http:handle/5, three clauses accumulate incoming TCP data into the connection&amp;#39;s buffer field using binary concatenation with no upper-bound check: the head clause appends data until the \r\n\r\n header terminator is found; the body_chunked clause appends data whenever cow_http_te:stream_chunked/2 returns a more result indicating an incomplete chunk boundary; and the body_trailer clause appends data until the trailing \r\n\r\n is found. In each case, when the expected terminator never arrives, the enlarged binary is stored back into state and the process waits for more data, with no configurable or hard-coded ceiling on buffer size.<br /> <br /> A malicious or compromised server can exploit this by sending a partial response that never completes. For example, a response may begin with HTTP/1.1 200 OK\r\nX-Pad: followed by an unbounded stream of arbitrary bytes, never sending the header terminator. The gun connection process will continuously append the incoming data to its buffer, causing unbounded heap growth. Because BEAM imposes no per-process heap limit by default, a single malicious connection can exhaust all available memory on the node, causing a node-wide out-of-memory crash.<br /> <br /> This issue affects gun: from 1.0.0 before 2.4.0.
Gravedad CVSS v4.0: ALTA
Última modificación:
09/06/2026

CVE-2026-43974

Fecha de publicación:
08/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response.<br /> <br /> In gun_http:handle_inform/8, when a 101 Switching Protocols response is received over HTTP/1.1, the function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain reference(). It does not check whether the client ever sent an Upgrade or Connection: upgrade header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a gun_upgrade message to the caller and transition the entire connection to raw protocol mode.<br /> <br /> A malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, gun_raw applies no flow control (flow=infinity) and re-arms socket active mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded gun_data messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM.<br /> <br /> This issue affects gun: from 2.0.0 before 2.4.0.
Gravedad CVSS v4.0: ALTA
Última modificación:
09/06/2026

CVE-2026-36789

Fecha de publicación:
08/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Shenzhen Tenda Technology Co., Ltd Tenda AC1206 v15.03.06.23 was discovered to contain multiple stack overflows in the fromGstDhcpSetSer function via the username and password parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Gravedad CVSS v3.1: ALTA
Última modificación:
09/06/2026

CVE-2026-11521

Fecha de publicación:
08/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A security vulnerability has been detected in Mohammed-eid35 bank-management-system-springboot up to 7b9bcc65ad7df3db29af71aed9bb500e5f24d948. This affects an unknown part of the file src/main/java/com/alien/bank/management/system/controller/TransactionController.java of the component Transaction Endpoint. Such manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Gravedad CVSS v4.0: BAJA
Última modificación:
09/06/2026

CVE-2026-25558

Fecha de publicación:
08/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded through the file manager to execute arbitrary scripts in the browser of any user who subsequently views the file.
Gravedad CVSS v4.0: MEDIA
Última modificación:
09/06/2026

CVE-2026-11516

Fecha de publicación:
08/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was found in UTT HiPER 2610G up to 3.0.0-171107. This affects the function strcpy of the file /goform/formNatStaticMap. Performing a manipulation of the argument NatBinds results in buffer overflow. The exploit has been made public and could be used.
Gravedad CVSS v4.0: BAJA
Última modificación:
09/06/2026

CVE-2026-11518

Fecha de publicación:
08/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was identified in SourceCodester Inventory System 1.0. Affected is an unknown function of the file /users.php of the component User Management Page. The manipulation of the argument fullname/username leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.
Gravedad CVSS v4.0: BAJA
Última modificación:
09/06/2026

CVE-2026-11519

Fecha de publicación:
08/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A security flaw has been discovered in SourceCodester Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /Product_Inventory/api/users_handler.php of the component Account Creation Handler. The manipulation of the argument ROLE results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
Gravedad CVSS v4.0: BAJA
Última modificación:
09/06/2026

CVE-2026-11520

Fecha de publicación:
08/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A weakness has been identified in SourceCodester Inventory System 1.0. Affected by this issue is some unknown functionality of the file header.php. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Multiple parameters might be affected.
Gravedad CVSS v4.0: BAJA
Última modificación:
09/06/2026

CVE-2026-11517

Fecha de publicación:
08/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was determined in UTT HiPER 2610G up to 3.0.0-171107. This impacts the function strcpy of the file /goform/formConfigDnsFilterGlobal. Executing a manipulation of the argument GroupName can lead to buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.
Gravedad CVSS v4.0: ALTA
Última modificación:
09/06/2026

CVE-2026-9549

Fecha de publicación:
08/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Stored cross-site scripting in the service discovery active check output in Checkmk
Gravedad CVSS v4.0: MEDIA
Última modificación:
08/06/2026