Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-5228

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Improper Access Control, Missing Authorization vulnerability in Kurt Software Studio WriteUp Mobile App allows Accessing Functionality Not Properly Constrained by ACLs.<br /> <br /> This issue affects WriteUp Mobile App: from 1.3.0 through 04062026.
Gravedad CVSS v3.1: ALTA
Última modificación:
04/06/2026

CVE-2026-45287

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.
Gravedad CVSS v4.0: BAJA
Última modificación:
08/06/2026

CVE-2026-43986

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose a public `/image/` route that resolves attacker-controlled entries from `image_hash_lookup` and replays them through the same server-side image fetch logic used by authenticated image proxying. A low-privilege guest user can seed a malicious external image URL into this lookup table and then trigger server-side fetches through a fully unauthenticated endpoint. This turns an authenticated SSRF primitive into a persistent unauthenticated SSRF gadget. Once the malicious hash entry exists, any external user can request `/image/.png` and cause the PMS or Tautulli host to fetch an arbitrary attacker-chosen URL. Version 2.17.1 patches the issue.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
04/06/2026

CVE-2026-43985

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `configUpdate` as a state-changing administrator endpoint, but the route does not enforce `POST` and does not use any anti-CSRF token. In the default form and JWT-based authentication mode, the administrator session cookie is issued with `SameSite=Lax`, which still permits top-level cross-site navigation requests. An attacker can exploit this by luring a logged-in administrator to a malicious page that submits a cross-site request to `/configUpdate` and overwrites the local administrator username and password. The attacker can then sign in directly with the chosen credentials and take over the Tautulli administrative interface. Version 2.17.1 patches the issue.
Gravedad CVSS v3.1: ALTA
Última modificación:
04/06/2026

CVE-2026-44393

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** An issue was discovered in OpenStack oslo.messaging 1.0.0 through 17.3.0. The oslo.messaging RabbitMQ driver does not perform TLS hostname verification when connecting to the message broker. When ssl_ca_file is configured, the driver enables certificate chain validation but does not pass the expected broker hostname into the underlying TLS stack. Any certificate signed by the deployment CA is accepted regardless of hostname, allowing an attacker who can intercept control-plane traffic to impersonate the RabbitMQ broker and perform a man-in-the-middle attack on RPC and notification traffic. All OpenStack services using oslo.messaging with RabbitMQ over TLS are affected.
Gravedad CVSS v3.1: ALTA
Última modificación:
30/06/2026

CVE-2026-41178

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue.
Gravedad CVSS v3.1: MEDIA
Última modificación:
04/06/2026

CVE-2026-43984

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `log_js_errors` to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The administrator-only `logFile` view then reads that log file and embeds it into an HTML response without escaping. This creates a stored cross-site scripting condition where a low-privilege guest can inject HTML or JavaScript into the log file and have it execute in an administrator&amp;#39;s browser when the log viewer is opened. Version 2.17.1 patches the issue.
Gravedad CVSS v3.1: ALTA
Última modificación:
04/06/2026

CVE-2026-40930

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** LIBPNG is a reference library for use in applications that process PNG (Portable Network Graphics) raster image files. In version 1.8.0, three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to `png_process_data`. Commit faf06924688b62d7c1654b5ceddedbde66ffadb4 fixes the issue.
Gravedad CVSS v3.1: MEDIA
Última modificación:
04/06/2026

CVE-2026-38570

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** bacnet_stack 1.3.1 contains an Out-of-bounds Read in bacnet_tag_number_decode which allows attackers to cause a denial of service.
Gravedad CVSS v3.1: ALTA
Última modificación:
08/06/2026

CVE-2026-36182

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** GNCC GP5 v7.1.76 was discovered to utilize a weak hashing algorithm to protect the root password, possibly allowing attackers to obtain root credentials and privileges via a bruteforce attack.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
05/07/2026

CVE-2026-10814

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability has been found in milvus-io milvus up to 2.6.13. This vulnerability affects unknown code of the file internal/metastore/kv/rootcoord/kv_catalog.go of the component Grantee ID Hash Handler. The manipulation leads to use of weak hash. The attack needs to be performed locally. The attack&amp;#39;s complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 3d932f1c3e065351c4440c27abe1e6479752544d. Applying a patch is the recommended action to fix this issue.
Gravedad CVSS v4.0: BAJA
Última modificación:
10/06/2026

CVE-2026-10868

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker’s privileges, this could allow unauthorized modification of user account attributes and impact account integrity.<br /> <br /> <br /> <br /> The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation.
Gravedad CVSS v4.0: CRÍTICA
Última modificación:
04/06/2026