Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-35905

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 were discovered to contain a hardcoded password for root access under the "superadmin" account.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
08/06/2026

CVE-2026-35906

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** An undocumented debug CGI endpoint in T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03 allows unauthenticated attackers to execute arbitrary system commands as root via supplying a crafted HTTP query string.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
04/06/2026

CVE-2026-28318

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update
Gravedad CVSS v3.1: ALTA
Última modificación:
05/06/2026

CVE-2026-10860

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.
Gravedad CVSS v4.0: ALTA
Última modificación:
22/06/2026

CVE-2026-10863

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled named request parameters. This allowed an authenticated user to override the server-defined ordering of over-correlating values. Depending on how the value was processed by the underlying data access layer, this could allow manipulation of database query ordering and potentially expose the application to unsafe query construction.<br /> <br /> <br /> <br /> The patch removes order from the set of request-controlled parameters and instead sets the ordering server-side to occurrence desc after processing allowed user parameters.<br /> <br /> <br /> <br /> Affected component:<br /> app/Controller/CorrelationsController.php, overCorrelations()<br /> <br /> <br /> <br /> Security impact:<br /> An authenticated attacker could influence the ordering clause used by the over-correlations query. The direct impact appears limited to query manipulation unless further evidence confirms SQL injection or unauthorized data exposure through the manipulated ordering expression.
Gravedad CVSS v4.0: MEDIA
Última modificación:
22/06/2026

CVE-2026-10864

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause the underlying query to fall back to returning unintended model fields.<br /> <br /> <br /> <br /> For the New Users widget, this could allow a non-site-admin user to obtain user e-mail addresses even when user e-mail disclosure was disabled by configuration. For the New Organisations widget, crafted field selection could similarly result in unintended organisation fields being included in the dashboard response.<br /> <br /> <br /> <br /> The issue was caused by applying field filtering and redaction in a way that could leave the selected field list empty. The patch ensures that the allowed field list is built safely, that restricted fields such as user e-mail addresses are removed before user-supplied field selection is processed, and that an empty field selection falls back only to the permitted default fields.<br /> <br /> <br /> <br /> Impact:<br /> An authenticated low-privileged user with access to the affected dashboard widgets may be able to disclose restricted user or organisation metadata, including user e-mail addresses depending on configuration.
Gravedad CVSS v4.0: MEDIA
Última modificación:
22/06/2026

CVE-2026-10811

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A security vulnerability has been detected in itsourcecode Fees Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /receipt.php. Such manipulation of the argument ef_id leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Gravedad CVSS v4.0: BAJA
Última modificación:
04/06/2026

CVE-2026-10812

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was detected in zilliztech GPTCache up to 0.1.44. Affected by this issue is the function BufferedReader.peek of the file gptcache/processor/pre.py of the component Cache Key Handler. Performing a manipulation of the argument input_data["image"] results in use of weak hash. The attack must be initiated from a local position. The attack is considered to have high complexity. The exploitation is known to be difficult. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance.
Gravedad CVSS v4.0: BAJA
Última modificación:
04/06/2026

CVE-2026-8762

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** Rejected reason: After analysis, the originally reported behaviour was determined not to constitute a security vulnerability. The findings were parser-strictness defects without an exploitable framing-disagreement path in any tested deployment configuration.
Gravedad: Pendiente de análisis
Última modificación:
04/06/2026

CVE-2026-8037

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
01/07/2026

CVE-2026-45433

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** This vulnerability exists in GX Earth 2022 ONT models due to the presence of hardcoded RSA private key within the device firmware. A remote attacker could exploit this vulnerability by extracting the cryptographic private key from the firmware, which could lead to decryption of HTTPS traffic and Man-in-the-Middle (MITM) attacks on the targeted device.
Gravedad CVSS v4.0: ALTA
Última modificación:
04/06/2026

CVE-2026-43926

Fecha de publicación:
04/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint `/client/reset-password-confirm/:hash` is handled by a non-API controller and is not covered by FOSSBilling&amp;#39;s rate limiter, which only applies to `/api/*` routes. This allows an attacker to probe the endpoint for valid reset tokens without any per-IP request limiting, attempt counting, or lockout mechanism. The endpoint acts as an oracle, returning a distinguishable response for valid versus invalid tokens (HTTP 200 vs HTTP 302 redirect). An attacker can submit unlimited token guesses to the password reset confirmation endpoint with no throttling applied. However, practical exploitability is significantly mitigated by the current token generation, which uses `hash(&amp;#39;sha256&amp;#39;, random_bytes(32))`, providing 256 bits of entropy. Tokens also expire after 15 minutes and are deleted after successful use. The same architectural gap applies to other controller-served auth routes, including `/staff/email/:hash` (admin password reset confirmation) and `/client/confirm-email/:hash` (email confirmation). Version 0.8.0 fixes the issue. Some workarounds are available. Configure a reverse proxy (e.g., Nginx, Apache, Cloudflare) to apply per-IP rate limiting to the `/client/reset-password-confirm/*` and `/staff/email/*` paths and/or use a WAF rule to limit request rates to these endpoints.
Gravedad CVSS v4.0: MEDIA
Última modificación:
04/06/2026