Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-10237

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was found in SourceCodester Water Billing Management System 1.0. Impacted is an unknown function of the file /admin/?page=user/manage_user of the component User Management Module. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
Gravedad CVSS v4.0: BAJA
Última modificación:
01/06/2026

CVE-2026-10239

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was determined in JeecgBoot up to 3.9.2. The affected element is the function WordUtil.addImage of the file /airag/word/edit. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. A fix is planned for the upcoming release.
Gravedad CVSS v4.0: BAJA
Última modificación:
01/06/2026

CVE-2026-10240

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was identified in JeecgBoot up to 3.9.2. The impacted element is an unknown function of the file /airag/airagModel/test. The manipulation of the argument baseUrl leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. A fix is planned for the upcoming release.
Gravedad CVSS v4.0: BAJA
Última modificación:
01/06/2026

CVE-2026-10241

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A security flaw has been discovered in jeecgboot The server processes these URLs up to 3.9.1. This affects the function FileDownloadUtils.download2DiskFromNet of the file /airag/app/debug of the component Cloud Instance Metadata Endpoint. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.9.2 mitigates this issue. It is suggested to upgrade the affected component.
Gravedad CVSS v4.0: BAJA
Última modificación:
01/06/2026

CVE-2026-10235

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A flaw has been found in CodeAstro Ingredients Stock Management System 1.0. This vulnerability affects unknown code of the file /Ingredients-Stock/stock_manager.php. This manipulation of the argument txt_search_category causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.
Gravedad CVSS v4.0: BAJA
Última modificación:
01/06/2026

CVE-2026-45192

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field names not present in the redaction allowlist (`DEFAULT_SENSITIVE_FIELDS`) — for example, official Slack-provider credential field names were returned in plaintext. Affects deployments that store credentials in Connection `extra` blobs and grant Connection-read access to multiple users. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can store sensitive credential values in a secret-backend rather than inlined into the Connection's `extra` field.
Gravedad CVSS v3.1: MEDIA
Última modificación:
01/06/2026

CVE-2026-35563

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certificate matches the intended LDAP <br /> hostname. While the underlying code validates the certificate chain <br /> against a trusted authority, the absence of endpoint identification <br /> allows a valid certificate issued for an entirely unrelated host to be <br /> improperly accepted. This oversight leaves the connection highly <br /> vulnerable to server impersonation and complete connection compromise.<br /> <br /> <br /> The<br /> root cause of this vulnerability lies in the incomplete TLS server <br /> identity verification within the LDAP client implementation.<br /> <br /> <br /> <br /> <br /> The attacker requires MITM capability on the network to exploit this vulnerability. This attacker must be able to present a certificate trusted by the client&amp;#39;s configured trust store.<br /> <br /> <br /> <br /> <br /> The hostname verification has been enforced in the new version of the LDAP API
Gravedad CVSS v4.0: ALTA
Última modificación:
03/06/2026

CVE-2026-10229

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was determined in Assimp up to 6.0.4. This affects the function HL1MDLLoader::read_meshes of the file HL1MDLLoader.cpp of the component Half-Life 1 MDL Loader. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. The project tagged the reported issue as bug.
Gravedad CVSS v4.0: BAJA
Última modificación:
01/06/2026

CVE-2026-10230

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was identified in Assimp up to 6.0.4. This impacts the function Assimp::MDL::HalfLife::HL1MDLLoader::read_animations of the file HL1MDLLoader.cpp of the component Half-Life 1 MDL Loader. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The project tagged the reported issue as bug.
Gravedad CVSS v4.0: BAJA
Última modificación:
01/06/2026

CVE-2026-10231

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A security flaw has been discovered in Assimp up to 6.0.4. Affected is the function HL1MDLLoader::extract_anim_value of the file HL1MDLLoader.cpp of the component Half-Life 1 MDL Loader. Performing a manipulation of the argument num.total results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The project tagged the reported issue as bug.
Gravedad CVSS v4.0: BAJA
Última modificación:
01/06/2026

CVE-2026-10232

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A weakness has been identified in Assimp up to 6.0.4. Affected by this vulnerability is the function aiNode::~aiNode of the file scene.cpp of the component ASE File Parser. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. The project tagged the reported issue as bug.
Gravedad CVSS v4.0: BAJA
Última modificación:
01/06/2026

CVE-2026-10234

Fecha de publicación:
01/06/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was detected in Mettle sendportal up to 3.0.1. This affects an unknown part of the file /webview/ of the component Campaign Handler. The manipulation of the argument content results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Gravedad CVSS v4.0: BAJA
Última modificación:
01/06/2026