Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-8915

Fecha de publicación:
28/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers.<br /> <br /> This issue affects Escargot: 36f5fb58366a67b713c02f6fd985e924fcc09e31.
Gravedad CVSS v3.1: ALTA
Última modificación:
02/06/2026

CVE-2026-46538

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO&amp;#39;s constellation client tracks pending task responses by session_id only and does not verify that a TASK_END message came from the device that originally received the task. When the constellation sends a task to a target device, it records a pending Future under a session key. The pending task record stores the expected device ID, but the completion path ignores that binding. If another authenticated peer device sends a forged TASK_END with the same session_id, the constellation accepts the response and completes the victim device&amp;#39;s pending Future with attacker-controlled result data. This is an authenticated cross-device task-result injection issue.
Gravedad CVSS v3.1: MEDIA
Última modificación:
28/05/2026

CVE-2026-46544

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied session_id values in WebSocket task messages and reuses an existing in-memory session object if that session_id already exists. If a prior session has completed and remains in memory with populated results, a different authenticated client can send a new TASK message using the same session_id. The server re-enters the existing session object and sends the stale stored result to the new requester through the normal send_task_end() callback path. This is an authenticated cross-client stale result replay issue. The issue requires that the attacker knows or can predict a live or recently completed session_id.
Gravedad CVSS v3.1: MEDIA
Última modificación:
28/05/2026

CVE-2026-9739

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented `allowed-origins` and `allowed-hosts` flags to align with MCP security guidelines. However, the hardcoded `Access-Control-Allow-Origin: *` header in the SSE initialization handler was inadvertently retained. This vulnerability specifically impacts users connecting via Toolbox using SSE under specification v2024-11-05.
Gravedad CVSS v4.0: CRÍTICA
Última modificación:
29/05/2026

CVE-2026-45322

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Microsoft UFO open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection vulnerability in the shell action replay path. In affected releases, ShellReceiver.run_shell() passes a command string from action parameters directly to subprocess.Popen() with shell=True and executable=powershell.exe. The same shell-execution behavior is also reachable through ShellReceiver.execute_command(). The shell receiver is invoked by action classes such as RunShellCommand.execute() and ExecuteCommand.execute(), which forward stored action parameters to the shell receiver. Because UFO stores planned and executed actions in per-session JSON records, an attacker who can write or modify a session/action JSON file can plant a shell action. When the session is resumed or replayed, UFO executes the attacker&amp;#39;s command as the UFO process user.
Gravedad CVSS v3.1: ALTA
Última modificación:
28/05/2026

CVE-2026-46416

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for multiple authenticated WebSocket connections. The handler stores per-connection protocol objects in mutable instance fields. Each new WebSocket connection overwrites those fields. Later, message handlers send responses through the shared fields instead of through protocol objects bound to the originating connection. As a result, the most recently connected authenticated client can receive protocol responses that belong to another authenticated client.
Gravedad CVSS v3.1: MEDIA
Última modificación:
28/05/2026

CVE-2026-46402

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled task_name value directly when constructing session log paths. An authenticated client can supply path traversal sequences in task_name and cause UFO to create log directories and log files outside the intended logs/ directory.
Gravedad CVSS v3.1: ALTA
Última modificación:
30/05/2026

CVE-2026-46414

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO&amp;#39;s WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK message claiming client_type="constellation" and target_id=. The server trusts the role and target values from the wire message rather than enforcing the role registered for that WebSocket connection. As a result, any authenticated WebSocket client with the shared server token can spoof the higher-privilege constellation role and dispatch attacker-controlled tasks to another connected device. The same client registry also allows duplicate client_id registration, overwriting an existing live client&amp;#39;s stored websocket, role, and task protocol. This is an authenticated WebSocket role/identity spoofing issue leading to peer task hijacking.
Gravedad CVSS v3.1: ALTA
Última modificación:
02/06/2026

CVE-2026-9208

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Tanium addressed an unauthorized code execution vulnerability in Connect.
Gravedad CVSS v3.1: ALTA
Última modificación:
02/06/2026

CVE-2026-44720

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. This vulnerability is fixed in 2.0.4.
Gravedad CVSS v4.0: MEDIA
Última modificación:
29/05/2026

CVE-2026-45083

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records. This vulnerability is fixed in 26.04.1.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
29/05/2026

CVE-2026-45152

Fecha de publicación:
27/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** uniget is a universal installer and updater for (container) tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files using /bin/bash -c. Because the check field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker can craft malicious metadata that executes arbitrary shell commands on the victim’s system when common uniget operations such as describe, install, update, or inspect are performed. This vulnerability can lead to arbitrary code execution with the privileges of the user running uniget. This vulnerability is fixed in 0.27.1.
Gravedad CVSS v3.1: ALTA
Última modificación:
01/06/2026