Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-48126

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8.
Gravedad CVSS v3.1: ALTA
Última modificación:
26/05/2026

CVE-2026-47728

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced. This vulnerability is fixed in 2.2.0.
Gravedad CVSS v3.1: MEDIA
Última modificación:
26/05/2026

CVE-2026-48690

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture buffer allocation. In src/packet_storage.hpp, the allocate_buffer() function computes memory_size_in_bytes as 'buffer_size_in_packets * (max_captured_packet_size + sizeof(fastnetmon_pcap_pkthdr_t)) + sizeof(fastnetmon_pcap_file_header_t)' using unsigned int (32-bit) arithmetic. With max_captured_packet_size=1500 and sizeof(fastnetmon_pcap_pkthdr_t)=16, each packet requires approximately 1516 bytes. If buffer_size_in_packets exceeds approximately 2,832,542, the multiplication overflows, resulting in a much smaller allocation than expected. Subsequent write_packet() calls then write past the allocated buffer, causing heap corruption. The buffer_size_in_packets value is derived from the ban_details_records_count configuration parameter, which is parsed using atoi() with no overflow checking.
Gravedad CVSS v3.1: ALTA
Última modificación:
27/05/2026

CVE-2026-48693

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** FastNetMon Community Edition through 1.2.9 is vulnerable to a local symlink attack via predictable file paths in /tmp. The statistics file path defaults to '/tmp/fastnetmon.dat' (src/fastnetmon.cpp line 159). The print_screen_contents_into_file() function (src/fastnetmon_logic.cpp line 2186) opens this path with std::ios::trunc without checking for symlinks or using O_NOFOLLOW. Additionally, the chmod() call on line 2190 always operates on cli_stats_file_path regardless of which file_path parameter was passed (a bug that applies wrong permissions), and the umask is set to 0 during daemonization (src/fastnetmon.cpp line 1821), making all created files world-writable. A local attacker can exploit this to overwrite arbitrary files as the FastNetMon process user (typically root).
Gravedad CVSS v3.1: MEDIA
Última modificación:
27/05/2026

CVE-2026-48697

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** FastNetMon Community Edition through 1.2.9 does not verify TLS certificates on outbound HTTPS connections. The execute_web_request_secure() function in src/fast_library.cpp creates a boost::asio::ssl::context with tls_client mode and calls set_default_verify_paths() to load CA certificates, but never calls set_verify_mode(boost::asio::ssl::verify_peer). Without this call, OpenSSL performs the TLS handshake without validating the server's certificate chain, making all HTTPS connections vulnerable to man-in-the-middle attacks. This function is used for telemetry reporting to community-stats.fastnetmon.com, which sends system information including CPU model, kernel version, traffic statistics, and software configuration. An attacker can intercept and modify this data or redirect it to a malicious server.
Gravedad CVSS v3.1: ALTA
Última modificación:
27/05/2026

CVE-2026-48691

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. In src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes() function computes attribute_length as 'sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() * sizeof(uint32_t)' and stores it in a uint8_t field (line 600-605). Since uint8_t can only hold values 0-255, an AS_PATH containing more than 63 ASNs (2 + 64*4 = 258 > 255) causes silent truncation. The truncated length is used for buffer sizing, while the actual data written is the full untruncated amount, resulting in a heap buffer overflow. Similarly, the path_segment_length field at line 621 is also uint8_t, truncating with more than 255 ASNs.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
27/05/2026

CVE-2026-47715

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary authorization issue: a logged-in user with access to one project can view another project’s event data through an issue they are allowed to access. The affected views include the stacktrace, details, and breadcrumbs pages for an issue event. This vulnerability is fixed in 2.2.0.
Gravedad CVSS v3.1: BAJA
Última modificación:
26/05/2026

CVE-2026-47716

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that project. This vulnerability is fixed in 2.2.0.
Gravedad CVSS v3.1: BAJA
Última modificación:
26/05/2026

CVE-2026-46431

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. This vulnerability is fixed in 1.17.7.
Gravedad CVSS v3.1: MEDIA
Última modificación:
26/05/2026

CVE-2026-46430

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553") resolves to ":5553". This vulnerability is fixed in 1.17.7.
Gravedad CVSS v3.1: MEDIA
Última modificación:
26/05/2026

CVE-2026-45836

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()<br /> <br /> Add the same NULL guard already present in<br /> l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
Gravedad CVSS v3.1: MEDIA
Última modificación:
26/06/2026

CVE-2026-45834

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()<br /> <br /> Add the same NULL guard already present in<br /> l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
Gravedad CVSS v3.1: MEDIA
Última modificación:
26/06/2026