Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-48687

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
27/05/2026

CVE-2026-48688

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6 attribute decoder. The function decode_mp_reach_ipv6() in src/bgp_protocol.cpp contains a TODO comment at line 156 explicitly acknowledging 'we should add sanity checks to avoid reads after attribute memory block.' The function casts raw pointers to structure types without verifying sufficient data exists (line 158), uses the attacker-controlled length_of_next_hop field to determine memcpy size (line 181), and computes prefix_length by dereferencing a pointer calculated from multiple attacker-controlled offsets without bounds validation (line 189). The prefix_length is then used to calculate number_of_bytes_required_for_prefix which becomes a memcpy length (line 202) with no check against remaining buffer size.
Gravedad CVSS v3.1: ALTA
Última modificación:
27/05/2026

CVE-2026-43935

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks, account takeover, or other security risks. The severity is high, as the vulnerability affects a critical function related to user authentication. This vulnerability is fixed in 2.3.4.
Gravedad CVSS v3.1: ALTA
Última modificación:
26/05/2026

CVE-2026-43936

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** e107 is a content management system (CMS). Prior to 2.3.4, you can access the local environment by specifying the URL of the local environment from "Image/File URL:" of "From a remote location" in "Media Manager" on the administrator screen. This vulnerability is fixed in 2.3.4.
Gravedad CVSS v3.1: MEDIA
Última modificación:
26/05/2026

CVE-2026-43934

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** e107 is a content management system (CMS). Prior to 2.3.4, a Broken Access Control vulnerability exists in the application, allowing an unauthorized authenticated user to edit comments posted by others. This stems from inadequate server-side access control validation, where the application depends only on a predictable identifier in the request to determine which comment to edit, without confirming the requesting user’s ownership of the comment. This vulnerability is fixed in 2.3.4.
Gravedad CVSS v3.1: MEDIA
Última modificación:
26/05/2026

CVE-2026-40564

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator.<br /> <br /> The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses.  This lets a user with CR create permissions read files from the operator pod&amp;#39;s filesystem and pull content from any backing store reachable through Flink&amp;#39;s pluggable filesystem layer and access them through the submitted Flink job. Furthermore for fetching from http/https addresses there is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses.This issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0.<br /> <br /> Users are recommended to upgrade to version 1.15.0, which fixes the issue.
Gravedad CVSS v3.1: MEDIA
Última modificación:
02/06/2026

CVE-2026-38587

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions (User or Guest) to retrieve sensitive information, such as the Owner&amp;#39;s unique identifier (ID) and profile information, which should only be accessible to administrators.
Gravedad CVSS v3.1: MEDIA
Última modificación:
26/05/2026

CVE-2026-25112

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A high-severity vulnerability in the deployment of Genetec RabbitMQ that allows a privilege escalation attack.
Gravedad CVSS v3.1: ALTA
Última modificación:
09/06/2026

CVE-2026-9552

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A security flaw has been discovered in Das Parking Management System 停车场管理系统 6.2.0. This vulnerability affects unknown code of the component Search API Endpoint. The manipulation of the argument Value results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Gravedad CVSS v4.0: MEDIA
Última modificación:
26/05/2026

CVE-2026-9551

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was identified in Das Parking Management System 停车场管理系统 6.2.0. This affects the function xp_cmdshell of the file ParkingRecord/ExportParkingRecords of the component API Endpoint. The manipulation of the argument Value leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Gravedad CVSS v4.0: MEDIA
Última modificación:
26/05/2026

CVE-2026-9550

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was determined in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. Affected by this issue is some unknown functionality of the file /SubstationWEBV2/app/..;/main/upfile. Executing a manipulation of the argument path can lead to path traversal. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Gravedad CVSS v4.0: MEDIA
Última modificación:
26/05/2026

CVE-2026-4480

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J"<br /> substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system.
Gravedad CVSS v3.1: CRÍTICA
Última modificación:
30/06/2026