Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

Vulnerabilities

In order to inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we make available to interested users a database with information in Spanish on each of the latest documented and known vulnerabilities.

This repository, with more than 75,000 records, is based on the information in the NVD (National Vulnerability Database) under a collaboration agreement by which INCIBE translates the included information into Spanish. At times this listing will show vulnerabilities that have not yet been translated, because they are collected while the INCIBE team is still carrying out the translation process.

The CVE (Common Vulnerabilities and Exposures) vulnerability naming standard is used, to ease the exchange of information between different databases and tools. Each listed vulnerability links to various information sources as well as to available patches or fixes provided by vendors and developers. Advanced searches can be run by selecting different criteria, such as vulnerability type, vendor and impact type, among others, to narrow the results.

By subscribing to the RSS feed or the bulletins you can be informed daily of the latest vulnerabilities added to the repository.

CVE-2026-40295

Publication date:
22/05/2026
Language:
English
*** Pending translation *** Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses the server-side attempted_path) and Devise's own store_location_for mechanism (which strips external hosts via extract_path_from_location), both of which are protected; only the non-GET timeout redirect path is unprotected. Expired-session users can be silently redirected from the trusted app domain to attacker-controlled URLs, enabling phishing and malware delivery while bypassing browser warnings. Note: Rails' built-in open-redirect protection does not mitigate this issue. Devise::FailureApp is an ActionController::Metal app with its own isolated copy of the relevant redirect configuration, so config.action_controller.action_on_open_redirect = :raise (and the older raise_on_open_redirects setting) do not reach it. This issue has been fixed in version 5.0.4.
CVSS v3.1 severity: MEDIUM
Last modified:
29/05/2026
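The unsafe and safe redirect paths described above, as an added example written in TypeScript (the language used for the examples on this page) rather than Devise's own Ruby. The same-origin reduction mirrors what the advisory says extract_path_from_location does: keep only path and query, drop any external host. FALLBACK_PATH, the function names and the sample origins are this example's assumptions, not Devise identifiers.

```typescript
// Added example, not Devise code. Reduce an attacker-influenced Referer to a
// same-origin path before using it as a redirect target after a session timeout.
const FALLBACK_PATH = "/users/sign_in"; // hypothetical sign-in route used when no safe target exists

// Returns "path?query" when `location` is on `appOrigin`, otherwise null.
export function extractPathFromLocation(location: string, appOrigin: string): string | null {
  const trimmed = location.trim();
  if (trimmed === "") return null;
  let url: URL;
  try {
    // A relative path resolves against appOrigin; an absolute URL keeps its own origin.
    url = new URL(trimmed, appOrigin);
  } catch {
    return null;
  }
  // Foreign hosts, protocol-relative "//evil" forms and non-http schemes
  // (javascript:, data:) all fail this comparison: their origin differs or is "null".
  if (url.origin !== new URL(appOrigin).origin) return null;
  // Collapse to a path so the browser never leaves the app domain. A pathname that
  // itself starts with "//" would be reinterpreted as protocol-relative by the browser.
  const path = url.pathname + url.search;
  if (!path.startsWith("/") || path.startsWith("//")) return null;
  return path;
}

// Vulnerable shape described in the advisory: for a non-GET request that timed out,
// the raw Referer header becomes the redirect target.
export function timeoutRedirectVulnerable(method: string, referer: string | undefined, attemptedPath: string): string {
  if (method === "GET") return attemptedPath;
  return referer ?? FALLBACK_PATH;
}

// Hardened shape: the Referer is only used after same-origin reduction.
export function timeoutRedirectSafe(method: string, referer: string | undefined, attemptedPath: string, appOrigin: string): string {
  if (method === "GET") return attemptedPath;
  return (referer && extractPathFromLocation(referer, appOrigin)) || FALLBACK_PATH;
}
```

A check worth keeping in mind when auditing similar code: the reduction must happen on the value that is actually emitted in the Location header, not on a copy that is validated and then discarded.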

CVE-2026-39824

Publication date:
22/05/2026
Language:
English
*** Pending translation *** NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of an NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.
CVSS v3.1 severity: LOW
Last modified:
27/05/2026
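An added example of the truncation the advisory describes, independent of the affected implementation: the 16-bit byte-length fields of an NT UNICODE_STRING are modelled with a uint16 mask, and a checked constructor refuses input that does not fit instead of describing the buffer with a wrapped length. The function and field names are this example's own.

```typescript
// Added example, not the affected library's code. Models the UNICODE_STRING header:
// Length = bytes excluding the terminating NUL, MaximumLength = bytes including it,
// both USHORT in the ABI. The buffer holds NUL-terminated UTF-16 code units.
export interface NtUnicodeString {
  length: number;
  maximumLength: number;
  buffer: Uint16Array;
}

const USHORT_MAX = 0xffff;

function toUtf16(s: string): Uint16Array {
  const units = new Uint16Array(s.length + 1); // JS strings are already UTF-16 code units
  for (let i = 0; i < s.length; i++) units[i] = s.charCodeAt(i);
  units[s.length] = 0; // terminating NUL
  return units;
}

// Unchecked conversion: byte counts are reduced modulo 2^16, exactly as an
// assignment to a uint16 field would do. The buffer keeps all the data, but the
// header now describes a much shorter string, which is what the callee trusts.
export function newNtUnicodeStringUnchecked(s: string): NtUnicodeString {
  const buffer = toUtf16(s);
  return {
    length: ((buffer.length - 1) * 2) & USHORT_MAX,
    maximumLength: (buffer.length * 2) & USHORT_MAX,
    buffer,
  };
}

// Checked conversion: refuse anything whose NUL-terminated encoding does not fit
// the 16-bit MaximumLength field.
export function newNtUnicodeStringChecked(s: string): NtUnicodeString {
  const buffer = toUtf16(s);
  const maximumLength = buffer.length * 2;
  if (maximumLength > USHORT_MAX) {
    throw new RangeError(`string needs ${maximumLength} bytes; UNICODE_STRING holds at most ${USHORT_MAX}`);
  }
  return { length: maximumLength - 2, maximumLength, buffer };
}

// Number of code units a consumer of the header actually sees.
export function visibleUnits(u: NtUnicodeString): number {
  return u.length / 2;
}
```

The largest string the checked form accepts is 32,766 code units (32,767 including the terminator, 65,534 bytes); one more unit overflows the 16-bit MaximumLength.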

CVE-2026-48700

Publication date:
22/05/2026
Language:
English
*** Pending translation *** An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O.
CVSS v4.0 severity: CRITICAL
Last modified:
24/05/2026

CVE-2026-6406

Publication date:
22/05/2026
Language:
English
*** Pending translation *** The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop. When ECI is enabled, Docker socket mounts from containers are denied unless explicitly allowed via the admin-settings configuration. However, the --use-api-socket flag adds the Docker socket mount via the HostConfig.Mounts field rather than the HostConfig.Binds field. The ECI enforcement in the Docker Desktop API proxy only inspected Binds, allowing the mount to pass unchecked. This grants a container full access to the Docker Engine socket and, if the host user has logged in to container registries, their authentication credentials.

A local attacker with the ability to run Docker CLI commands can exploit this to escape ECI restrictions, access the Docker Engine, and potentially escalate privileges.
CVSS v4.0 severity: HIGH
Last modified:
29/05/2026
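An added example of the check the advisory says was incomplete, not Docker Desktop's proxy code: a policy function over a container-create payload that inspects both HostConfig.Binds and HostConfig.Mounts (real Engine API fields) for the Docker socket. The function names, the socket path list and the sample payloads are constructed for this example.

```typescript
// Added example, not Docker Desktop code. Two representations of the same host
// path mount reach the Engine API: Binds ("host:container[:opts]" strings) and
// Mounts (structured objects). A policy that looks at only one of them is bypassable.
export interface Mount { Type: string; Source: string; Target: string }
export interface HostConfig { Binds?: string[]; Mounts?: Mount[] }
export interface CreateRequest { Image: string; HostConfig?: HostConfig }

// Assumed socket locations on a Linux host; extend for the deployment in question.
const DOCKER_SOCKET_PATHS = ["/var/run/docker.sock", "/run/docker.sock"];

function isDockerSocket(hostPath: string): boolean {
  const p = hostPath.replace(/\/+$/, ""); // ignore trailing slashes
  return DOCKER_SOCKET_PATHS.includes(p);
}

// The host side of a Linux-style bind spec is the first colon-separated field.
function bindHostPath(bind: string): string {
  return bind.split(":")[0] ?? "";
}

// Vulnerable shape: only Binds are inspected, so a socket mount expressed through
// Mounts (which is how the advisory says --use-api-socket adds it) passes.
export function socketMountRequestedViaBindsOnly(req: CreateRequest): boolean {
  const binds = req.HostConfig?.Binds ?? [];
  return binds.some((b) => isDockerSocket(bindHostPath(b)));
}

// Hardened shape: every representation is inspected. Any Mount whose Source is the
// socket is flagged regardless of Type, so the decision errs toward denial.
export function socketMountRequested(req: CreateRequest): boolean {
  const hc = req.HostConfig ?? {};
  const viaBinds = (hc.Binds ?? []).some((b) => isDockerSocket(bindHostPath(b)));
  const viaMounts = (hc.Mounts ?? []).some((m) => isDockerSocket(m.Source));
  return viaBinds || viaMounts;
}

// Constructed sample payloads (container-side target paths are arbitrary here).
export const viaBinds: CreateRequest = {
  Image: "alpine",
  HostConfig: { Binds: ["/var/run/docker.sock:/var/run/docker.sock"] },
};
export const viaMounts: CreateRequest = {
  Image: "alpine",
  HostConfig: { Mounts: [{ Type: "bind", Source: "/var/run/docker.sock", Target: "/run/docker.sock" }] },
};
export const harmless: CreateRequest = {
  Image: "alpine",
  HostConfig: { Mounts: [{ Type: "volume", Source: "data", Target: "/data" }] },
};
```

The general lesson is that a mount policy has to be evaluated over the normalised set of host paths a request will produce, not over whichever field the enforcing code happened to be written against.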

CVE-2026-39969

Publication date:
22/05/2026
Language:
English
*** Pending translation *** TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint (POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook) does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both workspaceId and credentialsId as path parameters, which are logged in web server access logs, visible in Meta's webhook configuration dashboard, and potentially shared when configuring integrations. This allows any unauthenticated attacker to send spoofed webhook messages to trigger bot flows, consume API resources, and interact with external services using the workspace owner's credentials. The issue has been fixed in version 3.17.0.
CVSS v3.1 severity: MEDIUM
Last modified:
23/05/2026
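Signature verification for a Meta webhook delivery, as an added example that is not TypeBot's code. The header format is Meta's documented one (X-Hub-Signature-256 carries "sha256=" followed by the hex HMAC-SHA256 of the raw request body under the app secret); the handler shape, the secret and the sample body are constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not TypeBot code. The MAC is computed over the raw bytes of the
// request body, so verification has to run before any JSON parsing or re-serialisation.

export function signBody(appSecret: string, rawBody: Buffer): string {
  return "sha256=" + createHmac("sha256", appSecret).update(rawBody).digest("hex");
}

// True only when the header is present, well-formed and matches. The comparison is
// constant-time; a length mismatch is rejected up front because timingSafeEqual
// throws on buffers of different length.
export function verifyMetaSignature(appSecret: string, rawBody: Buffer, header: string | undefined): boolean {
  if (!header || !header.startsWith("sha256=")) return false;
  const presented = Buffer.from(header.slice("sha256=".length), "hex");
  const expected = Buffer.from(createHmac("sha256", appSecret).update(rawBody).digest("hex"), "hex");
  if (presented.length !== expected.length) return false;
  return timingSafeEqual(presented, expected);
}

// Minimal handler: an unsigned or mis-signed delivery is dropped before the payload
// is interpreted, so knowing the URL (and its path parameters) is not enough to
// drive a bot flow.
export function handleWebhook(
  appSecret: string,
  rawBody: Buffer,
  headers: Record<string, string | undefined>,
): { status: number; accepted: boolean } {
  if (!verifyMetaSignature(appSecret, rawBody, headers["x-hub-signature-256"])) {
    return { status: 401, accepted: false };
  }
  JSON.parse(rawBody.toString("utf8")); // only now is the payload trusted enough to parse
  return { status: 200, accepted: true };
}

export const APP_SECRET = "constructed-demo-secret"; // constructed; never hard-code a real one
export const SAMPLE_BODY = Buffer.from(JSON.stringify({ object: "whatsapp_business_account", entry: [] }));
```

The app secret is per Meta app and should come from configuration, not from the request path; the path parameters the advisory mentions (workspaceId, credentialsId) are routing information, not authentication.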

CVE-2026-39968

Publication date:
22/05/2026
Language:
English
*** Pending translation *** TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 ("Credential Theft via Client-Side Script Execution and API Authorization Bypass") is incomplete. While the builder's getCredentials tRPC endpoint was patched with workspace membership checks, the bot-engine runtime still allows any authenticated user to use credentials from any workspace via the preview chat endpoint. The bot-engine's getCredentials() utility function uses a falsy check (if (workspaceId && ...)) for workspace ownership validation. Since the preview endpoint accepts a client-controlled workspaceId field and the Zod schema allows empty strings, an attacker can supply workspaceId: "" to bypass credential ownership verification entirely. Exploitation can result in credential exfiltration, external service abuse, financial damage and a data breach.
CVSS v3.1 severity: HIGH
Last modified:
26/05/2026
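The falsy-guard bypass and a hardened lookup, as an added example that is not TypeBot's code. It models the situation the advisory describes with an in-memory credential store, a caller identity and a client-supplied workspaceId; the schema check is written by hand rather than with Zod so the block runs without dependencies. Store contents, identifiers and function names are constructed.

```typescript
// Added example, not TypeBot code.
export interface Credential { id: string; workspaceId: string; secret: string }
export interface Caller { userId: string; workspaceIds: string[] } // workspaces the caller is a member of

// Constructed store: two workspaces, one credential each.
const CREDENTIALS: Credential[] = [
  { id: "cred-a", workspaceId: "ws-alice", secret: "alice-openai-key" },
  { id: "cred-b", workspaceId: "ws-bob", secret: "bob-openai-key" },
];

// Vulnerable shape: the ownership comparison is gated on `workspaceId &&`. An empty
// string is falsy, so the guard is skipped and any credential id resolves.
export function getCredentialsVulnerable(credentialsId: string, workspaceId: string): Credential | null {
  const cred = CREDENTIALS.find((c) => c.id === credentialsId) ?? null;
  if (workspaceId && cred && cred.workspaceId !== workspaceId) return null;
  return cred;
}

// Hardened shape, three unconditional checks: the request value must be a non-empty
// string (what a z.string().min(1) schema would enforce), the caller must be a
// member of that workspace, and the credential must belong to it.
export function parseWorkspaceId(raw: unknown): string {
  if (typeof raw !== "string" || raw.trim().length === 0) {
    throw new Error("workspaceId must be a non-empty string");
  }
  return raw;
}

export function getCredentialsSafe(caller: Caller, credentialsId: string, rawWorkspaceId: unknown): Credential | null {
  const workspaceId = parseWorkspaceId(rawWorkspaceId);
  if (!caller.workspaceIds.includes(workspaceId)) return null;
  const cred = CREDENTIALS.find((c) => c.id === credentialsId) ?? null;
  if (!cred || cred.workspaceId !== workspaceId) return null;
  return cred;
}

export const ALICE: Caller = { userId: "u-alice", workspaceIds: ["ws-alice"] };
```

The membership check is the part the advisory says was added to the builder endpoint but not to the bot-engine runtime; an ownership comparison on its own still trusts a client-chosen workspaceId.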

CVE-2026-39967

Publication date:
22/05/2026
Language:
English
*** Pending translation *** TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine's findResult query does not filter results by typebotId, allowing an authenticated user to load result data (user answers, variable values) from a different typebot by supplying a foreign resultId to the startChat endpoint. Exploitation is constrained by CUID2's cryptographically random 24-character IDs (making brute force infeasible), the requirement that rememberUser be enabled, and the need for matching variable names in the current typebot. If successfully exploited, an attacker can access the original user's previous answers, session variable values, and hasStarted flag, potentially exposing PII such as names, emails, and phone numbers. This issue has been fixed in version 3.16.0.
CVSS v3.1 severity: LOW
Last modified:
26/05/2026

CVE-2026-46727

Publication date:
22/05/2026
Language:
English
*** Pending translation *** An issue was discovered in Ruby 4 before 4.0.5. A race condition leading to a use-after-free in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo in ext/socket/raddrinfo.c) allows a remote attacker who can delay DNS responses near the user-specified timeout to crash a Ruby process that calls Addrinfo.getaddrinfo(..., timeout:) or Socket.tcp(..., resolv_timeout:). Memory-corruption-based exploitation is theoretically possible. The attack could, for example, be carried out through a crafted authoritative DNS server or recursive resolver.
CVSS v3.1 severity: HIGH
Last modified:
26/05/2026

CVE-2026-42627

Publication date:
22/05/2026
Language:
English
*** Pending translation *** In Arm ArmNN through 2026-03-27, an integer overflow in TensorShape::GetNumElements() in armnn/Tensor.cpp allows a crafted TFLite model file to bypass buffer size validation and trigger a heap-based buffer over-read during model optimization. The overflow occurs when multiplying tensor dimensions using 32-bit unsigned arithmetic without overflow detection, causing GetNumBytes() to return an understated allocation size. During Optimize()->InferOutputShapes(), the BatchToSpaceNdLayer reads beyond the allocated buffer.
CVSS v3.1 severity: MEDIUM
Last modified:
26/05/2026
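An added example of the arithmetic behind this advisory, not ArmNN's code: the element count computed in 32-bit unsigned arithmetic, as the advisory says TensorShape::GetNumElements() does, beside a checked version, and a buffer-size validation that shows why the understated count matters. The dimensions, element size and buffer lengths are constructed.

```typescript
// Added example, not ArmNN code. Math.imul(a, b) >>> 0 yields the low 32 bits of the
// product, i.e. what a uint32 multiply would store.
const U32_MAX = 0xffffffff;

// Unchecked: each partial product wraps modulo 2^32.
export function numElementsU32(dims: number[]): number {
  let n = 1;
  for (const d of dims) n = Math.imul(n, d) >>> 0;
  return n;
}

export function numBytesU32(dims: number[], elemSize: number): number {
  return Math.imul(numElementsU32(dims), elemSize) >>> 0;
}

// Checked: multiply in arbitrary precision and refuse anything that does not fit
// the 32-bit size type the rest of the pipeline trusts. Returns null on overflow
// or on a malformed dimension.
export function numBytesChecked(dims: number[], elemSize: number): number | null {
  const limit = BigInt(U32_MAX);
  let n = BigInt(1);
  for (const d of dims) {
    if (!Number.isInteger(d) || d < 0) return null;
    n *= BigInt(d);
    if (n > limit) return null;
  }
  n *= BigInt(elemSize);
  if (n > limit) return null;
  return Number(n);
}

// Buffer size validation as the advisory describes it: a tensor buffer from the
// model file is accepted when it is at least GetNumBytes() long. When the byte
// count wraps, a small buffer passes and later shape inference reads past its end.
export function bufferAccepted(dims: number[], elemSize: number, bufferLen: number, checked: boolean): boolean {
  const need = checked ? numBytesChecked(dims, elemSize) : numBytesU32(dims, elemSize);
  if (need === null) return false;
  return bufferLen >= need;
}
```

A dimension pair such as 65536 x 65537 is the classic trigger: the true product exceeds 2^32 by exactly 65536, so the wrapped count is 65536 elements and, at four bytes each, a 256 KiB buffer satisfies the check.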

CVE-2026-39964

Publication date:
22/05/2026
Language:
English
*** Pending translation *** TypeBot is a chatbot builder tool. In versions prior to 3.16.0, the Typebot viewer (packages/embeds/js) renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the visitor's browser context when clicked. Since the viewer is typically embedded in a third-party site, the attacker's JavaScript runs in the host page's origin and can exfiltrate cookies and session tokens. Any authenticated Typebot user (including those on the free tier) can create a bot with this payload. Shared bots are publicly accessible, so no victim authentication is required. This issue has been resolved in version 3.16.0.
CVSS v3.1 severity: MEDIUM
Last modified:
23/05/2026
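An href scheme allowlist for author-controlled links rendered into a host page, as an added example that is not the TypeBot viewer's code. HTML attribute escaping does not help here because the payload is the scheme itself, not a quote or angle bracket; the allowlist, the default resolution origin and the rendering helpers are this example's assumptions.

```typescript
// Added example, not TypeBot code. Only http, https and mailto links survive;
// javascript:, data:, vbscript:, unknown schemes and unparsable strings are dropped
// so no <a> is ever emitted with them.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns a normalised href, or null when the link must not be rendered.
// `pageOrigin` (assumed) is what a relative URL resolves against.
export function safeHref(raw: string, pageOrigin = "https://example.invalid"): string | null {
  let url: URL;
  try {
    url = new URL(raw, pageOrigin);
  } catch {
    return null;
  }
  // The WHATWG URL parser lower-cases the scheme and strips leading/trailing
  // whitespace and embedded tabs/newlines, so "JavaScript:" and "\tjava\nscript:"
  // both normalise to "javascript:" and are caught by the allowlist.
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

function escapeText(s: string): string {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function escapeAttr(s: string): string {
  return escapeText(s).replace(/"/g, "&quot;");
}

// Vulnerable rendering: whatever the author typed becomes the href. Attribute
// escaping leaves "javascript:alert(1)" untouched and fully functional.
export function renderLinkVulnerable(text: string, href: string): string {
  return `<a href="${escapeAttr(href)}">${escapeText(text)}</a>`;
}

// Hardened rendering: the anchor is emitted only for an allowed scheme; otherwise
// the visible text is rendered without a link.
export function renderLinkSafe(text: string, href: string, pageOrigin?: string): string {
  const safe = safeHref(href, pageOrigin);
  if (safe === null) return escapeText(text);
  return `<a href="${escapeAttr(safe)}" rel="noopener noreferrer">${escapeText(text)}</a>`;
}
```

Parsing with the platform URL parser rather than matching on a prefix is the important design choice: it is the same normalisation the browser will apply when the link is clicked, so the allowlist decides on the scheme the browser will actually see.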

CVE-2026-9255

Publication date:
22/05/2026
Language:
English
*** Pending translation *** Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin.

We recommend upgrading to kiro-cli version 1.28.0 or later.
CVSS v4.0 severity: HIGH
Last modified:
04/06/2026

CVE-2026-32253

Publication date:
22/05/2026
Language:
English
*** Pending translation *** Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints. This issue has been fixed in version 2026.516.143833.
CVSS v3.1 severity: CRITICAL
Last modified:
26/05/2026