Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidades

Con el objetivo de informar, advertir y ayudar a los profesionales sobre las últimas vulnerabilidades de seguridad en sistemas tecnológicos, ponemos a disposición de los usuarios interesados en esta información una base de datos con información en castellano sobre cada una de las últimas vulnerabilidades documentadas y conocidas.

Este repositorio con más de 75.000 registros esta basado en la información de NVD (National Vulnerability Database) – en función de un acuerdo de colaboración – por el cual desde INCIBE realizamos la traducción al castellano de la información incluida. En ocasiones este listado mostrará vulnerabilidades que aún no han sido traducidas debido a que se recogen en el transcurso del tiempo en el que el equipo de INCIBE realiza el proceso de traducción.

Se emplea el estándar de nomenclatura de vulnerabilidades CVE (Common Vulnerabilities and Exposures), con el fin de facilitar el intercambio de información entre diferentes bases de datos y herramientas. Cada una de las vulnerabilidades recogidas enlaza a diversas fuentes de información así como a parches disponibles o soluciones aportadas por los fabricantes y desarrolladores. Es posible realizar búsquedas avanzadas teniendo la opción de seleccionar diferentes criterios como el tipo de vulnerabilidad, fabricante, tipo de impacto entre otros, con el fin de acortar los resultados.

Mediante suscripción RSS o Boletines podemos estar informados diariamente de las últimas vulnerabilidades incorporadas al repositorio.

CVE-2026-9527

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was determined in itsourcecode Electronic Judging System 1.0. This issue affects some unknown processing of the file /admin/judges.php. This manipulation of the argument fname causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Gravedad CVSS v4.0: BAJA
Última modificación:
26/05/2026

CVE-2026-9528

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was identified in itsourcecode Electronic Judging System 1.0. Impacted is an unknown function of the file /admin/delete_judge.php. Such manipulation of the argument judge_id leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.
Gravedad CVSS v4.0: MEDIA
Última modificación:
26/05/2026

CVE-2026-9523

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was detected in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2. Affected by this vulnerability is an unknown functionality of the file /SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree. Performing a manipulation of the argument sort results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Gravedad CVSS v4.0: MEDIA
Última modificación:
26/05/2026

CVE-2026-9524

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A flaw has been found in xianrendzw EasyReport up to 2.0.17.0522_Beta. Affected by this issue is the function execute of the component REST Endpoint. Executing a manipulation of the argument reportParams can lead to sql injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Gravedad CVSS v4.0: MEDIA
Última modificación:
26/05/2026

CVE-2026-9525

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability has been found in itsourcecode Electronic Judging System 1.0. This affects an unknown part of the file /admin/edit_judge.php. The manipulation of the argument judge_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Gravedad CVSS v4.0: MEDIA
Última modificación:
26/05/2026

CVE-2026-9538

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header.<br /> <br /> _read_tar() reads each entry&amp;#39;s payload with $handle-&gt;read($$data, $block), where $block is derived from the entry&amp;#39;s 12-byte size field in the tar header with no upper bound on that value.<br /> <br /> A crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size.
Gravedad CVSS v3.1: ALTA
Última modificación:
28/05/2026

CVE-2026-4795

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A missing authorization vulnerability in Zyxel GS1200-5v3 firmware versions through 1.00(ACPS.2)C0, GS1200-8v3 firmware versions through 1.00(ACPT.2)C0,  GS1200-5HPv3 firmware versions through 1.00(ACPU.2)C0, GS1200-8HPv3 firmware versions through 1.00(ACPV.2)C0, and GS1200-10v3 firmware versions through 1.00(ACPW.2)C0 could allow a LAN-based, unauthenticated attacker to read the system configuration from a log file via a crafted HTTP request.
Gravedad CVSS v3.1: MEDIA
Última modificación:
26/05/2026

CVE-2026-9518

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A vulnerability was identified in hemant6488 CodeIgniter-StudentManagementSystem. The impacted element is the function addStudent of the file view_students.php of the component Students Controller. The manipulation of the argument Name leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
Gravedad CVSS v4.0: BAJA
Última modificación:
26/05/2026

CVE-2026-9519

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A security flaw has been discovered in stonith404 pingvin-share up to 1.13.0. This affects the function getServerSideProps of the file frontend/src/pages/auth/signIn.tsx of the component Sign-in Auto-Redirect. The manipulation of the argument redirect results in cross site scripting. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Gravedad CVSS v4.0: BAJA
Última modificación:
26/05/2026

CVE-2026-9520

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A weakness has been identified in blitz-js blitz up to 3.0.2 on GitHub. This impacts an unknown function of the file packages/generator/templates/app/src/app/auth/components/LoginForm.tsx of the component Sign-in. This manipulation of the argument Next causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Gravedad CVSS v4.0: BAJA
Última modificación:
26/05/2026

CVE-2026-9521

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** A security vulnerability has been detected in fraillt bitsery up to 5.2.4. Affected is the function loadFromSharedState in the library include/bitsery/ext/std_smart_ptr.h. Such manipulation leads to improper validation of specified type of input. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 5.2.5 is able to address this issue. The name of the patch is 66d16516e24893bebc1c8af52bf2fe9ad0735061. Upgrading the affected component is advised.
Gravedad CVSS v4.0: BAJA
Última modificación:
26/05/2026

CVE-2026-42497

Fecha de publicación:
26/05/2026
Idioma:
Inglés
*** Pendiente de traducción *** Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory.<br /> <br /> _make_special_file() passes the tar header&amp;#39;s linkname to link() without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file&amp;#39;s inode.<br /> <br /> A subsequent write through the extracted name modifies the victim file, and the post-extraction chmod, chown, and utime block in _extract_file() (guarded only against symlinks via -l) applies the tar header&amp;#39;s mode, owner, and timestamps to the shared inode during extraction alone.
Gravedad CVSS v3.1: ALTA
Última modificación:
28/05/2026