Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-5040

Publication date:
14/07/2026
TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials. An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks.<br /> <br /> Successful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality.
Severity CVSS v4.0: HIGH
Last modification:
14/07/2026

CVE-2026-15720

Publication date:
14/07/2026
In Open5GS through version 2.7.7 a pre-authentication heap out-of-bounds read in the AMF NAS 5GS mobile-identity handler may result in subscriber-wide denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-62658

Publication date:
14/07/2026
A security flaw was discovered in certain NETGEAR Nighthawk RAX series routers<br /> that could allow someone already logged in to the device to run unauthorized commands<br /> or code on the router.
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-62659

Publication date:
14/07/2026
A<br /> security flaw was discovered in the NETGEAR WAX333 Access Point that could<br /> allow someone already logged in and connected to the local network to make<br /> unauthorized changes to the device&amp;#39;s settings
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-62655

Publication date:
14/07/2026
A<br /> security flaw was found in certain NETGEAR Orbi models that<br /> could allow an unauthorized user to cause the device to stop responding or<br /> restart unexpectedly, disrupting network connectivity and making the device<br /> temporarily unavailable.
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-62656

Publication date:
14/07/2026
A<br /> security flaw was found in certain NETGEAR RAX models that could allow<br /> a logged-in user to send specially crafted requests to the router and run<br /> unauthorized commands. This could enable the user to make unauthorized changes<br /> to the router and affect its security and operation.
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-62657

Publication date:
14/07/2026
A security flaw in the router&amp;#39;s certificate validation process was<br /> discovered in the NETGEAR XR1000 Gaming Router and certain Nighthawk models that could allow an unauthorized person to remotely access and take<br /> control of the device.
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-4017

Publication date:
14/07/2026
Buffer Overflow in the entry handler of the TraceEvent() system call could allow an attacker with local access to cause information disclosure, data tampering or a crash of the QNX Neutrino kernel.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-4018

Publication date:
14/07/2026
TOCTOU Race Condition in specific trace commands of the TraceEvent() system call could allow an attacker with local access and with the PROCMGR_AID_TRACE ability, to cause information disclosure, data tampering or a crash of the QNX Neutrino kernel.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-15757

Publication date:
14/07/2026
A security flaw was discovered in the NETGEAR DGND3700v1 that could<br /> allow someone on the same local WiFi network to send unauthorized commands to<br /> the device.<br /> <br /> <br /> <br /> This issue was identified through testing in a controlled research<br /> environment using a simulated version of the router&amp;#39;s software and has not been<br /> confirmed on physical production devices.
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-0515

Publication date:
14/07/2026
Insufficient Parameter Validation in the SchedGet() system call could allow an attacker with local access to cause a crash of the QNX Neutrino kernel.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-59886

Publication date:
14/07/2026
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.4, the univ.Real type converted its mantissa, base, and exponent value to a Python float using exact big-integer exponentiation. A BER, CER, or DER encoded REAL value only a few bytes long can carry a very large exponent, causing float conversion through prettyPrint(), str(), comparison, arithmetic, int(), or an explicit float() call to consume excessive CPU and memory and hang applications that decode untrusted ASN.1 data and then print, log, or compare decoded objects. This issue is fixed in version 0.6.4.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026