Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users; it is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with the option to select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-8926

Publication date:
03/07/2026
When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username (without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-8927

Publication date:
03/07/2026
When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-8932

Publication date:
03/07/2026
libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse.

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily, in particular options related to the private key.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-9079

Publication date:
03/07/2026
libcurl had a flaw that, when instructed to clear proxy authentication credentials, made it not do so, leaving the old credentials around to be used for subsequent transfers that should not know nor use them.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-9080

Publication date:
03/07/2026
Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-9545

Publication date:
03/07/2026
In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate.

When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure, potentially leaking sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-9546

Publication date:
03/07/2026
A vulnerability in libcurl caused the HTTP `Referer:` header to persist even when explicitly cleared. While the documentation states that passing NULL to `CURLOPT_REFERER` suppresses the header, the option failed to clear the internal state. As a result the previous referrer string was erroneously reused and sent in subsequent requests, potentially leaking sensitive information to unintended servers.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-9547

Publication date:
03/07/2026
When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-12064

Publication date:
03/07/2026
When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-4967

Publication date:
03/07/2026
In IMS, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-8286

Publication date:
03/07/2026
A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches, so it should not.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-8458

Publication date:
03/07/2026
libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'.

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026