Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-15943

Publication date:
17/07/2026
A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing real secret even if security-sensitive fields like the token URL have been changed, allowing an attacker to redirect and capture the secret.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-8075

Publication date:
17/07/2026
Mattermost Desktop App versions
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-9602

Publication date:
17/07/2026
Mattermost Desktop App versions
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-59695

Publication date:
17/07/2026
Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to drain the fee-payer wallet in a single request by naming an arbitrarily high gas price.<br /> <br /> When the mpp Elixir library is configured as fee payer (fee_payer: true), MPP.Tempo.Transaction.cosign_fee_payer/3 re-signs the client-supplied base fields of the 0x76 AASigned envelope verbatim, including max_fee_per_gas and max_priority_fee_per_gas, without validating that they are within reasonable bounds. A malicious client embeds arbitrarily large values for these fields in the signed envelope. The server co-signs and broadcasts the transaction. The effective_gas_price billed against the fee-payer wallet is derived from the attacker-supplied ceilings, so the server pays those inflated per-gas rates out of its own wallet. A single crafted request can drain the wallet entirely, after which the server can no longer sponsor gas for legitimate payment requests.<br /> <br /> This issue affects mpp: from 0.2.0 before 0.6.0.
Severity CVSS v4.0: HIGH
Last modification:
17/07/2026

CVE-2026-16008

Publication date:
17/07/2026
A security vulnerability has been detected in sagold json-schema-library 11.5.0/11.5.1. This impacts the function parsePropertyDependencies of the file src/keywords/propertyDependencies.ts. The manipulation leads to improperly controlled modification of object prototype attributes. The attack can be initiated remotely. Upgrading to version 11.6.0 will fix this issue. The identifier of the patch is 432287ee6f68a02ce6f015354618486ec427a32d. It is advisable to upgrade the affected component.
Severity CVSS v4.0: LOW
Last modification:
17/07/2026

CVE-2026-59252

Publication date:
17/07/2026
Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to drain the fee-payer wallet, resulting in denial of service for legitimate clients.<br /> <br /> When the mpp Elixir library is configured as fee payer (fee_payer: true), the MPP.Methods.Tempo payment method co-signs and broadcasts a client-supplied EVM transaction without first validating that the client-supplied gas_limit is sufficient to complete the intended call. A malicious client can submit a signed transferWithMemo transaction with gas_limit deliberately set just below the amount required for successful execution. The server co-signs the transaction and broadcasts it via rpc_broadcast_sync. The transaction runs out of gas during EVM execution and reverts, but the fee-payer wallet is still charged for the burned gas while the client pays nothing and receives no resource. Repeated requests from one or more malicious clients drain the fee-payer wallet at near-zero cost to the attacker, ultimately preventing the server from sponsoring gas for legitimate payment requests.<br /> <br /> The wait_for_confirmation = false (optimistic) path is also affected: it invokes simulate_payment_call via eth_call, but that simulation omits the gas parameter and therefore does not catch out-of-gas conditions.<br /> <br /> This issue affects mpp: from 0.2.0 before 0.6.0.
Severity CVSS v4.0: HIGH
Last modification:
17/07/2026

CVE-2026-59694

Publication date:
17/07/2026
Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to inflate the fee-payer&amp;#39;s gas cost per payment by a large multiplier, degrading the sponsor&amp;#39;s operating margin.<br /> <br /> When the mpp Elixir library is configured as fee payer (fee_payer: true), MPP.Tempo.Transaction.cosign_fee_payer/3 re-signs the client-supplied base fields of the 0x76 AASigned envelope verbatim, including the EIP-2930 access list, without validating its length or contents. EIP-2930 access list entries incur intrinsic gas (~2,400 gas per address, plus 1,900 gas per storage key) charged before any opcode executes, regardless of whether the listed addresses are ever touched. A malicious client submits a valid transferWithMemo call alongside a large number of fabricated access-list entries. The server co-signs and broadcasts the transaction. The intended transfer executes normally, but the fee-payer wallet pays a large multiple of the expected gas cost with no corresponding on-chain work.<br /> <br /> At the maintainer&amp;#39;s default of 137 access-list entries (fitting within Bandit&amp;#39;s 10,000-byte per-header-field limit) and 100 Gwei max_fee_per_gas, per-payment gas cost rises from ~51,287 to ~380,087 gas, a 7.4x multiplier. Sustained abuse destroys the sponsor&amp;#39;s operating margin on low-cost payments and, over time, drains the fee-payer wallet.<br /> <br /> This issue affects mpp: from 0.2.0 before 0.6.0.
Severity CVSS v4.0: HIGH
Last modification:
17/07/2026

CVE-2026-22104

Publication date:
17/07/2026
Improper access control in Hashtopolis server web-interface chunk activity component for versions prior to 0.14.8 allows any created account to read all cracked hashes of a Hashtopolis server instance.
Severity CVSS v4.0: HIGH
Last modification:
17/07/2026

CVE-2026-62764

Publication date:
17/07/2026
Improper Handling of Insufficient Privileges vulnerability in Apache Accumulo.<br /> An authenticated, but low-privileged user without system permissions may<br /> issue a remote command to gracefully shutdown system components<br /> (compaction-coordinator, compactor, gc, manager, monitor, tserver, or sserver),<br /> leading to a denial of service.<br /> <br /> This issue affects Apache Accumulo 2.1.4 and 2.1.5.<br /> <br /> Users are recommended to upgrade to version 2.1.6, which fixes the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2026

CVE-2026-9656

Publication date:
17/07/2026
The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site&amp;#39;s plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-15380

Publication date:
17/07/2026
A non-administrator interactive user can obtain full SYSTEM code execution through a DCOM/task scheduler logic chain — no network access, no memory corruption required (ITMS 8.7.3)
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2026

CVE-2026-15379

Publication date:
17/07/2026
The Altiris WMI provider exposes a class (AltirisAgent_Stream) that allows any local standard user to read the contents of any file accessible to the SYSTEM account, bypassing filesystem ACLs. No admin privileges required. The provider reverts to the LocalSystem context when servicing WMI queries without re-impersonating the caller. Any local standard user can therefore read SYSTEM-readable files — including configuration files, service logs, and secrets stored with SYSTEM/Administrator-only ACLs — by querying the provider directly.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2026