Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-20158

Publication date:
15/07/2026
As part of Cisco&amp;#39;s ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a software hardening release that addresses multiple internally discovered vulnerabilities.<br /> <br /> The vulnerabilities tracked by CVE-2026-20158 are related to improper control of a resource through its lifetime that are grouped under the Common Weakness Enumeration (CWE) Pillar CWE-664.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-20187

Publication date:
15/07/2026
As part of Cisco&amp;#39;s ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a software hardening release that addresses multiple internally discovered vulnerabilities.<br /> <br /> The vulnerabilities tracked by CVE-2026-20187 are related to improper handling of exceptional conditions that are grouped under the Common Weakness Enumeration (CWE) Pillar CWE-703.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-1562

Publication date:
15/07/2026
Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.
Severity CVSS v4.0: MEDIUM
Last modification:
15/07/2026

CVE-2026-1563

Publication date:
15/07/2026
Pega Platform versions 8.1.0 through 25.1.2 are affected by an Reflected Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.
Severity CVSS v4.0: MEDIUM
Last modification:
15/07/2026

CVE-2026-20146

Publication date:
15/07/2026
A vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to perform path traversal attacks on the underlying operating system to either read or delete arbitrary files. To exploit this vulnerability, the attacker must have valid administrative credentials.&amp;nbsp;<br /> <br /> This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to access sensitive files or delete arbitrary files on the affected system.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2026

CVE-2025-32781

Publication date:
15/07/2026
Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.0, Apollo Portal does not verify application and namespace permissions when an authenticated user requests a release by ID through GET /envs/{env}/releases/{releaseId} while configView.memberOnly.envs is enabled, allowing a low-privileged Portal user who obtains or guesses a valid releaseId to read configuration data from other applications and namespaces without calling UserPermissionValidator.shouldHideConfigToCurrentUser(...). This issue is fixed in version 2.5.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-62843

Publication date:
15/07/2026
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.63.6 to 2.63.16, File Browser&amp;#39;s archive builder uses strings.ReplaceAll(nameInArchive, "\", "/"), which turns a POSIX filename such as ..\..\evil.sh into the archive entry ../../evil.sh, allowing a user with upload permission to plant a backslash-named file that escapes the extraction directory when another user downloads and extracts the generated zip or tar archive. This issue is fixed in version 2.63.17.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-9007

Publication date:
15/07/2026
Improper neutralization of input during web page generation (&amp;#39;cross-site scripting&amp;#39;) vulnerability in HCL Notes from HCL Software allows reflected <br /> <br /> Cross-Site Scripting (XSS). <br /> Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of another user.<br /> <br /> <br /> This issue affects HCL Notes: Release 12.0.2FP5HF8 on Linux 4.18.0-553.52.1.El8_10.X64_64#1.
Severity CVSS v4.0: MEDIUM
Last modification:
15/07/2026

CVE-2026-62685

Publication date:
15/07/2026
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser builds new user scopes from usernames passed through cleanUsername() when Signup=true and CreateUserDir=true, but the many-to-one normalization can collapse usernames such as team/one, team one, and team-one to the same home directory without checking whether the resulting scope is already taken, allowing a second registrant to gain full read and write access to another user&amp;#39;s files. This issue is fixed in version 2.63.17.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-62683

Publication date:
15/07/2026
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser can leave a public directory share behind when the shared directory is deleted through a path with a trailing slash because the share cleanup path calls DeleteWithPathPrefix(file.Path, userID) and the Bolt backend performs the database prefix query with the unnormalized path before trimming the slash for boundary checks, so deleting /a/ does not delete the stored /a share and the stale public share exposes future content if the same path is recreated. This issue is fixed in version 2.63.17.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-61605

Publication date:
15/07/2026
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-58655. Reason: This candidate is a duplicate of CVE-2026-58655. Notes: All CVE users should reference CVE-2026-58655 instead of this candidate.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-61828

Publication date:
15/07/2026
Nixpkgs is a collection of software packages that can be installed with the Nix package manager. Prior to the 25.11 and 26.05 channel fixes, the NixOS module for MySQL services.mysql initializes the MySQL database in a way that allows local users, such as unprivileged web or CGI processes on the same host, to log in as the root user without a password when the service is used with mysql or percona-server. This issue is fixed in the 25.11 and 26.05.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026