Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-59831

Publication date:
09/07/2026
GitHub CLI (gh) is GitHub’s official command line tool. From 2.10.0 through 2.95.0, connecting to a malicious Codespace with gh codespace jupyter can allow command execution because the command opens a JupyterLab URL supplied by a process inside the Codespace without validating that it is a loopback HTTP or HTTPS address, allowing a crafted vscode:// or vscode-insiders:// URL to be handed to VS Code. This issue is fixed in version 2.96.0.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-33655

Publication date:
09/07/2026
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/block rules but did not resolve a hostname and validate the resolved IP address, allowing authenticated users to configure Webhook, Bark, or Gotify notification URLs that point at an internal or metadata IP address. This issue is fixed in version 0.12.0-alpha.1.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-58122

Publication date:
09/07/2026
Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to perform server-side request forgery against internal services including cloud metadata endpoints, overwrite LLM provider configuration and API keys with attacker-controlled values, or initiate OAuth device-code flows to obtain persistent access tokens stored in auth.json.
Severity CVSS v4.0: CRITICAL
Last modification:
09/07/2026

CVE-2026-59828

Publication date:
09/07/2026
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, post revisions that should be hidden from regular users could be leaked through visible diffs on adjacent revisions serialized by PostRevisionSerializer. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-57032

Publication date:
09/07/2026
An Improper Handling of Undefined Parameters vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on EX Series devices allows an authenticated attacker with low privileges to cause a Denial-of-Service (DoS).<br /> <br /> If an attempt is made to subscribe to an unsupported telemetry sensor path on EX2300, EX3400, EX4000, EX4100 and EX4400 via gRPC, this causes the FPC to crash. This leads to a complete service outage until the module has automatically restarted. <br /> <br /> The following log message can be seen when this issue happens:<br /> <br /> agentd[]: AGENTD_RESOURCE_NOT_FOUND: No resource name found for <br /> <br /> <br /> This issue affects Junos OS on <br /> <br /> EX2300, EX3400, EX4000, EX4100 and EX4400<br /> <br /> devices:<br /> <br /> <br /> * all versions before 23.2R2-S7,<br /> * 23.4 versions before 23.4R2-S8,<br /> * 24.2 versions before 24.2R2-S5,<br /> * 24.4 versions before 24.4R2.
Severity CVSS v4.0: HIGH
Last modification:
10/07/2026

CVE-2026-57054

Publication date:
09/07/2026
A Use of Incorrectly-Resolved Name or Reference vulnerability in the URL filtering plugin of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass web filtering and access downstream resources that should be unreachable.<br /> <br /> <br /> <br /> If an MX Series device is configured with web filtering, and an attacker sends a request with a specifically formatted URL, this request will get forwarded despite the system being configured to block it. In turn, an attacker can access downstream resources that are expected to be unreachable.<br /> <br /> This issue affects Junos OS on MX Series:<br /> <br /> <br /> * all versions before 23.2R2-S7,<br /> * 23.4 versions before 23.4R2-S8,<br /> * 24.2 versions before 24.2R2-S5,<br /> * 24.4 versions before 24.4R2-S4,<br /> * 25.2 versions before 25.2R2-S1,<br /> * 25.4 versions before 25.4R1-S2, 25.4R2.
Severity CVSS v4.0: MEDIUM
Last modification:
10/07/2026

CVE-2026-58123

Publication date:
09/07/2026
Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary shell commands by accessing the embedded terminal API endpoints without credentials. Attackers can create a session, attach a PTY shell, and write arbitrary commands through the terminal input endpoint to achieve full command execution as the server process user via four sequential unauthenticated HTTP requests.
Severity CVSS v4.0: CRITICAL
Last modification:
10/07/2026

CVE-2026-58143

Publication date:
09/07/2026
Cotonti Siena 0.9.26 and earlier contains a cross-site request forgery vulnerability that allows unauthenticated attackers to modify administrator configuration by tricking a logged-in administrator into submitting a forged POST request to the admin.php config update handler, which never invokes the application&amp;#39;s CSRF validation function. Attackers can disable the PFS module&amp;#39;s file extension whitelist by setting pfsfilecheck to 0, enabling any user with PFS access to upload and execute arbitrary PHP files on the server.
Severity CVSS v4.0: HIGH
Last modification:
10/07/2026

CVE-2026-58144

Publication date:
09/07/2026
Cotonti Siena 0.9.26 and earlier contains a stored cross-site scripting vulnerability that allows authenticated users with PFS access to inject arbitrary script payloads by supplying malicious HTML in the ntitle parameter processed through the TXT filter in pfs.main.php. Attackers can create a folder with a crafted title containing script tags that are stored unescaped in the database and execute in the browser of any user who views the folder listing, including administrators.
Severity CVSS v4.0: MEDIUM
Last modification:
10/07/2026

CVE-2026-57027

Publication date:
09/07/2026
A Missing Release of Memory after Effective Lifetime vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX Series devices allows an unauthenticated adjacent attacker to cause a Denial-of-Service (DoS).When sFlow is configured in a Virtual Chassis (VC) scenario with EX4100 Series or EX4400 Series devices, multicast traffic which is received on one VC member and sent out on another member leads to a memory leak and ultimately an FPC crash and restart.<br /> <br /> The leak can be monitored by watching the continuous increase of the buffer values in the output of:<br /> <br /> user@host&gt; show chassis fpc <br /> This issue affects Junos OS on EX4100 Series and EX4400:<br /> <br /> <br /> * all versions before 23.2R2-S7,<br /> * 23.4 versions before 23.4R2-S7,<br /> * 24.2 versions before 24.2R2-S4,<br /> * 24.4 versions before 24.4R2.
Severity CVSS v4.0: HIGH
Last modification:
10/07/2026

CVE-2026-57028

Publication date:
09/07/2026
An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause license exhaustion.<br /> <br /> <br /> Due to an incorrect initialization, a process which should only be able to communicate internally within the device, can be reached over the network via an open port. This leads to unauthorized access to the license management.<br /> <br /> This issue affects all Junos OS Evolved versions before 23.2R2-EVO.
Severity CVSS v4.0: MEDIUM
Last modification:
10/07/2026

CVE-2026-57029

Publication date:
09/07/2026
A Missing Synchronization vulnerability in the flow collector handler of Juniper Networks Junos OS Evolved on QFX Series allows an adjacent, unauthenticated attacker to cause a Denial-of-Service (DoS).<br /> <br /> <br /> When the reachability of an sFlow collector changes, the corresponding next-hop entry is updated. If this update occurs simultaneously with the sFlow thread accessing the next-hop data (which is outside the attackers control), it causes the evo-pfemand process to crash, impacting all traffic forwarding until the automatic process restart has completed.<br /> <br /> <br /> <br /> <br /> This issue affects Junos OS Evolved on QFX Series:<br /> <br /> <br /> * all 23.2 versions, <br /> * 23.4 versions before 23.4R2-S7-EVO,<br /> * 24.2 versions before 24.2R2-S5-EVO,<br /> * 24.4 versions before 24.4R2-S3-EVO,<br /> * 25.2 versions before 25.2R2-EVO.
Severity CVSS v4.0: MEDIUM
Last modification:
10/07/2026