Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with different criteria available to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-50652

Publication date:
08/04/2026
An issue in D-Link DI-8003 16.07.26A1 related to improper handling of the id parameter in the /saveparm_usb.asp endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2025-30650

Publication date:
08/04/2026
A Missing Authentication for Critical Function vulnerability in command processing of Juniper Networks Junos OS allows a privileged local attacker to gain access to line cards running Junos OS Evolved as root.

This issue affects systems running Junos OS using Linux-based line cards. Affected line cards include:
* MPC7, MPC8, MPC9, MPC10, MPC11
* LC2101, LC2103
* LC480, LC4800, LC9600
* MX304 (built-in FPC)
* MX-SPC3
* SRX5K-SPC3
* EX9200-40XS
* FPC3-PTX-U2, FPC3-PTX-U3
* FPC3-SFF-PTX
* LC1101, LC1102, LC1104, LC1105

This issue affects Junos OS:
* all versions before 22.4R3-S8,
* from 23.2 before 23.2R2-S6,
* from 23.4 before 23.4R2-S6,
* from 24.2 before 24.2R2-S3,
* from 24.4 before 24.4R2,
* from 25.2 before 25.2R2.
Severity CVSS v4.0: HIGH
Last modification:
08/04/2026

CVE-2026-32591

Publication date:
08/04/2026
A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-33458

Publication date:
08/04/2026
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-33459

Publication date:
08/04/2026
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-33466

Publication date:
08/04/2026
Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-33756

Publication date:
08/04/2026
Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send a single HTTP request with many operations (bypassing the per query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-32589

Publication date:
08/04/2026
A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2026-32590

Publication date:
08/04/2026
A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2025-52221

Publication date:
08/04/2026
Tenda AC6 15.03.05.16_multi is vulnerable to Buffer Overflow in the formSetCfm function via the funcname, funcpara1, and funcpara2 parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2025-52222

Publication date:
08/04/2026
D-Link DI-8003 v16.07.26A1, DI-8500 v16.07.26A1; DI-8003G v17.12.21A1, DI-8200G v17.12.20A1, DI-8200 v16.07.26A1, DI-8400 v16.07.26A1, DI-8004w v16.07.26A1, DI-8100 v16.07.26A1, and DI-8100G v17.12.20A1 were discovered to contain a buffer overflow via the rd_en, rd_auth, rd_acct, http_hadmin, http_hadminpwd, rd_key, and rd_ip parameters in the radius_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2025-45057

Publication date:
08/04/2026
D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the ip parameter in the ip_position_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026