Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-15714

Publication date:
14/07/2026
An out-of-bounds read vulnerability was found in libsoup's multipart processing subsystem. The flaw exists in the soup_multipart_input_stream_read_headers() function inside soup-multipart-input-stream.c, which does not adequately restrict or validate the size of incoming multipart boundary strings. When processing a crafted HTTP response containing a malformed or oversized boundary parameter, the internal stream reader reads past the allocated buffer bounds. A remote, unauthenticated attacker can exploit this behavior to cause a service denial (DoS) through application failure or potentially read fragments of unauthorized memory metadata.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-13001

Publication date:
14/07/2026
The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'podlove_handle_cache_files' function in all versions up to, and including, 4.5.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-15409

Publication date:
14/07/2026
A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. A remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-15410

Publication date:
14/07/2026
Post-authentication improper control of generation of code ('Code Injection') vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) which in specific conditions could potentially enable a remote authenticated attacker as administrator to execute arbitrary OS commands.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-5040

Publication date:
14/07/2026
TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials. An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks.<br /> <br /> Successful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-47767

Publication date:
14/07/2026
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 5.4.46 until 5.4.52, 6.4.40, 7.4.12, and 8.0.12, the CVE-2024-50340 fix gated runtime argv parsing on empty($_GET), but parse_str() and the web SAPI can disagree, allowing a crafted query string to leave $_GET empty while $_SERVER[&amp;#39;argv&amp;#39;] still carries attacker-controlled --env or --no-debug flags that change APP_ENV or APP_DEBUG. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
Severity CVSS v4.0: HIGH
Last modification:
14/07/2026

CVE-2026-47301

Publication date:
14/07/2026
Improper access control in Microsoft Configuration Manager allows an authorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-47302

Publication date:
14/07/2026
Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-47300

Publication date:
14/07/2026
Incorrect implementation of authentication algorithm in ASP.NET Core allows an authorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-47303

Publication date:
14/07/2026
Authentication bypass by assumed-immutable data in ASP.NET Core allows an authorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-47304

Publication date:
14/07/2026
Improper verification of cryptographic signature in .NET allows an unauthorized attacker to bypass a security feature over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-47305

Publication date:
14/07/2026
Protection mechanism failure in Visual Studio allows an unauthorized attacker to execute code locally.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026