Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-55723

Publication date:
15/07/2026
When NGINX Ingress Controller is configured with Custom Resource Definitions (CRDs) or Ingress annotations, an injection vulnerability exists in the configuration generator of NGINX Ingress Controller. Multiple user-controllable fields are written into the generated NGINX configuration without sanitization. An authenticated attacker with permission to create or modify these CRDs or annotations may craft values that inject arbitrary NGINX configuration directives. <br /> <br /> Impact:<br /> An authenticated attacker granted write access to NGINX Ingress Controller CRDs or Ingress annotations through the Kubernetes API may be able to inject arbitrary NGINX configuration directives, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.<br /> <br /> Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
16/07/2026

CVE-2026-52865

Publication date:
15/07/2026
When NGINX Ingress Controller processes Ingress or TransportServer resources, an authenticated, remote attacker with permission to create or modify Ingress or TransportServer resources can cause the NGINX Ingress Controller process to terminate. <br /> <br /> <br /> <br /> Impact:<br /> The NGINX Ingress Controller control plane process terminates and enters a persistent crash loop while the malformed Ingress or TransportServer resource remains in the cluster. This vulnerability allows a remote, authenticated attacker with at least Ingress or TransportServer resource write access to cause a denial-of-service (DoS) on the NGINX Ingress Controller system. There is no data plane exposure; this is a control plane issue only.<br /> <br /> Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-54560

Publication date:
15/07/2026
Cloudreve is a self-hosted file management and sharing system. From 4.12.0 until 4.16.1, Cloudreve&amp;#39;s OAuth access tokens are issued without the OAuth client_id claim, so the JWT verifier does not load token scopes into request context and RequiredScopes treats the request like non-scoped session authentication, allowing a low-scope OAuth access token to call APIs requiring higher scopes such as file, share, workflow, user setting, WebDAV account, and potentially admin scopes. This issue is fixed in version 4.16.1.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-54562

Publication date:
15/07/2026
Cloudreve is a self-hosted file management and sharing system. Prior to 4.16.1, Cloudreve&amp;#39;s remote download workflow accepts user-supplied URLs at POST /api/v4/workflow/download and passes them to the configured downloader without blocking loopback, localhost, IPv6 localhost, or redirect-to-loopback targets, allowing a non-admin user with remote download permission to fetch internal-only URLs and read the response after it is imported into the user&amp;#39;s own files. This issue is fixed in version 4.16.1.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-42533

Publication date:
15/07/2026
A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map&amp;#39;s regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.<br /> <br /> Impact:<br /> This vulnerability may allow remote attackers to cause a denial-of-service (DoS) on the NGINX system or to possibly trigger a code execution. There is no control plane exposure; this is a data plane issue only.<br /> <br /> <br /> <br /> <br />  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: CRITICAL
Last modification:
16/07/2026

CVE-2026-33213

Publication date:
15/07/2026
Redash is a package for data visualization and sharing. From 5.0.2 to 26.3.0, the get_next_path() function in Redash&amp;#39;s authentication module stripped the scheme and netloc from user-supplied next parameters but did not normalize multiple leading slashes, allowing a crafted login URL such as /login?next=////evil.com to redirect users to an external attacker-controlled site after authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-62175

Publication date:
15/07/2026
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-60091. Reason: This candidate is a duplicate of CVE-2026-60091. Notes: All CVE users should reference CVE-2026-60091 instead of this candidate.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-59838

Publication date:
15/07/2026
A improper neutralization of script-related html tags in a web page (basic xss) vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.2.0 through 7.2.6, FortiSIEM 7.1 all versions, FortiSIEM 7.0 all versions, FortiSIEM 6.7 all versions, FortiSIEM 6.6 all versions, FortiSIEM 6.5 all versions, FortiSIEM 6.4 all versions may allow attacker to execute unauthorized code or commands via
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-43637

Publication date:
15/07/2026
Cornac before 2.6.0 contains a path traversal (Tar Slip) vulnerability that allows attackers to write arbitrary files outside the intended cache directory by supplying a crafted TAR archive containing ../ sequences, absolute paths, or symlink/hardlink entries to the _extract_archive() function in cornac/utils/download.py. Attackers can trigger this vulnerability through the built-in dataset loaders, which automatically download and extract archives, causing archive.extractall() to write files to arbitrary locations on the filesystem accessible to the running process.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-58558

Publication date:
15/07/2026
Permission control vulnerability in the file system. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-58559

Publication date:
15/07/2026
DoS vulnerability in the vibration service. Impact: Successful exploitation of this vulnerability may affect availability.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-58555

Publication date:
15/07/2026
Permission bypass vulnerability in the card module. Impact: Successful exploitation of this vulnerability may affect availability.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026