Vulnerabilities

With the aim of informing, warning and helping professionals regarding the latest security vulnerabilities in technology systems, we have made available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used in order to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-1220

Publication date:
10/06/2026
Race in V8 in Google Chrome prior to 144.0.7559.99 allowed a remote attacker to potentially exploit type confusion via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-50637

Publication date:
10/06/2026
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl do not protect against metric injection.

The statsd protocol (and extensions) allow multiple metrics, separated by newlines, to be sent per packet.

The send method does not validate the contents of the metric names or values. If the names contain newlines and statsd control characters (colon, pipe), then metric injection is possible.

Version 0.04 fixed this by modifying the _make method to block metric names containing characters below ASCII 32 (which includes the newline), colons or pipes.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-50638

Publication date:
10/06/2026
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl do not protect against metric injection.

The statsd protocol (and extensions such as dogstatsd) allow multiple metrics, separated by newlines, to be sent per packet.

Metrics::Any::Adapter::DogStatsd extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.

In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injection.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-50639

Publication date:
10/06/2026
Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl do not protect against metric injection.

The statsd protocol (and extensions such as dogstatsd) allow multiple metrics, separated by newlines, to be sent per packet.

Metrics::Any::Adapter::SignalFx extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.

In addition, the _labels function does not check labels for newlines or statsd control characters. The labels can be used for metric injection.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-11626

Publication date:
10/06/2026
CleanWipe Removal Tool (macOS), prior to 16.0.0.65, may be susceptible to a Local Privilege Escalation vulnerability, which is a type of issue whereby an attacker with limited privilege access on an affected system can escalate their privileges to gain administrative control.
Severity CVSS v4.0: MEDIUM
Last modification:
10/06/2026

CVE-2026-10740

Publication date:
10/06/2026
Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a denial of service (degraded availability) by sending crafted QUIC Initial packets.

To remediate this issue, users should upgrade to v1.8.2.
Severity CVSS v4.0: MEDIUM
Last modification:
10/06/2026

CVE-2026-9151

Publication date:
10/06/2026
An OS command injection vulnerability exists in the VPN module of TP-Link Archer AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an adjacent, authenticated attacker to execute arbitrary commands on the device by importing a specially crafted VPN client configuration file. The issue stems from improper filtering of special characters.

Successful exploitation of this vulnerability may enable an attacker to gain full control of the affected device, potentially compromising configuration integrity, network security, and service availability.
Severity CVSS v4.0: HIGH
Last modification:
10/06/2026

CVE-2026-50566

Publication date:
10/06/2026
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a tenant with environments.fission.io create/update RBAC can run privileged / allowPrivilegeEscalation / dangerous-capability containers in the Fission function or builder namespace, scheduled under the executor's high-privilege service account, enabling container-sandbox escape, host filesystem and network access, and potential node- and cluster-level compromise. This issue has been patched in version 1.24.0.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-50567

Publication date:
10/06/2026
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Unarchive in pkg/utils/zip.go joined each archive entry name with the destination directory via filepath.Join and wrote the result without checking whether the resolved path stayed under the destination. A zip entry named ../../tmp/evil therefore landed at /tmp/evil. An attacker who could control a Package.Spec.Source.URL or Deployment.URL archive could induce the fetcher (running as the per-environment pod's fission-fetcher sidecar) to write files anywhere that process could reach: into other tenants' /packages// directories, into mounted secret/config volumes, or into the fetcher's own binary. This issue has been patched in version 1.25.0.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-50568

Publication date:
10/06/2026
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefix(path, safedir). This is a lexical check, not a directory boundary check: /packages-extra/evil starts with /packages, so it passed. The function did not enforce a path-separator boundary, so any sibling directory whose name began with the safe-directory string was accepted. Callers included the builder's Clean handler (pkg/builder/builder.go:208) and the fetcher's Fetch / Upload handlers (pkg/fetcher/fetcher.go). A tenant who could pre-create or control a sibling directory under the fetcher / builder's shared volume could induce a write or read outside the intended safe directory. This issue has been patched in version 1.25.0.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-50569

Publication date:
10/06/2026
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, HTTPTriggerSpec.Validate() validated Methods, FunctionReference, Host, IngressConfig, and CorsConfig, but silently skipped RelativeURL and Prefix. Those two fields were validated at the CLI level only (pkg/fission-cli/cmd/httptrigger/create.go:83). The post-CRD-modernization webhook for HTTPTrigger was retired in favor of API-server CEL — and CEL had no rules on those fields either — so an HTTPTrigger created via kubectl apply or a direct Kubernetes REST API call bypassed every URL-level check. This issue has been patched in version 1.25.0.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026

CVE-2026-50570

Publication date:
10/06/2026
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Fission added PodSpec safety validation for tenant-facing Environment and Function CRDs (ValidatePodSpecSafety / ValidateContainerSafety admission webhook + sanitizeContainerSecurityContext executor merge layer), but the capability check was implemented as a fixed denylist of six Linux capabilities (SYS_ADMIN, NET_ADMIN, SYS_PTRACE, SYS_MODULE, DAC_READ_SEARCH, DAC_OVERRIDE). The denylist omitted CAP_SYS_TIME, among others. As a result, a tenant who could create a Function or Environment CRD could request securityContext.capabilities.add: ["SYS_TIME"], pass Fission's admission validation and merge-layer sanitization, and run attacker-controlled code with CAP_SYS_TIME in the resulting function or runtime container. This issue has been patched in version 1.25.0.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2026