Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-7364

Publication date:
17/07/2026
IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 and IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted request to redirect a victim to arbitrary Web sites.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-7667

Publication date:
17/07/2026
IBM Langflow OSS 1.0.0 through 1.10.0 allows an authenticated attacker to create a malicious flow pointing to an attacker-controlled URL that returns a specially crafted Content-Disposition header (e.g., filename="../../../target/path" ), enabling arbitrary file write operations with attacker-controlled content to any path accessible by the Langflow process.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-7754

Publication date:
17/07/2026
IBM Langflow OSS 1.0.0 through 1.10.0 Langflow 1.9.0 could allow server-side request forgery (SSRF) due to insecure default configuration and incomplete enforcement of the SSRF protection mechanism.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-63030

Publication date:
17/07/2026
WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.
Severity CVSS v4.0: Pending analysis
Last modification:
18/07/2026

CVE-2026-55254

Publication date:
17/07/2026
NCalc is a fast, lightweight expression evaluator for .NET. Prior to 6.1.1, the factorial operator implementation in src/NCalc.Core/Helpers/MathHelper.cs permits specially crafted expressions with extremely large factorial operands, causing excessive CPU consumption or a non-terminating loop due to integer overflow in the factorial calculation logic when applications evaluate untrusted expressions. This issue is fixed in version 6.1.1.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-60137

Publication date:
17/07/2026
WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the author__not_in parameter of WP_Query, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
18/07/2026

CVE-2026-54171

Publication date:
17/07/2026
Excon is usable, fast, simple HTTP 1.1 for Ruby. Prior to 1.5.0, Excon's RedirectFollower middleware failed to strip additional sensitive headers when following redirects and did not provide a custom list of headers to strip. This could cause inadvertent leakage of sensitive data when the initial request includes header information that is not intended for the new target. This issue is fixed in version 1.5.0.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-54463

Publication date:
17/07/2026
websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, draft versions of the WebSocket protocol in websocket-driver include a length header that allows an arbitrarily large integer to be encoded as bytes with the high bit set, and a server or client can send an indefinite sequence of 0x80 or higher bytes that the peer parses into an ever-growing Ruby integer. This can make a WebSocket connection consume an unbounded amount of memory and lead to the host process running out of memory. This issue is fixed in version 0.8.1.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2026

CVE-2026-54464

Publication date:
17/07/2026
### Impact<br /> <br /> If this library is used in tandem with the `permessage-deflate` extension, a<br /> WebSocket server or client can be made to accept messages that are larger than<br /> the configured maximum message size. This is because this limit is checked<br /> against the message frames&amp;#39; length headers, which give the size of the<br /> compressed data, not the size after decompression. This can lead to applications<br /> accepting larger messages than expected and exceeding their intended resource<br /> usage.<br /> <br /> ### Patches<br /> <br /> The issue has been patched in version 0.8.1, by checking the length of messages<br /> after they are processed by incoming extensions. All users should upgrade to<br /> this version.<br /> <br /> ### Workarounds<br /> <br /> No known workarounds exist.<br /> <br /> ### Acknowledgements<br /> <br /> This issue was discovered and reported by Pranjali Thakur, DepthFirst Security<br /> Research Team.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2026

CVE-2026-54465

Publication date:
17/07/2026
websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, when websocket-driver is used to implement a WebSocket server on top of a TCP server using WebSocket::Driver.server() or to complement a WebSocket client, a peer can make a single connection consume an unbounded amount of memory by sending an HTTP request or response with a never-ending list of headers. This can lead to the receiving process running out of memory. This issue is fixed in version 0.8.1.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2026

CVE-2026-52199

Publication date:
17/07/2026
An issue in Generic OEM UZ801_v2.1 4G LTE Router V3.4.3 allows a remote attacker to execute arbitrary code via the sbin/adbd component
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2026

CVE-2026-50197

Publication date:
17/07/2026
Skipper is an HTTP router and reverse proxy for service composition. Prior to 0.26.10, zalando/skipper&amp;#39;s OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header, because the opaAuthorizeRequestWithBody filter and OpenPolicyAgentInstance.ExtractHttpBodyOptionally in filters/openpolicyagent/openpolicyagent.go produce an empty raw_body and input.parsed_body while the upstream service receives the full attacker-controlled body. This issue is fixed in version 0.26.10.
Severity CVSS v4.0: HIGH
Last modification:
17/07/2026