Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-13238

Publication date:
10/07/2026
Incorrect Authorization vulnerability in Drupal Commerce Realex / Global Payments allows Forceful Browsing. This issue affects Commerce Realex / Global Payments versions: from 0.0.0 to 3.0.2.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-10768

Publication date:
10/07/2026
Missing Authorization vulnerability in Drupal LocalGov Workflows allows Forceful Browsing. This issue affects LocalGov Workflows versions: from 0.0.0 to 1.6.0.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-10769

Publication date:
10/07/2026
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Commerce Core allows Stored XSS. This issue affects Commerce Core versions: from 3.3.0 to 3.3.6.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-10770

Publication date:
10/07/2026
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Anti-Spam by CleanTalk allows Reflected XSS. This issue affects Anti-Spam by CleanTalk versions: from 0.0.0 to 9.7.1.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-11908

Publication date:
10/07/2026
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Stored XSS. This issue affects Tagify versions: from 0.0.0 to 1.2.52.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-11909

Publication date:
10/07/2026
Missing Authorization vulnerability in Drupal Examples for Developers allows Forceful Browsing. This issue affects Examples for Developers versions: from 0.0.0 to 4.0.6.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-58499

Publication date:
10/07/2026
EverOS is a memory runtime for agents. Prior to 1.0.1, EverOS is vulnerable to path traversal in the POST /api/v1/memory/add ingestion endpoint because the per-message sender_id field was not validated as a path-safe identifier, unlike app_id and project_id. During user-memory extraction, sender_id is used as owner_id and joined into the filesystem path where the extracted episode is persisted as a Markdown file, so a sender_id containing ../ sequences could direct writes outside the configured memory root and allow an unauthenticated caller to create or overwrite .md files at locations writable by the server process with partially attacker-influenced content. This issue is fixed in version 1.0.1.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-7639

Publication date:
10/07/2026
Software installed and run as a non-privileged user may conduct a sequence of improper GPU system calls causing use after free, which helps in facilitating unprivileged memory access from a shader code.<br /> <br /> <br /> <br /> Triggering failure path in the MMU mapping logic by a malicious code could lead to incomplete cleanup of an internal driver state, allowing for future unauthorized access to the contents of the physical memory.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-9726

Publication date:
10/07/2026
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal AlternativeCommerce (Basket) allows Object Injection. This issue affects Drupal AlternativeCommerce (Basket) versions: from 0.0.0 to 2.1.17.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-57219

Publication date:
10/07/2026
RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, the obsolete GET /api/auth endpoint can disclose the OAuth 2 client secret on RabbitMQ installations configured with management.oauth_client_secret, exposing credentials to unauthenticated callers when the management plugin and that OAuth configuration are enabled. This issue is fixed in versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6.
Severity CVSS v4.0: HIGH
Last modification:
10/07/2026

CVE-2026-57220

Publication date:
10/07/2026
RabbitMQ is a messaging and streaming broker. Prior to 4.2.6, the RabbitMQ stream listener does not enforce the configured stream frame-size limit while assembling frames during authentication and before Tune negotiation, allowing an unauthenticated remote client to declare oversized frame lengths and consume broker memory in rabbit_stream_core. This issue is fixed in version 4.2.6.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-57221

Publication date:
10/07/2026
RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, RabbitMQ does not perform authorization checks on passive queue.declare and exchange.declare AMQP 0-9-1 operations, allowing any authenticated user who can connect to a virtual host to enumerate queue and exchange names and read queue message and consumer counts. This issue is fixed in versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6.
Severity CVSS v4.0: MEDIUM
Last modification:
10/07/2026