Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-33584

Publication date:
13/05/2026
Exposed Keycloak management <br /> service in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug <br /> information such as metrics and<br /> health data. This issue affects Symmetric Key Agreement Platform: before 26.03.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-33585

Publication date:
13/05/2026
Improper management of the idle timeout parameter in the Keycloak interface of the Arqit SKA-Platform enables an attacker to impersonate an authenticated tenant user via an unexpired browser session.<br /> <br /> <br /> <br /> This issue affects Symmetric Key Agreement Platform: before 26.03.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-33583

Publication date:
13/05/2026
Exposure of the QKEY (used as <br /> input into the ‘OTA-Quantum’ device registration process) and internal <br /> system keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform.<br /> <br /> This issue affects Symmetric Key Agreement Platform: before 26.03.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-30904

Publication date:
13/05/2026
Protection Mechanism Failure in Zoom Workplace for iOS before version 7.0.0 may allow an authenticated user to conduct a disclosure of information via physical access.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2026-30906

Publication date:
13/05/2026
Untrusted search path in the installer for Zoom Rooms for Windows before version 7.0.0 may allow an authenticated user to enable an escalation of privilege via local access.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2026-30905

Publication date:
13/05/2026
External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an authenticated user to conduct an escalation of privilege via local access.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2026-22677

Publication date:
13/05/2026
Hermes WebUI prior to 0.51.44 contains a path traversal vulnerability in the session import endpoint that allows authenticated attackers to read arbitrary files by importing a crafted session with an unrestricted workspace value. Attackers can supply a blocked filesystem root in the workspace field and subsequently use relative paths in the session file API to access any file readable by the WebUI process.
Severity CVSS v4.0: MEDIUM
Last modification:
26/05/2026

CVE-2026-0261

Publication date:
13/05/2026
Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS® software enable an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI or Web UI.<br /> <br /> <br /> <br /> The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators and by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .<br /> <br /> <br /> <br /> This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).<br /> <br /> <br /> <br /> Cloud NGFW and Prisma Access® are not impacted by these vulnerabilities.
Severity CVSS v4.0: MEDIUM
Last modification:
09/06/2026

CVE-2026-0262

Publication date:
13/05/2026
Multiple denial of service vulnerabilities in Palo Alto Networks PAN-OS® software allow an unauthenticated attacker with network access to cause a denial of service (DoS) condition by sending specially crafted network traffic. <br /> <br /> Panorama and Cloud NGFW are not impacted by these vulnerabilities.
Severity CVSS v4.0: MEDIUM
Last modification:
09/06/2026

CVE-2026-0258

Publication date:
13/05/2026
A server-side request forgery (SSRF) vulnerability in the IKEv2 implementation of Palo Alto Networks PAN-OS® software allows an unauthenticated attacker to cause the firewall to send network requests to unintended destinations or cause a denial of service (DoS) condition.<br /> <br /> <br /> <br /> Panorama, Cloud NGFW and Prisma® Access are not impacted by these vulnerabilities.
Severity CVSS v4.0: MEDIUM
Last modification:
09/06/2026

CVE-2026-0257

Publication date:
13/05/2026
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection.<br /> <br /> Panorama and Cloud NGFW are not impacted by these issues.
Severity CVSS v4.0: HIGH
Last modification:
09/06/2026

CVE-2026-0259

Publication date:
13/05/2026
An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode.<br /> <br /> <br /> <br /> The WildFire Appliance (WF-500, WF-500-B) software update is now available to customers that use the WildFire Appliance (WF-500, WF-500-B) for on-premise sandboxing.<br /> <br /> <br /> <br /> Please note that customers using the WildFire Public cloud service are NOT impacted by this vulnerability.
Severity CVSS v4.0: MEDIUM
Last modification:
14/05/2026