Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-42031

Publication date:
13/05/2026
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information This vulnerability is fixed in 2.10.10 and 2.11.5.
Severity CVSS v4.0: HIGH
Last modification:
15/05/2026

CVE-2026-42032

Publication date:
13/05/2026
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to bypass authorization in order to gain access to private resources and PostgreSQL system information This vulnerability is fixed in 2.10.10 and 2.11.5.
Severity CVSS v4.0: MEDIUM
Last modification:
15/05/2026

CVE-2026-41132

Publication date:
13/05/2026
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, the configured SMTP server may be spoofed with any certificate (e.g. self-signed), leaving credentials and all emails sent open to MITM attacks. This vulnerability is fixed in 2.10.10 and 2.11.5.
Severity CVSS v4.0: MEDIUM
Last modification:
15/05/2026

CVE-2026-33584

Publication date:
13/05/2026
Exposed Keycloak management <br /> service in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug <br /> information such as metrics and<br /> health data. This issue affects Symmetric Key Agreement Platform: before 26.03.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-33585

Publication date:
13/05/2026
Improper management of the idle timeout parameter in the Keycloak interface of the Arqit SKA-Platform enables an attacker to impersonate an authenticated tenant user via an unexpired browser session.<br /> <br /> <br /> <br /> This issue affects Symmetric Key Agreement Platform: before 26.03.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-33583

Publication date:
13/05/2026
Exposure of the QKEY (used as <br /> input into the ‘OTA-Quantum’ device registration process) and internal <br /> system keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform.<br /> <br /> This issue affects Symmetric Key Agreement Platform: before 26.03.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2026

CVE-2026-30904

Publication date:
13/05/2026
Protection Mechanism Failure in Zoom Workplace for iOS before version 7.0.0 may allow an authenticated user to conduct a disclosure of information via physical access.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2026-30906

Publication date:
13/05/2026
Untrusted search path in the installer for Zoom Rooms for Windows before version 7.0.0 may allow an authenticated user to enable an escalation of privilege via local access.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2026-30905

Publication date:
13/05/2026
External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an authenticated user to conduct an escalation of privilege via local access.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2026

CVE-2026-22677

Publication date:
13/05/2026
Hermes WebUI prior to 0.51.44 contains a path traversal vulnerability in the session import endpoint that allows authenticated attackers to read arbitrary files by importing a crafted session with an unrestricted workspace value. Attackers can supply a blocked filesystem root in the workspace field and subsequently use relative paths in the session file API to access any file readable by the WebUI process.
Severity CVSS v4.0: MEDIUM
Last modification:
26/05/2026

CVE-2026-0261

Publication date:
13/05/2026
Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS® software enable an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI or Web UI.<br /> <br /> <br /> <br /> The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators and by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .<br /> <br /> <br /> <br /> This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).<br /> <br /> <br /> <br /> Cloud NGFW and Prisma Access® are not impacted by these vulnerabilities.
Severity CVSS v4.0: MEDIUM
Last modification:
09/06/2026

CVE-2026-0262

Publication date:
13/05/2026
Multiple denial of service vulnerabilities in Palo Alto Networks PAN-OS® software allow an unauthenticated attacker with network access to cause a denial of service (DoS) condition by sending specially crafted network traffic. <br /> <br /> Panorama and Cloud NGFW are not impacted by these vulnerabilities.
Severity CVSS v4.0: MEDIUM
Last modification:
09/06/2026