Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-11372

Publication date:
22/06/2026
IBM TRIRIGA Application Platform 5.0.2 through 5.0.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2024-51454

Publication date:
22/06/2026
IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2026

CVE-2023-33854

Publication date:
22/06/2026
IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, and 5.3 could allow an authenticated user to bypass client-side validation and manipulate input data using man in the middle techniques.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2026

CVE-2026-9162

Publication date:
22/06/2026
Mattermost versions 11.7.x
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2026

CVE-2026-9029

Publication date:
22/06/2026
A user with Editor permissions can place a malicious script in the attribution field of a Geomap panel's XYZ tile layer via a template variable. The script then executes in the browser of any user who views the affected dashboard (stored cross-site scripting).
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2026

CVE-2026-8074

Publication date:
22/06/2026
Mattermost versions 11.7.x
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2026

CVE-2026-7165

Publication date:
22/06/2026
The vulnerability is present in the ‘/addJugador’ endpoint:<br /> * The &amp;#39;keyJugador&amp;#39; and &amp;#39;keyJugadorObjectiu&amp;#39; parameters allow the modification of other users’ information without requiring prior authorization validation. This could enable an authenticated attacker to alter any user’s ID and change their information.<br /> <br /> * The ‘punts’ and ‘numObjectiusEliminats’ fields allow arbitrary data to be added because user input is not properly validated. This makes it possible to obtain authentic prizes, awarded by city councils, by falsifying game scores. <br /> <br /> * In the ‘tokens’ field, administrative privileges can be self-assigned without server validation or prior authentication. This vulnerability could allow an authenticated attacker to grant themselves administrator permissions and thus escalate privileges.<br /> <br /> * Numeric fields allow the entry of extremely long values, which can cause the system to crash. Successful exploitation of this vulnerability could allow an authenticated attacker to launch a denial-of-service (DoS) attack, preventing created games from being playable.<br /> <br /> * The ‘urlImatge’ parameter allows server-side requests to arbitrary URLs, enabling the retrieval of users’ internal IP addresses, access to internal services, reading of local files, and unauthorized interaction with third-party APIs. An authenticated attacker could gain access to sensitive data.
Severity CVSS v4.0: CRITICAL
Last modification:
22/06/2026

CVE-2026-7166

Publication date:
22/06/2026
Vulnerability involving the exposure of sensitive data provided without adequate protection. The API exposes email and phone number data from the ‘email’ and ‘telefon’ fields. This vulnerability is also present in the local database, as it contains accessible sensitive information such as data on minors and municipal users. Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to gain access to sensitive information and data.
Severity CVSS v4.0: CRITICAL
Last modification:
22/06/2026

CVE-2026-7167

Publication date:
22/06/2026
The vulnerability arises when the system fails to properly validate the &amp;#39;email&amp;#39; field during the authentication process, allowing unverified or fake email addresses to be accepted. This lack of validation enables the creation of user accounts with fake email addresses, facilitating the mass creation of fraudulent accounts. Successful exploitation of this vulnerability could allow an authenticated attacker to carry out various attacks, such as mass spam distribution, system abuse, or bypassing user controls, thereby compromising the security and integrity of the system.
Severity CVSS v4.0: MEDIUM
Last modification:
22/06/2026

CVE-2026-6673

Publication date:
22/06/2026
Mattermost versions 11.7.x
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2026

CVE-2026-6062

Publication date:
22/06/2026
Mattermost versions 11.7.x
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2026

CVE-2026-6653

Publication date:
22/06/2026
Use After Free in libxml2&amp;#39;s xmlParseInternalSubset from GNOME libxml2 version 2.9.11 to 2.11.0 allows a remote attacker to cause a denial-of-service via maliciously crafted XML input with improper entity resolution handling.
Severity CVSS v4.0: HIGH
Last modification:
14/07/2026