Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-48905

Publication date:
26/05/2026
Lack of input filtering leads to an XSS vector in the HTML filter code.
Severity CVSS v4.0: MEDIUM
Last modification:
26/05/2026

CVE-2026-48904

Publication date:
26/05/2026
An improper access check allows privilege escalation through the com_users group editing webservice endpoint.
Severity CVSS v4.0: HIGH
Last modification:
26/05/2026

CVE-2026-48903

Publication date:
26/05/2026
Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.
Severity CVSS v4.0: MEDIUM
Last modification:
26/05/2026

CVE-2026-48900

Publication date:
26/05/2026
An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.
Severity CVSS v4.0: MEDIUM
Last modification:
26/05/2026

CVE-2026-48899

Publication date:
26/05/2026
An improper access check allows privilege escalation through the com_users batch task.
Severity CVSS v4.0: MEDIUM
Last modification:
26/05/2026

CVE-2026-48898

Publication date:
26/05/2026
An improper access check allows privilege escalation through the com_users batch task.
Severity CVSS v4.0: HIGH
Last modification:
26/05/2026

CVE-2026-48901

Publication date:
26/05/2026
The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2026

CVE-2026-48897

Publication date:
26/05/2026
Insufficient state checks lead to a vector that allows 2FA checks to be bypassed.
Severity CVSS v4.0: HIGH
Last modification:
28/05/2026

CVE-2026-48896

Publication date:
26/05/2026
Insufficient state checks lead to a vector that allows 2FA checks to be bypassed.
Severity CVSS v4.0: HIGH
Last modification:
28/05/2026

CVE-2026-48902

Publication date:
26/05/2026
The password and username reset features created plain HTTP links for HTTPS connections if the "Force SSL" flag wasn't explicitly set.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2026

CVE-2026-48864

Publication date:
26/05/2026
A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled compressed data within `.solv` files due to insufficient input validation. An attacker can provide a specially crafted `.solv` file, which, when processed by a vulnerable application, can lead to out-of-bounds memory access. This could result in information disclosure, alteration of program execution, or a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2026

CVE-2026-48091

Publication date:
26/05/2026
Rejected reason: Further research determined the issue is not a vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2026