Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-9255

Publication date:
22/05/2026
Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin.<br /> <br /> <br /> <br /> We recommend you to upgrade to kiro-cli version 1.28.0 or later.
Severity CVSS v4.0: HIGH
Last modification:
04/06/2026

CVE-2026-36228

Publication date:
22/05/2026
Buffer Overflow vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the chat message functionality
Severity CVSS v4.0: Pending analysis
Last modification:
05/07/2026

CVE-2026-37470

Publication date:
22/05/2026
An issue in ClipBucket v5 v.5.5.2 allows an attacker to execute arbitrary code via the Authentication interface, login page endpoint and HTTP response security headers components
Severity CVSS v4.0: Pending analysis
Last modification:
05/07/2026

CVE-2026-32253

Publication date:
22/05/2026
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints. This issue has been fixed in version 2026.516.143833.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2026

CVE-2026-36227

Publication date:
22/05/2026
Directory Traversal vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the UserName parameter
Severity CVSS v4.0: Pending analysis
Last modification:
05/07/2026

CVE-2026-27136

Publication date:
22/05/2026
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-42506

Publication date:
22/05/2026
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-42502

Publication date:
22/05/2026
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-39821

Publication date:
22/05/2026
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2026

CVE-2026-25681

Publication date:
22/05/2026
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-25680

Publication date:
22/05/2026
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2022-34363

Publication date:
22/05/2026
Dell Unisphere for PowerMax vApp version prior to 10.0.0.2, contains an authorization bypass vulnerability in the  Unisphere for VMAX application running in vApp
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026