Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-35223

Publication date:
26/05/2026
An improper access check allows unauthorized access to com_config webservice endpoints.
Severity CVSS v4.0: HIGH
Last modification:
28/05/2026

CVE-2026-35222

Publication date:
26/05/2026
Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.
Severity CVSS v4.0: MEDIUM
Last modification:
27/05/2026

CVE-2026-35221

Publication date:
26/05/2026
Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.
Severity CVSS v4.0: MEDIUM
Last modification:
27/05/2026

CVE-2026-35220

Publication date:
26/05/2026
Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.
Severity CVSS v4.0: MEDIUM
Last modification:
27/05/2026

CVE-2026-30895

Publication date:
26/05/2026
Lack of output escaping leads to a XSS vector in the readmore links for com_content.
Severity CVSS v4.0: MEDIUM
Last modification:
27/05/2026

CVE-2026-2264

Publication date:
26/05/2026
A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens.<br /> <br /> For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy.
Severity CVSS v4.0: CRITICAL
Last modification:
26/05/2026

CVE-2026-30894

Publication date:
26/05/2026
Lack of output escaping leads to a XSS vector in the content history component.
Severity CVSS v4.0: MEDIUM
Last modification:
27/05/2026

CVE-2026-25901

Publication date:
26/05/2026
Lack of output escaping leads to a XSS vector in the multilingual associations component.
Severity CVSS v4.0: MEDIUM
Last modification:
27/05/2026

CVE-2026-25900

Publication date:
26/05/2026
Lack of output escaping leads to a XSS vector in the feed modules.
Severity CVSS v4.0: MEDIUM
Last modification:
27/05/2026

CVE-2026-24212

Publication date:
26/05/2026
NVIDIA Isaac Launchable for Linux contains a vulnerability where sensitive information is transmitted in clear text. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2026

CVE-2025-36148

Publication date:
26/05/2026
IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4.0 through 3.2.4.15 IBM Financial Transaction Manager SWIFT is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2026

CVE-2025-36221

Publication date:
26/05/2026
IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System uses default passwords default passwords from the manufacturing process for use during the installation process, which could allow an attacker to bypass authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2026