Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-20239

Publication date:

20/05/2026

In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cookies and response bodies that contain sensitive data.

Severity CVSS v4.0: Pending analysis

Last modification:

20/05/2026

CVE-2026-20240

Publication date:

20/05/2026

In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could cause a Denial of Service by exploiting the `coldToFrozen.sh` script in the `splunk_archiver` app to rename critical Splunk directories, making the instance non-functional.The Denial of Service is possible because of missing input validation in the `coldToFrozen.sh` script, which accepts arbitrary file paths and renames them without restricting operations to safe directories.

Severity CVSS v4.0: Pending analysis

Last modification:

20/05/2026

CVE-2026-30691

Publication date:

20/05/2026

Cross-Site Scripting (XSS) vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanitize file content and explicitly casts raw data as a ReactNode

Severity CVSS v4.0: Pending analysis

Last modification:

20/05/2026

CVE-2026-9087

Publication date:

20/05/2026

A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId,<br /> idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim&#39;s local account.

Severity CVSS v4.0: Pending analysis

Last modification:

20/05/2026

CVE-2026-9100

Publication date:

20/05/2026

The MongoDB C Driver&#39;s legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash (via a division-by-zero) or silently leak process memory contents (via an out-of-bounds read).

Severity CVSS v4.0: MEDIUM

Last modification:

20/05/2026

CVE-2026-9101

Publication date:

20/05/2026

Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execution.

Severity CVSS v4.0: MEDIUM

Last modification:

20/05/2026

CVE-2026-8342

Publication date:

20/05/2026

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.

Severity CVSS v4.0: Pending analysis

Last modification:

20/05/2026

CVE-2026-7613

Publication date:

20/05/2026

The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &#39;csvdata[0][cost_of_goods_value]&#39; parameter in versions up to, and including, 1.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity CVSS v4.0: Pending analysis

Last modification:

20/05/2026

CVE-2026-44923

Publication date:

20/05/2026

SQL injection in InfoScale VIOM before v9.1.3 allows remote attackers to escalate privileges.

Severity CVSS v4.0: Pending analysis

Last modification:

20/05/2026

CVE-2026-44924

Publication date:

20/05/2026

InfoScale VIOM 9.1.3 allows XSS.

Severity CVSS v4.0: Pending analysis

Last modification:

20/05/2026

CVE-2026-44925

Publication date:

20/05/2026

Cross-Site Request Forgery (CSRF) vulnerability in InfoScale v.9.1.3 Operations Manager (VIOM) allows an attacker to force the user with an active session into clicking a malicious HTML link, which triggers unintended modifications on VIOM web application without the user&#39;s knowledge.

Severity CVSS v4.0: Pending analysis

Last modification:

20/05/2026