Vulnerabilities

With the aim of informing, warning and assisting professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 entries, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2025-52586

Publication date:
08/08/2025
The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This vulnerability may allow an attacker with access to a local network to intercept, manipulate, replay, or forge critical data, including read/write operations for voltage, current, and power configuration, operational status, alarms, telemetry, system reset, or inverter control commands, potentially disrupting power generation or reconfiguring inverter settings.
Severity CVSS v4.0: HIGH
Last modification:
08/09/2025

CVE-2025-8355

Publication date:
08/08/2025
In Xerox FreeFlow Core version 8.0.4, improper handling of XML input allows injection of external entities. An attacker can craft malicious XML containing references to internal URLs, which results in a Server-Side Request Forgery (SSRF).
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2025

CVE-2025-8730

Publication date:
08/08/2025
A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to hard-coded credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: HIGH
Last modification:
08/08/2025

CVE-2025-36023

Publication date:
08/08/2025
IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key.
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2025

CVE-2025-36119

Publication date:
08/08/2025
IBM i 7.3, 7.4, 7.5, and 7.6 is affected by an authenticated user obtaining elevated privileges with IBM Digital Certificate Manager for i (DCM) due to a web session hijacking vulnerability. An authenticated user without administrator privileges could exploit this vulnerability to perform actions in DCM as an administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2025

CVE-2020-9322

Publication date:
08/08/2025
The /users endpoint in Statamic Core before 2.11.8 allows XSS to add an administrator user. This can be exploited via CSRF. Stored XSS can occur via a JavaScript payload in a username during account registration. Reflected XSS can occur via the /users PATH_INFO.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2025

CVE-2025-8729

Publication date:
08/08/2025
A vulnerability has been found in MigoXLab LMeterX 1.2.0 and classified as critical. Affected by this vulnerability is the function process_cert_files of the file backend/service/upload_service.py. The manipulation of the argument task_id leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is f1b00597e293d09452aabd4fa57f3185207350e8. It is recommended to apply a patch to fix this issue.
Severity CVSS v4.0: MEDIUM
Last modification:
16/09/2025

CVE-2025-8088

Publication date:
08/08/2025
A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
Severity CVSS v4.0: HIGH
Last modification:
30/10/2025

CVE-2025-8749

Publication date:
08/08/2025
Path Traversal vulnerability in API Endpoint in Mobile Industrial Robots (MiR) Software Versions prior to 3.0.0 on MiR Robots allows authenticated users to extract files from the robot file system via a crafted API request.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2025-8748

Publication date:
08/08/2025
MiR software versions prior to version 3.0.0 are affected by a command injection vulnerability. A malicious HTTP request crafted by an authenticated user could allow the execution of arbitrary commands on the underlying operating system.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2025-53606

Publication date:
08/08/2025
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): 2.4.0. Users are recommended to upgrade to version 2.5.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-48913

Publication date:
08/08/2025
If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility. Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025