Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. The database is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-7415

Publication date:
10/07/2025
A vulnerability, which was classified as critical, has been found in Tenda O3V2 1.0.0.12(3880). This issue affects the function fromTraceroutGet of the file /goform/getTraceroute of the component httpd. The manipulation of the argument dest leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
10/07/2025

CVE-2025-6390

Publication date:
10/07/2025
Brocade SANnav before SANnav 2.4.0a logs passwords and pbe keys in the Brocade SANnav server audit logs after installation and under specific conditions. These audit logs are the local server VM’s audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user.
Severity CVSS v4.0: MEDIUM
Last modification:
10/07/2025

CVE-2025-3946

Publication date:
10/07/2025
The Honeywell Experion PKS and OneWireless WDM contains a Deployment of Wrong Handler vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to Input Data Manipulation, which could result in incorrect handling of packets leading to remote code execution. Honeywell recommends updating to the most recent version of Honeywell Experion PKS: 520.2 TCU9 HF1 and 530.1 TCU3 HF1 and OneWireless: 322.5 and 331.1. The affected Experion PKS products are C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3. The OneWireless WDM affected versions are 322.1 through 322.4 and 330.1 through 330.3.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-3947

Publication date:
10/07/2025
The Honeywell Experion PKS contains an Integer Underflow vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to Input Data Manipulation, which could result in improper integer data value checking during subtraction leading to a denial of service. Honeywell recommends updating to the most recent version of Honeywell Experion PKS: 520.2 TCU9 HF1 and 530.1 TCU3 HF1. The affected Experion PKS products are C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-4662

Publication date:
10/07/2025
Brocade SANnav before SANnav 2.4.0a logs plaintext passphrases in the Brocade SANnav host server audit logs while executing OpenSSL command using a passphrase from the command line or while providing the passphrase through a temporary file. These audit logs are the local server VM’s audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user.
Severity CVSS v4.0: MEDIUM
Last modification:
10/07/2025

CVE-2025-2521

Publication date:
10/07/2025
The Honeywell Experion PKS and OneWireless WDM contains a Memory Buffer vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to Overread Buffers, which could result in improper index validation against buffer borders leading to remote code execution. Honeywell recommends updating to the most recent version of Honeywell Experion PKS: 520.2 TCU9 HF1 and 530.1 TCU3 HF1 and OneWireless: 322.5 and 331.1. The affected Experion PKS products are C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3. The OneWireless WDM affected versions are 322.1 through 322.4 and 330.1 through 330.3.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-2522

Publication date:
10/07/2025
The Honeywell Experion PKS and OneWireless WDM contains a Sensitive Information in Resource vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to a Communication Channel Manipulation, which could result in buffer reuse which may cause incorrect system behavior. Honeywell also recommends updating to the most recent version of Honeywell Experion PKS: 520.2 TCU9 HF1 and 530.1 TCU3 HF1 and OneWireless: 322.5 and 331.1. The affected Experion PKS products are C300, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are 520.1 before 520.2 TCU9 HF1 and 530 before 530 TCU3. The OneWireless WDM affected versions are 322.1 through 322.4 and 330.1 through 330.3.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-2523

Publication date:
10/07/2025
The Honeywell Experion PKS and OneWireless WDM contains an Integer Underflow vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to a Communication Channel Manipulation, which could result in a failure during subtraction allowing remote code execution. Honeywell recommends updating to the most recent version of Honeywell Experion PKS: 520.2 TCU9 HF1 and 530.1 TCU3 HF1 and OneWireless: 322.5 and 331.1. The affected Experion PKS products are C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3. The OneWireless WDM affected versions are 322.1 through 322.4 and 330.1 through 330.3.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-7021

Publication date:
10/07/2025
Fullscreen API Spoofing and UI Redressing in the handling of Fullscreen API and UI rendering in OpenAI Operator SaaS on Web allows a remote attacker to capture sensitive user input (e.g., login credentials, email addresses) via displaying a deceptive fullscreen interface with overlaid fake browser controls and a distracting element (like a cookie consent screen) to obscure fullscreen notifications, tricking the user into interacting with the malicious site.
Severity CVSS v4.0: MEDIUM
Last modification:
10/07/2025

CVE-2025-7412

Publication date:
10/07/2025
A vulnerability was found in code-projects Library System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /user/student/profile.php. The manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
10/07/2025

CVE-2025-7413

Publication date:
10/07/2025
A vulnerability classified as critical has been found in code-projects Library System 1.0. This affects an unknown part of the file /user/teacher/profile.php. The manipulation of the argument image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
10/07/2025

CVE-2025-53630

Publication date:
10/07/2025
llama.cpp is an inference of several LLM models in C/C++. Integer Overflow in the gguf_init_from_file_impl function in ggml/src/gguf.cpp can lead to Heap Out-of-Bounds Read/Write. This vulnerability is fixed in commit 26a48ad699d50b6268900062661bd22f3e792579.
Severity CVSS v4.0: HIGH
Last modification:
10/07/2025