Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-5317
Publication date:
11/11/2025
An improper access restriction to a folder in Bitdefender Endpoint Security Tools for Mac (BEST) before 7.20.52.200087 allows local users with administrative privileges to bypass the configured uninstall password protection. An unauthorized user with sudo privileges can manually remove the application directory (/Applications/Endpoint Security for Mac.app/) and the related directories within /Library/Bitdefender/AVP without needing the uninstall password.
Severity CVSS v4.0: MEDIUM
Last modification:
12/11/2025

CVE-2025-7429
Publication date:
11/11/2025
Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Mails Deleted or Moved report.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-8998
Publication date:
11/11/2025
It was possible to upload files with a specific name to a temporary directory, which may result in process crashes and impact usability. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-10714
Publication date:
11/11/2025
AXIS Optimizer was vulnerable to an unquoted search path vulnerability, which could potentially lead to privilege escalation within Microsoft Windows operating system. This vulnerability can only be exploited if the attacker has access to the local Windows machine and sufficient access rights (administrator) to write data into the installation path of AXIS Optimizer.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-8108
Publication date:
11/11/2025
An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-5718
Publication date:
11/11/2025
The ACAP Application framework could allow privilege escalation through a symlink attack. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-6298
Publication date:
11/11/2025
ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-6571
Publication date:
11/11/2025
A 3rd-party component exposed its password in process arguments, allowing for low-privileged users to access it.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-6779
Publication date:
11/11/2025
An ACAP configuration file has improper permissions, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-5452
Publication date:
11/11/2025
A malicious ACAP application can gain access to admin-level service account credentials used by legitimate ACAP applications, leading to potential privilege escalation of the malicious ACAP application. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-5454
Publication date:
11/11/2025
An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-4645
Publication date:
11/11/2025
An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025
Subscribe to Vulnerabilities