Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-65290
Publication date:
10/12/2025
Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 fail to validate server certificates during HTTPS firmware downloads, allowing man-in-the-middle attackers to intercept firmware update traffic and potentially serve modified firmware files.
Severity CVSS v4.0: Pending analysis
Last modification:
10/12/2025

CVE-2025-65291
Publication date:
10/12/2025
Aqara Hub devices including Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, Camera Hub G3 4.1.9_0027 fail to validate server certificates in TLS connections for discovery services and CoAP gateway communications, enabling man-in-the-middle attacks on device control and monitoring.
Severity CVSS v4.0: Pending analysis
Last modification:
10/12/2025

CVE-2025-65292
Publication date:
10/12/2025
Command injection vulnerability in Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 allows attackers to execute arbitrary commands with root privileges through malicious domain names.
Severity CVSS v4.0: Pending analysis
Last modification:
10/12/2025

CVE-2025-65293
Publication date:
10/12/2025
Command injection vulnerabilities in Aqara Camera Hub G3 4.1.9_0027 allow attackers to execute arbitrary commands with root privileges through malicious QR codes during device setup and factory reset.
Severity CVSS v4.0: Pending analysis
Last modification:
10/12/2025

CVE-2024-58282
Publication date:
10/12/2025
Serendipity 2.5.0 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload mechanism by creating a PHP shell with a command execution form that enables arbitrary system command execution on the web server.
Severity CVSS v4.0: HIGH
Last modification:
10/12/2025

CVE-2024-58283
Publication date:
10/12/2025
WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter.
Severity CVSS v4.0: HIGH
Last modification:
10/12/2025

CVE-2024-58284
Publication date:
10/12/2025
PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter.
Severity CVSS v4.0: HIGH
Last modification:
10/12/2025

CVE-2024-58285
Publication date:
10/12/2025
Chyrp 2.5.2 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into post titles. Attackers can craft payloads in the title field that will execute when the post is viewed by other users, potentially stealing session cookies or performing client-side attacks.
Severity CVSS v4.0: MEDIUM
Last modification:
10/12/2025

CVE-2023-53776
Publication date:
10/12/2025
Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to exploit weak session management by reusing IP-bound session identifiers. Attackers can issue unauthorized requests to the device management API by leveraging the session binding mechanism to perform critical operations on the transmitter.
Severity CVSS v4.0: HIGH
Last modification:
10/12/2025

CVE-2024-58279
Publication date:
10/12/2025
appRain CMF 4.0.5 contains an authenticated remote code execution vulnerability that allows administrative users to upload malicious PHP files through the filemanager upload endpoint. Attackers can leverage authenticated access to generate a web shell with command execution capabilities by uploading a crafted PHP file to the site's uploads directory.
Severity CVSS v4.0: HIGH
Last modification:
10/12/2025

CVE-2024-58280
Publication date:
10/12/2025
CMSimple 5.15 contains a remote command execution vulnerability that allows authenticated attackers to modify file extensions and upload malicious PHP files. Attackers can append ',php' to Extensions_userfiles and upload a shell script to the media directory to execute arbitrary code on the server.
Severity CVSS v4.0: HIGH
Last modification:
10/12/2025

CVE-2024-58281
Publication date:
10/12/2025
Dotclear 2.29 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload process by crafting a PHP shell with a command execution form to gain system access through the uploaded file.
Severity CVSS v4.0: HIGH
Last modification:
10/12/2025
Subscribe to Vulnerabilities