Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-15550
Publication date:
29/01/2026
birkir prime
Severity CVSS v4.0: MEDIUM
Last modification:
29/01/2026

CVE-2025-15549
Publication date:
29/01/2026
FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. Attackers can upload malicious SVG files that execute JavaScript in the browser of any user accessing the uploaded file URL.
Severity CVSS v4.0: MEDIUM
Last modification:
30/01/2026

CVE-2026-1457
Publication date:
29/01/2026
An authenticated buffer handling flaw in TP-Link VIGI C385 V1 Web API lacking input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger buffer overflow and potentially execute arbitrary code with elevated privileges.
Severity CVSS v4.0: HIGH
Last modification:
29/01/2026

CVE-2026-1601
Publication date:
29/01/2026
A weakness has been identified in Totolink A7000R 4.1cu.4154. The impacted element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument FileName can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
Severity CVSS v4.0: MEDIUM
Last modification:
29/01/2026

CVE-2026-1610
Publication date:
29/01/2026
A vulnerability was found in Tenda AX12 Pro V2 16.03.49.24_cn. Affected by this issue is some unknown functionality of the component Telnet Service. Performing a manipulation results in hard-coded credentials. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been made public and could be used.
Severity CVSS v4.0: HIGH
Last modification:
29/01/2026

CVE-2025-69749
Publication date:
29/01/2026
Cross Site Scripting vulnerability in tale v.2.0.5 allows an attacker to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026

CVE-2026-1453
Publication date:
29/01/2026
A missing authentication for critical function vulnerability in KiloView Encoder Series could allow an unauthenticated attacker to create or delete administrator accounts. This vulnerability can grant the attacker full administrative control over the product.
Severity CVSS v4.0: CRITICAL
Last modification:
29/01/2026

CVE-2025-15541
Publication date:
29/01/2026
Improper link resolution in the VX800v v1.0 SFTP service allows authenticated adjacent attackers to use crafted symbolic links to access system files, resulting in high confidentiality impact and limited integrity risk.
Severity CVSS v4.0: MEDIUM
Last modification:
29/01/2026

CVE-2025-15542
Publication date:
29/01/2026
Improper handling of exceptional conditions in VX800v v1.0 in SIP processing allows an attacker to flood the device with crafted INVITE messages, blocking all voice lines and causing a denial of service on incoming calls.
Severity CVSS v4.0: MEDIUM
Last modification:
29/01/2026

CVE-2025-15543
Publication date:
29/01/2026
Improper link resolution in USB HTTP access path in VX800v v1.0 allows a crafted USB device to expose root filesystem contents, giving an attacker with physical access read‑only access to system files.
Severity CVSS v4.0: MEDIUM
Last modification:
29/01/2026

CVE-2025-15548
Publication date:
29/01/2026
Some VX800v v1.0 web interface endpoints transmit sensitive information over unencrypted HTTP due to missing application layer encryption, allowing a network adjacent attacker to intercept this traffic and compromise its confidentiality.
Severity CVSS v4.0: MEDIUM
Last modification:
29/01/2026

CVE-2025-13399
Publication date:
29/01/2026
A weakness in the web interface’s application layer encryption in VX800v v1.0 allows an adjacent attacker to brute force the weak AES key and decrypt intercepted traffic. Successful exploitation requires network proximity but no authentication, and may result in high impact to confidentiality, integrity, and availability of transmitted data.
Severity CVSS v4.0: HIGH
Last modification:
29/01/2026
Subscribe to Vulnerabilities