Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to the relevant information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, as different criteria can be selected to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-52663

Publication date:
31/10/2025
A vulnerability was identified in certain UniFi Talk devices where internal debugging functionality remained unintentionally enabled. This issue could allow an attacker with access to the UniFi Talk management network to invoke internal debug operations through the device API.

Affected Products:
UniFi Talk Touch (Version 1.21.16 and earlier)
UniFi Talk Touch Max (Version 2.21.22 and earlier)
UniFi Talk G3 Phones (Version 3.21.26 and earlier)

Mitigation:
Update the UniFi Talk Touch to Version 1.21.17 or later.
Update the UniFi Talk Touch Max to Version 2.21.23 or later.
Update the UniFi Talk G3 Phones to Version 3.21.27 or later.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-48983

Publication date:
31/10/2025
A vulnerability in the Mount service of Veeam Backup & Replication, which allows for remote code execution (RCE) on the Backup infrastructure hosts by an authenticated domain user.
Severity CVSS v4.0: Pending analysis
Last modification:
11/11/2025

CVE-2025-48984

Publication date:
31/10/2025
A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.
Severity CVSS v4.0: Pending analysis
Last modification:
11/11/2025

CVE-2025-27208

Publication date:
31/10/2025
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Revive Adserver version 5.5.2. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and execute injected JavaScript code in the context of the victim's browser. The session cookie cannot be accessed, but a number of other operations could be performed.

The vulnerability is present in the admin-search.php file and can be exploited via the compact parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-52664

Publication date:
31/10/2025
SQL injection in Revive Adserver 6.0.0 causes potential disruption or information access when specifically crafted payloads are sent by logged-in users.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-48982

Publication date:
31/10/2025
This vulnerability in Veeam Agent for Microsoft Windows allows for Local Privilege Escalation if a system administrator is tricked into restoring a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2025

CVE-2025-34298

Publication date:
30/10/2025
Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state, trigger inconsistent account state that granted elevated privileges or bypassed intended access controls.
Severity CVSS v4.0: HIGH
Last modification:
06/11/2025

CVE-2025-34287

Publication date:
30/10/2025
Nagios XI versions prior to 2024R2 contain an improperly owned script, process_perfdata.pl, which is executed periodically as the nagios user but owned by www-data. Because the file was writable by www-data, an attacker with web server privileges could modify its contents, leading to arbitrary code execution as the nagios user when the script is next run. This improper ownership and permission configuration enables local privilege escalation.
Severity CVSS v4.0: HIGH
Last modification:
06/11/2025

CVE-2025-34277

Publication date:
30/10/2025
Nagios Log Server versions prior to 2024R1.3.1 contain a code injection vulnerability where malformed dashboard ID values are not properly validated before being forwarded to an internal API. An attacker able to supply crafted dashboard ID values can cause the system to execute attacker-controlled data, leading to arbitrary code execution in the context of the Log Server process.
Severity CVSS v4.0: CRITICAL
Last modification:
06/11/2025

CVE-2025-34274

Publication date:
30/10/2025
Nagios Log Server versions prior to 2024R2.0.3 contain an execution with unnecessary privileges vulnerability as it runs its embedded Logstash process as the root user. If an attacker is able to compromise the Logstash process - for example by exploiting an insecure plugin, pipeline configuration injection, or a vulnerability in input parsing - the attacker could execute code with root privileges, resulting in full system compromise. The Logstash service has been altered to run as the lower-privileged 'nagios' user to reduce this risk associated with a network-facing service that can accept untrusted input or load third-party components.
Severity CVSS v4.0: CRITICAL
Last modification:
06/11/2025

CVE-2025-34286

Publication date:
30/10/2025
Nagios XI versions prior to 2026R1 contain a remote code execution vulnerability in the Core Config Manager (CCM) Run Check command. Insufficient validation/escaping of parameters used to build backend command lines allows an authenticated administrator to inject shell metacharacters that are executed on the server. Successful exploitation results in arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to gain control of the underlying host operating system.
Severity CVSS v4.0: CRITICAL
Last modification:
06/11/2025

CVE-2025-34284

Publication date:
30/10/2025
Nagios XI versions prior to 2024R2 contain a command injection vulnerability in the WinRM plugin. Insufficient validation of user-supplied parameters allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to modify configuration, exfiltrate data, disrupt monitoring operations, or execute commands on the underlying host operating system.
Severity CVSS v4.0: CRITICAL
Last modification:
06/11/2025