Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-67866
Publication date:
13/12/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2025

CVE-2025-36750
Publication date:
13/12/2025
ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the Plant Name field. A HTML payload will be displayed on the plant management page via a direct post. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code.
Severity CVSS v4.0: HIGH
Last modification:
15/12/2025

CVE-2025-36751
Publication date:
13/12/2025
Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its cloud endpoint.
Severity CVSS v4.0: CRITICAL
Last modification:
15/12/2025

CVE-2025-36752
Publication date:
13/12/2025
Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.
Severity CVSS v4.0: CRITICAL
Last modification:
15/12/2025

CVE-2025-36753
Publication date:
13/12/2025
The SWD debug interface on the Growatt ShineLan-X communication dongle is available by default, allowing an attacker to attain debug access to the device and to extracting secrets or domains from within the device
Severity CVSS v4.0: HIGH
Last modification:
15/12/2025

CVE-2025-36754
Publication date:
13/12/2025
The authentication mechanism on web interface is not properly implemented. It is possible to bypass authentication checks by crafting a post request with new settings since there is no session token or authentication in place. This would allow an attacker for instance to point the device to an arbitrary address for domain name resolution to e.g. facililitate a man-in-the-middle (MitM) attack.
Severity CVSS v4.0: CRITICAL
Last modification:
15/12/2025

CVE-2025-14617
Publication date:
13/12/2025
A vulnerability has been found in Jehovahs Witnesses JW Library App up to 15.5.1 on Android. Affected is an unknown function of the component org.jw.jwlibrary.mobile.activity.SiloContainer. Such manipulation leads to path traversal. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
15/12/2025

CVE-2025-36747
Publication date:
13/12/2025
ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced.
Severity CVSS v4.0: CRITICAL
Last modification:
15/12/2025

CVE-2025-36748
Publication date:
13/12/2025
ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the local configuration web server. The JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code.
Severity CVSS v4.0: HIGH
Last modification:
15/12/2025

CVE-2025-14619
Publication date:
13/12/2025
A vulnerability was found in code-projects Student File Management System 1.0. Affected by this vulnerability is an unknown functionality of the file login_query.php. Performing manipulation of the argument stud_no results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used.
Severity CVSS v4.0: MEDIUM
Last modification:
16/12/2025

CVE-2025-14620
Publication date:
13/12/2025
A vulnerability was determined in code-projects Student File Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/login_query.php. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Severity CVSS v4.0: MEDIUM
Last modification:
16/12/2025

CVE-2025-14606
Publication date:
13/12/2025
A security vulnerability has been detected in tiny-rdm Tiny RDM up to 1.2.5. Affected by this vulnerability is the function pickle.loads of the file pickle_convert.go of the component Pickle Decoding. The manipulation leads to deserialization. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: LOW
Last modification:
15/12/2025
Subscribe to Vulnerabilities