Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2012-10041

Publication date:
08/08/2025
WAN Emulator v2.3 contains two unauthenticated command execution vulnerabilities. The result.php script calls shell_exec() with unsanitized input from the pc POST parameter, allowing remote attackers to execute arbitrary commands as the www-data user. The system also includes a SUID-root binary named dosu, which is vulnerable to command injection via its first argument. An attacker can exploit both flaws in sequence to achieve full remote code execution and escalate privileges to root.
Severity CVSS v4.0: CRITICAL
Last modification:
08/08/2025

CVE-2010-10013

Publication date:
08/08/2025
An unauthenticated remote command execution vulnerability exists in AjaXplorer (now known as Pydio Cells) versions prior to 2.6. The flaw resides in the checkInstall.php script within the access.ssh plugin, which fails to properly sanitize user-supplied input to the destServer GET parameter. By injecting shell metacharacters, remote attackers can execute arbitrary system commands on the server with the privileges of the web server process.
Severity CVSS v4.0: CRITICAL
Last modification:
08/08/2025

CVE-2025-8733

Publication date:
08/08/2025
A vulnerability was found in GNU Bison up to 3.8.2. It has been rated as problematic. This issue affects the function __obstack_vprintf_internal of the file obprintf.c. The manipulation leads to reachable assertion. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
08/08/2025

CVE-2025-8734

Publication date:
08/08/2025
A vulnerability classified as problematic has been found in GNU Bison up to 3.8.2. Affected is the function code_free of the file src/scan-code.c. The manipulation leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
08/08/2025

CVE-2025-50928

Publication date:
08/08/2025
Easy Hosting Control Panel EHCP v20.04.1.b was discovered to contain a SQL injection vulnerability via the id parameter in the Change Settings function.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2025

CVE-2025-5095

Publication date:
08/08/2025
Burk Technology ARC Solo's password change mechanism can be utilized without proper authentication procedures, allowing an attacker to take over the device. A password change request can be sent directly to the device's HTTP endpoint without providing valid credentials. The system does not enforce proper authentication or session validation, allowing the password change to proceed without verifying the request's legitimacy.
Severity CVSS v4.0: CRITICAL
Last modification:
08/08/2025

CVE-2025-52913

Publication date:
08/08/2025
A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP2 (9.8.2.12) could allow an unauthenticated attacker to conduct a path traversal attack due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2025

CVE-2025-52914

Publication date:
08/08/2025
A vulnerability in the Suite Applications Services component of Mitel MiCollab 10.0 through SP1 FP1 (10.0.1.101) could allow an authenticated attacker to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary SQL database commands.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2025

CVE-2025-50927

Publication date:
08/08/2025
A reflected cross-site scripting (XSS) vulnerability in the List All FTP User Function in EHCP v20.04.1.b allows authenticated attackers to execute arbitrary JavaScript via injecting a crafted payload into the ftpusername parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2025

CVE-2025-8284

Publication date:
08/08/2025
By default, the Packet Power Monitoring and Control Web Interface does not enforce authentication mechanisms. This vulnerability could allow unauthorized users to access and manipulate monitoring and control functions.
Severity CVSS v4.0: CRITICAL
Last modification:
08/08/2025

CVE-2025-8393

Publication date:
08/08/2025
A TLS vulnerability exists in the phone application used to manage a connected device. The phone application accepts self-signed certificates when establishing TLS communication which may result in man-in-the-middle attacks on untrusted networks. Captured communications may include user credentials and sensitive session tokens.
Severity CVSS v4.0: HIGH
Last modification:
08/08/2025

CVE-2025-8732

Publication date:
08/08/2025
A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."
Severity CVSS v4.0: MEDIUM
Last modification:
08/08/2025