Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement under which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-26007

Publication date:
26/03/2025
Telesquare TLR-2005KSH 1.1.4 has an unauthorized stack overflow vulnerability in the login interface when requesting systemtil.cgi.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2025-26001

Publication date:
26/03/2025
Telesquare TLR-2005KSH 1.1.4 is vulnerable to Information Disclosure via the parameter getUserNamePassword.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2025-26002

Publication date:
26/03/2025
Telesquare TLR-2005KSH 1.1.4 is affected by an unauthorized stack overflow vulnerability when requesting the admin.cgi parameter with setSyncTimeHost.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2025-26003

Publication date:
26/03/2025
Telesquare TLR-2005KSH 1.1.4 is affected by an unauthorized command execution vulnerability when requesting the admin.cgi parameter with setAutorest.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2025-26004

Publication date:
26/03/2025
Telesquare TLR-2005KSH 1.1.4 is vulnerable to an unauthorized stack buffer overflow when requesting the admin.cgi parameter with setDdns.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2025-25535

Publication date:
26/03/2025
HTTP Response Manipulation in SCRIPT CASE v.1.0.002 Build7 allows a remote attacker to escalate privileges via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-29322

Publication date:
26/03/2025
A cross-site scripting (XSS) vulnerability in ScriptCase before v1.0.003 - Build 3 allows attackers to execute arbitrary code via a crafted payload to the "Connection Name" in the New Connection and Rename Connection pages.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-30352

Publication date:
26/03/2025
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents. The searchable columns (numbers & strings) are not checked against permissions when injecting the `where` clauses for applying the search query. This leads to the possibility of enumerating those un-permitted fields. Version 11.5.0 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-30353

Publication date:
26/03/2025
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-2600

Publication date:
26/03/2025
Improper authorization in the variable component in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use the ELEVATED_PASSWORD variable even though not allowed by the "Allow password in variable policy". This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-30351

Publication date:
26/03/2025
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth mode to access the API despite their status. This happens because there is a check missing in `verifySessionJWT` to verify that a user is actually still active and allowed to access the API. One can extract the session token obtained by, e.g., logging in to the app while still active and then, after the user has been suspended, continue to use that token until it expires. Version 11.5.0 patches the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-2528

Publication date:
26/03/2025
Improper authorization in application password policy in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use a configuration different from the one mandated by the system administrators. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2025