Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-1213

Publication date:

27/01/2026

All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users.This issue affects askbot: 0.12.2.

Severity CVSS v4.0: MEDIUM

Last modification:

27/01/2026

CVE-2025-12387

Publication date:

27/01/2026

A vulnerability in the Pix-Link LV-WR21Q router&#39;s language module allows remote attackers to trigger a denial of service (DoS) by sending a specially crafted HTTP POST request containing non-existing language parameter. This renders the server unable to serve correct lang.js file, which causes administrator panel to not work, resulting in DoS until the language settings is reverted to a correct value. The Denial of Service affects only the administrator panel and does not affect other router functionalities.<br /> <br /> The vendor was notified early about this vulnerability, but didn&#39;t respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Severity CVSS v4.0: MEDIUM

Last modification:

27/01/2026

CVE-2025-41726

Publication date:

27/01/2026

A low privileged remote attacker can execute arbitrary code by sending specially crafted calls to the web service of the Device Manager or locally via an API and can cause integer overflows which then may lead to arbitrary code execution within privileged processes.

Severity CVSS v4.0: Pending analysis

Last modification:

27/01/2026

CVE-2025-41727

Publication date:

27/01/2026

A local low privileged attacker can bypass the authentication of the Device Manager user interface, allowing them to perform privileged operations and gain administrator access.

Severity CVSS v4.0: Pending analysis

Last modification:

27/01/2026

CVE-2025-41728

Publication date:

27/01/2026

A low privileged remote attacker may be able to disclose confidential information from the memory of a privileged process by sending specially crafted calls to the Device Manager web service that cause an out-of-bounds read operation under certain circumstances due to ASLR and thereby potentially copy confidential information into a response.

Severity CVSS v4.0: Pending analysis

Last modification:

27/01/2026

CVE-2025-12386

Publication date:

27/01/2026

Pix-Link LV-WR21Q does not enforce any form of authentication for endpoint /goform/getHomePageInfo. Remote unauthenticated attacker is able to use this endpoint to e.g: retrieve cleartext password to the access point.<br /> <br /> The vendor was notified early about this vulnerability, but didn&#39;t respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Severity CVSS v4.0: MEDIUM

Last modification:

27/01/2026

CVE-2026-24830

Publication date:

27/01/2026

Integer Overflow or Wraparound vulnerability in Ralim IronOS.This issue affects IronOS: before v2.23-rc2.

Severity CVSS v4.0: Pending analysis

Last modification:

27/01/2026

CVE-2026-24346

Publication date:

27/01/2026

Use of well-known default credentials in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to access protected areas in the web application

Severity CVSS v4.0: HIGH

Last modification:

27/01/2026

CVE-2026-24347

Publication date:

27/01/2026

Improper input validation in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to manipulate files in the /tmp directory

Severity CVSS v4.0: MEDIUM

Last modification:

27/01/2026

CVE-2026-24348

Publication date:

27/01/2026

Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users.

Severity CVSS v4.0: HIGH

Last modification:

27/01/2026

CVE-2026-24826

Publication date:

27/01/2026

Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d.This issue affects .

Severity CVSS v4.0: CRITICAL

Last modification:

27/01/2026