Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-7850
Publication date:
21/10/2025
A command injection vulnerability may be exploited after the admin's authentication on the web portal on Omada gateways.
Severity CVSS v4.0: CRITICAL
Last modification:
24/10/2025

CVE-2025-7851
Publication date:
21/10/2025
An attacker may obtain the root shell on the underlying OS system with the restricted conditions on Omada gateways.
Severity CVSS v4.0: HIGH
Last modification:
24/10/2025

CVE-2025-6542
Publication date:
21/10/2025
An arbitrary OS command may be executed on the product by a remote unauthenticated attacker.
Severity CVSS v4.0: CRITICAL
Last modification:
24/10/2025

CVE-2025-6541
Publication date:
21/10/2025
An arbitrary OS command may be executed on the product by the user who can log in to the web management interface.
Severity CVSS v4.0: HIGH
Last modification:
24/10/2025

CVE-2025-54764
Publication date:
20/10/2025
Mbed TLS before 3.6.5 allows a local timing attack against certain RSA operations, and direct calls to mbedtls_mpi_mod_inv or mbedtls_mpi_gcd.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2025

CVE-2025-11536
Publication date:
20/10/2025
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 8.2.5 via the wp_ajax_import_elementor_template action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-12001
Publication date:
20/10/2025
Lack of application manifest sanitation could lead to potential stored XSS.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
Severity CVSS v4.0: CRITICAL
Last modification:
07/11/2025

CVE-2018-25118
Publication date:
20/10/2025
GeoVision embedded IP devices, confirmed on GV-BX1500 and GV-MFD1501, contain a remote command injection vulnerability via /PictureCatch.cgi that enables an attacker to execute arbitrary commands on the device. The vulnerable models have been declared end-of-life (EOL) by the vendor. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-19 08:55:13.141502 UTC.
Severity CVSS v4.0: CRITICAL
Last modification:
23/10/2025

CVE-2025-62658
Publication date:
20/10/2025
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation MediaWiki WatchAnalytics extension allows SQL Injection.This issue affects MediaWiki WatchAnalytics extension: 1.43, 1.44.
Severity CVSS v4.0: HIGH
Last modification:
21/10/2025

CVE-2025-61301
Publication date:
20/10/2025
Denial-of-analysis in reporting/mongodb.py and reporting/jsondump.py in CAPEv2 (commit 52e4b43, on 2025-05-17) allows attackers who can submit samples to cause incomplete or missing behavioral analysis reports by generating deeply nested or oversized behavior data that trigger MongoDB BSON limits or orjson recursion errors when the sample executes in the sandbox.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-61303
Publication date:
20/10/2025
Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021(2025-08-14) contains a vulnerability in its Windows behavioral analysis engine that allows a submitted malware sample to evade detection and cause denial-of-analysis. The vulnerability is triggered when a sample recursively spawns a large number of child processes, generating high log volume and exhausting system resources. As a result, key malicious behavior, including PowerShell execution and reverse shell activity, may not be recorded or reported, misleading analysts and compromising the integrity and availability of sandboxed analysis results.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-62656
Publication date:
20/10/2025
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki GlobalBlocking extension allows Stored XSS.This issue affects MediaWiki GlobalBlocking extension: 1.43, 1.44.
Severity CVSS v4.0: MEDIUM
Last modification:
21/10/2025
Subscribe to Vulnerabilities