Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-50927

Publication date:
08/08/2025
A reflected cross-site scripting (XSS) vulnerability in the List All FTP User Function in EHCP v20.04.1.b allows authenticated attackers to execute arbitrary JavaScript via injecting a crafted payload into the ftpusername parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2025

CVE-2025-8284

Publication date:
08/08/2025
By default, the Packet Power Monitoring and Control Web Interface do not enforce authentication mechanisms. This vulnerability could allow unauthorized users to access and manipulate monitoring and control functions.
Severity CVSS v4.0: CRITICAL
Last modification:
08/08/2025

CVE-2025-8393

Publication date:
08/08/2025
A TLS vulnerability exists in the phone application used to manage a connected device. The phone application accepts self-signed certificates when establishing TLS communication which may result in man-in-the-middle attacks on untrusted networks. Captured communications may include user credentials and sensitive session tokens.
Severity CVSS v4.0: HIGH
Last modification:
08/08/2025

CVE-2025-8732

Publication date:
08/08/2025
A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."
Severity CVSS v4.0: MEDIUM
Last modification:
08/08/2025

CVE-2025-50467

Publication date:
08/08/2025
OpenMetadata
Severity CVSS v4.0: Pending analysis
Last modification:
11/08/2025

CVE-2025-50468

Publication date:
08/08/2025
OpenMetadata
Severity CVSS v4.0: Pending analysis
Last modification:
11/08/2025

CVE-2025-53520

Publication date:
08/08/2025
The affected product allows firmware updates to be downloaded from EG4's website, transferred via USB dongles, or installed through EG4's Monitoring Center (remote, cloud-connected interface) or via a serial connection, and can install these files without integrity checks. The TTComp archive format used for the firmware is unencrypted and can be unpacked and altered without detection.
Severity CVSS v4.0: HIGH
Last modification:
08/08/2025

CVE-2025-46414

Publication date:
08/08/2025
The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback when the correct PIN is entered. This vulnerability was patched in a server-side update on April 6, 2025.
Severity CVSS v4.0: CRITICAL
Last modification:
08/08/2025

CVE-2025-47872

Publication date:
08/08/2025
The public-facing product registration endpoint server responds differently depending on whether the S/N is valid and unregistered, valid but already registered, or does not exist in the database. Combined with the fact that serial numbers are sequentially assigned, this allows an attacker to gain information on the product registration status of different S/Ns.
Severity CVSS v4.0: MEDIUM
Last modification:
08/08/2025

CVE-2025-50465

Publication date:
08/08/2025
OpenMetadata
Severity CVSS v4.0: Pending analysis
Last modification:
11/08/2025

CVE-2025-50466

Publication date:
08/08/2025
OpenMetadata
Severity CVSS v4.0: Pending analysis
Last modification:
11/08/2025

CVE-2025-8356

Publication date:
08/08/2025
In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized files on the server. This can lead to Remote Code Execution (RCE), allowing the attacker to run arbitrary commands on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025