Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-60534

Publication date:

06/01/2026

Blue Access Cobalt v02.000.195 suffers from an authentication bypass vulnerability, which allows an attacker to selectively proxy requests in order to operate functionality on the web application without the need to authenticate with legitimate credentials.

Severity CVSS v4.0: Pending analysis

Last modification:

08/01/2026

CVE-2025-63082

Publication date:

06/01/2026

Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.

Severity CVSS v4.0: MEDIUM

Last modification:

08/01/2026

CVE-2025-63083

Publication date:

06/01/2026

Lack of output escaping leads to a XSS vector in the pagebreak plugin.

Severity CVSS v4.0: MEDIUM

Last modification:

08/01/2026

CVE-2024-31088

Publication date:

06/01/2026

Improper Neutralization of Input During Web Page Generation (XSS or &#39;Cross-site Scripting&#39;) vulnerability in WPShop.Ru AdsPlace&#39;r – Ad Manager, Inserter, AdSense Ads allows DOM-Based XSS.This issue affects AdsPlace&#39;r – Ad Manager, Inserter, AdSense Ads: from n/a through 1.1.5.

Severity CVSS v4.0: Pending analysis

Last modification:

08/01/2026

CVE-2025-36589

Publication date:

06/01/2026

Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access to data and resources outside of the intended sphere of control.

Severity CVSS v4.0: Pending analysis

Last modification:

08/01/2026

CVE-2025-39477

Publication date:

06/01/2026

Missing Authorization vulnerability in Sfwebservice InWave Jobs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InWave Jobs: from n/a through 3.5.8.

Severity CVSS v4.0: Pending analysis

Last modification:

08/01/2026

CVE-2024-30547

Publication date:

06/01/2026

Improper Neutralization of Input During Web Page Generation (XSS or &#39;Cross-site Scripting&#39;) vulnerability in Shazdeh Header Image Slider header-image-slider allows DOM-Based XSS.This issue affects Header Image Slider: from n/a through 0.3.

Severity CVSS v4.0: Pending analysis

Last modification:

08/01/2026

CVE-2026-0640

Publication date:

06/01/2026

A weakness has been identified in Tenda AC23 16.03.07.52. This affects the function sscanf of the file /goform/PowerSaveSet. Executing a manipulation of the argument Time can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

Severity CVSS v4.0: HIGH

Last modification:

08/01/2026

CVE-2025-14979

Publication date:

06/01/2026

AirVPN Eddie on MacOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root.This issue affects Eddie: 2.24.6.

Severity CVSS v4.0: HIGH

Last modification:

08/01/2026

CVE-2025-59379

Publication date:

06/01/2026

DwyerOmega Isensix Advanced Remote Monitoring System (ARMS) 1.5.7 allows an attacker to retrieve sensitive information from the underlying SQL database via Blind SQL Injection through the user parameter in the login page. This allows an attacker to steal credentials, which may be cleartext, from existing users (and admins) and use them to authenticate to the application.

Severity CVSS v4.0: Pending analysis

Last modification:

08/01/2026

CVE-2025-60262

Publication date:

06/01/2026

An issue in H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point, there is a misconfiguration vulnerability about vsftpd. Through this vulnerability, all files uploaded anonymously via the FTP protocol is automatically owned by the root user and remote attackers could gain root-level control over the devices.

Severity CVSS v4.0: Pending analysis

Last modification:

08/01/2026

CVE-2025-65212

Publication date:

06/01/2026

An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device&#39;s insufficient cookie verification, allowing an attacker to directly request the configuration file address and download the core configuration file without logging into the device management backend. By reading the corresponding username and self-decrypted MD5 password in the core configuration file, the attacker can directly log in to the backend, thereby bypassing the front-end backend login page.

Severity CVSS v4.0: Pending analysis

Last modification:

08/01/2026

Subscribe to Vulnerabilities