Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-43725
Publication date:
10/09/2025
Dell PowerProtect Data Manager, Generic Application Agent, version(s) 19.19 and 19.20, contain(s) an Incorrect Default Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2025

CVE-2025-20159
Publication date:
10/09/2025
A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the SSH, NetConf, and gRPC features.<br /> <br /> This vulnerability exists because management interface ACLs have not been supported on Cisco IOS XR Software Packet I/O infrastructure platforms for Linux-handled features such as SSH, NetConf, or gRPC. An attacker could exploit this vulnerability by attempting to send traffic to an affected device. A successful exploit could allow the attacker to bypass an ingress ACL that is applied on the management interface of the affected device.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2025

CVE-2025-56466
Publication date:
10/09/2025
Hardcoded credentials in Dietly v1.25.0 for android allows attackers to gain sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2025

CVE-2025-56578
Publication date:
10/09/2025
An issue in RTSPtoWeb v.2.4.3 allows a remote attacker to obtain sensitive information and executearbitrary code via the lack of authentication mechanisms
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2025

CVE-2025-56407
Publication date:
10/09/2025
A vulnerability has been found in HuangDou UTCMS V9 and classified as critical. This vulnerability affects the function RunSql of the file app/modules/ut-data/admin/mysql.php. The manipulation of the argument sql leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2025

CVE-2025-56406
Publication date:
10/09/2025
An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service. NOTE: the Supplier&amp;#39;s position is that authentication is not mandatory for MCP servers, and the mcp-neo4j MCP server is only intended for use in a local environment where authentication realistically would not be needed. Also, the Supplier provides middleware to help isolate the MCP server from external access (if needed).
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2025

CVE-2025-56413
Publication date:
10/09/2025
OS Command injection vulnerability in function OperateSSH in 1panel 2.0.8 allowing attackers to execute arbitrary commands via the operation parameter to the /api/v2/hosts/ssh/operate endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2025-56405
Publication date:
10/09/2025
An issue was discovered in litmusautomation litmus-mcp-server thru 0.0.1 allowing unauthorized attackers to control the target&amp;#39;s MCP service through the SSE protocol.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2025-56404
Publication date:
10/09/2025
An issue was discovered in MariaDB MCP 0.1.0 allowing attackers to gain sensitive information via the SSE service as the SSE service lacks user validation.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2025-10231
Publication date:
10/09/2025
An Incorrect File Handling Permission bug exists on the N-central Windows Agent and Probe that, in the right circumstances, can allow a local low-level user to run commands with elevated permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2025

CVE-2025-7718
Publication date:
10/09/2025
The Resideo Plugin for Resideo - Real Estate WordPress Theme plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.5.4. This is due to the plugin not properly validating a user&amp;#39;s identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user&amp;#39;s email addresses, including administrators, and leverage that to reset the user&amp;#39;s password and gain access to their account.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2025

CVE-2025-10223
Publication date:
10/09/2025
Insufficient Session Expiration (CWE-613) in the Web Admin Panel in AxxonSoft Axxon One prior to 2.0.3 on Windows allows a local or remote authenticated attacker to retain access with removed privileges via continued use of an unexpired session token until natural expiration.
Severity CVSS v4.0: MEDIUM
Last modification:
11/09/2025
Subscribe to Vulnerabilities