Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-59131
Publication date:
30/12/2025
Cross-Site Request Forgery (CSRF) vulnerability in hoernerfranz WP-CalDav2ICS wp-caldav2ics allows Stored XSS.This issue affects WP-CalDav2ICS: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2025-62753
Publication date:
30/12/2025
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in MadrasThemes MAS Videos masvideos allows PHP Local File Inclusion.This issue affects MAS Videos: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2024-58337
Publication date:
30/12/2025
Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities.
Severity CVSS v4.0: HIGH
Last modification:
16/01/2026

CVE-2024-58338
Publication date:
30/12/2025
Anevia Flamingo XL 3.2.9 contains a restricted shell vulnerability that allows remote attackers to escape the sandboxed environment through the traceroute command. Attackers can exploit the traceroute command to inject shell commands and gain full root access to the device by bypassing the restricted login environment.
Severity CVSS v4.0: HIGH
Last modification:
16/01/2026

CVE-2025-15111
Publication date:
30/12/2025
Ksenia Security lares (legacy model) version 1.6 contains a default credentials vulnerability that allows unauthorized attackers to gain administrative access. Attackers can exploit the weak default administrative credentials to obtain full control of the home automation system.
Severity CVSS v4.0: CRITICAL
Last modification:
11/03/2026

CVE-2025-15112
Publication date:
30/12/2025
Ksenia Security lares (legacy model) version 1.6 contains a URL redirection vulnerability in the 'cmdOk.xml' script that allows attackers to manipulate the 'redirectPage' GET parameter. Attackers can craft malicious links that redirect authenticated users to arbitrary websites when clicking on a specially constructed link hosted on a trusted domain.
Severity CVSS v4.0: MEDIUM
Last modification:
11/03/2026

CVE-2025-15113
Publication date:
30/12/2025
Ksenia Security lares (legacy model) Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.
Severity CVSS v4.0: HIGH
Last modification:
11/03/2026

CVE-2023-53983
Publication date:
30/12/2025
Anevia Flamingo XL/XS 3.6.20 contains a critical vulnerability with weak default administrative credentials that can be easily guessed. Attackers can leverage these hard-coded credentials to gain full remote system control without complex authentication mechanisms.
Severity CVSS v4.0: CRITICAL
Last modification:
16/01/2026

CVE-2023-54163
Publication date:
30/12/2025
NLB mKlik Macedonia 3.3.12 contains a SQL injection vulnerability in international transfer parameters that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through unsanitized input to potentially disclose sensitive information from the mobile banking application.
Severity CVSS v4.0: HIGH
Last modification:
16/01/2026

CVE-2023-54327
Publication date:
30/12/2025
Tinycontrol LAN Controller 1.58a contains an authentication bypass vulnerability that allows unauthenticated attackers to change admin passwords through a crafted API request. Attackers can exploit the /stm.cgi endpoint with a specially crafted authentication parameter to disable access controls and modify administrative credentials.
Severity CVSS v4.0: CRITICAL
Last modification:
16/01/2026

CVE-2024-58315
Publication date:
30/12/2025
Tosibox Key Service 3.3.0 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can exploit the service startup process by inserting malicious code in the system root path, enabling unauthorized code execution during application startup or system reboot.
Severity CVSS v4.0: HIGH
Last modification:
16/01/2026

CVE-2024-58336
Publication date:
30/12/2025
Akuvox Smart Intercom S539 contains an unauthenticated vulnerability that allows remote attackers to access live video streams by requesting the video.cgi endpoint on port 8080. Attackers can retrieve video stream data without authentication by directly accessing the specified endpoint on affected Akuvox doorphone and intercom devices.
Severity CVSS v4.0: HIGH
Last modification:
16/01/2026
Subscribe to Vulnerabilities