Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-24525
Publication date:
30/09/2025
Keysight Ixia Vision has an issue with hardcoded cryptographic material <br /> which may allow an attacker to intercept or decrypt payloads sent to the<br /> device via API calls or user authentication if the end user does not <br /> replace the TLS certificate that shipped with the device. Remediation is<br /> available in Version 6.9.1, released on September 23, 2025.
Severity CVSS v4.0: HIGH
Last modification:
02/10/2025

CVE-2022-40285
Publication date:
30/09/2025
Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2024-13967. Reason: This record is a reservation duplicate of CVE-2024-13967. Notes: All CVE users should reference CVE-2024-13967 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2025

CVE-2025-56392
Publication date:
30/09/2025
An Insecure Direct Object Reference (IDOR) in the /dashboard/notes endpoint of Syaqui Collegetivity v1.0.0 allows attackers to impersonate other users and perform arbitrary operations via a crafted POST request.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2025-36132
Publication date:
30/09/2025
IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 through 2.1.13 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2025-36262
Publication date:
30/09/2025
IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 through 2.1.13 <br /> <br /> could allow a malicious privileged user to bypass the UI to gain unauthorized access to sensitive information due to the improper validation of input.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2024-55017
Publication date:
30/09/2025
Account Takeover in Corezoid 6.6.0 in the OAuth2 implementation via an open redirect in the redirect_uri parameter allows attackers to intercept authorization codes and gain unauthorized access to victim accounts.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2025

CVE-2025-10659
Publication date:
30/09/2025
The Telenium Online Web Application is vulnerable due to a PHP endpoint accessible to unauthenticated network users that improperly handles user-supplied input. This vulnerability occurs due to the insecure termination of a regular expression check within the endpoint. Because the input is not correctly validated or sanitized, an unauthenticated attacker can inject arbitrary operating system commands through a crafted HTTP request, leading to remote code execution on the server in the context of the web application service account.
Severity CVSS v4.0: CRITICAL
Last modification:
02/10/2025

CVE-2025-56132
Publication date:
30/09/2025
LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts. Version 4.2 introduces user-based lockout mechanisms to mitigate brute-force attacks, user enumeration remains possible by default. In versions prior to 4.2, no such user-level protection is in place, only basic IP-based rate limiting is enforced. This IP-based protection can be bypassed by distributing requests across multiple IPs (e.g., rotating IP or proxies). Effectively bypassing both login and password reset security controls. Successful exploitation allows an attacker to enumerate valid email addresses registered for the application, increasing the risk of follow-up attacks such as password spraying.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2025-43827
Publication date:
30/09/2025
Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users to from one virtual instance to view the audit events from a different virtual instance via the _com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId parameter.
Severity CVSS v4.0: MEDIUM
Last modification:
15/12/2025

CVE-2025-57254
Publication date:
30/09/2025
An SQL injection vulnerability in user-login.php and index.php of Karthikg1908 Hospital Management System (HMS) 1.0 allows remote attackers to execute arbitrary SQL queries via the username and password POST parameters. The application fails to properly sanitize input before embedding it into SQL queries, leading to unauthorized access or potential data breaches. This can result in privilege escalation, account takeover, or exposure of sensitive medical data.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2025

CVE-2025-56513
Publication date:
30/09/2025
NiceHash QuickMiner 6.12.0 perform software updates over HTTP without validating digital signatures or hash checks. An attacker capable of intercepting or redirecting traffic to the update url and can hijack the update process and deliver arbitrary executables that are automatically executed, resulting in full remote code execution. This constitutes a critical supply chain attack vector.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2025-56675
Publication date:
30/09/2025
The EKEN video doorbell T6 BT60PLUS_MAIN_V1.0_GC1084_20230531 periodically sends debug logs to the EKEN cloud servers with sensitive information such as the Wi-Fi SSID and password.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2025
Subscribe to Vulnerabilities