Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by different criteria, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-27845

Publication date:
14/08/2025
In ESPEC North America Web Controller 3 before 3.3.4, /api/v4/auth/ with any invalid authentication request results in exposing a JWT secret. This allows for elevated permissions to the UI.
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2025

CVE-2025-27846

Publication date:
14/08/2025
In ESPEC North America Web Controller 3 before 3.3.8, an attacker with physical access can gain elevated privileges because GRUB and the BIOS are unprotected.
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2025

CVE-2025-9036

Publication date:
14/08/2025
A security issue in the runtime event system allows unauthenticated connections to receive a reusable API token. This token is broadcasted over a WebSocket and can be intercepted by any local client listening on the connection.
Severity CVSS v4.0: HIGH
Last modification:
15/08/2025

CVE-2025-7353

Publication date:
14/08/2025
A security issue exists due to the web-based debugger agent enabled on Rockwell Automation ControlLogix® Ethernet Modules. If a specific IP address is used to connect to the WDB agent, it can allow remote attackers to perform memory dumps, modify memory, and control execution flow.
Severity CVSS v4.0: CRITICAL
Last modification:
15/08/2025

CVE-2025-7773

Publication date:
14/08/2025
A security issue exists within the 5032 16pt Digital Configurable module’s web server. The web server’s session number increments at an interval that correlates to the last two consecutive sign in session interval, making it predictable.
Severity CVSS v4.0: HIGH
Last modification:
15/08/2025

CVE-2025-7774

Publication date:
14/08/2025
A security issue exists within the 5032 16pt Digital Configurable module’s web server. Intercepted session credentials can be used within a 3-minute timeout window, allowing unauthorized users to perform privileged actions.
Severity CVSS v4.0: HIGH
Last modification:
15/08/2025

CVE-2025-7973

Publication date:
14/08/2025
A security issue exists in FactoryTalk ViewPoint version 14.0 or below due to improper handling of MSI repair operations. During a repair, attackers can hijack the cscript.exe console window, which runs with SYSTEM privileges. This can be exploited to spawn an elevated command prompt, enabling full privilege escalation.
Severity CVSS v4.0: HIGH
Last modification:
15/08/2025

CVE-2025-55672

Publication date:
14/08/2025
A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user.
This issue affects Apache Superset: before 5.0.0.
Users are recommended to upgrade to version 5.0.0, which fixes the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
04/11/2025

CVE-2025-55673

Publication date:
14/08/2025
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user.
This issue affects Apache Superset: before 4.1.3.
Users are recommended to upgrade to version 4.1.3, which fixes the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
04/11/2025

CVE-2025-55674

Publication date:
14/08/2025
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version.
This issue affects Apache Superset: before 5.0.0.
Users are recommended to upgrade to version 5.0.0, which fixes the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
04/11/2025

CVE-2025-55675

Publication date:
14/08/2025
Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure.
This issue affects Apache Superset: before 5.0.0.
Users are recommended to upgrade to version 5.0.0, which fixes the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
04/11/2025

CVE-2025-43984

Publication date:
14/08/2025
An issue was discovered on KuWFi GC111 devices (Hardware Version: CPE-LM321_V3.2, Software Version: GC111-GL-LM321_V3.0_20191211). They are vulnerable to unauthenticated /goform/goform_set_cmd_process requests. A crafted POST request, using the SSID parameter, allows remote attackers to execute arbitrary OS commands with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2025