Vulnerabilities

With the aim of informing, warning and helping professionals regarding the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), by virtue of a partnership agreement under which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-46581

Publication date:
14/10/2025
ZTE's ZXCDN product is affected by a Struts remote code execution (RCE) vulnerability. An unauthenticated attacker can remotely execute commands with non-root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-41699

Publication date:
14/10/2025
A low-privileged remote attacker with an account for the Web-based management can change the system configuration to perform a command injection as root, resulting in a total loss of confidentiality, availability and integrity due to improper control of generation of code ('Code Injection').
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-55078

Publication date:
14/10/2025
In Eclipse ThreadX before version 6.4.3, an attacker can cause a denial of service (crash) by providing a pointer to a reserved or unmapped memory region. Vulnerable system calls had a check of pointers, but that check wasn't verifying whether the pointer is outside the module memory region.
Severity CVSS v4.0: MEDIUM
Last modification:
21/10/2025

CVE-2025-41707

Publication date:
14/10/2025
The websocket handler is vulnerable to a denial of service condition. An unauthenticated remote attacker can send a crafted websocket message to trigger the issue without affecting the core functionality.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-41704

Publication date:
14/10/2025
An unauthenticated remote attacker can perform a DoS of the Modbus service by sending a specific function and sub-function code without affecting the core functionality.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-41705

Publication date:
14/10/2025
An unauthenticated remote attacker (MITM) can intercept the websocket messages to gain access to the login credentials for the Webfrontend.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-41706

Publication date:
14/10/2025
The webserver is vulnerable to a denial of service condition. An unauthenticated remote attacker can craft a special GET request with an over-long content-length to trigger the issue without affecting the core functionality.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-41703

Publication date:
14/10/2025
An unauthenticated remote attacker can cause a Denial of Service by turning off the output of the UPS via Modbus command.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-8594

Publication date:
14/10/2025
The Pz-LinkCard WordPress plugin before 2.5.7 does not validate a parameter before making a request to it, which could allow users with a role as low as Contributor to perform SSRF attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-11731

Publication date:
14/10/2025
A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2025-59889

Publication date:
14/10/2025
Improper authentication of library files in the Eaton IPP software installer could lead to arbitrary code execution of an attacker with the access to the software package. This security issue has been fixed in the latest version of IPP which is available on the Eaton download center.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-10732

Publication date:
14/10/2025
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve sensitive information including API keys for Google reCAPTCHA, Cloudflare Turnstile, hCaptcha, admin email addresses, and security-related form settings.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025