Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-55098

Publication date:

17/10/2025

In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_device_type_get()<br /> when parsing a descriptor of an USB audio device.

Severity CVSS v4.0: LOW

Last modification:

23/10/2025

CVE-2025-55087

Publication date:

17/10/2025

In NextX Duo&#39;s snmp addon versions before 6.4.4, a part of the Eclipse Foundation ThreadX, an attacker could cause an out-of-bound read by a crafted SNMPv3 security parameters.

Severity CVSS v4.0: MEDIUM

Last modification:

24/10/2025

CVE-2025-55092

Publication date:

17/10/2025

In Eclipse Foundation NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_option_process() when processing an IPv4 packet with the timestamp option.

Severity CVSS v4.0: MEDIUM

Last modification:

24/10/2025

CVE-2025-55093

Publication date:

17/10/2025

In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_packet_receive() when handling unicast DHCP messages that could cause corruption of 4 bytes of memory.

Severity CVSS v4.0: MEDIUM

Last modification:

24/10/2025

CVE-2025-11849

Publication date:

17/10/2025

Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth before 1.11.0; versions of the package org.zwobble.mammoth:mammoth before 1.11.0 are vulnerable to Directory Traversal due to the lack of path or file type validation when processing a docx file containing an image with an external link (r:link attribute instead of embedded r:embed). The library resolves the URI to a file path and after reading, the content is encoded as base64 and included in the HTML output as a data URI. An attacker can read arbitrary files on the system where the conversion is performed or cause an excessive resources consumption by crafting a docx file that links to special device files such as /dev/random or /dev/zero.

Severity CVSS v4.0: MEDIUM

Last modification:

15/04/2026

CVE-2025-6950

Publication date:

17/10/2025

An Use of Hard-coded Credentials vulnerability has been identified in Moxa’s network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.

Severity CVSS v4.0: CRITICAL

Last modification:

15/04/2026

CVE-2025-6949

Publication date:

17/10/2025

An Execution with Unnecessary Privileges vulnerability has been identified in Moxa’s network security appliances and routers. A critical authorization flaw in the API allows an authenticated, low-privileged user to create a new administrator account, including accounts with usernames identical to existing users. In certain scenarios, this vulnerability could allow an attacker to gain full administrative control over the affected device, leading to potential account impersonation. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.

Severity CVSS v4.0: CRITICAL

Last modification:

15/04/2026

CVE-2025-11900

Publication date:

17/10/2025

The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server.

Severity CVSS v4.0: CRITICAL

Last modification:

15/04/2026

CVE-2025-11899

Publication date:

17/10/2025

Agentflow developed by Flowring has an Use of Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information, thereby logging into the system as any user. Attacker must first obtain an user ID in order to exploit this vulnerability.

Severity CVSS v4.0: CRITICAL

Last modification:

15/04/2026

CVE-2025-11898

Publication date:

17/10/2025

Agentflow developed by Flowring has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.

Severity CVSS v4.0: HIGH

Last modification:

15/04/2026

CVE-2025-6893

Publication date:

17/10/2025

An Execution with Unnecessary Privileges vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in broken access control has been identified in the /api/v1/setting/data endpoint of the affected device. This flaw allows a low-privileged authenticated user to call the API without the required permissions, thereby gaining the ability to access or modify system configuration data. Successful exploitation may lead to privilege escalation, allowing the attacker to access or modify sensitive system settings. While the overall impact is high, there is no loss of confidentiality or integrity within any subsequent systems.

Severity CVSS v4.0: CRITICAL

Last modification:

15/04/2026

CVE-2025-6894

Publication date:

17/10/2025

An Execution with Unnecessary Privileges vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in the API authorization logic of the affected device allows an authenticated, low-privileged user to execute the administrative `ping` function, which is restricted to higher-privileged roles. This vulnerability enables the user to perform internal network reconnaissance, potentially discovering internal hosts or services that would otherwise be inaccessible. Repeated exploitation could lead to minor resource consumption. While the overall impact is limited, it may result in some loss of confidentiality and availability on the affected device. There is no impact on the integrity of the device, and the vulnerability does not affect any subsequent systems.

Severity CVSS v4.0: MEDIUM

Last modification:

15/04/2026

Subscribe to Vulnerabilities