Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-36954
Publication date:
26/01/2026
Xeroneit Library Management System 3.1 contains a stored cross-site scripting vulnerability in the Book Category feature that allows administrators to inject malicious scripts. Attackers can insert a payload in the Category Name field to execute arbitrary JavaScript code when the page is loaded.
Severity CVSS v4.0: MEDIUM
Last modification:
27/01/2026

CVE-2025-67274
Publication date:
26/01/2026
An issue in continuous.software aangine v.2025.2 allows a remote attacker to obtain sensitive information via the excel-integration-service template download module, integration-persistence-service job listing module, portfolio-item-service data retrieval module endpoints
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2025-70982
Publication date:
26/01/2026
Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2025-50537
Publication date:
26/01/2026
Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2020-36952
Publication date:
26/01/2026
IObit Uninstaller 10 Pro contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path in the IObit Uninstaller Service to insert malicious code that would execute with SYSTEM-level permissions during service startup.
Severity CVSS v4.0: HIGH
Last modification:
27/01/2026

CVE-2026-1284
Publication date:
26/01/2026
An Out-Of-Bounds Write vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS 2025 through Release SOLIDWORKS 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2026-1283
Publication date:
26/01/2026
A Heap-based Buffer Overflow vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS 2025 through Release SOLIDWORKS 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2016-15057
Publication date:
26/01/2026
** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command (&amp;#39;Command Injection&amp;#39;) vulnerability in Apache Continuum.<br /> <br /> This issue affects Apache Continuum: all versions.<br /> <br /> Attackers with access to the installations REST API can use this to invoke arbitrary commands on the server.<br /> <br /> As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.<br /> <br /> NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2026-24656
Publication date:
26/01/2026
Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter.<br /> <br /> <br /> The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed.<br /> It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS.<br /> <br /> <br /> NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue.<br /> <br /> This issue affects Apache Karaf Decanter before 2.12.0.<br /> <br /> Users are recommended to upgrade to version 2.12.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2025-59103
Publication date:
26/01/2026
The Access Manager 92xx in hardware revision K7 is based on Linux instead of Windows CE embedded in older hardware revisions. In this new hardware revision it was noticed that an SSH service is exposed on port 22. By analyzing the firmware of the devices, it was noticed that there are two users with hardcoded and weak passwords that can be used to access the devices via SSH. The passwords can be also guessed very easily. The password of at least one user is set to a random value after the first deployment, with the restriction that the password is only randomized if the configured date is prior to 2022. Therefore, under certain circumstances, the passwords are not randomized. For example, if the clock is never set on the device, the battery of the clock module has been changed, the Access Manager has been factory reset and has not received a time yet.
Severity CVSS v4.0: CRITICAL
Last modification:
26/01/2026

CVE-2025-59104
Publication date:
26/01/2026
With physical access to the device and enough time an attacker is able to solder test leads to the debug footprint (or use the 6-Pin tag-connect cable). Thus, the attacker gains access to the bootloader, where the kernel command line can be changed. An attacker is able to gain a root shell through this vulnerability.
Severity CVSS v4.0: HIGH
Last modification:
26/01/2026

CVE-2025-59105
Publication date:
26/01/2026
With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption. Thus, essential files, such as "/etc/passwd", as well as stored certificates, cryptographic keys, stored PINs and so on can be modified and read, in order to gain SSH root access on the Linux-based K7 model. On the Windows CE based K5 model, the password for the Access Manager can additionally be read in plain text from the stored SQLite database.
Severity CVSS v4.0: HIGH
Last modification:
26/01/2026
Subscribe to Vulnerabilities