Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-64307
Publication date:
15/11/2025
The Brightpick Internal Logic Control web interface is accessible <br /> without requiring user authentication. An unauthorized user could <br /> exploit this interface to manipulate robot control functions, including <br /> initiating or halting runners, assigning jobs, clearing stations, and <br /> deploying storage totes.
Severity CVSS v4.0: HIGH
Last modification:
15/11/2025

CVE-2025-64308
Publication date:
15/11/2025
The Brightpick Mission Control web application exposes hardcoded credentials in its client-side JavaScript bundle.
Severity CVSS v4.0: HIGH
Last modification:
15/11/2025

CVE-2025-55034
Publication date:
15/11/2025
General Industrial Controls Lynx+ Gateway is vulnerable to a weak password requirement vulnerability, which may <br /> allow an attacker to execute a brute-force attack resulting in <br /> unauthorized access and login.
Severity CVSS v4.0: HIGH
Last modification:
15/11/2025

CVE-2025-1256
Publication date:
14/11/2025
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
14/11/2025

CVE-2021-4470
Publication date:
14/11/2025
TG8 Firewall contains a pre-authentication remote code execution vulnerability in the runphpcmd.php endpoint. The syscmd POST parameter is passed directly to a system command without validation and executed with root privileges. A remote, unauthenticated attacker can supply crafted values to execute arbitrary operating system commands as root, resulting in full device compromise.
Severity CVSS v4.0: CRITICAL
Last modification:
14/11/2025

CVE-2021-4471
Publication date:
14/11/2025
TG8 Firewall exposes a directory such as /data/ over HTTP without authentication. This directory stores credential files for previously logged-in users. A remote unauthenticated attacker can enumerate and download files within the directory to obtain valid account usernames and passwords, leading to loss of confidentiality and further unauthorized access.
Severity CVSS v4.0: HIGH
Last modification:
14/11/2025

CVE-2022-4985
Publication date:
14/11/2025
Vodafone H500s devices running firmware v3.5.10 (hardware model Sercomm VFH500) expose the WiFi access point password via an unauthenticated HTTP endpoint. By sending a crafted GET request to /data/activation.json with specific headers and cookies, a remote attacker can retrieve a JSON document that contains the wifi_password field. This allows an unauthenticated attacker to obtain the WiFi credentials and gain unauthorized access to the wireless network, compromising confidentiality of network traffic and attached systems.
Severity CVSS v4.0: HIGH
Last modification:
14/11/2025

CVE-2023-7328
Publication date:
14/11/2025
Screen SFT DAB 600/C firmware versions up to and including 1.9.3 contain an improper access control on the user management API allows unauthenticated requests to retrieve structured user data, including account names and connection metadata such as client IP and timeout values.
Severity CVSS v4.0: MEDIUM
Last modification:
14/11/2025

CVE-2025-13188
Publication date:
14/11/2025
A vulnerability was detected in D-Link DIR-816L 2_06_b09_beta. Affected by this vulnerability is the function authenticationcgi_main of the file /authentication.cgi. Performing manipulation of the argument Password results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: HIGH
Last modification:
14/11/2025

CVE-2021-4465
Publication date:
14/11/2025
ReQuest Serious Play F3 Media Server versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 contain a remote denial-of-service vulnerability. The device can be shut down or rebooted by an unauthenticated attacker through a single crafted HTTP GET request, allowing remote interruption of service availability.
Severity CVSS v4.0: HIGH
Last modification:
14/11/2025

CVE-2021-4466
Publication date:
14/11/2025
IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. The email configuration component inserts user-controlled values, including the EMAIL_PW parameter, directly into system-level operations without proper input sanitation. By modifying the email password field to include shell metacharacters and issuing a save-and-test-mail action, an authenticated attacker can execute arbitrary operating system commands with the privileges of the web interface, resulting in full system compromise.
Severity CVSS v4.0: HIGH
Last modification:
14/11/2025

CVE-2021-4467
Publication date:
14/11/2025
Positive Technologies MaxPatrol 8 and XSpider contain a remote denial-of-service vulnerability in the client communication service on TCP port 2002. The service generates a new session identifier for each incoming connection without adequately limiting concurrent requests. An unauthenticated remote attacker can repeatedly issue HTTPS requests to the service, causing excessive allocation of session identifiers. Under load, session identifier collisions may occur, forcing active client sessions to disconnect and resulting in service disruption.
Severity CVSS v4.0: HIGH
Last modification:
14/11/2025
Subscribe to Vulnerabilities