Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-62846

Publication date:
20/03/2026
An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands.
We have already fixed the vulnerability in the following version:
QuRouter 2.6.2.007 and later
Severity CVSS v4.0: HIGH
Last modification:
20/03/2026

CVE-2026-22895

Publication date:
20/03/2026
A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
We have already fixed the vulnerability in the following versions:
QuFTP Service 1.4.3 and later
QuFTP Service 1.5.2 and later
QuFTP Service 1.6.2 and later
Severity CVSS v4.0: LOW
Last modification:
20/03/2026

CVE-2025-59383

Publication date:
20/03/2026
A buffer overflow vulnerability has been reported to affect Media Streaming Add-On. The remote attackers can then exploit the vulnerability to modify memory or crash processes.
We have already fixed the vulnerability in the following version:
Media Streaming Add-on 500.1.1 and later
Severity CVSS v4.0: LOW
Last modification:
20/03/2026

CVE-2025-62843

Publication date:
20/03/2026
An improper restriction of communication channel to intended endpoints vulnerability has been reported to affect QHora. If an attacker gains physical access, they can then exploit the vulnerability to gain the privileges that were intended for the original endpoint.
We have already fixed the vulnerability in the following version:
QuRouter 2.6.3.009 and later
Severity CVSS v4.0: LOW
Last modification:
20/03/2026

CVE-2025-62844

Publication date:
20/03/2026
A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information.
We have already fixed the vulnerability in the following version:
QuRouter 2.6.2.007 and later
Severity CVSS v4.0: MEDIUM
Last modification:
20/03/2026

CVE-2025-62845

Publication date:
20/03/2026
An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior.
We have already fixed the vulnerability in the following version:
QuRouter 2.6.3.009 and later
Severity CVSS v4.0: MEDIUM
Last modification:
20/03/2026

CVE-2025-15608

Publication date:
20/03/2026
This vulnerability in AX53 v1 results from insufficient input sanitization in the device’s probe handling logic, where unvalidated parameters can trigger a stack-based buffer overflow that causes the affected service to crash and, under specific conditions, may enable remote code execution through complex heap-spray techniques.
Successful exploitation may result in repeated service unavailability and, in certain scenarios, allow an attacker to gain control of the device.
Severity CVSS v4.0: HIGH
Last modification:
20/03/2026

CVE-2025-15607

Publication date:
20/03/2026
A command injection vulnerability on AX53 v1 occurs in mscd debug functionality due to insufficient input handling, allowing log redirection to arbitrary files and concatenation of unvalidated file content into shell commands, enabling authenticated attackers to inject and execute arbitrary commands. Successful exploitation may allow execution of malicious commands and ultimately full control of the device.
Severity CVSS v4.0: HIGH
Last modification:
20/03/2026

CVE-2026-4488

Publication date:
20/03/2026
A vulnerability was identified in UTT HiPER 1250GW up to 3.2.7-210907-180535. Affected is the function strcpy of the file /goform/setSysAdm. Such manipulation of the argument GroupName leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
Severity CVSS v4.0: HIGH
Last modification:
20/03/2026

CVE-2026-4489

Publication date:
20/03/2026
A vulnerability was detected in Tenda A18 Pro 02.03.02.28. This vulnerability affects the function form_fast_setting_wifi_set of the file /goform/fast_setting_wifi_set. The manipulation results in stack-based buffer overflow. The attack may be launched remotely. The exploit is now public and may be used.
Severity CVSS v4.0: HIGH
Last modification:
20/03/2026

CVE-2026-32986

Publication date:
20/03/2026
Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category that are reflected into Atom fields like and , which execute as JavaScript when feed readers or CMS aggregators consume the feed and insert content into the DOM using unsafe methods.
Severity CVSS v4.0: MEDIUM
Last modification:
20/03/2026

CVE-2026-32989

Publication date:
20/03/2026
Precurio Intranet Portal 4.4 contains a cross-site request forgery vulnerability that allows attackers to induce authenticated users to submit crafted requests to a profile update endpoint handling file uploads. Attackers can exploit this to upload executable files to web-accessible locations, leading to arbitrary code execution in the context of the web server.
Severity CVSS v4.0: HIGH
Last modification:
20/03/2026