Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-3194
Publication date:
06/08/2025
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-6634
Publication date:
06/08/2025
A maliciously crafted TGA file, when linked or imported into Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2025

CVE-2025-6633
Publication date:
06/08/2025
A maliciously crafted RBG file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2025

CVE-2025-7768
Publication date:
06/08/2025
Tigo Energy's Cloud Connect Advanced (CCA) device contains hard-coded credentials that allow unauthorized users to gain administrative access. This vulnerability enables attackers to escalate privileges and take full control of the device, potentially modifying system settings, disrupting solar energy production, and interfering with safety mechanisms.
Severity CVSS v4.0: CRITICAL
Last modification:
15/04/2026

CVE-2025-7769
Publication date:
06/08/2025
Tigo Energy's CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to execute arbitrary commands on the device that could cause potential unauthorized access, service disruption, and data exposure.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2025-7770
Publication date:
06/08/2025
Tigo Energy's CCA device is vulnerable to insecure session ID generation in their remote API. The session IDs are generated using a predictable method based on the current timestamp, allowing attackers to recreate valid session IDs. When combined with the ability to circumvent session ID requirements for certain commands, this enables unauthorized access to sensitive device functions on connected solar optimization systems.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2025-6632
Publication date:
06/08/2025
A maliciously crafted PSD file, when linked or imported into Autodesk 3ds Max, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2025

CVE-2025-51055
Publication date:
06/08/2025
Insecure Data Storage of credentials has been found in /api_vedo/configuration/config.yml file in Vedo Suite version 2024.17. This file contains clear-text credentials, secret keys, and database information.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2025

CVE-2025-51056
Publication date:
06/08/2025
An unrestricted file upload vulnerability in Vedo Suite version 2024.17 allows remote authenticated attackers to write to arbitrary filesystem paths by exploiting the insecure 'uploadPreviews()' custom function in '/api_vedo/colorways_preview', ultimately resulting in remote code execution (RCE).
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2025

CVE-2025-51057
Publication date:
06/08/2025
A local file inclusion (LFI) vulnerability in Vedo Suite version 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'readfile()' function call in '/api_vedo/video/preview'.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2025

CVE-2025-51058
Publication date:
06/08/2025
Bottinelli Informatical Vedo Suite 2024.17 is vulnerable to Server-side Request Forgery (SSRF) in the /api_vedo/video/preview endpoint, which allows remote authenticated attackers to trigger HTTP requests towards arbitrary remote paths via the "file" URL parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2025

CVE-2025-46660
Publication date:
06/08/2025
An issue was discovered in 4C Strategies Exonaut 21.6. Passwords, stored in the database, are hashed without a salt.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025
Subscribe to Vulnerabilities