Vulnerabilities

With the aim of informing, warning and helping professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-26412

Publication date:
11/06/2025
The SIMCom SIM7600G modem supports an undocumented AT command, which allows an attacker to execute system commands with root permission on the modem. An attacker needs either physical access or remote shell access to a device that interacts directly with the modem via AT commands.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-41661

Publication date:
11/06/2025
An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-41663

Publication date:
11/06/2025
For u-link Management API an unauthenticated remote attacker in a man-in-the-middle position can inject arbitrary commands in responses returned by WWH servers, which are then executed with elevated privileges. To get into such a position, clients would need to use insecure proxy configurations.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-5991

Publication date:
11/06/2025
There is a "Use After Free" vulnerability in Qt's QHttp2ProtocolHandler in the QtNetwork module. This only affects HTTP/2 handling, HTTP handling is not affected by this at all. This happens due to a race condition between how QHttp2Stream uploads the body of a POST request and the simultaneous handling of HTTP error responses.

This issue only affects Qt 6.9.0 and has been fixed for Qt 6.9.1.
Severity CVSS v4.0: LOW
Last modification:
15/04/2026

CVE-2025-29756

Publication date:
11/06/2025
SunGrow's back end users system iSolarCloud https://isolarcloud.com uses an MQTT service to transport data from the user's connected devices to the user's web browser.
The MQTT server however did not have sufficient restrictions in place to limit the topics that a user could subscribe to.
While the data that is transmitted through the MQTT server is encrypted and the credentials for the MQTT server are obtained through an API call, the credentials could be used to subscribe to any topic and the encryption key can be used to decrypt all messages received.
An attacker with an account on iSolarCloud.com could extract MQTT credentials and the decryption key from the browser and then use an external program to subscribe to the topic '#' and thus receive all messages from all connected devices.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2024-35295

Publication date:
11/06/2025
A vulnerability has been identified in Perfect Harmony GH180 (All versions >= V8.0
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-5395

Publication date:
11/06/2025
The WordPress Automatic Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'core.php' file in all versions up to, and including, 3.115.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-4799

Publication date:
11/06/2025
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability can be paired with CVE-2025-4798 to delete any file within the WordPress root directory.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025

CVE-2025-4798

Publication date:
11/06/2025
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.68.10. This is due to a lack of restriction on the directory an administrator can select for storing downloads. This makes it possible for authenticated attackers, with Administrator-level access and above, to download and read any file on the server, including system and configuration files.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025

CVE-2025-4666

Publication date:
11/06/2025
The Zotpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nickname’ parameter in all versions up to, and including, 7.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-49785

Publication date:
11/06/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2025

CVE-2025-49786

Publication date:
11/06/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2025