Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-28236
Publication date:
18/04/2025
Nautel VX Series transmitters VX SW v6.4.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the firmware update process. This vulnerability allows attackers to execute arbitrary code via supplying a crafted update package to the /#/software/upgrades endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-28237
Publication date:
18/04/2025
An issue in WorldCast Systems ECRESO FM/DAB/TV Transmitter v1.10.1 allows authenticated attackers to escalate privileges via a crafted JSON payload.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-28238
Publication date:
18/04/2025
Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-28233
Publication date:
18/04/2025
Incorrect access control in BW Broadcast TX600 (14980), TX300 (32990) (31448), TX150, TX1000, TX30, and TX50 Hardware Version: 2, Software Version: 1.6.0, Control Version: 1.0, AIO Firmware Version: 1.7 allows attackers to access log files and extract session identifiers to execute a session hijacking attack.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-28235
Publication date:
18/04/2025
An information disclosure vulnerability in the component /socket.io/1/websocket/ of Soundcraft Ui Series Model(s) Ui12 and Ui16 Firmware v1.0.7x and v1.0.5x allows attackers to access Administrator credentials in plaintext.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-28231
Publication date:
18/04/2025
Incorrect access control in Itel Electronics IP Stream v1.7.0.6 allows unauthorized attackers to execute arbitrary commands with Administrator privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-1697
Publication date:
18/04/2025
A potential security vulnerability has been identified in the HP Touchpoint Analytics Service for certain HP PC products with versions prior to 4.2.2439. This vulnerability could potentially allow a local attacker to escalate privileges. HP is providing software updates to mitigate this potential vulnerability.
Severity CVSS v4.0: MEDIUM
Last modification:
24/02/2026

CVE-2025-28059
Publication date:
18/04/2025
An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2024-41447
Publication date:
18/04/2025
A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the author parameter under the Create/Modify article function.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2025-32389
Publication date:
18/04/2025
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Prior to version 2.1.4, NamelessMC is vulnerable to SQL injection by providing an unexpected square bracket GET parameter syntax. Square bracket GET parameter syntax refers to the structure `?param[0]=a&param[1]=b&param[2]=c` utilized by PHP, which is parsed by PHP as `$_GET['param']` being of type array. This issue has been patched in version 2.1.4.
Severity CVSS v4.0: HIGH
Last modification:
13/05/2025

CVE-2025-32442
Publication date:
18/04/2025
Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`. This was patched in v5.3.1, but the initial patch did not cover all problems. This has been fully patched in v5.3.2 and v4.29.1. A workaround involves not specifying individual content types in the schema.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-32795
Publication date:
18/04/2025
Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users are improperly granted permissions to edit APP names, descriptions and icons. This access control flaw allows non-admin users to modify app details, despite being restricted from viewing apps, which poses a security risk to the integrity of the application. This issue has been patched in version 0.6.12. A workaround for this vulnerability involves updating the access control mechanisms to enforce stricter user role permissions and implementing role-based access controls (RBAC) to ensure that only users with admin privileges can modify app details.
Severity CVSS v4.0: Pending analysis
Last modification:
19/06/2025
Subscribe to Vulnerabilities