Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-41727
Publication date:
27/01/2026
A local low privileged attacker can bypass the authentication of the Device Manager user interface, allowing them to perform privileged operations and gain administrator access.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2025-41728
Publication date:
27/01/2026
A low privileged remote attacker may be able to disclose confidential information from the memory of a privileged process by sending specially crafted calls to the Device Manager web service that cause an out-of-bounds read operation under certain circumstances due to ASLR and thereby potentially copy confidential information into a response.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2025-12386
Publication date:
27/01/2026
Pix-Link LV-WR21Q does not enforce any form of authentication for endpoint /goform/getHomePageInfo. Remote unauthenticated attacker is able to use this endpoint to e.g: retrieve cleartext password to the access point.<br /> <br /> The vendor was notified early about this vulnerability, but didn&amp;#39;t respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity CVSS v4.0: MEDIUM
Last modification:
27/01/2026

CVE-2026-24830
Publication date:
27/01/2026
Integer Overflow or Wraparound vulnerability in Ralim IronOS.This issue affects IronOS: before v2.23-rc2.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2026-24346
Publication date:
27/01/2026
Use of well-known default credentials in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to access protected areas in the web application
Severity CVSS v4.0: HIGH
Last modification:
27/01/2026

CVE-2026-24347
Publication date:
27/01/2026
Improper input validation in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to manipulate files in the /tmp directory
Severity CVSS v4.0: MEDIUM
Last modification:
27/01/2026

CVE-2026-24348
Publication date:
27/01/2026
Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users.
Severity CVSS v4.0: HIGH
Last modification:
27/01/2026

CVE-2026-24826
Publication date:
27/01/2026
Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d.This issue affects .
Severity CVSS v4.0: CRITICAL
Last modification:
27/01/2026

CVE-2026-24827
Publication date:
27/01/2026
Out-of-bounds Write vulnerability in gerstrong Commander-Genius.This issue affects Commander-Genius: before Release refs/pull/358/merge.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2026-24828
Publication date:
27/01/2026
Missing Release of Memory after Effective Lifetime vulnerability in Is-Daouda is-Engine.This issue affects is-Engine: before 3.3.4.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2026-24829
Publication date:
27/01/2026
Out-of-bounds Write, Heap-based Buffer Overflow vulnerability in Is-Daouda is-Engine.This issue affects is-Engine: before 3.3.4.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2026-1467
Publication date:
27/01/2026
A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026
Subscribe to Vulnerabilities