Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-70981

Publication date:
12/02/2026
CordysCRM 1.4.1 is vulnerable to SQL Injection in the employee list query interface (/user/list) via the departmentIds parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2025-69807

Publication date:
12/02/2026
p2r3 Bareiron commit: 8e4d4020d is vulnerable to Buffer Overflow, which allows unauthenticated remote attackers to cause a denial of service via a packet sent to the server.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2025-63421

Publication date:
12/02/2026
An issue in filosoft Comerc.32 Commercial Invoicing v.16.0.0.3 allows a local attacker to execute arbitrary code via the comeinst.exe file
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2023-31323

Publication date:
12/02/2026
Type confusion in the AMD Secure Processor (ASP) could allow an attacker to pass a malformed argument to the External Global Memory Interconnect Trusted Agent (XGMI TA) leading to a memory safety violation potentially resulting in loss of confidentiality, integrity, or availability.
Severity CVSS v4.0: HIGH
Last modification:
12/02/2026

CVE-2024-36319

Publication date:
12/02/2026
Debug code left active in AMD's Video Decoder Engine Firmware (VCN FW) could allow an attacker to submit a maliciously crafted command causing the VCN FW to perform reads/writes of HW registers, potentially impacting confidentiality, integrity and availability of the system.
Severity CVSS v4.0: MEDIUM
Last modification:
12/02/2026

CVE-2023-20601

Publication date:
12/02/2026
Improper input validation within RAS TA Driver can allow a local attacker to access out-of-bounds memory, potentially resulting in a denial-of-service condition.
Severity CVSS v4.0: MEDIUM
Last modification:
12/02/2026

CVE-2025-61879

Publication date:
12/02/2026
In Infoblox NIOS through 9.0.7, a High-Privileged User Can Trigger an Arbitrary File Write via the Account Creation Mechanism.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2025-61880

Publication date:
12/02/2026
In Infoblox NIOS through 9.0.7, insecure deserialization can result in remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2025-54756

Publication date:
12/02/2026
BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or series 5 prior to v9.0.166 use a default password that is guessable with knowledge of the device information. The latest release fixes this issue for new installations; users of old installations are encouraged to change all default passwords.
Severity CVSS v4.0: HIGH
Last modification:
12/02/2026

CVE-2025-55210

Publication date:
12/02/2026
FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api (PBX API) is vulnerable to privilege escalation by authenticated users with REST/GraphQL API access. This vulnerability allows an attacker to forge a valid JWT with full access to the REST and GraphQL APIs on a FreePBX that they've already connected to, possibly as a lower privileged user. The JWT is signed using the api-oauth.key private key. An attacker can generate their own token if they possess this key (e.g., by accessing an affected instance), and specify any scopes they wish (e.g., rest, gql), bypassing traditional authorization checks. However, FreePBX enforces that the jti (JWT ID) claim must exist in the database (api_access_tokens table in the asterisk MySQL database) in order for the token to be accepted. Therefore, the attacker must know a jti value that already exists on the target instance. This vulnerability is fixed in 17.0.5 and 16.0.17.
Severity CVSS v4.0: LOW
Last modification:
12/02/2026

CVE-2026-26214

Publication date:
12/02/2026
Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disables TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpClient(), the SDK configures Apache HttpClient with SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any valid TLS certificate regardless of hostname mismatch. Because HTTPS is enabled by default in FDSClientConfiguration, all applications using the SDK with default settings are affected. This vulnerability allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses. The XiaoMi/galaxy-fds-sdk-android open source project has reached end-of-life status.
Severity CVSS v4.0: CRITICAL
Last modification:
12/02/2026

CVE-2026-26216

Publication date:
12/02/2026
Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The __import__ builtin was included in the allowed builtins, allowing unauthenticated remote attackers to import arbitrary modules and execute system commands. Successful exploitation allows full server compromise, including arbitrary command execution, file read and write access, sensitive data exfiltration, and lateral movement within internal networks.
Severity CVSS v4.0: CRITICAL
Last modification:
12/02/2026