Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-64294
Publication date:
03/11/2025
Missing Authorization vulnerability in d3wp WP Snow Effect allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Snow Effect: from n/a through 1.1.15.
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2026

CVE-2025-40107
Publication date:
03/11/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled<br /> <br /> This issue is similar to the vulnerability in the `mcp251x` driver,<br /> which was fixed in commit 03c427147b2d ("can: mcp251x: fix resume from<br /> sleep before interface was brought up").<br /> <br /> In the `hi311x` driver, when the device resumes from sleep, the driver<br /> schedules `priv-&gt;restart_work`. However, if the network interface was<br /> not previously enabled, the `priv-&gt;wq` (workqueue) is not allocated and<br /> initialized, leading to a null pointer dereference.<br /> <br /> To fix this, we move the allocation and initialization of the workqueue<br /> from the `hi3110_open` function to the `hi3110_can_probe` function.<br /> This ensures that the workqueue is properly initialized before it is<br /> used during device resume. And added logic to destroy the workqueue<br /> in the error handling paths of `hi3110_can_probe` and in the<br /> `hi3110_can_remove` function to prevent resource leaks.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-12626
Publication date:
03/11/2025
A security flaw has been discovered in jeecgboot jeewx-boot up to 641ab52c3e1845fec39996d7794c33fb40dad1dd. This affects the function getImgUrl of the file WxActGoldeneggsPrizesController.java. Performing manipulation of the argument imgurl results in path traversal. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The root cause was initially fixed but can be evaded with additional encoding.
Severity CVSS v4.0: MEDIUM
Last modification:
04/11/2025

CVE-2025-0987
Publication date:
03/11/2025
Authorization Bypass Through User-Controlled Key vulnerability in CB Project Ltd. Co. CVLand allows Parameter Injection.This issue affects CVLand: from 2.1.0 through 20251103.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-48397
Publication date:
03/11/2025
The privileged user could log in without sufficient credentials after enabling an application protocol. This security issue has been fixed in the latest script patch latest version of of Eaton BLSS (7.3.0.SCP004).
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-48396
Publication date:
03/11/2025
Arbitrary code execution is possible due to improper validation of the file upload functionality in Eaton BLSS. This security issue has been fixed in the latest script patch latest version of of Eaton BLSS (7.3.0.SCP004).
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-12623
Publication date:
03/11/2025
A vulnerability was identified in fushengqian fuint up to 41e26be8a2c609413a0feaa69bdad33a71ae8032. Affected by this issue is some unknown functionality of the file fuint-application/src/main/java/com/fuint/module/clientApi/controller/ClientSignController.java of the component Authentication Token Handler. Such manipulation leads to authorization bypass. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitation is known to be difficult. The exploit is publicly available and might be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases.
Severity CVSS v4.0: LOW
Last modification:
04/11/2025

CVE-2025-12622
Publication date:
03/11/2025
A vulnerability was determined in Tenda AC10 16.03.10.13. Affected by this vulnerability is the function formSysRunCmd of the file /goform/SysRunCmd. This manipulation of the argument getui causes buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Severity CVSS v4.0: HIGH
Last modification:
05/11/2025

CVE-2025-12619
Publication date:
03/11/2025
A vulnerability was found in Tenda A15 15.13.07.13. Affected is the function fromSetWirelessRepeat of the file /goform/openNetworkGateway. The manipulation of the argument wpapsk_crypto2_4g results in buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used.
Severity CVSS v4.0: HIGH
Last modification:
05/11/2025

CVE-2025-12618
Publication date:
03/11/2025
A vulnerability has been found in Tenda AC8 16.03.34.06. This impacts an unknown function of the file /goform/DatabaseIniSet. The manipulation of the argument Time leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: HIGH
Last modification:
05/11/2025

CVE-2025-12503
Publication date:
03/11/2025
EasyFlow .NET and EasyFlow AiNet developed by Digiwin has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
Severity CVSS v4.0: HIGH
Last modification:
04/11/2025

CVE-2025-12617
Publication date:
03/11/2025
A flaw has been found in itsourcecode Billing System 1.0. This affects an unknown function of the file /admin/app/login_crud.php. Executing manipulation of the argument Password can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
05/11/2025
Subscribe to Vulnerabilities