Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-59984
Publication date:
09/10/2025
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in Global Search that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator.This issue affects all versions of Junos Space before 24.1R4.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2025-59989
Publication date:
09/10/2025
An Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the Device Discovery page that, when visited by another user, enables the attacker to execute commands with the target&amp;#39;s permissions, including an administrator.<br /> This issue affects all versions of Junos Space before 24.1R4.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2025-59980
Publication date:
09/10/2025
An Authentication Bypass by Primary Weakness<br /> <br /> in the FTP server of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to get limited read-write access to files on the device.<br /> When the FTP server is enabled and a user named "ftp" or "anonymous" is configured, that user can login without providing the configured password and then has read-write access to their home directory.<br /> <br /> This issue affects Junos OS: <br /> <br /> <br /> <br /> * all versions before 22.4R3-S8,<br /> * 23.2 versions before 23.2R2-S3,<br /> * 23.4 versions before 23.4R2.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2025-59982
Publication date:
09/10/2025
An Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the dashboard search field that, when visited by another user, enables the attacker to execute commands with the target&amp;#39;s permissions, including an administrator.This issue affects all versions of Junos Space before 24.1R4.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2025-59981
Publication date:
09/10/2025
An Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the Device Template Definition page that, when visited by another user, enables the attacker to execute commands with the target&amp;#39;s permissions, including an administrator.This issue affects all versions of Junos Space before 24.1R4.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2025-59978
Publication date:
09/10/2025
An Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Juniper Networks Junos Space allows an attacker to store script tags directly in web pages that, when viewed by another user, enable the attacker to execute commands with the target&amp;#39;s administrative permissions.<br /> This issue affects all versions of Junos Space before 24.1R4.
Severity CVSS v4.0: CRITICAL
Last modification:
23/01/2026

CVE-2025-59983
Publication date:
09/10/2025
An Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the Template Definition page, when visited by another user, enables the attacker to execute commands with the target&amp;#39;s permissions, including an administrator.This issue affects all versions of Junos Space before 24.1R4.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2025-11549
Publication date:
09/10/2025
A vulnerability has been found in Tenda W12 3.0.0.6(3948). The affected element is the function wifiMacFilterSet of the file /goform/modules of the component HTTP Request Handler. The manipulation of the argument mac leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: HIGH
Last modification:
18/10/2025

CVE-2025-11371
Publication date:
09/10/2025
In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. <br /> <br /> This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2017-20203
Publication date:
09/10/2025
NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. The dormant library contacts a C2 DNS server via a specially crafted TXT record for a month‑generated domain. After receiving a decryption key, it then downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) in the registry, and grants the attacker full remote code execution, data exfiltration, and persistence. NetSarang released builds for each product line that remediated the compromise: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224. Kaspersky Lab identified an instance of exploitation in the wild in August 2017.
Severity CVSS v4.0: CRITICAL
Last modification:
14/10/2025

CVE-2025-61577
Publication date:
09/10/2025
D-Link DIR-816A2_FWv1.10CNB05 was discovered to contain a stack overflow via the statuscheckpppoeuser parameter in the dir_setWanWifi function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2025

CVE-2025-61532
Publication date:
09/10/2025
Cross Site Scripting vulnerability in SVX Portal v.2.7A to execute arbitrary code via the TG parameter on last_heard_page.php component
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025
Subscribe to Vulnerabilities