Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-9521
Publication date:
26/01/2026
Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to weakened account security.
Severity CVSS v4.0: LOW
Last modification:
27/01/2026

CVE-2025-14969
Publication date:
26/01/2026
A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action may lead to leaking connections from the database connection pool, potentially causing a Denial of Service (DoS) by exhausting available database connections.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2026

CVE-2025-11687
Publication date:
26/01/2026
A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS).
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2025-14459
Publication date:
26/01/2026
A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2025-11065
Publication date:
26/01/2026
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2026

CVE-2025-70368
Publication date:
26/01/2026
Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2025-14756
Publication date:
26/01/2026
Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console, possibly leading to service disruption or full compromise.
Severity CVSS v4.0: HIGH
Last modification:
27/01/2026

CVE-2026-24440
Publication date:
26/01/2026
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) allow account passwords to be changed through the maintenance interface without requiring verification of the existing password. This enables unauthorized password changes when access to the affected endpoint is obtained.
Severity CVSS v4.0: HIGH
Last modification:
28/01/2026

CVE-2026-24437
Publication date:
26/01/2026
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally, exposing them to subsequent unauthorized access.
Severity CVSS v4.0: MEDIUM
Last modification:
28/01/2026

CVE-2026-24436
Publication date:
26/01/2026
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform unrestricted brute-force attempts against administrative credentials.
Severity CVSS v4.0: CRITICAL
Last modification:
28/01/2026

CVE-2026-24439
Publication date:
26/01/2026
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable script.
Severity CVSS v4.0: LOW
Last modification:
28/01/2026

CVE-2026-24435
Publication date:
26/01/2026
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: * in combination with Access-Control-Allow-Credentials: true, allowing attacker-controlled origins to issue credentialed cross-origin requests.
Severity CVSS v4.0: HIGH
Last modification:
02/02/2026
Subscribe to Vulnerabilities