Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-11549

Publication date:
09/10/2025
A vulnerability has been found in Tenda W12 3.0.0.6(3948). The affected element is the function wifiMacFilterSet of the file /goform/modules of the component HTTP Request Handler. Manipulation of the argument mac leads to a stack-based buffer overflow. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: HIGH
Last modification:
18/10/2025

CVE-2025-11371

Publication date:
09/10/2025
In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild.
This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2017-20203

Publication date:
09/10/2025
NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. The dormant library contacts a C2 DNS server via a specially crafted TXT record for a month‑generated domain. After receiving a decryption key, it then downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) in the registry, and grants the attacker full remote code execution, data exfiltration, and persistence. NetSarang released builds for each product line that remediated the compromise: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224. Kaspersky Lab identified an instance of exploitation in the wild in August 2017.
Severity CVSS v4.0: CRITICAL
Last modification:
14/10/2025

CVE-2025-61577

Publication date:
09/10/2025
D-Link DIR-816A2_FWv1.10CNB05 was discovered to contain a stack overflow via the statuscheckpppoeuser parameter in the dir_setWanWifi function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2025

CVE-2025-61532

Publication date:
09/10/2025
Cross Site Scripting vulnerability in SVX Portal v.2.7A allows an attacker to execute arbitrary code via the TG parameter in the last_heard_page.php component.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-60302

Publication date:
09/10/2025
code-projects Client Details System 1.0 is vulnerable to Cross Site Scripting (XSS). When adding customer information, the client details system fills in malicious JavaScript code in the username field.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2025

CVE-2025-60265

Publication date:
09/10/2025
In xckk v9.6, the orderBy parameter in user/list is not securely filtered, resulting in a SQL injection vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2025

CVE-2025-59975

Publication date:
09/10/2025
An Uncontrolled Resource Consumption vulnerability in the HTTP daemon (httpd) of Juniper Networks Junos Space allows an unauthenticated network-based attacker flooding the device with inbound API calls to consume all resources on the system, leading to a Denial of Service (DoS).
After continuously flooding the system with inbound connection requests, all available file handles become consumed, blocking access to the system via SSH and the web user interface (WebUI), resulting in a management interface DoS. A manual reboot of the system is required to restore functionality.
This issue affects Junos Space:
* all versions before 22.2R1 Patch V3,
* from 23.1 before 23.1R1 Patch V3.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2025-59976

Publication date:
09/10/2025
An arbitrary file download vulnerability in the web interface of Juniper Networks Junos Space allows a network-based authenticated attacker using a crafted GET method to access any file on the file system. Using specially crafted GET methods, an attacker can gain access to files beyond the file path normally allowed by the JBoss daemon. These files could contain sensitive information restricted from access by low-privileged users.
This issue affects all versions of Junos Space before 24.1R3.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2025-59962

Publication date:
09/10/2025
An Access of Uninitialized Pointer vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved with BGP sharding configured allows an attacker triggering indirect next-hop updates, along with timing outside the attacker's control, to cause rpd to crash and restart, leading to a Denial of Service (DoS).
With BGP sharding enabled, triggering route resolution of an indirect next-hop (e.g., an IGP route change over which a BGP route gets resolved), may cause rpd to crash and restart. An attacker causing continuous IGP route churn, resulting in repeated route re-resolution, will increase the likelihood of triggering this issue, leading to a potentially extended DoS condition.
This issue affects:
Junos OS:
* all versions before 21.4R3-S6,
* from 22.1 before 22.1R3-S6,
* from 22.2 before 22.2R3-S3,
* from 22.3 before 22.3R3-S3,
* from 22.4 before 22.4R3,
* from 23.2 before 23.2R2;
Junos OS Evolved:
* all versions before 22.3R3-S3-EVO,
* from 22.4 before 22.4R3-EVO,
* from 23.2 before 23.2R2-EVO.
Versions before Junos OS 21.3R1 and Junos OS Evolved 21.3R1-EVO are unaffected by this issue.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2025-59964

Publication date:
09/10/2025
A Use of Uninitialized Resource vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX4700 devices allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).
When forwarding-options sampling is enabled, receipt of any traffic destined to the Routing Engine (RE) by the PFE line card leads to an FPC crash and restart, resulting in a Denial of Service (DoS).
Continued receipt and processing of any traffic leading to the RE by the PFE line card will create a sustained Denial of Service (DoS) condition to the PFE line card.
This issue affects Junos OS on SRX4700:
* from 24.4 before 24.4R1-S3, 24.4R2
This issue affects IPv4 and IPv6.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2025-59967

Publication date:
09/10/2025
A NULL Pointer Dereference vulnerability in the PFE management daemon (evo-pfemand) of Juniper Networks Junos OS Evolved on ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509 devices allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).
Whenever specific valid multicast traffic is received on any layer 3 interface the evo-pfemand process crashes and restarts.
Continued receipt of specific valid multicast traffic results in a sustained Denial of Service (DoS) attack.
This issue affects Junos OS Evolved on ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509:
* from 23.2R2-EVO before 23.2R2-S4-EVO,
* from 23.4R1-EVO before 23.4R2-EVO.
This issue affects IPv4 and IPv6.
This issue does not affect Junos OS Evolved ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509 versions before 23.2R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026