Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-10721
Publication date:
19/09/2025
A vulnerability was determined in Webull Investing & Trading App 11.2.5.63 on Android. This vulnerability affects unknown code of the file AndroidManifest.xml. This manipulation causes improper export of android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
22/09/2025

CVE-2025-10722
Publication date:
19/09/2025
A vulnerability was detected in SKTLab Mukbee App 1.01.196 on Android. This affects an unknown function of the file AndroidManifest.xml of the component com.dw.android.mukbee. The manipulation results in improper export of android application components. The attack must be initiated from a local position. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
22/09/2025

CVE-2025-48703
Publication date:
19/09/2025
CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2025-36248
Publication date:
19/09/2025
IBM Copy Services Manager 6.3.13 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-57644
Publication date:
19/09/2025
Accela Automation Platform 22.2.3.0.230103 contains multiple vulnerabilities in the Test Script feature. An authenticated administrative user can execute arbitrary Java code on the server, resulting in remote code execution. In addition, improper input validation allows for arbitrary file write and server-side request forgery (SSRF), enabling interaction with internal or external systems. Successful exploitation can lead to full server compromise, unauthorized access to sensitive data, and further network exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2025

CVE-2025-59344
Publication date:
19/09/2025
AliasVault is a privacy-first password manager with built-in email aliasing. A server-side request forgery (SSRF) vulnerability exists in the favicon extraction feature of AliasVault API versions 0.23.0 and lower. The extractor fetches a user-supplied URL, parses the returned HTML, and follows . Although the initial URL is validated to allow only HTTP/HTTPS with default ports, the extractor automatically follows redirects and does not block requests to loopback or internal IP ranges. An authenticated, low-privileged user can exploit this behavior to coerce the backend into making HTTP(S) requests to arbitrary internal hosts and non-default ports. If the target host serves a favicon or any other valid image, the response is returned to the attacker in Base64 form. Even when no data is returned, timing and error behavior can be abused to map internal services. This vulnerability only affects self-hosted AliasVault instances that are reachable from the public internet with public user registration enabled. Private/internal deployments without public sign-ups are not directly exploitable. This issue has been fixed in AliasVault release 0.23.1.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2025

CVE-2025-59427
Publication date:
19/09/2025
The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as .env and .dev.vars. This vulnerability is fixed in 1.6.0.
Severity CVSS v4.0: LOW
Last modification:
22/09/2025

CVE-2025-57296
Publication date:
19/09/2025
Tenda AC6 router firmware 15.03.05.19 contains a command injection vulnerability in the formSetIptv function, which processes requests to the /goform/SetIPTVCfg web interface. When handling the list and vlanId parameters, the sub_ADBC0 helper function concatenates these user-supplied values into nvram set system commands using doSystemCmd, without validating or sanitizing special characters (e.g., ;, ", #). An unauthenticated or authenticated attacker can exploit this by submitting a crafted POST request, leading to arbitrary system command execution on the affected device.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2025

CVE-2025-55910
Publication date:
19/09/2025
CMSEasy v7.7.8.0 and before is vulnerable to Arbitrary file deletion in database_admin.php.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2025

CVE-2025-56869
Publication date:
19/09/2025
Directory traversal vulnerability in Sync In server thru 1.1.1 allowing authenticated attackers to gain read and write access to the system via FilesManager.saveMultipart function in backend/src/applications/files/services/files-manager.service.ts, and FilesManager.compress function in backend/src/applications/files/services/files-manager.service.ts.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2025-39861
Publication date:
19/09/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: vhci: Prevent use-after-free by removing debugfs files early<br /> <br /> Move the creation of debugfs files into a dedicated function, and ensure<br /> they are explicitly removed during vhci_release(), before associated<br /> data structures are freed.<br /> <br /> Previously, debugfs files such as "force_suspend", "force_wakeup", and<br /> others were created under hdev-&gt;debugfs but not removed in<br /> vhci_release(). Since vhci_release() frees the backing vhci_data<br /> structure, any access to these files after release would result in<br /> use-after-free errors.<br /> <br /> Although hdev-&gt;debugfs is later freed in hci_release_dev(), user can<br /> access files after vhci_data is freed but before hdev-&gt;debugfs is<br /> released.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2025-39862
Publication date:
19/09/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mt76: mt7915: fix list corruption after hardware restart<br /> <br /> Since stations are recreated from scratch, all lists that wcids are added<br /> to must be cleared before calling ieee80211_restart_hw.<br /> Set wcid-&gt;sta = 0 for each wcid entry in order to ensure that they are<br /> not added again before they are ready.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026
Subscribe to Vulnerabilities