Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-1795

Publication date:
28/02/2025
During address list folding, when a separating comma ends up on a folded line and that line is to be unicode-encoded, the separator itself is also unicode-encoded. The expected behavior is that the separating comma remains a plain comma. This can result in the address header being misinterpreted by some mail servers.
Severity CVSS v4.0: LOW
Last modification:
28/02/2025

CVE-2025-25609

Publication date:
28/02/2025
TOTOlink A3002R V1.1.1-B20200824.0128 contains a buffer overflow vulnerability. The vulnerability arises from improper input validation of the static_ipv6 parameter in the formIpv6Setup interface of /bin/boa.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2025

CVE-2025-25428

Publication date:
28/02/2025
TRENDnet TEW-929DRU 1.0.0.10 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-25429

Publication date:
28/02/2025
Trendnet TEW-929DRU 1.0.0.10 contains a Stored Cross-site Scripting (XSS) vulnerability via the r_name variable inside the have_same_name function on the /addschedule.htm page.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-27408

Publication date:
28/02/2025
Manifest offers users a one-file micro back end. Prior to version 4.9.2, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. Version 4.9.2 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2025

CVE-2025-25431

Publication date:
28/02/2025
Trendnet TEW-929DRU 1.0.0.10 contains a Stored Cross-site Scripting (XSS) vulnerability via the ssid key of the wifi_data parameter on the /captive_portal.htm page.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2025-25430

Publication date:
28/02/2025
Trendnet TEW-929DRU 1.0.0.10 contains a Stored Cross-site Scripting (XSS) vulnerability via the configname parameter on the /cbi_addcert.htm page.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-24843

Publication date:
28/02/2025
Insecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data.
Severity CVSS v4.0: MEDIUM
Last modification:
28/02/2025

CVE-2025-24849

Publication date:
28/02/2025
Lack of encryption in transit for cloud infrastructure facilitating potential for sensitive data manipulation or exposure.
Severity CVSS v4.0: HIGH
Last modification:
28/02/2025

CVE-2025-20049

Publication date:
28/02/2025
The Dario Health portal service application is vulnerable to XSS, which could allow an attacker to obtain sensitive information.
Severity CVSS v4.0: HIGH
Last modification:
28/02/2025

CVE-2025-20060

Publication date:
28/02/2025
An attacker could expose cross-user personal identifiable information (PII) and personal health information transmitted to the Android device via the Dario Health application database.
Severity CVSS v4.0: HIGH
Last modification:
28/02/2025

CVE-2025-23405

Publication date:
28/02/2025
Unauthenticated log affects metrics gathering and incident response efforts and potentially exposes risk of injection attacks (e.g., log injection).
Severity CVSS v4.0: MEDIUM
Last modification:
28/02/2025