Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-15113
Publication date:
30/12/2025
Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.
Severity CVSS v4.0: HIGH
Last modification:
31/12/2025

CVE-2023-53983
Publication date:
30/12/2025
Anevia Flamingo XL/XS 3.6.20 contains a critical vulnerability with weak default administrative credentials that can be easily guessed. Attackers can leverage these hard-coded credentials to gain full remote system control without complex authentication mechanisms.
Severity CVSS v4.0: CRITICAL
Last modification:
31/12/2025

CVE-2023-54163
Publication date:
30/12/2025
NLB mKlik Macedonia 3.3.12 contains a SQL injection vulnerability in international transfer parameters that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through unsanitized input to potentially disclose sensitive information from the mobile banking application.
Severity CVSS v4.0: HIGH
Last modification:
31/12/2025

CVE-2023-54327
Publication date:
30/12/2025
Tinycontrol LAN Controller 1.58a contains an authentication bypass vulnerability that allows unauthenticated attackers to change admin passwords through a crafted API request. Attackers can exploit the /stm.cgi endpoint with a specially crafted authentication parameter to disable access controls and modify administrative credentials.
Severity CVSS v4.0: CRITICAL
Last modification:
31/12/2025

CVE-2024-58315
Publication date:
30/12/2025
Tosibox Key Service 3.3.0 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can exploit the service startup process by inserting malicious code in the system root path, enabling unauthorized code execution during application startup or system reboot.
Severity CVSS v4.0: HIGH
Last modification:
31/12/2025

CVE-2024-58336
Publication date:
30/12/2025
Akuvox Smart Intercom S539 contains an unauthenticated vulnerability that allows remote attackers to access live video streams by requesting the video.cgi endpoint on port 8080. Attackers can retrieve video stream data without authentication by directly accessing the specified endpoint on affected Akuvox doorphone and intercom devices.
Severity CVSS v4.0: HIGH
Last modification:
31/12/2025

CVE-2022-50799
Publication date:
30/12/2025
Fetch FTP Client 5.8.2 contains a denial of service vulnerability that allows attackers to trigger 100% CPU consumption by sending long server responses. Attackers can send specially crafted FTP server responses exceeding 2K bytes to cause excessive resource utilization and potentially crash the application.
Severity CVSS v4.0: HIGH
Last modification:
31/12/2025

CVE-2022-50800
Publication date:
30/12/2025
H3C SSL VPN contains a user enumeration vulnerability that allows attackers to identify valid usernames through the 'txtUsrName' POST parameter. Attackers can submit different usernames to the login_submit.cgi endpoint and analyze response messages to distinguish between existing and non-existing accounts.
Severity CVSS v4.0: MEDIUM
Last modification:
31/12/2025

CVE-2022-50801
Publication date:
30/12/2025
JM-DATA ONU JF511-TV version 1.0.67 is vulnerable to authenticated stored cross-site scripting (XSS) attacks, allowing attackers with authenticated access to inject malicious scripts that will be executed in other users' browsers when they view the affected content.
Severity CVSS v4.0: MEDIUM
Last modification:
31/12/2025

CVE-2022-50802
Publication date:
30/12/2025
ETAP Safety Manager 1.0.0.32 contains a cross-site scripting vulnerability in the 'action' GET parameter that allows unauthenticated attackers to inject malicious HTML and JavaScript. Attackers can craft specially formed requests to execute arbitrary scripts in victim browser sessions, potentially stealing credentials or performing unauthorized actions.
Severity CVSS v4.0: MEDIUM
Last modification:
31/12/2025

CVE-2022-50803
Publication date:
30/12/2025
JM-DATA ONU JF511-TV version 1.0.67 uses default credentials that allow attackers to gain unauthorized access to the device with administrative privileges.
Severity CVSS v4.0: CRITICAL
Last modification:
31/12/2025

CVE-2022-50804
Publication date:
30/12/2025
JM-DATA ONU JF511-TV version 1.0.67 is vulnerable to cross-site request forgery (CSRF) attacks, allowing attackers to perform administrative actions on behalf of authenticated users without their knowledge or consent.
Severity CVSS v4.0: MEDIUM
Last modification:
31/12/2025
Subscribe to Vulnerabilities