Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-55584
Publication date:
18/08/2025
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain insecure credentials for the telnet service and root account.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2025

CVE-2025-55585
Publication date:
18/08/2025
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain an eval injection vulnerability via the eval() function.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2025

CVE-2025-55586
Publication date:
18/08/2025
TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the url parameter at /boafrm/formFilter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2025

CVE-2025-4371
Publication date:
18/08/2025
A potential vulnerability was reported in the Lenovo 510 FHD and Performance FHD web cameras that could allow an attacker with physical access to write arbitrary firmware updates to the device over a USB connection.
Severity CVSS v4.0: HIGH
Last modification:
18/08/2025

CVE-2025-32992
Publication date:
18/08/2025
Thermo Fisher Scientific ePort through 3.0.0 has Incorrect Access Control.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-53192
Publication date:
18/08/2025
** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Expression/Command Delimiters vulnerability in Apache Commons OGNL.<br /> <br /> This issue affects Apache Commons OGNL: all versions.<br /> <br /> <br /> <br /> When using the API Ognl.getValue​, the OGNL engine parses and evaluates the provided expression with powerful capabilities, including accessing and invoking related methods,<br /> etc. Although OgnlRuntime attempts to restrict certain dangerous classes and methods (such as java.lang.Runtime) through a blocklist, these restrictions are not comprehensive. <br /> Attackers may be able to bypass the restrictions by leveraging class objects that are not covered by the blocklist and potentially achieve arbitrary code execution.<br /> <br /> As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.<br /> <br /> <br /> NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-55213
Publication date:
18/08/2025
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.9.3 to v1.9.4 ( openfga-0.2.40
Severity CVSS v4.0: MEDIUM
Last modification:
14/01/2026

CVE-2025-43731
Publication date:
18/08/2025
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows an remote authenticated user to inject JavaScript in message board threads and categories.
Severity CVSS v4.0: MEDIUM
Last modification:
19/12/2025

CVE-2025-55299
Publication date:
18/08/2025
VaulTLS is a modern solution for managing mTLS (mutual TLS) certificates. Prior to 0.9.1, user accounts created through the User web UI have an empty but not NULL password set, attackers can use this to login with an empty password. This is combined with that fact, that previously disabling the password based login only effected the frontend, but still allowed login via the API. This vulnerability is fixed in 0.9.1.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-55300
Publication date:
18/08/2025
Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users. Any third party website can send requests to the terminal websocket endpoint with browser&amp;#39;s cookies, resulting in remote code execution. This vulnerability is fixed in 1.0.4-fix1.
Severity CVSS v4.0: HIGH
Last modification:
18/08/2025

CVE-2025-7693
Publication date:
18/08/2025
A security issue exists due to improper handling of malformed CIP Forward Close packets during fuzzing. The controller enters a solid red Fault LED state and becomes unresponsive. Upon power cycle, the controller will enter recoverable fault where the MS LED and Fault LED become flashing red and reports fault code 0xF015. To recover, clear the fault.
Severity CVSS v4.0: CRITICAL
Last modification:
18/08/2025

CVE-2025-55293
Publication date:
18/08/2025
Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses &amp;#39;if (p.public_key.size &gt; 0) {&amp;#39;, clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses &amp;#39;if (info-&gt;user.public_key.size &gt; 0) {&amp;#39;, and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2025
Subscribe to Vulnerabilities