Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are available, with different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-50468

Publication date:
08/08/2025
OpenMetadata
Severity CVSS v4.0: Pending analysis
Last modification:
11/08/2025

CVE-2025-53520

Publication date:
08/08/2025
The affected product allows firmware updates to be downloaded from EG4's website, transferred via USB dongles, or installed through EG4's Monitoring Center (remote, cloud-connected interface) or via a serial connection, and can install these files without integrity checks. The TTComp archive format used for the firmware is unencrypted and can be unpacked and altered without detection.
Severity CVSS v4.0: HIGH
Last modification:
08/08/2025

CVE-2025-46414

Publication date:
08/08/2025
The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback when the correct PIN is entered. This vulnerability was patched in a server-side update on April 6, 2025.
Severity CVSS v4.0: CRITICAL
Last modification:
08/08/2025

CVE-2025-47872

Publication date:
08/08/2025
The public-facing product registration endpoint server responds differently depending on whether the S/N is valid and unregistered, valid but already registered, or does not exist in the database. Combined with the fact that serial numbers are sequentially assigned, this allows an attacker to gain information on the product registration status of different S/Ns.
Severity CVSS v4.0: MEDIUM
Last modification:
08/08/2025

CVE-2025-50465

Publication date:
08/08/2025
OpenMetadata
Severity CVSS v4.0: Pending analysis
Last modification:
11/08/2025

CVE-2025-50466

Publication date:
08/08/2025
OpenMetadata
Severity CVSS v4.0: Pending analysis
Last modification:
11/08/2025

CVE-2025-8356

Publication date:
08/08/2025
In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized files on the server. This can lead to Remote Code Execution (RCE), allowing the attacker to run arbitrary commands on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-8731

Publication date:
08/08/2025
A vulnerability was identified in TRENDnet TI-G160i, TI-PG102i and TPL-430AP up to 20250724. This affects an unknown part of the component SSH Service. The manipulation leads to use of default credentials. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor explains: "For product TI-PG102i and TI-G160i, by default, the product's remote management options are all disabled. The root account is for troubleshooting purpose and the password is encrypted. However, we will remove the root account from the next firmware release. For product TPL-430AP, the initial setup process requires user to set the password for the management GUI. Once that was done, the default password will be invalid."
Severity CVSS v4.0: HIGH
Last modification:
13/08/2025

CVE-2025-52586

Publication date:
08/08/2025
The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This vulnerability may allow an attacker with access to a local network to intercept, manipulate, replay, or forge critical data, including read/write operations for voltage, current, and power configuration, operational status, alarms, telemetry, system reset, or inverter control commands, potentially disrupting power generation or reconfiguring inverter settings.
Severity CVSS v4.0: HIGH
Last modification:
08/09/2025

CVE-2025-8355

Publication date:
08/08/2025
In Xerox FreeFlow Core version 8.0.4, improper handling of XML input allows injection of external entities. An attacker can craft malicious XML containing references to internal URLs; this results in a Server-Side Request Forgery (SSRF).
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2025

CVE-2025-4576

Publication date:
08/08/2025
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.133, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows a remote non-authenticated attacker to inject JavaScript into the modules/apps/blogs/blogs-web/src/main/resources/META-INF/resources/blogs/entry_cover_image_caption.jsp
Severity CVSS v4.0: MEDIUM
Last modification:
15/12/2025

CVE-2025-8730

Publication date:
08/08/2025
A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to hard-coded credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: HIGH
Last modification:
08/08/2025