Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a Spanish-language database available to users interested in this information. It includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-49490

Publication date:
01/07/2025
Resource leak vulnerability in ASR180x in router allows Resource Leak Exposure. This vulnerability is associated with program files router/sms/sms.c. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
Severity CVSS v4.0: Pending analysis
Last modification:
22/12/2025

CVE-2025-49489

Publication date:
01/07/2025
Improper Resource Shutdown or Release vulnerability in ASR Falcon_Linux、Kestrel、Lapwing_Linux on Linux (con_mgr components) allows Resource Leak Exposure. This vulnerability is associated with program files con_mgr/dialer_task.C. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
Severity CVSS v4.0: Pending analysis
Last modification:
22/12/2025

CVE-2025-5072

Publication date:
01/07/2025
Resource leak vulnerability in ASR180x、ASR190x in con_mgr allows Resource Leak Exposure. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
Severity CVSS v4.0: Pending analysis
Last modification:
22/12/2025

CVE-2025-41656

Publication date:
01/07/2025
An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured by default.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-41648

Publication date:
01/07/2025
An unauthenticated remote attacker can bypass the login to the web application of the affected devices making it possible to access and change all available settings of the IndustrialPI.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-6934

Publication date:
01/07/2025
The Opal Estate Pro – Property Management and Submission plugin for WordPress, used by the FullHouse - Real Estate Responsive WordPress Theme, is vulnerable to privilege escalation via in all versions up to, and including, 1.7.5. This is due to a lack of role restriction during registration in the 'on_regiser_user' function. This makes it possible for unauthenticated attackers to arbitrarily choose the role, including the Administrator role, assigned when registering.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-6081

Publication date:
01/07/2025
Insufficiently Protected Credentials in LDAP in Konica Minolta bizhub 227 Multifunction printers version GCQ-Y3 or earlier allows an attacker to reconfigure the target device to use an external LDAP service controlled by the attacker. If an LDAP password is set on the target device, the attacker can force the target device to authenticate to the attacker-controlled LDAP service. This will allow the attacker to capture the plaintext password of the configured LDAP service.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-5967

Publication date:
01/07/2025
A stored cross-site scripting vulnerability in ENS HX 10.0.4 allows a malicious user to inject arbitrary HTML into the ENS HX Malware Scan Name field, resulting in the exposure of sensitive data.
Severity CVSS v4.0: MEDIUM
Last modification:
03/07/2025

CVE-2024-46993

Publication date:
01/07/2025
Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 28.3.2, 29.3.3, and 30.0.3, the nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. This issue has been patched in versions 28.3.2, 29.3.3, and 30.0.3. There are no workarounds for this issue.
Severity CVSS v4.0: MEDIUM
Last modification:
03/07/2025

CVE-2024-49364

Publication date:
01/07/2025
tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. a previously known valid one). This issue has been patched in version 1.1.7.
Severity CVSS v4.0: HIGH
Last modification:
03/07/2025

CVE-2024-49365

Publication date:
01/07/2025
tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifiable message can be made to pass verify(), when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in strange objects being accepted as a message, and those messages could trick verify() into returning false-positive true values. This issue has been patched in version 1.1.7.
Severity CVSS v4.0: HIGH
Last modification:
03/07/2025

CVE-2025-6939

Publication date:
01/07/2025
A vulnerability classified as critical has been found in TOTOLINK A3002RU 3.0.0-B20230809.1615. Affected is an unknown function of the file /boafrm/formWlSiteSurvey of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: HIGH
Last modification:
07/07/2025