Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-2450
Publication date:
18/03/2025
NI Vision Builder AI VBAI File Processing Missing Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NI Vision Builder AI. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.<br /> <br /> The specific flaw exists within the processing of VBAI files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22833.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-25500
Publication date:
18/03/2025
An issue in CosmWasm prior to v2.2.0 allows attackers to bypass capability restrictions in blockchains by exploiting a lack of runtime capability validation. This allows attackers to deploy a contract without capability enforcement, and execute unauthorized actions on the blockchain.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2025

CVE-2024-8997
Publication date:
18/03/2025
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in Vestel EVC04 Configuration Interface allows SQL Injection.This issue affects EVC04 Configuration Interface: before V3.187, V4.53.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2025

CVE-2024-21760
Publication date:
18/03/2025
An improper control of generation of code (&amp;#39;Code Injection&amp;#39;) vulnerability [CWE-94] in FortiSOAR Connector FortiSOAR 7.4 all versions, 7.3 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated attacker to execute arbitrary code on the host via a playbook code snippet.
Severity CVSS v4.0: Pending analysis
Last modification:
24/07/2025

CVE-2023-47539
Publication date:
18/03/2025
An improper access control vulnerability in FortiMail version 7.4.0 configured with RADIUS authentication and remote_wildcard enabled may allow a remote unauthenticated attacker to bypass admin login via a crafted HTTP request.
Severity CVSS v4.0: Pending analysis
Last modification:
24/07/2025

CVE-2025-2494
Publication date:
18/03/2025
Unrestricted file upload to Softdial Contact Center of Sytel Ltd. This vulnerability could allow an attacker to upload files to the server via the ‘/softdial/phpconsole/upload.php’ endpoint, which is protected by basic HTTP authentication. The files are uploaded to a directory exposed by the web application, which could result in code execution, giving the attacker full control over the server.
Severity CVSS v4.0: HIGH
Last modification:
21/10/2025

CVE-2025-2495
Publication date:
18/03/2025
Stored Cross-Site Scripting (XSS) in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to upload XML files to the server with JavaScript code injected via the ‘/softdial/scheduler/save.php’ resource. The injected code will execute when the uploaded file is loaded via the ‘/softdial/scheduler/load.php’ resource and can redirect the victim to malicious sites or steal their login information to spoof their identity.
Severity CVSS v4.0: MEDIUM
Last modification:
21/10/2025

CVE-2025-2489
Publication date:
18/03/2025
Insecure information storage vulnerability in NTFS Tools version 3.5.1. Exploitation of this vulnerability could allow an attacker to know the application password, stored in /Users/user/Library/Application Support/ntfs-tool/config.json.
Severity CVSS v4.0: MEDIUM
Last modification:
18/03/2025

CVE-2025-2493
Publication date:
18/03/2025
Path Traversal vulnerability in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to manipulate the ‘id’ parameter of the ‘/softdial/scheduler/load.php’ endpoint to navigate beyond the intended directory. This can allow unauthorised access to sensitive files outside the expected scope, posing a security risk.
Severity CVSS v4.0: HIGH
Last modification:
21/10/2025

CVE-2024-23943
Publication date:
18/03/2025
An unauthenticated remote attacker can gain access to the cloud API due to a lack of authentication for a critical function in the affected devices. Availability is not affected.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2025

CVE-2024-41975
Publication date:
18/03/2025
An unauthenticated remote attacker can gain limited information of the PLC network but the user management of the PLCs prevents the actual access to the PLCs.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2025

CVE-2025-0694
Publication date:
18/03/2025
Insufficient path validation in CODESYS Control allows low privileged attackers with physical access to gain full filesystem access.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2025
Subscribe to Vulnerabilities