Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). By virtue of a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-36546

Publication date:
07/05/2025
On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authentication, and then enabled Appliance Mode, access via SSH key-based authentication is still allowed. For an attacker to exploit this vulnerability they must obtain the root user's SSH private key. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: CRITICAL
Last modification:
21/10/2025

CVE-2025-31644

Publication date:
07/05/2025
When running in Appliance mode, a command injection vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command which may allow an authenticated attacker with administrator role privileges to execute arbitrary system commands. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
21/10/2025

CVE-2024-11953

Publication date:
07/05/2025
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025

CVE-2023-7303

Publication date:
07/05/2025
A vulnerability, which was classified as problematic, was found in q2apro q2apro-on-site-notifications up to 1.4.6. This affects the function process_request of the file q2apro-onsitenotifications-page.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.4.8 is able to address this issue. The patch is named 0ca85ca02f8aceb661e9b71fd229c45d388ea5b5. It is recommended to upgrade the affected component.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-4043

Publication date:
07/05/2025
An admin user can gain unauthorized write access to the /etc/rc.local file on the device, which is executed on a system boot.
Severity CVSS v4.0: MEDIUM
Last modification:
23/06/2025

CVE-2025-31177

Publication date:
07/05/2025
gnuplot is affected by a heap buffer overflow at function utf8_copy_one.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-3925

Publication date:
07/05/2025
BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or series 5 prior to v9.0.166 contain an execution with unnecessary privileges vulnerability, allowing for privilege escalation on the device once code execution has been obtained.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2025-45514

Publication date:
07/05/2025
Tenda FH451 V1.0.0.9 has a stack overflow vulnerability in the function frmL7ImForm.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2025-3272

Publication date:
07/05/2025
Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. The vulnerability could allow authenticated users to change their password without providing their old password. This issue affects Operations Bridge Manager: 24.2, 24.4.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-3476

Publication date:
07/05/2025
Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. The vulnerability could allow privilege escalation by authenticated users. This issue affects Operations Bridge Manager: 2023.05, 23.4, 24.2, 24.4.
Severity CVSS v4.0: CRITICAL
Last modification:
15/04/2026

CVE-2025-45388

Publication date:
07/05/2025
Wagtail CMS 6.4.1 is vulnerable to a Stored Cross-Site Scripting (XSS) in the document upload functionality. Attackers can inject malicious code inside a PDF file. When a user clicks the document in the CMS interface, the payload executes. NOTE: this is disputed by the Supplier because "It has been well documented that when serving uploaded files using a method outside of Wagtail (which admittedly is the default), it requires additional configuration from the developer, because Wagtail cannot control how these are served. ... For example, if a Wagtail instance is configured to upload files into AWS S3, Wagtail cannot control the permissions on how they're served, nor any headers used when serving them (a limitation of S3)."
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-29746

Publication date:
07/05/2025
Cross Site Scripting vulnerability in Koillection v.1.6.10 allows a remote attacker to escalate privileges via the collection, Wishlist and album components.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2025