Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-10461

Publication date:
16/03/2026
Global file reads caused by improper URL checks in webserver in Softing Industrial Automation GmbH smartLinks on docker (filesystem modules) allows file access. This issue affects smartLink SW-HT: through 1.42; smartLink SW-PN: through 1.03.
Severity CVSS v4.0: MEDIUM
Last modification:
27/03/2026

CVE-2025-10685

Publication date:
16/03/2026
Heap-based buffer overflow vulnerability in Softing Industrial Automation GmbH smartLink SW-PN and smartLink SW-HT (Webserver modules) allows overflow buffers. This issue affects smartLink SW-PN: through 1.03; smartLink SW-HT: through 1.42.
Severity CVSS v4.0: HIGH
Last modification:
27/03/2026

CVE-2017-20224

Publication date:
16/03/2026
Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious content by exploiting enabled WebDAV HTTP methods. Attackers can use PUT, DELETE, MKCOL, MOVE, COPY, and PROPPATCH methods to upload executable code, delete files, or manipulate server content for remote code execution or denial of service.
Severity CVSS v4.0: CRITICAL
Last modification:
14/04/2026

CVE-2017-20223

Publication date:
16/03/2026
Telesquare SKT LTE Router SDT-CS3B1 firmware version 1.2.0 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access resources by manipulating user-supplied input parameters. Attackers can directly reference objects in the system to retrieve sensitive information and access functionalities without proper access controls.
Severity CVSS v4.0: CRITICAL
Last modification:
14/04/2026

CVE-2017-20222

Publication date:
16/03/2026
Telesquare SKT LTE Router SDT-CS3B1 software version 1.2.0 contains an unauthenticated remote reboot vulnerability that allows attackers to trigger device reboot without authentication. Attackers can send POST requests to the lte.cgi endpoint with the Command=Reboot parameter to cause denial of service by forcing the router to restart.
Severity CVSS v4.0: HIGH
Last modification:
14/04/2026

CVE-2017-20221

Publication date:
16/03/2026
Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains a cross-site request forgery vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting missing request validation. Attackers can craft malicious web pages that perform administrative actions when visited by logged-in users, enabling command execution with router privileges.
Severity CVSS v4.0: MEDIUM
Last modification:
14/04/2026

CVE-2017-20217

Publication date:
16/03/2026
Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API endpoints to retrieve potentially sensitive configuration data without authentication.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2017-20218

Publication date:
16/03/2026
Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access for the Users group allow authenticated users to replace the executable file with arbitrary binaries, enabling privilege escalation during service startup or system reboot.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2017-20219

Publication date:
16/03/2026
Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to document.write() in the mediabrowser component to execute code in a user's browser context.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2017-20220

Publication date:
16/03/2026
Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send specially crafted requests to the REST API endpoints to modify credentials without authentication.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2016-20033

Publication date:
16/03/2026
Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows authenticated users to escalate privileges by replacing executable files due to improper file permissions granting full access to the Everyone group. Attackers can replace the nssm_x64.exe binary in the manager and engine service directories with malicious executables to execute code with LocalSystem privileges when services restart.
Severity CVSS v4.0: HIGH
Last modification:
19/03/2026

CVE-2016-20034

Publication date:
16/03/2026
Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser parameters set to 'true' and 'on' to gain administrative access.
Severity CVSS v4.0: HIGH
Last modification:
19/03/2026