Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-66944
Publication date:
04/03/2026
SQL Injection vulnerability in vran-dev databaseir v.1.0.7 and before allows a remote attacker to execute arbitrary code via the query parameter in the search API endpoint
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2026

CVE-2025-69969
Publication date:
04/03/2026
A lack of authentication and authorization mechanisms in the Bluetooth Low Energy (BLE) communication protocol of SRK Powertech Pvt Ltd Pebble Prism Ultra v2.9.2 allows attackers to reverse engineer the protocol and execute arbitrary commands on the device without establishing a connection. This is exploitable over Bluetooth Low Energy (BLE) proximity (Adjacent), requiring no physical contact with the device. Furthermore, the vulnerability is not limited to arbitrary commands but includes cleartext data interception and unauthenticated firmware hijacking via OTA services.
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2026

CVE-2025-15558
Publication date:
04/03/2026
Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, and allow privilege-escalation if the docker CLI is executed as a privileged user.<br /> <br /> This issue affects Docker CLI: through 29.1.5 and Windows binaries acting as a CLI-plugin manager using the github.com/docker/cli/cli-plugins/manager https://pkg.go.dev/github.com/docker/cli@v29.1.5+incompatible/cli-plugins/manager  package, such as Docker Compose.<br /> <br /> This issue does not impact non-Windows binaries, and projects not using the plugin-manager code.
Severity CVSS v4.0: HIGH
Last modification:
09/03/2026

CVE-2026-22285
Publication date:
04/03/2026
Dell Device Management Agent (DDMA), versions prior to 26.02, contain a Plaintext Storage of Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized Access.
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2026

CVE-2026-26478
Publication date:
04/03/2026
A shell command injection vulnerability in Mobvoi Tichome Mini smart speaker 012-18853 and 027-58389 allows remote attackers to send a specially crafted UDP datagram and execute arbitrary shell code as the root account.
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2026

CVE-2026-26514
Publication date:
04/03/2026
An Argument Injection vulnerability exists in bird-lg-go before commit 6187a4e. The traceroute module uses shlex.Split to parse user input without validation, allowing remote attackers to inject arbitrary flags (e.g., -w, -q) via the q parameter. This can be exploited to cause a Denial of Service (DoS) by exhausting system resources.
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2026

CVE-2026-26673
Publication date:
04/03/2026
An issue in DJI Mavic Mini, Spark, Mavic Air, Mini, Mini SE 0.1.00.0500 and below allows a remote attacker to cause a denial of service via the DJI Enhanced-WiFi transmission subsystem
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2026

CVE-2025-59784
Publication date:
04/03/2026
2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior validation or sanitisation.<br /> This vulnerability can only be exploited after authenticating with administrator privileges.
Severity CVSS v4.0: MEDIUM
Last modification:
05/03/2026

CVE-2025-59785
Publication date:
04/03/2026
Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows attacker to bypass password policy for backup file encryption.<br /> This vulnerability can only be exploited after authenticating with administrator privileges.
Severity CVSS v4.0: MEDIUM
Last modification:
05/03/2026

CVE-2025-59786
Publication date:
04/03/2026
2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application.
Severity CVSS v4.0: MEDIUM
Last modification:
05/03/2026

CVE-2025-59787
Publication date:
04/03/2026
2N Access Commander application version 3.4.2 and prior returns HTTP 500 Internal Server Error responses when receiving malformed or manipulated requests, indicating improper handling of invalid input and potential security or availability impacts.
Severity CVSS v4.0: MEDIUM
Last modification:
05/03/2026

CVE-2025-62879
Publication date:
04/03/2026
A vulnerability has been identified within the Rancher Backup Operator, resulting in the leakage of S3 tokens (both accessKey and secretKey) into the rancher-backup-operator pod&amp;#39;s logs.
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2026
Subscribe to Vulnerabilities