Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-24109

Publication date:
02/03/2026
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit the vulnerability by controlling the value of `picName`. When this value is used in `sprintf` without validating variable sizes, it could lead to a buffer overflow vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2026

CVE-2026-24111

Publication date:
02/03/2026
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit the vulnerability by specifying the value of `userInfo`. When `userInfo` is passed into the `addAuthUser` function and processed by `sscanf` without size validation, it could lead to buffer overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2026

CVE-2026-24113

Publication date:
02/03/2026
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit the vulnerability by controlling the value of `nptr`. When this value is passed into the `getMibPrefix` function and concatenated using `sprintf` without proper size validation, it could lead to a buffer overflow vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2026

CVE-2026-24114

Publication date:
02/03/2026
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Failure to validate `pPortMapIndex` may lead to buffer overflows when using `strcpy`.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2026

CVE-2026-24115

Publication date:
02/03/2026
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Failure to validate the sizes of `gstup` and `gstdwn` before concatenating them into `gstruleQos` may lead to buffer overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2026

CVE-2026-23600

Publication date:
02/03/2026
A remote authentication bypass vulnerability exists in HPE AutoPass License Server (APLS).
Severity CVSS v4.0: CRITICAL
Last modification:
02/03/2026

CVE-2025-58107

Publication date:
02/03/2026
In Microsoft Exchange through 2019, Exchange ActiveSync (EAS) configurations on on-premises servers may transmit sensitive data from Samsung mobile devices in cleartext, including the user's name, e-mail address, device ID, bearer token, and base64-encoded password.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2026

CVE-2025-65465

Publication date:
02/03/2026
A reflected Cross-Site Scripting (XSS) vulnerability in the RaiseError function of Skrol29 TbsZip version 2.17 and earlier allows remote attackers to execute arbitrary web script or HTML via a crafted payload in a filename parameter (e.g., to the FileRead function). This occurs because the error message is not properly sanitized before being output to the user. This vulnerability is fixed in version 2.18.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2026

CVE-2026-0995

Publication date:
02/03/2026
An issue has been identified in Arm C1-Pro before r1p2-50eac0, where, under certain conditions, a TLBI+DSB might fail to ensure the completion of memory accesses related to SME.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2026

CVE-2025-50187

Publication date:
02/03/2026
Chamilo is a learning management system. Prior to version 1.11.28, a parameter from a SOAP request is evaluated without filtering, which leads to Remote Code Execution. This issue has been patched in version 1.11.28.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2026

CVE-2025-50188

Publication date:
02/03/2026
Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of user-supplied data in the GET value parameter of the following scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting arbitrary SQL statements. This issue has been patched in version 1.11.30.
Severity CVSS v4.0: HIGH
Last modification:
03/03/2026

CVE-2025-50189

Publication date:
02/03/2026
Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of user-supplied data in the POST resource[document][SQL_INJECTION_HERE] and POST login parameters found in /main/coursecopy/copy_course_session_selected.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting arbitrary SQL statements. This issue has been patched in version 1.11.30.
Severity CVSS v4.0: HIGH
Last modification:
03/03/2026