Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-8110

Publication date:
10/12/2025
Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
Severity CVSS v4.0: HIGH
Last modification:
20/01/2026

CVE-2025-13184

Publication date:
10/12/2025
Unauthenticated Telnet enablement via cstecgi.cgi (auth bypass) leading to unauthenticated root login with a blank password on factory/reset X5000R V9.1.0u.6369_B20230113 (arbitrary command execution). Earlier versions that share the same implementation may also be affected.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2024-2105

Publication date:
10/12/2025
An unauthorised attacker within Bluetooth range may use an improper validation during the BLE connection request to deadlock the affected devices.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2025

CVE-2024-2104

Publication date:
10/12/2025
Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service, which could render the device unusable.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2025

CVE-2025-41358

Publication date:
10/12/2025
Direct Object Reference Vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'.
Severity CVSS v4.0: HIGH
Last modification:
12/12/2025

CVE-2025-13953

Publication date:
10/12/2025
Bypass vulnerability in the authentication method in the GTT Tax Information System application, related to the Active Directory (LDAP) login method. Authentication is performed through a local WebSocket, but the web application does not properly validate the authenticity or origin of the data received, allowing an attacker with access to the local machine or internal network to impersonate the legitimate WebSocket and inject manipulated information. Exploiting this vulnerability could allow an attacker to authenticate as any user in the domain, without the need for valid credentials, compromising the confidentiality, integrity, and availability of the application and its data.
Severity CVSS v4.0: CRITICAL
Last modification:
12/12/2025

CVE-2025-41732

Publication date:
10/12/2025
An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_cookie() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-41730

Publication date:
10/12/2025
An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_account() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-7073

Publication date:
10/12/2025
A local privilege escalation vulnerability in Bitdefender Total Security 27.0.46.231 allows low-privileged attackers to elevate privileges. The issue arises from bdservicehost.exe deleting files from a user-writable directory (C:\ProgramData\Atc\Feedback) without proper symbolic link validation, enabling arbitrary file deletion. This issue is chained with a file copy operation during network events and a filter driver bypass via DLL injection to achieve arbitrary file copy and code execution as elevated user.
Severity CVSS v4.0: HIGH
Last modification:
12/01/2026

CVE-2025-66675

Publication date:
10/12/2025
Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. It's related to https://cve.org/CVERecord?id=CVE-2025-64775 - this CVE addresses missing affected version 6.7.4
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025

CVE-2025-14390

Publication date:
10/12/2025
The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2025

CVE-2025-66004

Publication date:
10/12/2025
A Path Traversal vulnerability in usbmuxd allows local users to escalate to the service user. This issue affects usbmuxd: before 3ded00c9985a5108cfc7591a309f9a23d57a8cba.
Severity CVSS v4.0: MEDIUM
Last modification:
22/12/2025