Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-2540
Publication date:
15/02/2026
The Micca KE700 system contains flawed resynchronization logic and is vulnerable to replay attacks. This attack requires sending two previously captured codes in a specific sequence. As a result, the system can be forced to accept previously used (stale) rolling codes and execute a command. Successful exploitation allows an attacker to clone the alarm key. This grants the attacker unauthorized access to the vehicle to unlock or lock the doors.
Severity CVSS v4.0: HIGH
Last modification:
15/02/2026

CVE-2026-2541
Publication date:
15/02/2026
The Micca KE700 system relies on a 6-bit portion of an identifier for authentication within rolling codes, providing only 64 possible combinations. This low entropy allows an attacker to perform a brute-force attack against one component of the rolling code. Successful exploitation simplify an attacker to predict the next valid rolling code, granting unauthorized access to the vehicle.
Severity CVSS v4.0: MEDIUM
Last modification:
15/02/2026

CVE-2025-32060
Publication date:
15/02/2026
The system suffers from the absence of a kernel module signature verification. If an attacker can execute commands on behalf of root user (due to additional vulnerabilities), then he/she is also able to load custom kernel modules to the kernel space and execute code in the kernel context. Such a flaw can lead to taking control over the entire system.<br /> <br /> <br /> <br /> First identified on Nissan Leaf ZE1 manufactured in 2020.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2026

CVE-2025-32061
Publication date:
15/02/2026
The specific flaw exists within the Bluetooth stack developed by Alps Alpine of the Infotainment ECU manufactured by Bosch. The issue results from the lack of proper boundary validation of user-supplied data, which can result in a stack-based buffer overflow when receiving a specific packet on the established upper layer L2CAP channel. An attacker can leverage this vulnerability to obtain remote code execution on the Infotainment ECU with root privileges.<br /> <br /> <br /> <br /> First identified on Nissan Leaf ZE1 manufactured in 2020.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2026

CVE-2025-32062
Publication date:
15/02/2026
The specific flaw exists within the Bluetooth stack developed by Alps Alpine of the Infotainment ECU manufactured by Bosch. The issue results from the lack of proper boundary validation of user-supplied data, which can result in a stack-based buffer overflow when receiving a specific packet on the established upper layer L2CAP channel. An attacker can leverage this vulnerability to obtain remote code execution on the Infotainment ECU with root privileges.<br /> <br /> <br /> <br /> First identified on Nissan Leaf ZE1 manufactured in 2020.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2026

CVE-2025-32063
Publication date:
15/02/2026
There is a misconfiguration vulnerability inside the Infotainment ECU manufactured by BOSCH. The vulnerability happens during the startup phase of a specific systemd service, and as a result, the following developer features will be activated: the disabled firewall and the launched SSH server.<br /> <br /> <br /> <br /> First identified on Nissan Leaf ZE1 manufactured in 2020.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2026

CVE-2026-2539
Publication date:
15/02/2026
The RF communication protocol in the Micca KE700 car alarm system does not encrypt its data frames. An attacker with a radio interception tool (e.g., SDR) can capture the random number and counters transmitted in cleartext, which is sensitive information required for authentication.
Severity CVSS v4.0: MEDIUM
Last modification:
15/02/2026

CVE-2025-32059
Publication date:
15/02/2026
The specific flaw exists within the Bluetooth stack developed by Alps Alpine of the Infotainment ECU manufactured by Bosch. The issue results from the lack of proper boundary validation of user-supplied data, which can result in a stack-based buffer overflow when receiving a specific packet on the established upper layer L2CAP channel. An attacker can leverage this vulnerability to obtain remote code execution on the Infotainment ECU with root privileges.<br /> <br /> <br /> <br /> First identified on Nissan Leaf ZE1 manufactured in 2020.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2026

CVE-2025-32058
Publication date:
15/02/2026
The Infotainment ECU manufactured by Bosch uses a RH850 module for CAN communication. RH850 is connected to infotainment over the INC interface through a custom protocol. There is a vulnerability during processing requests of this protocol on the V850 side which allows an attacker with code execution on the infotainment main SoC to perform code execution on the RH850 module and subsequently send arbitrary CAN messages over the connected CAN bus.<br /> <br /> <br /> <br /> First identified on Nissan Leaf ZE1 manufactured in 2020.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2026

CVE-2026-1750
Publication date:
15/02/2026
The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the &amp;#39;save_custom_user_profile_fields&amp;#39; function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the &amp;#39;ec_store_admin_access&amp;#39; parameter during a profile update and gain store manager access to the site.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2026

CVE-2026-1793
Publication date:
15/02/2026
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 8.3.17 via the SVG widget and a lack of sufficient file validation in the &amp;#39;render_svg&amp;#39; function. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2026

CVE-2026-1490
Publication date:
15/02/2026
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the &amp;#39;checkWithoutToken&amp;#39; function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2026
Subscribe to Vulnerabilities