Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-25196

Publication date:
27/02/2026
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the Wi-Fi SSID and/or password fields, which can lead to remote code execution when the configuration is processed.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2026

CVE-2026-25721

Publication date:
27/02/2026
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the server username and/or password fields of the restore action in the API V1 route.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2026

CVE-2026-3037

Publication date:
27/02/2026
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by modifying malicious input injected into the MBird SMS service URL and/or code via the utility route which is later processed during system setup, leading to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2026

CVE-2026-3274

Publication date:
27/02/2026
A security flaw has been discovered in Tenda F453 1.0.0.3. Affected by this issue is the function frmL7ProtForm of the file /goform/L7Prot of the component httpd. Performing a manipulation of the argument page results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.
Severity CVSS v4.0: HIGH
Last modification:
27/02/2026

CVE-2026-3275

Publication date:
27/02/2026
A weakness has been identified in Tenda F453 1.0.0.3. This affects the function fromAddressNat of the file /goform/addressNat of the component httpd. Executing a manipulation of the argument entrys can lead to buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.
Severity CVSS v4.0: HIGH
Last modification:
27/02/2026

CVE-2026-3281

Publication date:
27/02/2026
A vulnerability was detected in libvips 8.19.0. This affects the function vips_bandrank_build of the file libvips/conversion/bandrank.c. Performing a manipulation of the argument index results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit is now public and may be used. The patch is named fd28c5463697712cb0ab116a2c55e4f4d92c4088. It is suggested to install a patch to address this issue.
Severity CVSS v4.0: MEDIUM
Last modification:
27/02/2026

CVE-2026-24497

Publication date:
27/02/2026
Stack-based Buffer Overflow vulnerability in SimTech Systems, Inc. ThinkWise allows Remote Code Inclusion. This issue affects ThinkWise: from 7 through 23.
Severity CVSS v4.0: HIGH
Last modification:
27/02/2026

CVE-2026-24498

Publication date:
27/02/2026
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in EFM-Networks, Inc. IpTIME T5008, EFM-Networks, Inc. IpTIME AX2004M, EFM-Networks, Inc. IpTIME AX3000Q, EFM-Networks, Inc. IpTIME AX6000M allows Authentication Bypass. This issue affects ipTIME T5008: through 15.26.8; ipTIME AX2004M: through 15.26.8; ipTIME AX3000Q: through 15.26.8; ipTIME AX6000M: through 15.26.8.
Severity CVSS v4.0: MEDIUM
Last modification:
27/02/2026

CVE-2026-25037

Publication date:
27/02/2026
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by configuring a maliciously crafted LCD state which is later processed during system setup, enabling remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2026

CVE-2026-25105

Publication date:
27/02/2026
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into parameters of the Modbus command tool in the debug route.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2026

CVE-2026-20764

Publication date:
27/02/2026
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by providing malicious input via the device hostname configuration which is later processed during system setup, resulting in remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2026

CVE-2026-20797

Publication date:
27/02/2026
A stack-based buffer overflow exists in an API route of XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to cause stack corruption and a termination of the program.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2026