Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we maintain a database, in Spanish, of the latest documented and recognised vulnerabilities, available to any interested user.

This repository, with over 75,000 entries, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used in order to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to the patches or solutions provided by manufacturers and developers where these are available. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-61879

Publication date:
12/02/2026
In Infoblox NIOS through 9.0.7, a High-Privileged User Can Trigger an Arbitrary File Write via the Account Creation Mechanism.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2025-61880

Publication date:
12/02/2026
In Infoblox NIOS through 9.0.7, insecure deserialization can result in remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2025-54756

Publication date:
12/02/2026
BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or series 5 prior to v9.0.166 use a default password that is guessable with knowledge of the device information. The latest release fixes this issue for new installations; users of old installations are encouraged to change all default passwords.
Severity CVSS v4.0: HIGH
Last modification:
12/02/2026

CVE-2025-55210

Publication date:
12/02/2026
FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api (PBX API) is vulnerable to privilege escalation by authenticated users with REST/GraphQL API access. This vulnerability allows an attacker to forge a valid JWT with full access to the REST and GraphQL APIs on a FreePBX that they've already connected to, possibly as a lower privileged user. The JWT is signed using the api-oauth.key private key. An attacker can generate their own token if they possess this key (e.g., by accessing an affected instance), and specify any scopes they wish (e.g., rest, gql), bypassing traditional authorization checks. However, FreePBX enforces that the jti (JWT ID) claim must exist in the database (api_access_tokens table in the asterisk MySQL database) in order for the token to be accepted. Therefore, the attacker must know a jti value that already exists on the target instance. This vulnerability is fixed in 17.0.5 and 16.0.17.
Severity CVSS v4.0: LOW
Last modification:
12/02/2026

CVE-2026-26214

Publication date:
12/02/2026
Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpClient(), the SDK configures Apache HttpClient with SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any valid TLS certificate regardless of hostname mismatch. Because HTTPS is enabled by default in FDSClientConfiguration, all applications using the SDK with default settings are affected. This vulnerability allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses. The XiaoMi/galaxy-fds-sdk-android open source project has reached end-of-life status.
Severity CVSS v4.0: CRITICAL
Last modification:
12/02/2026

CVE-2026-26216

Publication date:
12/02/2026
Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The __import__ builtin was included in the allowed builtins, allowing unauthenticated remote attackers to import arbitrary modules and execute system commands. Successful exploitation allows full server compromise, including arbitrary command execution, file read and write access, sensitive data exfiltration, and lateral movement within internal networks.
Severity CVSS v4.0: CRITICAL
Last modification:
12/02/2026
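The entry above turns on one detail: the code passed in the hooks parameter ran under exec() with an allow-list of builtins that still contained __import__. The following added illustration (not Crawl4AI's code; the allow-lists, the run_hook handler and the payload strings are assumptions constructed for the demonstration) shows why that single entry is enough to reach os, and also why simply deleting __import__ from the list does not produce a sandbox: with an empty builtins table the interpreter's own class hierarchy still leads back to the os module.

```python
import os  # imported here only to give the checks below a reference value

# Assumption: an allow-list of the shape the advisory describes, __import__ included.
PERMISSIVE_BUILTINS = {"len": len, "str": str, "range": range, "__import__": __import__}
# The same allow-list with __import__ removed (the obvious, but insufficient, fix).
HARDENED_BUILTINS = {k: v for k, v in PERMISSIVE_BUILTINS.items() if k != "__import__"}


def run_hook(code: str, allowed_builtins: dict) -> dict:
    """Execute user-supplied hook code with a fixed builtins table and return its
    namespace. Hypothetical stand-in for the handler the advisory describes."""
    namespace = {"__builtins__": dict(allowed_builtins)}
    exec(code, namespace)
    return namespace


# Constructed payloads for the demonstration (not taken from the advisory).
# An import statement resolves through __builtins__["__import__"], so this one
# succeeds exactly when that name is present in the allow-list.
PAYLOAD_IMPORT = "import os\nresult = os.getcwd()\n"

# No builtins are needed to walk from a tuple literal to object's subclasses and
# read the os module's globals out of a plain Python class defined in os.py.
PAYLOAD_NO_BUILTINS = (
    "for cls in ().__class__.__base__.__subclasses__():\n"
    "    if cls.__name__ == '_wrap_close':\n"
    "        result = cls.__init__.__globals__['getcwd']()\n"
    "        break\n"
)


def import_reachable(allowed_builtins: dict) -> bool:
    """True if the payload's 'import os' succeeds under the given allow-list."""
    try:
        return run_hook(PAYLOAD_IMPORT, allowed_builtins)["result"] == os.getcwd()
    except ImportError:  # "__import__ not found" when the name is missing
        return False


def os_reachable_without_builtins() -> bool:
    """True if os.getcwd() is reachable with an empty builtins table."""
    namespace = run_hook(PAYLOAD_NO_BUILTINS, {})
    return namespace.get("result") == os.getcwd()


if __name__ == "__main__":
    print("import with __import__ allowed:", import_reachable(PERMISSIVE_BUILTINS))  # True
    print("import with __import__ removed:", import_reachable(HARDENED_BUILTINS))    # False
    print("os reachable with no builtins:", os_reachable_without_builtins())         # True
```

The third result is the practitioner's takeaway: a builtins allow-list only changes how much typing the attacker has to do. Code supplied by an unauthenticated caller must not reach exec() at all; if hooks are a required feature, they belong behind authentication and in a separate process or container with its own privilege boundary.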

CVE-2026-26217

Publication date:
12/02/2026
Crawl4AI versions prior to 0.8.0 contain a local file inclusion vulnerability in the Docker API deployment. The /execute_js, /screenshot, /pdf, and /html endpoints accept file:// URLs, allowing unauthenticated remote attackers to read arbitrary files from the server filesystem. An attacker can access sensitive files such as /etc/passwd, /etc/shadow, application configuration files, and environment variables via /proc/self/environ, potentially exposing credentials, API keys, and internal application structure.
Severity CVSS v4.0: CRITICAL
Last modification:
12/02/2026
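The entry above describes endpoints that handed a caller-supplied URL straight to the fetching component, which then happily opened file:// paths. The check a practitioner would want in front of such an endpoint is a scheme allow-list applied to the parsed URL, not a substring test. The following is an added example (not Crawl4AI's code; the function names, the allowed-scheme set and the sample requests are assumptions constructed here) that accepts only absolute http(s) URLs with a host and refuses the variants that commonly slip past naive filters: upper-case schemes, leading whitespace, scheme-less paths and a scheme with an empty host.

```python
from urllib.parse import urlsplit

# Assumption: the service only ever needs to fetch web resources, so only these
# schemes are accepted; file, ftp, data, javascript and anything else are refused.
ALLOWED_SCHEMES = {"http", "https"}


def is_fetchable_url(url) -> bool:
    """Return True only for an absolute http(s) URL with a non-empty host.

    urlsplit() already lower-cases the scheme; strip() removes surrounding
    whitespace before parsing. Hypothetical helper, not Crawl4AI's code."""
    if not isinstance(url, str):
        return False
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.hostname:  # e.g. "http:///etc/passwd": right scheme, no host
        return False
    return True


def filter_requests(urls):
    """Split a batch of requested URLs into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for url in urls:
        (accepted if is_fetchable_url(url) else rejected).append(url)
    return accepted, rejected


# Constructed sample requests: two legitimate targets mixed with the kinds of
# input the advisory says the endpoints accepted.
SAMPLE_REQUESTS = [
    "https://example.com/page",
    "http://example.com:8080/index.html",
    "file:///etc/passwd",
    "FILE:///etc/shadow",
    "  file:///proc/self/environ",
    "/etc/passwd",
    "example.com/page",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    ok, bad = filter_requests(SAMPLE_REQUESTS)
    print("accepted:", ok)   # the two http(s) URLs
    print("rejected:", bad)  # the remaining six
```

This check addresses only the local-file class described in the advisory. It does not stop a URL that points at an internal address, nor a remote page that redirects the fetching component to a file:// URL, so the component's own redirect and network policy still need to be locked down separately.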

CVE-2025-69634

Publication date:
12/02/2026
Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2025-69752

Publication date:
12/02/2026
An issue in the "My Details" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users' profile information by modifying the objectKey HTTP parameter in the My Details page URL.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2025-70886

Publication date:
12/02/2026
An issue in halo v.2.22.4 and before allows a remote attacker to cause a denial of service via a crafted payload to the public comment submission endpoint
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026

CVE-2025-56647

Publication date:
12/02/2026
npm @farmfe/core before 1.7.6 is Missing Origin Validation in WebSocket. The development (hot module reloading) server does not validate origin when connecting to a WebSocket client. This allows attackers to surveil developers running Farm who visit their webpage and steal source code that is leaked by the WebSocket server.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026
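The entry above is the cross-site WebSocket hijacking pattern: a browser will open a WebSocket to localhost from any page the developer visits, and the only thing the dev server can use to tell its own client from a stranger's page is the Origin header of the upgrade request. The following is an added example (not @farmfe/core's code; the header names, the allowed-origin list and the sample handshakes are assumptions constructed here) of the check a dev server should apply before accepting the upgrade. It compares scheme, host and port after normalisation rather than doing a prefix match, and it refuses a missing or "null" Origin, since the HMR client is always a browser and a browser always sends one.

```python
from urllib.parse import urlsplit


def normalise_origin(origin: str):
    """Return (scheme, host, port) for an Origin value, or None if unusable.
    Fills in the default port so "http://localhost" and "http://localhost:80"
    compare equal. Hypothetical helper, not the project's code."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric port in the header
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def origin_allowed(headers: dict, allowed_origins) -> bool:
    """Decide whether a WebSocket upgrade request may proceed.

    headers: the request headers of the upgrade (names compared case-insensitively).
    allowed_origins: the origins the dev server itself serves pages from."""
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None or origin.strip().lower() == "null":
        return False  # no browser page of ours produced this request
    wanted = normalise_origin(origin)
    if wanted is None:
        return False
    allowed = {normalise_origin(a) for a in allowed_origins}
    allowed.discard(None)
    return wanted in allowed


# Assumption: the dev server listens on port 9000 and serves pages from these origins.
DEV_SERVER_ORIGINS = ["http://localhost:9000", "http://127.0.0.1:9000"]

# Constructed upgrade-request headers for the demonstration.
OWN_CLIENT = {"Upgrade": "websocket", "Origin": "http://localhost:9000"}
OWN_CLIENT_ODD_CASE = {"Upgrade": "websocket", "origin": "HTTP://LOCALHOST:9000"}
FOREIGN_PAGE = {"Upgrade": "websocket", "Origin": "http://attacker.example"}
PREFIX_TRICK = {"Upgrade": "websocket", "Origin": "http://localhost:9000.attacker.example"}
NULL_ORIGIN = {"Upgrade": "websocket", "Origin": "null"}
NO_ORIGIN = {"Upgrade": "websocket"}

if __name__ == "__main__":
    for name, hdrs in [("own client", OWN_CLIENT), ("foreign page", FOREIGN_PAGE),
                       ("prefix trick", PREFIX_TRICK), ("null origin", NULL_ORIGIN)]:
        print(f"{name}: {origin_allowed(hdrs, DEV_SERVER_ORIGINS)}")
```

Refusing a missing Origin does cut off non-browser clients such as command-line tools; for an HMR socket that is the right trade, because the only legitimate client is the page the server itself served.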

CVE-2026-1104

Publication date:
12/02/2026
The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and download full-site backup archives containing the entire WordPress installation, including database exports and configuration files.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2026