Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-70037
Publication date:
09/03/2026
An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered in linagora Twake v2023.Q1.1223. This allows attackers to obtain sensitive information and execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2026

CVE-2025-15568
Publication date:
09/03/2026
A command injection vulnerability was identified in the web module of Archer AXE75 v1.6/v1.0 router. An authenticated attacker with adjacent-network access may be able to perform remote code execution (RCE) when the router is configured with sysmode=ap. Successful exploitation results in root-level privileges and impacts confidentiality, integrity and availability of the device.<br /> <br /> This issue affects Archer AXE75 v1.6/v1.0: through 1.3.2 Build 20250107.
Severity CVSS v4.0: HIGH
Last modification:
09/03/2026

CVE-2026-3588
Publication date:
09/03/2026
A server-side request forgery (SSRF) vulnerability in IKEA Dirigera v2.866.4 allows an attacker to exfiltrate private keys by sending a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2026

CVE-2026-25866
Publication date:
09/03/2026
MobaXterm versions prior to 26.1 contain an uncontrolled search path element vulnerability. The application calls WinExec to execute Notepad++ without a fully qualified executable path when opening remote files. An attacker can exploit the search path behavior by placing a malicious executable earlier in the search order, resulting in arbitrary code execution in the context of the affected user.
Severity CVSS v4.0: HIGH
Last modification:
09/03/2026

CVE-2025-70060
Publication date:
09/03/2026
An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in YMFE yapi v1.12.0.
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2026

CVE-2025-70042
Publication date:
09/03/2026
An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in oslabs-beta ThermaKube master.
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2026

CVE-2025-70046
Publication date:
09/03/2026
An issue pertaining to CWE-829: Inclusion of Functionality from Untrusted Control Sphere was discovered in Miazzy oa-front-service master.
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2026

CVE-2025-70048
Publication date:
09/03/2026
An issue pertaining to CWE-319: Cleartext Transmission of Sensitive Information was discovered in Nexusoft NexusInterface v3.2.0-beta.2.
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2026

CVE-2025-70050
Publication date:
09/03/2026
An issue pertaining to CWE-312: Cleartext Storage of Sensitive Information was discovered in lesspass lesspass v9.6.9 which allows attackers to obtain sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2026

CVE-2025-70040
Publication date:
09/03/2026
An issue pertaining to CWE-532: Insertion of Sensitive Information into Log File was discovered in LupinLin1 jimeng-web-mcp v2.1.2. This allows an attacker to obtain sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2026

CVE-2025-70047
Publication date:
09/03/2026
An issue pertaining to CWE-400: Uncontrolled Resource Consumption was discovered in Nexusoft NexusInterface v3.2.0-beta.2.
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2026

CVE-2024-14027
Publication date:
09/03/2026
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/xattr: missing fdput() in fremovexattr error path<br /> <br /> In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a<br /> file reference but returns early without calling fdput() when<br /> strncpy_from_user() fails on the name argument. In multi-threaded processes<br /> where fdget() takes the slow path, this permanently leaks one<br /> file reference per call, pinning the struct file and associated kernel<br /> objects in memory. An unprivileged local user can exploit this to cause<br /> kernel memory exhaustion. The issue was inadvertently fixed by commit<br /> a71874379ec8 ("xattr: switch to CLASS(fd)").
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2026
Subscribe to Vulnerabilities