Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-22898
Publication date:
20/03/2026
A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system.<br /> <br /> We have already fixed the vulnerability in the following version:<br /> QVR Pro 2.7.4.14 and later
Severity CVSS v4.0: CRITICAL
Last modification:
20/03/2026

CVE-2026-22900
Publication date:
20/03/2026
A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to gain unauthorized access.<br /> <br /> We have already fixed the vulnerability in the following version:<br /> QuNetSwitch 2.0.5.0906 and later
Severity CVSS v4.0: MEDIUM
Last modification:
20/03/2026

CVE-2026-22901
Publication date:
20/03/2026
A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands.<br /> <br /> We have already fixed the vulnerability in the following version:<br /> QuNetSwitch 2.0.5.0906 and later
Severity CVSS v4.0: MEDIUM
Last modification:
20/03/2026

CVE-2026-22902
Publication date:
20/03/2026
A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.<br /> <br /> We have already fixed the vulnerability in the following version:<br /> QuNetSwitch 2.0.5.0906 and later
Severity CVSS v4.0: MEDIUM
Last modification:
20/03/2026

CVE-2025-62846
Publication date:
20/03/2026
An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands.<br /> <br /> We have already fixed the vulnerability in the following version:<br /> QuRouter 2.6.2.007 and later
Severity CVSS v4.0: HIGH
Last modification:
20/03/2026

CVE-2026-22895
Publication date:
20/03/2026
A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.<br /> <br /> We have already fixed the vulnerability in the following versions:<br /> QuFTP Service 1.4.3 and later<br /> QuFTP Service 1.5.2 and later<br /> QuFTP Service 1.6.2 and later
Severity CVSS v4.0: LOW
Last modification:
20/03/2026

CVE-2025-59383
Publication date:
20/03/2026
A buffer overflow vulnerability has been reported to affect Media Streaming Add-On. The remote attackers can then exploit the vulnerability to modify memory or crash processes.<br /> <br /> We have already fixed the vulnerability in the following version:<br /> Media Streaming Add-on 500.1.1 and later
Severity CVSS v4.0: LOW
Last modification:
20/03/2026

CVE-2025-62843
Publication date:
20/03/2026
An improper restriction of communication channel to intended endpoints vulnerability has been reported to affect QHora. If an attacker gains physical access, they can then exploit the vulnerability to gain the privileges that were intended for the original endpoint.<br /> <br /> We have already fixed the vulnerability in the following version:<br /> QuRouter 2.6.3.009 and later
Severity CVSS v4.0: LOW
Last modification:
20/03/2026

CVE-2025-62844
Publication date:
20/03/2026
A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information.<br /> <br /> We have already fixed the vulnerability in the following version:<br /> QuRouter 2.6.2.007 and later
Severity CVSS v4.0: MEDIUM
Last modification:
20/03/2026

CVE-2025-62845
Publication date:
20/03/2026
An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior.<br /> <br /> We have already fixed the vulnerability in the following version:<br /> QuRouter 2.6.3.009 and later
Severity CVSS v4.0: MEDIUM
Last modification:
20/03/2026

CVE-2025-15608
Publication date:
20/03/2026
This vulnerability in AX53 v1 results from insufficient input sanitization in the device’s probe handling logic, where unvalidated parameters can trigger a stack-based buffer overflow that causes the affected service to crash and, under specific conditions, may enable remote code execution through complex heap-spray techniques. <br /> <br /> Successful exploitation may result in repeated service unavailability and, in certain scenarios, allow an attacker to gain control of the device.
Severity CVSS v4.0: HIGH
Last modification:
20/03/2026

CVE-2025-15607
Publication date:
20/03/2026
A command injection vulnerability on AX53 v1 occurs in mscd debug functionality due to insufficient input handling, allowing log redirection to arbitrary files and concatenation of unvalidated file content into shell commands, enabling authenticated attackers to inject and execute arbitrary commands. Successful exploitation may allow execution of malicious commands and ultimately full control of the device.
Severity CVSS v4.0: HIGH
Last modification:
20/03/2026
Subscribe to Vulnerabilities