Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-54243

Publication date:

09/09/2025

Substance3D - Viewer versions 0.25.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Severity CVSS v4.0: Pending analysis

Last modification:

12/09/2025

CVE-2025-54244

Publication date:

09/09/2025

Substance3D - Viewer versions 0.25.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Severity CVSS v4.0: Pending analysis

Last modification:

12/09/2025

CVE-2025-54245

Publication date:

09/09/2025

Severity CVSS v4.0: Pending analysis

Last modification:

12/09/2025

CVE-2025-44593

Publication date:

09/09/2025

Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. Specifically, .html files can trigger stored XSS vulnerabilities. This vulnerability is fixed in 2.20.13

Severity CVSS v4.0: Pending analysis

Last modification:

18/09/2025

CVE-2025-44595

Publication date:

09/09/2025

Halo v2.20.17 and before is vulnerable to Cross Site Scripting (XSS) in /halo_host/archives/{name}.

Severity CVSS v4.0: Pending analysis

Last modification:

18/09/2025

CVE-2025-54083

Publication date:

09/09/2025

Insecure Storage of Sensitive Information vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows admin access to the web interface.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE.

Severity CVSS v4.0: MEDIUM

Last modification:

12/09/2025

CVE-2025-54084

Publication date:

09/09/2025

OS Command (&#39;OS Command Injection&#39;) vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows authenticated attackers with &#39;super&#39; user credentials to execute arbitrary OS commands through improper input validation, potentially leading to full system compromise.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE.

Severity CVSS v4.0: HIGH

Last modification:

12/09/2025

CVE-2025-54239

Publication date:

09/09/2025

After Effects versions 25.3, 24.6.7 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure, potentially disclosing sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Severity CVSS v4.0: Pending analysis

Last modification:

12/09/2025

CVE-2025-23344

Publication date:

09/09/2025

The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to run code on the platform host as a non-privileged user. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure and data tampering.

Severity CVSS v4.0: Pending analysis

Last modification:

18/09/2025

CVE-2025-34176

Publication date:

09/09/2025

In pfSense CE /suricata/suricata_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related strings/characters. This value is directly used in a file existence check operation. While the contents of the file cannot be read, the server reveals whether the file exists, which enables an attacker to enumerate files on the target. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.

Severity CVSS v4.0: MEDIUM

Last modification:

17/10/2025

CVE-2025-34177

Publication date:

09/09/2025

In pfSense CE /suricata/suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.

Severity CVSS v4.0: MEDIUM

Last modification:

10/10/2025

CVE-2025-34178

Publication date:

09/09/2025

In pfSense CE /suricata/suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.

Severity CVSS v4.0: MEDIUM

Last modification:

10/10/2025

Subscribe to Vulnerabilities